Disclaimer: Educational purposes, personal reference, don’t do illegal hacking, IANAL, etc.
Note: THP3 is my primary source for this. I’m putting my thoughts and notes to help me remember the info while avoiding putting too much info from the book here. If you are considering buying the book, I highly recommend it.
THP3 05 – The Screen – Social Engineering
Social engineering is a great way to get a foothold somewhere. If you’re unfamiliar with the basics, checkout Security through Education for some overview info. Chris Hadnagy’s book Social Engineering: The Science of Human Hacking, 2nd ed is also a good read. I’m about halfway through it right now. It’s a nice non-technical read to balance out the technical stuff. Kim mentions (and I concur) that checking out the Defcon SE CTF info would be a good idea. There’s a lot of good info out there, and SE attacks are still very effective. Plus it really is a nice balance to the hands-on-keyboard technical stuff. I wouldn’t call it a “break”, but a good change of pace.
See THP2 for more coverage – basically get a similar domain. Hope for typos, etc. Reap the rewards. Especially good for mimicking authentication pages and redirecting to the real page when creds are entered.
You can use the Social Engineering Toolkit (SET) to clone authentication pages. And a lot of other things, so check out the user’s manual available for download from the README page on Github. Going through the options is very straightforward. Setting up the VPS as the attack server is quick and easy. The config file needed updated to use Apache instead of python – change the APACHE_SERVER to ON (around line 95), set the APACHE_DIRECTORY (line 98ish), and adjust the HARVESTER_LOG (line 163ish). I want to go through the manual and some walkthroughs to get a better feel for the tool. I found a video from Packt on using SET that was helpful because it showed how to use it in a lab setup. I got it all setup with no problems. The Windows box I used really didn’t want to accept the edits to the host file to use the cloned login pages I created. This may be because I’m working in a host-only network. This StackExchange has a good list of things to try for troubleshooting. None of which made my Windows machine happy. I could force it to go, but I’ll have to look into it more. I wasn’t working on a new VM, so that may have been the issue. But it also looks like IE can be a little finicky with the hosts file.
Kim also recommends storing any passwords found in an encrypted fashion, such as with your public pgp key to protect the info in case of compromise. I think this is an important step to ensure that you (hopefully) could not be found liable if someone else obtained the same information elsewhere.
Creds with 2FA
On the defensive side, we like 2FA, preferably with something besides SMS. ReelPhish can be used to help deal with 2FA on the offensive side. Kim mentions running on Windows is preferred and gives a FireEye blog link. Other tools mentioned to bypass 2FA are evilginx, which was recently updated to version 2, and CredSniper. Both look like really good tools to experiment with for SE. Kim also mentions the importance of looking for places where 2FA might not be required.
Phishing remains one of the most important and effective attack vectors. People are getting better about avoiding and reporting, but it’s still worth attempting. Every company will handle training employees to handle phishing and handle reports of phishing differently. Reporting phishing emails should be encouraged, but it isn’t always. And there will inevitably be someone having a “bad” day who will click the phish link. GoPhish can be used for automated attacks. Other tools are Phishing Frenzy using Ruby and King Phisher using Python. The automation is good for mass, straightforward attacks. For targeted campaigns, it would be beneficial to use OSINT to create hand-crafted phishes.
Microsoft Word/Excel Macro Files
Oh the joy of Office macros! Yes, they can be beneficial, but the security risk is quite high. By default, Office files support VBA (Visual Basic for Applications) code. AV is getting better about detecting, but obfuscation can often allow it to work. Empire or Unicorn can be used to create payloads. The payload can be base64 encoded to get around some AV, though this is becoming well known and I’ve seen discussions of checking for specific keywords within base64 encoding. The process is straightforward – create payload, pop into Excel, create a macro, replace code with payload, convince receiver to Enable Content, and the payload executes. You can also embed .bat (batch files) into Office files. Newer versions likely won’t execute it, but if you can convince the receiver to move it to the desktop and execute, you’re good. LuckyStrike is available to make this more automated. VBad can also be used, but you have to enable macros yourself to use it. It heavily obfuscates your payloads and does several cool things. Call me paranoid, but I’d want to use this in a sandbox.
I think this sort of attack would be very effective in environments where people are used to getting documents from (somewhat) random people, especially at certain times of the year when attachments from people who aren’t actually known is expected.
Non-Macro Office Files – DDE
This section starts with a nod to timing – if you just happen to be doing a pentest when new vulnerabilities are exposed, well, that can be quite helpful. They Dynamic Data Exchange (DDE) protocol vulnerability was announced during one of Kim’s engagements, and the vuln can still be found. DDE is used for communication between applications. Sensepost wrote up how the exploit functions. There is an Empire stager to create the Word file and PS script (usestager windows/macroless_msword). Kim also mentions a toolkit to look for RCE in MS Office as well as generate malicious payloads, subdoc attacks and a subdoc tool. It looks to be straightforward, but I haven’t tried these out yet.
Hidden Encrypted Payloads
This section covers a couple encryptions tools. EmbedInHTML that will take a file, encrypt it, and embed it in an HTML file as a resource complete with automatic download routine. Demiguise generates HTML files containing an encrypted HTA (HTML Application) file.
Exploiting Internal Jenkins with Social Engineering
This chapter ended with a walkthrough of a Jenkins exploit that you can get full compromise with if the application is unauthenticated. The problem is the app is hosted internally, so to get the code to execute, you need to have a victim in the org visit a page with a stored XSS payload that allows WebRTC to expose the internal IP of a victim. Kim developed a tool specifically for this exploit. It will take the internal IP of a visitor and send the exploit to all servers in the /24 range. This requires Jenkins prior to 2.x.
Basic steps are set up a Jenkins server on a Windows VM with a bridged adapter. Put the exploit tool on Kali and set it up. Then visit the attack website from another system. The webpage will hit the internal network over 8080 with the payload, find the Jenkins server, and get the server to download/decrypt/execute the Meterpreter payload. Your machine may want to make the war file a zip, so rename it if necessary. Set up was straightforward. And remember to make sure that you’ve set up a server on the attack machine and a listener. I used my Kali VM and a simple Python server. I watched the server and saw when the Jenkins machine called the payload, but I didn’t get a shell. Something to play with later, but moving on for now.
As I was wrapping up this chapter, I also caught Episode 110 of the Privacy, Security, & OSINT Show that focused on testing your online security. The show notes have links to test browser security and would be a good idea to run to check your op sec. There was a site that would specifically check for the WebRTC, so a nice way to see if the fixes you apply are working.
This chapter was a bit of a brain break after the last couple. Good info, but I’d recommend branching out into some of the dedicated social engineering material if this is an area of interest. The technical info here is a great complement to the SE stuff I’ve been going through that is more focused on soft-skills.
- Figure out what was keeping the Jenkins exploit from working
- Finish the SE book I’m reading