Professional Documents
Culture Documents
(PTY) LTD
Contents
Background...................................................................................................................................................3 Designcriteria...............................................................................................................................................3 MaltegoTeeth ................................................................................................................................................3 Infrastructure................................................................................................................................................4 Step1:Whatsoutthere?......................................................................................................................... 4 Step2:Whatcanwegetto?..................................................................................................................... 6 Fileanddirectorymining...................................................................................................................... 6 Checkingforindexability....................................................................................................................... 7 FindingCMSbackend............................................................................................................................ 7 FindingOWA(andotherinteresting)interfaces................................................................................... 8 FindingPossibleInjectionPoints(PIPs)................................................................................................. 8 Step3:Breakingcontrols.......................................................................................................................... 9 BruteforcingCMS.................................................................................................................................9 BruteforcingOWA................................................................................................................................9 SQLinjectionattackingPIPs............................................................................................................. 10 Portscans/Servicescans/NmapwithNSEscripts........................................................................... 10 AttacksagainstpeopleKingPhisher.......................................................................................................... 11 Introduction............................................................................................................................................11 Thegoal...................................................................................................................................................11 AlreadyinMaltego..................................................................................................................................12 Templates ................................................................................................................................................12 Typesofredirects/bounces................................................................................................................... 12 Challenges...............................................................................................................................................12 SenderPolicyFramework(SPF).......................................................................................................... 13 DomainKeysIdentifiedMail(DKIM) .................................................................................................... 13 Filtering,triggerwords........................................................................................................................ 13 Managingthecampaign......................................................................................................................... 13
Background
OneofthekeyfeaturesofMaltegoTungsten(tobereleasedatBlackHat2013)iscollaboration.Itallows analysts to share graphs in real time over XMPP. This allows a group of analysts (or attackers) to work togetheronthesamegoal.Combinedwiththealreadystateoftheartfootprintingandpersonalprofiling capabilitieswehaveinMaltego(thinkmachinesinRadium),thisprovidesaverycapableattackplatform. Itcombineshumanintelligence,patternrecognitionandpowerfulautomatedattacktoolswithgraphical informationsharingsoftware.Whenwedesignedandbuiltthissystemourmotivationwastocreatethe ultimateattackplatformthatcanbeusedbymultipleanalysts.
Design criteria
Thefollowinglimitationswhereconsidered: ExternalattackmeaningthattheattackteamwillbeconductingtheirattacksovertheInternet. In other words, not internal to the network, not over wifi or from hosts compromised prior to theattack. No 0day we assume that the attackers do not have access to 0day. The success of the attack shouldnothingeontheavailabilityof0day. Zero knowledge (black box) we assume that at the start of the attack the attackers have no priorknowledgeofthetargetsystemsinuseorthepeopleinvolved. Attackingalargeorganization.Wewillassumethatthenetworkororganizationunderattackis nationalormultinational.Inotherwords,thetypeofattackismostusefulforawideselectionof targetsnotasinglespecifichostorperson.
MaltegoTeeth
Since thefirstreleaseofMaltegowevemadesure thatnoneof thebundledtransformswereoffensive. While the results of the transforms were very valuable for security analysts the transforms themselves didnotdoalottoraiseeyebrows.WithourBlackHat2013talkweregoingbacktoourrootssecurity. Weve created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or askforexcuses.Whenusingthesetransformsyoullbeclearlyattackingatarget. Therearethreesectionsofinterest. Infrastructure.TheseareconventionalattacksagainstmachinesconnectedtotheInternetas opposedtopeopleorpersonaldevices. People.Theseareessentiallyattackswherepeopleareinvolvedinthesuccessoftheattack.Think socialengineering&spearphishing.
Thesewillbediscussedindetailbelow.
Infrastructure Teeth
Keepingthelimitationsinmindtherearebasicallythreestepswefollowhere: 1. Whatdotheyhaveoutthere? 2. Whatcanwegetfromwhatsalreadyoutthere? 3. Canwegetmorebybreakingcontrols?
ItsnotamassivegraphastheJSEdoesnothavealargeexternalfootprint. ThefootprintofIransAEOI:
OrtheCIA:
Incomparison,areallylargenetworkmapofYahoo(justDNSnamesanddomains):
Inthesamewaywecantestforfilenamewithtwoexceptions:
Baseline testing (X/Y) needs to be performed per file extension type. The response for an unknownASPXfilemightbedifferenttothatofaPHPfile. Baseline testing (X/Y) needs to be performed per directory. The response from the system for /scripts/login.phpmightbedifferenttotheresponsefor/backup/login.php
Thereareafewotherthingstokeepin mind.To get therealresponseitsbesttotest theactualoutput of the file/directory request meaning after following HTTP redirects. For this reason were using the Mechanize library. Other than Selenium (which is too heavy weight for this and not as portable as we wouldlike)thisistheclosestyouaregoingtogettoarealbrowser.ThedisadvantageofusingMechanize isthatitdoesnotinterpretJavascript. Testingforalistofdirectoriesorfilesintherootofawebserverisonlysoexciting.Inordertodothisjob properly we also need to check for files and directories in other paths of the server. Imagine that the entirewebstructureislocatedunder/corp/thentestingfor/backup.zip(whilemandatory)isalotless interestingthantestingfor/corp/backup.ziporlookingfor/corp/mediafile/archive/. Weusetwomethodsforgettingvalidwebdirectories: performingacrawl/mirrorofthesite requestingandparsingfor/sitemap.xml.
Not all sites contain sitemap.xml, but for those that do its an instant win well get the entire sites structure.Ifthatfailswecanalwaysrevertbacktocrawlingthesite. With the sites structure known (or partially known) we can now happily scan for files and directories in theseknownpathsandwelldothisforallthewebsiteswefoundinthefootprint. Checking for indexability Atthisstageweshouldhaveanicelistofdirectoriesthatwevefoundeitherbycrawling,bruteforcingor inspectingsitemap.xmlanditwouldmakessensetoseeifanyofthemareindexable.Enoughsaid. Finding CMS backend CMS (Content Management System(s)) have become very popular. Two popular CMSes are Wordpress andJoomla.Bothoftheseprovidetheuserwithanadministrativebackendwheretheycanlogintoupload newcontentormodules.WithJoomlaandWordpressitispossibletouploadamaliciousmodule/addon thatwillprovideawebbasedcommandshell(likeC99shell).Inmostcasestheseinterfacesareexposed totheInternetthismeansaccesstothewebcontentoruploadamaliciouspayloaditismerelyprotected by a single password. They are mostly located in a set location and its trivial to test if they exist. In MaltegoTeethwerelookingat3differentCMSes: Joomlaat/administrator/index.php WordPressat/wpadmin/ cPanelat:2082/login/(althoughnotarealCMSstillverypopular)
InthenextsectionwellseehowwebruteforcetheseCMSes. 7
Finding OWA (and other interesting) interfaces OWA (Outlook Web Access) has almost become the de facto standard way to provide remote email for largecorporateorganizations.WhenlookingattheFortune1000companieswevefoundthatabout60% ofthemhaveexposedOWAinterfaces.Inmostcasesyoucansimplybrowsetothisinterfaceandentera validusernameandpasswordinordertogainaccesstothemailinterface.Theinterfacenotonlysupplies theactualemailbuttheorganizationscalendarandaddressbook(names,phonenumbers,departments) aswellthisisagoldmineforotherattacks(thinksocialengineeringseenextsection). ThereareafewOWAtypesused: OWA2003 OWA2007 OWA2010 OWAOffice OWALive(cloud)
TheseareprotectedeitherwithaformsbasedloginorwithNTLM. ThewayTeethfindstheseareasfollows: 1. UsingAsyncDNSsearchforthefollowingDNSnames mail,webmail,owa,outlook,exchange,secure,gateway,vpn,activesync,connect 2. 3. 4. 5. 6. 7. Checkthatitdoesnotresolvetoawildcardentry Seeifitsopenonport443(weassumenobodywillruntheirwebmailoverHTTP) IfyoufindHTTPcode401assumeitsNTLMandmarkassuch IfyougetHTTPcode200followredirectsandstoretheresponse Comparetheresponsewithalistofsignaturesandseewhichonesmatches Ifitdoesnotcomparetoaresponsemarkitasgeneric.
Itbecomesclearfromsteps5and6thatthismethodalsoworksforothertypesofinterfacessuchasVPNs, gateways,webmailetc.providers.InTeethwevestored22differentresponsesfromCITRIXgateways, SecureIDinterfacestoCiscoWebVPNresponsesandaddingadditionaltypesistrivial. In the next section well show how we brute force OWA. Building a brute force attack script for other typesisleftasanexercisetothereader. Finding Possible Injection Points (PIPs) Usingautomated SQLinjectiontoolssuchasSQLMaponecan testfor SQLinjectionwith minimal effort. TobeabletodosoyouneedtopointittoaURL,specifyifitsaPOSToraGETandwhichparametersto testfor.
Asideeffectofacrawl/mirroristhatwealsohaveagoodideaofwhatforms(orGETswithparameters) aresurfacevisibleonawebsite.Notethatwesaysurfacevisiblee.g.notformsorGETsthatarelocated behindwebformsthatrequireauthenticationorelaborateJavascript. Armed with this info we can make a calculated guess which forms would be interesting to test for SQL injection.Aformwithasinglesubmitbuttonmightnotbeinteresting.Aformwithoneparametercalled printmightnotbeinteresting.Wemightenduptestingjustasingleparameter. Asanexampleconsiderthefollowingform: POST/search.php Parameters: o s= o print=true o redirect_url=http://www.site.com/search_done.php o sessionID=12345
Theattackercansendemailaddresseswithorwithoutthedomain(usedintheemailaddress,nottobe confused with Microsoftworld domain). The thinking here is that OWA really uses a username and (Microsoftworld) domain. If the (MS) domain is not specified it will use the default domain which in mostcasesisthebestbet.Theusername*might*bethepartoftheemailaddressinfrontofthe@sign andmanylargecorporateorganizationsarenowadoptingthisnamingconvention.Theotheroptioncould bethattheMSdomainandtheemailaddressdomainisreallythesamething,inwhichcaseitwouldmake sensetosendboth. TheOWAtypeisstoredwithintheentityandbasedonthetypeeitherNTLMorwebformsisused.NTLM bruteforcingusesHydrawhileformbasedloginisdonewithMechanize. AnotherinterestingsideeffectofOWAbruteforcingisdenialofservice.MostOWAimplementationslock the account after 3 incorrect password attempts. As such the password file for OWA only contains two passwords.Ifthefilecontainsmorethan2passwords(andtheyareindeedincorrect)theaccountwillbe locked out. Since many OWA servers are directly connected to the main domain controller of the organizationthismightmeanasystemwidelockoutatleasttemporarily.Suchadenialofserviceagainst multipleaccountswouldseemtobeverycostlyforthetargetorganization. SQL injection attacking PIPs In the previous section we saw how we can identify possible injection points (PIPs). Using SQLMap we nowtestiftheseformsorGETsareindeedinjectable.ThetransformsimplyrunsSQLMapontheURLwith the correct parameters. When an injection string is found to be successful it is shown graphically on the MaltegointerfacethedefaultbehaviorofSQLMapistoshowthedatabaseandcurrenttablestructures. Therearesomelimitationsandconsiderationswhenusingthisattack: 1. The PIP scanner will only identify surface visible forms this was discussed in more detail in the previoussection. 2. Since were not sure what database type is in use we can either scan using all types (SLOW) or specific the database type. In subsequent version of the framework this should be addressed e.g.findingthemostlikelydatabasetypeautomatically. 3. SQLMaptakesalongtimetorun.Assuchyouneedtocarefullyselectwhichformstoattack. It would be possible to extend this so that the list of database are shown as entities from the PIP, with transforms to enumerate tables from these databases. This functionality is left as an exercise to the reader. Port scans / Service scans / Nmap with NSE scripts After careful consideration (we looked at Nessus, Metasploit etc.) it was decided to go with Nmap with NSE scripts as makeshift vulnerability scanner. We use this is quotes because its not a full blown vuln scannerbutratheracompilationofscriptsandagoodportscanner.Wevefoundthatinmanycasesthe NSE scripts bundled with Kali Linux served our purpose very well. Other considerations were stability, speedofexecution,extensibilityandeaseofintegrationwithMaltego.
10
There are 8 different families of NSE scripts. There are auth, default, discovery, external, intrusive, malware,safeandvuln.Twoadditionalonesareallandnoneafamilynameweveaddedwhenused withMaltegoTeeth.Theattackercanselectwhichofthesefamiliesshouldbeused,whichportsshouldbe scannedandwhichadditionalNMapparametersshouldbeused. The attacker can initiate scans against DNS names (includes web sites, MX/NS records) or IP addresses. NetblockscanbeextendedtoseveralIPaddressesinordertoscanthese.
The goal
Thegoalofthisphishingattack(inorderofimpact)isasfollows: 1. IdentifyusercharacteristicsfromclickedlinkssuchasuseragentandIPaddress. 2. Get the target to simply click on a link. We might choose to deliver some form of payload in resultingpage. 3. Redirecttheusertoafakesocialnetwork/publicwebmail(Gmailetc)loginpage.Hopethetarget willentercredentials. 4. Redirecttheusertoafakecorporatewebmail/VPNportalandhopetogetcredentials. In 3 and 4 were hoping that the user will reuse credentials and the attacker can use these on more sensitive infrastructure (think corporate VPN etc.) The keyword in scenario 2 is of course browser 0day butgettingtheexternalIPaddressoftheuserisalsovaluable.
11
Already in Maltego
The more information we know about a person the more enticing the email we can send to our target. Maltego already offers many transforms to profile a person. This includes getting the targets email address,socialnetworksandfriendsfromthesesocialnetworks. The starting point would likely be the domain of the organization were attacking. From there we can enumerateemailaddressesandfromthatwecanresolvesocialnetworkmemberships.Insomeinstances we might be able to make educated guesses as to what the persons name and surname is or add more informationaboutourtargetmanually.
Templates
Maltegocreatesagraphoftheserelationships.Bysending thegraph toanexternalprocessweareable to extract these relationships and based on what information we find we can create a list of email templates. In a practical example from a target domain of target.com we find an email address john.doe@target.com.ThepersonsnameislikelyJohnDoe.Weresolvesocialnetworkmembershipand find a Flickr profile and a Facebook profile. From the Flickr and Facebook profiles we get interest and friendsandconnections.Ourtemplatesthatwecanchoosefromcouldnowbe: 1. 2. 3. 4. 5. SpoofedemailfromFacebookwithanewfriendrequest SpoofedemailfromFacebookwithphototaggedfrompersonwhoisaFBfriendoftarget SpoofedemailfromFlickrwithnewphotosfromafriend SpoofedemailfromacompanyspecializingininterestX Spoofedemailfromtarget.comwithinstructions
Theattackerwillbeabletochoosewhichtemplateshewantstouse,tweakafewconfigurationoptions, andtheframeworkwillfigureouttherest.
Thisgivetheattackertheflexibilitytochooseexactlywhatthetargetwillseeonceheclicksonalink.
Challenges
Thefollowingmechanismsareusedtoautomaticallyprotectusersagainstthistypeofemail:
12
Sender Policy Framework (SPF) Thisisimplementedonthereceiving SMTPserver.TheserverwillcheckiftheremotehostmatchesSPF recordsforthesendersdomain.Whatthismeansisthatyoucannotsendemailaspete@companyX.com ifyourconnectionisnotoriginatingfromtheIPrange(s)ofcompany DomainKeys Identified Mail (DKIM) SendersofemailcandecidetoimplementDKIM,therebycryptographicallysigningpartsofthemessage typically the sender and receivers email addresses. The means you cannot send email as pete@companyX.comifyoudonthavetheirkeys. Filtering, trigger words Email providers (like Gmail) or email clients (like Microsoft Outlook) have builtin spam and phishing detection and will mark email from our platform as so. They might choose to trigger on emails that are closetothetemplatesofknownproviders. These techniquesare usuallyusedincombination. Thefirsttwo protectionmechanisms meansthatyou cannoteffectivelyspoofemailfrommajoremailsources(likeFacebook,Twitter,LinkedInetc).Thisisnot amajorproblemasyoucaneasilysendtheemailfromaccountsthat*looks*liketheseproviders.Inother wordsyoucansendfromnotications@fcebook.comortweets@twitte.r.com. However when the techniques are used in tandem it becomes a little tougher. If you are sending email thatlooksalotlikethatofamajoremailsourcebutyouarenotthatsourceitmightbemarkedasspam. ThegoodnewsisthattherearemanywaystocreateHTMLthatlooksthatsame.TheHTMLsourcemight not look the same but the rendered output will. This makes it possible for us to send email that looks exactlyliketherealdeal,butonthewirelooksalotdifferent.Itsmoreworkbutitsworthitattheend.
Theentiresystemsflowdiagramthuslooksasfollows:
13
5. Monitor campaign
Maltego client
1. POST graph
Collector
2. Collector setup
Conclusion
ThereareseveralaspectsofITsecuritythathavenotbeentouchedoninthispaper.Thegoalofthispaper is not show new attack vectors or methods. It is to show that almost all methods of attack can be incorporated into a single platform. A platform where attackers can share information, visualize it and launchnewattackscollaboratively. We are painfully aware that for the man with hammer, everything looks like a nail. In our case every securitytoolorattacktechniquelookslikeanailandourhammerisMaltegoTungsten.
14