PATERVA

(PTY) LTD

Maltego Tungsten with Teeth / KingPhisher

Creating a collaborative attack platform with Maltego Tungsten
RT 20130712

Contents
Background...................................................................................................................................................3 Designcriteria...............................................................................................................................................3 MaltegoTeeth ................................................................................................................................................3 Infrastructure................................................................................................................................................4 Step1:Whatsoutthere?......................................................................................................................... 4 Step2:Whatcanwegetto?..................................................................................................................... 6 Fileanddirectorymining...................................................................................................................... 6 Checkingforindexability....................................................................................................................... 7 FindingCMSbackend............................................................................................................................ 7 FindingOWA(andotherinteresting)interfaces................................................................................... 8 FindingPossibleInjectionPoints(PIPs)................................................................................................. 8 Step3:Breakingcontrols.......................................................................................................................... 9 BruteforcingCMS.................................................................................................................................9 BruteforcingOWA................................................................................................................................9 SQLinjectionattackingPIPs............................................................................................................. 10 Portscans/Servicescans/NmapwithNSEscripts........................................................................... 10 AttacksagainstpeopleKingPhisher.......................................................................................................... 11 Introduction............................................................................................................................................11 Thegoal...................................................................................................................................................11 AlreadyinMaltego..................................................................................................................................12 Templates ................................................................................................................................................12 Typesofredirects/bounces................................................................................................................... 12 Challenges...............................................................................................................................................12 SenderPolicyFramework(SPF).......................................................................................................... 13 DomainKeysIdentifiedMail(DKIM) .................................................................................................... 13 Filtering,triggerwords........................................................................................................................ 13 Managingthecampaign......................................................................................................................... 13

Background
OneofthekeyfeaturesofMaltegoTungsten(tobereleasedatBlackHat2013)iscollaboration.Itallows analysts to share graphs in real time over XMPP. This allows a group of analysts (or attackers) to work togetheronthesamegoal.Combinedwiththealreadystateoftheartfootprintingandpersonalprofiling capabilitieswehaveinMaltego(thinkmachinesinRadium),thisprovidesaverycapableattackplatform. Itcombineshumanintelligence,patternrecognitionandpowerfulautomatedattacktoolswithgraphical informationsharingsoftware.Whenwedesignedandbuiltthissystemourmotivationwastocreatethe ultimateattackplatformthatcanbeusedbymultipleanalysts.

Design criteria
Thefollowinglimitationswhereconsidered: ExternalattackmeaningthattheattackteamwillbeconductingtheirattacksovertheInternet. In other words, not internal to the network, not over wifi or from hosts compromised prior to theattack. No 0day we assume that the attackers do not have access to 0day. The success of the attack shouldnothingeontheavailabilityof0day. Zero knowledge (black box) we assume that at the start of the attack the attackers have no priorknowledgeofthetargetsystemsinuseorthepeopleinvolved. Attackingalargeorganization.Wewillassumethatthenetworkororganizationunderattackis nationalormultinational.Inotherwords,thetypeofattackismostusefulforawideselectionof targetsnotasinglespecifichostorperson.

Otherdesigncriteriawerethatalltransformswouldrunaslocaltransforms(fortheteethsegment),that thecodebeopenandinwritteninPython/PHPandthatitwouldbeveryeasytomodifyandextend.The platformchosentodevelopanddeploythisisKaliLinux.

MaltegoTeeth
Since thefirstreleaseofMaltegowevemadesure thatnoneof thebundledtransformswereoffensive. While the results of the transforms were very valuable for security analysts the transforms themselves didnotdoalottoraiseeyebrows.WithourBlackHat2013talkweregoingbacktoourrootssecurity. Weve created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or askforexcuses.Whenusingthesetransformsyoullbeclearlyattackingatarget. Therearethreesectionsofinterest. Infrastructure.TheseareconventionalattacksagainstmachinesconnectedtotheInternetas opposedtopeopleorpersonaldevices. People.Theseareessentiallyattackswherepeopleareinvolvedinthesuccessoftheattack.Think socialengineering&spearphishing.

Thesewillbediscussedindetailbelow.

Infrastructure Teeth
Keepingthelimitationsinmindtherearebasicallythreestepswefollowhere: 1. Whatdotheyhaveoutthere? 2. Whatcanwegetfromwhatsalreadyoutthere? 3. Canwegetmorebybreakingcontrols?

Step 1: Whats out there?

Thefirststepisdiscovery ofeverythingthatthe targetexposestotheInternet.Thisisbasic footprinting somethingthatsalwaysbeenakeyfeatureofMaltego.Usingtheprepackagedfootprintingmachines introducedwithMaltegoRadiumyoucanliterallydoaoneclickfootprintofalargeorganization. Themethodologyofthisfootprinthasbeendiscussedindepthinthepastandisnotrepeatedhere. Below is a graph generated by the L3 foot printing machine of Maltego on the Johannesburg stock exchange(JSE):

ItsnotamassivegraphastheJSEdoesnothavealargeexternalfootprint. ThefootprintofIransAEOI:

 OrtheCIA:

Incomparison,areallylargenetworkmapofYahoo(justDNSnamesanddomains):

 Theresultofafootprintprovidesuswith: DomainsandDNSnames(Websites,MXrecords,NSrecords,reverseDNSnamesamongstothers) IPaddresses,netblocksandASnumbers

Step 2: What can we get to?

File and directory mining In terms of exposed services you are most likely to see HTTP and HTTPs. The most basic form of info gathering would be to look for unlinked files and directories on these web servers in other words file anddirectorymining. Therearemanyscriptsandscannersouttherethatperformthisfunctionhoweverwevefoundthatfew very of them do this properly (e.g. not looking at HTTP status codes but rather comparing server responses).Therightwaytodothisisasfollows: RequestadirectorythatyouknowdoesnotexistandstoretheresponseinX RequestanotherdirectorythatyouknowdoesnotexistandstoretheresponseinY If X and Y are similar (were using Levenshtein distance) then we know we can test properly. If theyarenotsimilaritsnotpossibletotestotherdirectories Now request the directory youre interested in and compare the response to Y (or X). If its significantlydifferentthenthedirectoryislikelytobethere.

Inthesamewaywecantestforfilenamewithtwoexceptions:

Baseline testing (X/Y) needs to be performed per file extension type. The response for an unknownASPXfilemightbedifferenttothatofaPHPfile. Baseline testing (X/Y) needs to be performed per directory. The response from the system for /scripts/login.phpmightbedifferenttotheresponsefor/backup/login.php

Thereareafewotherthingstokeepin mind.To get therealresponseitsbesttotest theactualoutput of the file/directory request meaning after following HTTP redirects. For this reason were using the Mechanize library. Other than Selenium (which is too heavy weight for this and not as portable as we wouldlike)thisistheclosestyouaregoingtogettoarealbrowser.ThedisadvantageofusingMechanize isthatitdoesnotinterpretJavascript. Testingforalistofdirectoriesorfilesintherootofawebserverisonlysoexciting.Inordertodothisjob properly we also need to check for files and directories in other paths of the server. Imagine that the entirewebstructureislocatedunder/corp/thentestingfor/backup.zip(whilemandatory)isalotless interestingthantestingfor/corp/backup.ziporlookingfor/corp/mediafile/archive/. Weusetwomethodsforgettingvalidwebdirectories: performingacrawl/mirrorofthesite requestingandparsingfor/sitemap.xml.

Not all sites contain sitemap.xml, but for those that do its an instant win well get the entire sites structure.Ifthatfailswecanalwaysrevertbacktocrawlingthesite. With the sites structure known (or partially known) we can now happily scan for files and directories in theseknownpathsandwelldothisforallthewebsiteswefoundinthefootprint. Checking for indexability Atthisstageweshouldhaveanicelistofdirectoriesthatwevefoundeitherbycrawling,bruteforcingor inspectingsitemap.xmlanditwouldmakessensetoseeifanyofthemareindexable.Enoughsaid. Finding CMS backend CMS (Content Management System(s)) have become very popular. Two popular CMSes are Wordpress andJoomla.Bothoftheseprovidetheuserwithanadministrativebackendwheretheycanlogintoupload newcontentormodules.WithJoomlaandWordpressitispossibletouploadamaliciousmodule/addon thatwillprovideawebbasedcommandshell(likeC99shell).Inmostcasestheseinterfacesareexposed totheInternetthismeansaccesstothewebcontentoruploadamaliciouspayloaditismerelyprotected by a single password. They are mostly located in a set location and its trivial to test if they exist. In MaltegoTeethwerelookingat3differentCMSes: Joomlaat/administrator/index.php WordPressat/wpadmin/ cPanelat:2082/login/(althoughnotarealCMSstillverypopular)

InthenextsectionwellseehowwebruteforcetheseCMSes. 7

Finding OWA (and other interesting) interfaces OWA (Outlook Web Access) has almost become the de facto standard way to provide remote email for largecorporateorganizations.WhenlookingattheFortune1000companieswevefoundthatabout60% ofthemhaveexposedOWAinterfaces.Inmostcasesyoucansimplybrowsetothisinterfaceandentera validusernameandpasswordinordertogainaccesstothemailinterface.Theinterfacenotonlysupplies theactualemailbuttheorganizationscalendarandaddressbook(names,phonenumbers,departments) aswellthisisagoldmineforotherattacks(thinksocialengineeringseenextsection). ThereareafewOWAtypesused: OWA2003 OWA2007 OWA2010 OWAOffice OWALive(cloud)

TheseareprotectedeitherwithaformsbasedloginorwithNTLM. ThewayTeethfindstheseareasfollows: 1. UsingAsyncDNSsearchforthefollowingDNSnames mail,webmail,owa,outlook,exchange,secure,gateway,vpn,activesync,connect 2. 3. 4. 5. 6. 7. Checkthatitdoesnotresolvetoawildcardentry Seeifitsopenonport443(weassumenobodywillruntheirwebmailoverHTTP) IfyoufindHTTPcode401assumeitsNTLMandmarkassuch IfyougetHTTPcode200followredirectsandstoretheresponse Comparetheresponsewithalistofsignaturesandseewhichonesmatches Ifitdoesnotcomparetoaresponsemarkitasgeneric.

Itbecomesclearfromsteps5and6thatthismethodalsoworksforothertypesofinterfacessuchasVPNs, gateways,webmailetc.providers.InTeethwevestored22differentresponsesfromCITRIXgateways, SecureIDinterfacestoCiscoWebVPNresponsesandaddingadditionaltypesistrivial. In the next section well show how we brute force OWA. Building a brute force attack script for other typesisleftasanexercisetothereader. Finding Possible Injection Points (PIPs) Usingautomated SQLinjectiontoolssuchasSQLMaponecan testfor SQLinjectionwith minimal effort. TobeabletodosoyouneedtopointittoaURL,specifyifitsaPOSToraGETandwhichparametersto testfor.

Asideeffectofacrawl/mirroristhatwealsohaveagoodideaofwhatforms(orGETswithparameters) aresurfacevisibleonawebsite.Notethatwesaysurfacevisiblee.g.notformsorGETsthatarelocated behindwebformsthatrequireauthenticationorelaborateJavascript. Armed with this info we can make a calculated guess which forms would be interesting to test for SQL injection.Aformwithasinglesubmitbuttonmightnotbeinteresting.Aformwithoneparametercalled printmightnotbeinteresting.Wemightenduptestingjustasingleparameter. Asanexampleconsiderthefollowingform: POST/search.php Parameters: o s= o print=true o redirect_url=http://www.site.com/search_done.php o sessionID=12345

Inthiscasetheonlyparameterthatislikelytoyieldinterestingresultswhentestedwouldbes.Thisdoes notmeanthatwecandiscardtheotherparameterswhensendingtherequestasitmightcausethescript tobreak.Wethusgettoasituationwherewecanfilterwhichparameterstotestforbasedonthenames, actionsorvaluesoftheparameter. InthenextsectionwelllookathowwecanattackthesePIPs.

Step 3: Breaking controls

While the methods used in the previous section could perhaps still be seen as information gathering techniquesthemethodsdiscussedhereisalloutattack. Brute forcing CMS A Metasploit plugin for brute forcing Wordpress exists and well use that to brute force Wordpress. The passwordlistisextendedwiththreederivatesofthedomainname.Letsassumethatthewebsiteiscalled www.cookiesrus.co.za.Thepasswordlistwillbeextendedtoincludecookiesrus123,cookiesrusadminand cookiesruspassword.Thiscaneasilybeextendedtoincludeothermutations. Joomla brute forcing is performed using a custom Python script this is because Joomla inserts a CSRF token in every login page which is checked when a POST is sent and most generic bruce forcing scripts doesnotsupportthis.ThesamepasswordextensionhappensforJoomlabruteforcing. Successfulloginsaregraphicallyindicated. Brute forcing OWA In order to brute force OWA the attacker needs to select which email addresses she wants to use first. ThesearewrittenviatheMaltegoGUItoalocalfile.WhentheuserrunsthebruteforceOWAtransform an external dialog window is popped up to ask the user from which domain she wants to select email addresses. 9

Theattackercansendemailaddresseswithorwithoutthedomain(usedintheemailaddress,nottobe confused with Microsoftworld domain). The thinking here is that OWA really uses a username and (Microsoftworld) domain. If the (MS) domain is not specified it will use the default domain which in mostcasesisthebestbet.Theusername*might*bethepartoftheemailaddressinfrontofthe@sign andmanylargecorporateorganizationsarenowadoptingthisnamingconvention.Theotheroptioncould bethattheMSdomainandtheemailaddressdomainisreallythesamething,inwhichcaseitwouldmake sensetosendboth. TheOWAtypeisstoredwithintheentityandbasedonthetypeeitherNTLMorwebformsisused.NTLM bruteforcingusesHydrawhileformbasedloginisdonewithMechanize. AnotherinterestingsideeffectofOWAbruteforcingisdenialofservice.MostOWAimplementationslock the account after 3 incorrect password attempts. As such the password file for OWA only contains two passwords.Ifthefilecontainsmorethan2passwords(andtheyareindeedincorrect)theaccountwillbe locked out. Since many OWA servers are directly connected to the main domain controller of the organizationthismightmeanasystemwidelockoutatleasttemporarily.Suchadenialofserviceagainst multipleaccountswouldseemtobeverycostlyforthetargetorganization. SQL injection attacking PIPs In the previous section we saw how we can identify possible injection points (PIPs). Using SQLMap we nowtestiftheseformsorGETsareindeedinjectable.ThetransformsimplyrunsSQLMapontheURLwith the correct parameters. When an injection string is found to be successful it is shown graphically on the MaltegointerfacethedefaultbehaviorofSQLMapistoshowthedatabaseandcurrenttablestructures. Therearesomelimitationsandconsiderationswhenusingthisattack: 1. The PIP scanner will only identify surface visible forms this was discussed in more detail in the previoussection. 2. Since were not sure what database type is in use we can either scan using all types (SLOW) or specific the database type. In subsequent version of the framework this should be addressed e.g.findingthemostlikelydatabasetypeautomatically. 3. SQLMaptakesalongtimetorun.Assuchyouneedtocarefullyselectwhichformstoattack. It would be possible to extend this so that the list of database are shown as entities from the PIP, with transforms to enumerate tables from these databases. This functionality is left as an exercise to the reader. Port scans / Service scans / Nmap with NSE scripts After careful consideration (we looked at Nessus, Metasploit etc.) it was decided to go with Nmap with NSE scripts as makeshift vulnerability scanner. We use this is quotes because its not a full blown vuln scannerbutratheracompilationofscriptsandagoodportscanner.Wevefoundthatinmanycasesthe NSE scripts bundled with Kali Linux served our purpose very well. Other considerations were stability, speedofexecution,extensibilityandeaseofintegrationwithMaltego.

10

There are 8 different families of NSE scripts. There are auth, default, discovery, external, intrusive, malware,safeandvuln.Twoadditionalonesareallandnoneafamilynameweveaddedwhenused withMaltegoTeeth.Theattackercanselectwhichofthesefamiliesshouldbeused,whichportsshouldbe scannedandwhichadditionalNMapparametersshouldbeused. The attacker can initiate scans against DNS names (includes web sites, MX/NS records) or IP addresses. NetblockscanbeextendedtoseveralIPaddressesinordertoscanthese.

Attacks against people KingPhisher

Introduction
Whileinfrastructureattacksareprettywellknowntoeveryonetheyarenotalwaysveryeffective.Askany pen tester whats the most certain way that theyll compromise a system and they are likely to tell you thatitwouldinvolvepeopleworkingatthetargetorganization. Peoplearenotmachines.Peoplemakemistakesandaredriventoactincertainwayseitherthroughfear, curiosityorgreed.Additionallypeopleintentionallyopennonconventionalattackvectorstothemselves. Thisincludesemail,IM,socialnetworksorevenreallifedevicessuchasphonesorothermobilecomputing platforms. Inthissectionwelllooktoseeifitwouldbepossibletodeliverawellcraftedemailtoatargetanddoing so with little or no interaction from the attacker. In other words is it possible to spear phish someone andletMaltegodotheheavylifting.Insubsequentupdatestotheplatformwellalsolookatothervectors suchasIMandsocialnetworks.

The goal
Thegoalofthisphishingattack(inorderofimpact)isasfollows: 1. IdentifyusercharacteristicsfromclickedlinkssuchasuseragentandIPaddress. 2. Get the target to simply click on a link. We might choose to deliver some form of payload in resultingpage. 3. Redirecttheusertoafakesocialnetwork/publicwebmail(Gmailetc)loginpage.Hopethetarget willentercredentials. 4. Redirecttheusertoafakecorporatewebmail/VPNportalandhopetogetcredentials. In 3 and 4 were hoping that the user will reuse credentials and the attacker can use these on more sensitive infrastructure (think corporate VPN etc.) The keyword in scenario 2 is of course browser 0day butgettingtheexternalIPaddressoftheuserisalsovaluable.

11

Already in Maltego
The more information we know about a person the more enticing the email we can send to our target. Maltego already offers many transforms to profile a person. This includes getting the targets email address,socialnetworksandfriendsfromthesesocialnetworks. The starting point would likely be the domain of the organization were attacking. From there we can enumerateemailaddressesandfromthatwecanresolvesocialnetworkmemberships.Insomeinstances we might be able to make educated guesses as to what the persons name and surname is or add more informationaboutourtargetmanually.

Templates
Maltegocreatesagraphoftheserelationships.Bysending thegraph toanexternalprocessweareable to extract these relationships and based on what information we find we can create a list of email templates. In a practical example from a target domain of target.com we find an email address john.doe@target.com.ThepersonsnameislikelyJohnDoe.Weresolvesocialnetworkmembershipand find a Flickr profile and a Facebook profile. From the Flickr and Facebook profiles we get interest and friendsandconnections.Ourtemplatesthatwecanchoosefromcouldnowbe: 1. 2. 3. 4. 5. SpoofedemailfromFacebookwithanewfriendrequest SpoofedemailfromFacebookwithphototaggedfrompersonwhoisaFBfriendoftarget SpoofedemailfromFlickrwithnewphotosfromafriend SpoofedemailfromacompanyspecializingininterestX Spoofedemailfromtarget.comwithinstructions

Theattackerwillbeabletochoosewhichtemplateshewantstouse,tweakafewconfigurationoptions, andtheframeworkwillfigureouttherest.

Types of redirects / bounces

Therearethreetypes: Justbounce.Uponclickingonthelinktheuserwilljustberedirectedtoanothersite. Get info, then bounce. The framework will collect the users IP address, user agent and then redirect. Get info, phish, then bounce. The framework will collect the IP address and user agent then presenttheuserwithacopyofapopularsocialnetworksloginpage,collectthecredentialsand thenredirecttheusertotherealsite.

Thisgivetheattackertheflexibilitytochooseexactlywhatthetargetwillseeonceheclicksonalink.

Challenges
Thefollowingmechanismsareusedtoautomaticallyprotectusersagainstthistypeofemail:

12

Sender Policy Framework (SPF) Thisisimplementedonthereceiving SMTPserver.TheserverwillcheckiftheremotehostmatchesSPF recordsforthesendersdomain.Whatthismeansisthatyoucannotsendemailaspete@companyX.com ifyourconnectionisnotoriginatingfromtheIPrange(s)ofcompany DomainKeys Identified Mail (DKIM) SendersofemailcandecidetoimplementDKIM,therebycryptographicallysigningpartsofthemessage typically the sender and receivers email addresses. The means you cannot send email as pete@companyX.comifyoudonthavetheirkeys. Filtering, trigger words Email providers (like Gmail) or email clients (like Microsoft Outlook) have builtin spam and phishing detection and will mark email from our platform as so. They might choose to trigger on emails that are closetothetemplatesofknownproviders. These techniquesare usuallyusedincombination. Thefirsttwo protectionmechanisms meansthatyou cannoteffectivelyspoofemailfrommajoremailsources(likeFacebook,Twitter,LinkedInetc).Thisisnot amajorproblemasyoucaneasilysendtheemailfromaccountsthat*looks*liketheseproviders.Inother wordsyoucansendfromnotications@fcebook.comortweets@twitte.r.com. However when the techniques are used in tandem it becomes a little tougher. If you are sending email thatlooksalotlikethatofamajoremailsourcebutyouarenotthatsourceitmightbemarkedasspam. ThegoodnewsisthattherearemanywaystocreateHTMLthatlooksthatsame.TheHTMLsourcemight not look the same but the rendered output will. This makes it possible for us to send email that looks exactlyliketherealdeal,butonthewirelooksalotdifferent.Itsmoreworkbutitsworthitattheend.

Managing the campaign

When sending email to many different targets the attacker would want to have a way of managing the campaign as it is easy to lose track of which emails where sent to which targets. With three simple transforms and perpetual machines this can be done graphically within Maltego. The transforms are as follows: Fromcontrolcentergettheemailaddressesoftargets FromeachtargetgettheIPaddressanduseragent(ifitexists) Fromeachtargetgetthecredentialsmined(ifany)

Theentiresystemsflowdiagramthuslooksasfollows:

13

5. Monitor campaign

Maltego client

1. POST graph

Collector

2. Collector setup

KP controller Attacker configures mail

4. User visits site

2. After setup, ready send

Target 3. Email sent SMTP sender

Conclusion
ThereareseveralaspectsofITsecuritythathavenotbeentouchedoninthispaper.Thegoalofthispaper is not show new attack vectors or methods. It is to show that almost all methods of attack can be incorporated into a single platform. A platform where attackers can share information, visualize it and launchnewattackscollaboratively. We are painfully aware that for the man with hammer, everything looks like a nail. In our case every securitytoolorattacktechniquelookslikeanailandourhammerisMaltegoTungsten.

14