For this chapter, we will focus on the human side of penetration testing. This includes the topics of phishing, custom malware, and social networking attacks where we can take advantage of people in order to perform further penetration testing. We'll look at open source tools which can help us in performing these attacks and then look at some real-world scenarios and how those tools fit. Lastly, you'll get to try out what you've learned in our hands-on challenge.
4.5. Case study: the tools in action
For this case study, we will be making use of all of the topics covered in this chapter: phishing, social network attacks, and custom malware. First, we'll take an identified target and go through some basic phishing attempts with and without malicious payloads. To make the attack more successful, we will then extend into using a social network to help move the attack forward. Finally, once we've established some level of credibility or compromise, we'll put together a piece of custom malware and use that with our target.
For this scenario, our target will be the CFO of the corporation which hired us to perform penetration testing. Through our reconnaissance and enumeration, we found very few available attack vectors, but did pick up some useful information about the officers of the company. In an effort to increase transparency of the company, the officers are all listed on the corporate web site along with their email address, and a brief bio on each officer. This is fairly common among corporations and is certainly useful to our purposes.
To start, we identified the name of the CFO and did some basic Google searches using keywords from her bio to learn more about her. In this reconnaissance, we determined that the CFO is a dog lover and appears to be involved in a number of dog-related organizations and groups. As we mentioned in Chapter 2, any information found during reconnaissance can be useful, and that is certainly the case here. From a social-engineering perspective, we should consider focusing on dogs, as that is of high interest to this person.
Our first attack will be a phishing attack to try and get more information from the target. We have information on organizations that the target is involved with, so in this case we will play the part of a member of the ASPCA, a very popular animal cruelty prevention group. In order for our attack to be successful, we need to focus on what information we're looking for. Our real targets are the systems of the corporation who hired us, so something like a user ID, password, or, even better, contact information would be helpful since at this point we only have a name, an email address, and a hobby. Also, building up a relationship with the target can help in the future when we actually start using malware.
Chances are very good that since the target's email address is publicly listed, an assistant of some sort is monitoring and filtering most emails. Consequently, we want to put together an email which will make it past the assistant. To do this, it is generally best to assume the role of someone who has a previously established relationship with the target. Most assistants are reluctant to intrude on a preexisting relationship and will probably pass along the message.
With all of those details firmly in mind, we move to create a phishing email targeted to the CFO.
Hi Christina,
I don't know if you remember me or not, but we met at a fundraiser for the ASPCA quite some time ago. I apologize for taking so long to get back to you, but my travel schedule has been very hectic of late. As we discussed, I'd really like to explore the option of working together on some pet protection projects at some point in the future.
While we didn't get the opportunity to talk for very long, I know you were very interested in helping rescue some of the abused animals in your area. I'm sure we both donate to the ASPCA, but taking a more personal approach just feels better to me, don't you agree? At any rate, please email me back with your number when you get a chance and let's reconnect. Also, is this the best email address for you or do you have one at home that you'd rather I use?
Also, if you'd like to connect on Facebook, my ID is XXXXXXX and, of course, my puppy has a Facebook page too! I'm sure you've already set up one for your darling, so let's connect them too! Ditzy's ID is XXXXXX. Can't wait to hear from you!
Kindest regards,
Susan
In this phishing attempt, we haven't gone for any detailed information such as user IDs or passwords, but we will still have accomplished a lot if the target replies:
• We establish credibility for future attacks
• We confirm that the email address is valid
• We potentially gain a personal email address as well as the corporate address
• We potentially gain a link via a social network to two dummy accounts that we have set up
Those aren't bad results for a single email. In this particular case, the target did reply. Here was her response:
Dear Susan,
I'm sorry, but I don't remember that conversation but that's not a surprise with all of the fundraisers that I've attended in the last year. No offense is intended and it's great to hear from you!
I agree, the fundraisers are nice, but I can't help but feel that I could do more. What kind of involvement are you thinking about? My schedule is pretty packed but I can always make some time on weekends for something like this! My number is XXX-XXX-XXXX and it would probably be better to email me at home. My address there is
[email protected]. I have been on Facebook for a while under another name so that people cannot find me as easily. I'm sure you understand that I have to be careful with my position in my company. I have sent you a friend request and of course Biscuit has an account too (we have to post pictures somewhere!). Ditzy should see a friend request from Biscuit here in the next few minutes.
Please let me know what projects you are thinking about and let's talk about them. I'm certainly interested and glad to get an email that is not just another request for money! Too many of those!!
Chris
It looks like our attempt was a huge success! We now have an established relationship with the target both via email and on a social networking site. We also have a contact phone number and a personal email address as well as a request that we contact her further. A quick check on the phone number shows that it's a cellular phone and doesn't have a listed physical address. Overall, her response puts us in a great position for our next attack where we'll send over a malicious payload.
To make the most effective use of our relationship with the target, we're going to take a multi-pronged approach here. We will put together another email sent to the target's home email address this time and include a malicious PDF file. In addition to that, we will also send over a link via the social network that leads to a site where we will phish for more information on the target. This time, we'll be looking for a physical address for the target as well as some other information which might help us out.
First, let's put together the PDF file. We'll use SET for this and use a PDF file that is a flyer for some sort of dog-related conference. We could create that on our own, but it's probably faster just to do a Google search for “flyer dog filetype:pdf.”
Fig. 4.24 shows the result of the search, and the third item on the list looks perfect for what we're doing.
Using SET, we'll select a spear-phishing attack vector and just create a file format payload since we'll be creating our own email. For this attack, we'll use an Adobe PDF encoded EXE and use the PDF file we downloaded as the template. We'll use “Windows Meterpreter Reverse_TCP” for our payload and generate the file. This can be seen in Fig. 4.25.
At this point, we have our payload ready to go and can send it in another email to our target. A follow-up email is very easy to craft and we'll simply include the attachment as a flyer associated in some manner to the project that we'd like to work with the target on. With a little luck, the target will open the attachment and we'll have a Meterpreter shell available. But we won't stop our attack with just an email.
The second part of our attack is to point the target to a web site designed to gather some more information that we can use. In this case, we'll put together a rather simple web site associated with our topic of conversation (dog protection) and put information on the site enticing the target to sign up for an account. Many people tend to use the same ID and password for multiple sites, so it's very possible that we'll be able to reuse the credentials they enter into our fake site. It's entirely possible that the password she uses for our site is also her password for her office or home system, giving us the access that we need.
To do this, we'll simply put together the site with a basic web form similar to that shown earlier in the chapter, but as part of the form, we'll prompt her for an ID and password to access the “private area” of the site. In addition, we'll prompt her for her physical address as part of the form. That information can be useful and if our current attacks are not successful enough, we can either use her address for further phishing or mail her a “free USB drive” with a malicious payload.
Again, we'll be using the social network for this phase of the attack, so what we'll do is post a status update with something similar to the following: “Just found a great site for info on preventing puppy euthanasia! Every signup means one more saved puppy! Join me and go to http://www.fake-inc.com!” We'll also send a message with this info to both the target's account and her dog's account. This will increase the likelihood that the attack will be successful, as the target will believe in an opportunity to double-dip and gain two saved puppies by using each account independently.
After this email and social network attack are sent, we fall into the stage of the test where we're just waiting for the attack to be successful. Normally with an attack of this nature, two to three days is sufficient. If you do not achieve results in this amount of time, it might be wise to try another attack vector.
Epic Fail
Remember not to use a single target too much! If you send too many emails to a single person, they may become suspicious. This has happened in real-world attacks where repeated emails to a single target caused them to raise a concern to their IT security group. The security team identified malicious payloads in the emails and blocked further communication using that channel. Always remember to use a light touch when penetration testing as it is less likely to raise alarms.
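The Epic Fail box notes that the target's security team spotted the malicious payloads in the emails. As an added, defender-side example (not code from the book or from SET), the Python check below is the kind of triage a mail gateway could run on PDF attachments: it flags the structures that a PDF-wrapped EXE like the one generated above depends on, including names hidden with #xx escapes. Both sample PDFs are constructed for the example.

```python
import re

# Constructed sample attachments (not real files): a plain flyer and one that
# wraps an executable the way a PDF-embedded EXE payload does.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n%%EOF")
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
                 b"/OpenAction << /S /Launc#68 /F (flyer.exe) >> >> endobj\n"
                 b"2 0 obj << /Type /EmbeddedFile /Length 4 >>\n"
                 b"stream\nMZ\x90\x00\nendstream\nendobj\n%%EOF")

# Name objects whose presence in a mailed "flyer" deserves a closer look.
NAME_RE = re.compile(rb"/(EmbeddedFile|Launch|JavaScript|JS|OpenAction)(?![A-Za-z])")
# An uncompressed stream that starts with the DOS header "MZ" is a Windows EXE.
MZ_STREAM_RE = re.compile(rb"stream\r?\nMZ")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names (/Launc#68 -> /Launch) so a substring
    check cannot be dodged by escaping. Binary stream bytes may be rewritten
    too, which is harmless for this indicator search."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return a count of each suspicious indicator found in a PDF."""
    body = normalize_names(data)
    findings = {}
    for name in NAME_RE.findall(body):
        key = "/" + name.decode()
        findings[key] = findings.get(key, 0) + 1
    if MZ_STREAM_RE.search(body):
        findings["embedded_MZ_header"] = 1
    return findings


def verdict(data: bytes) -> str:
    """block: executable content or an embedded file wired to an action;
    review: other active content; allow: nothing of note."""
    f = scan_pdf(data)
    if "embedded_MZ_header" in f or (
            "/EmbeddedFile" in f and ("/Launch" in f or "/OpenAction" in f)):
        return "block"
    return "review" if f else "allow"


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, verdict(pdf), scan_pdf(pdf))
```

Compressed streams (/FlateDecode) hide the MZ header from this check, so a production filter would inflate streams before scanning; the name-object indicators still apply.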
In this particular case, two days was sufficient. Within hours of the malicious payload being sent, a connection was made back to the host system. Using some of the Meterpreter commands, we were able to pull some identifying information about the machine that connected, which indicates that its name is “CHRIS,” making it pretty certain that we have our target.
Fig. 4.26 shows the system info from our target.
Of course, this system is probably not an office system, as most corporations have a more complex naming standard than the first name of the user. So that means we need to dig a little deeper. We can learn a lot from exploring the file system of this host. For example, in the c:\users\christina\documents directory, there is a file called “passwords.xls.” That might be worthwhile, so we'll grab that one. A quick look at the file shows that it is password protected, so we can take a closer look later.
Warning
Again, always be certain that you have permission from the corporation for every level of activity that you are doing. Gathering a file from the personal machine of the company's CFO may be outside of what they thought they signed up for if it is not explicitly defined in your rules of engagement. This could lead to criminal prosecution, so as a penetration tester, make sure that you have everything clearly defined before you take any action.
A quick email check shows that there is also a response from our web form! So far, this has been very productive. Included in that form were, of course, a user ID and password field to set up an account on the site. Just for fun, that might be a good password to try against the spreadsheet that we just downloaded.
The rest of this scenario plays out as expected. The password works against the spreadsheet, which has the target's passwords for a variety of systems including remote access to their office. Five minutes later and we have access to all of the company's financial records. At this point we can use custom malware to scan the network and gather files, but since we have a legitimate remote user ID and password, we should just be able to download the proof we need to demonstrate the vulnerability to the company.
Summary
We've covered a lot of material in this chapter associated with phishing, social network attacks, and custom malware but we've really only uncovered the tip of the iceberg. Social engineering and client-side attacks require a lot of practice and knowledge. By practicing these techniques and learning more about them, you are better positioned to perform any penetration testing which requires their use.
We talked about phishing and how to perform individually targeted and generally targeted phishing attacks. We discussed how to use both web forms and web applications to further our penetration testing and make our phishing attempts appear more legitimate as well. Finally, we talked about malware as it is used for phishing including both browser exploits and Trojan horses. All of these techniques are designed to get more information from our target and increase the depth of our penetration.
Social networks were our next topic. We talked a little about what social networks are, how they work, and how prolific they are in today's society. Then we moved on to how to use them to our advantage when performing a penetration test. They can be exploited to aid us in phishing, help distribute malware, or even give us a relationship to leverage for future social-engineering attempts. As we discussed, social networks can be very useful to today's penetration tester.
Lastly, we talked a little about custom malware. Malware is, of course, the general term for any malicious application. In our case, we can use malware to remotely exploit a machine or even custom design the malware to perform specific tasks such as gathering files of interest from a network and sending them to us. We talked about some of the tools used for working with custom malware and the three categories of tools (build, mask, and deploy). Using the tools available to us, we can generate a malware payload that accomplishes exactly the tasks that we need to further our penetration tests quickly and easily.