Original Report by Tony Lee and Robert Portvliet
Although conferences, news articles, and everyday conversations make attacks on large organizations seem simple, it can still be hard to believe that these things actually work. The goal of this series of blog posts is to demonstrate the closest thing to a "real world" attack without committing a crime.
This is the attack vector from an actual penetration test, and although every step was calculated and creativity was used in some areas, the fundamental concepts are all straight out of any hacking book you'd find on the shelf.
Goal: Employee Information
The information gathering phase on this assessment was primarily conducted to gain information about the employees of the organization. The two most valuable resources for us were:
- Google/LinkedIn
- Company's Website
Utilizing these two resources, it took us about a day to learn the organization's business, locations, and build a list of employee names and email addresses that could be used in other attacks later on. Taking time to learn about the organization makes it easier to craft more targeted and believable attacks. Here's just some of what we found:
- Employee Names - LinkedIn returned a good number of employees' names, job titles, interests, and some email addresses, while the company website had just a handful of press-related contacts. One particularly useful piece of information was the name of an ex-employee. It was a good ice breaker when we called another employee and helped us build rapport and trust with the victim employee.
- Email Addresses - Although we initially identified only a small number of valid email addresses, this proved to be enough. From the few we found, it was trivial to deduce the naming convention and apply it to the names found on LinkedIn (e.g. FirstInitialLastname@CompanyName.com).
- Company Addresses and Phone Numbers - The company had a convenient "location finder" on the website which gave us the phone numbers and addresses for all of their locations.
- Valid Username Combinations - The company's website also had an employee login section which permitted account harvesting via the password reset page. It helped us confirm some employee names and gave us insight into username naming conventions.
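The password reset behaviour described above is worth checking from the defender's side. The following is an added example (not code from the original report): a "before" handler whose reply reveals whether a username exists, a hardened handler that answers and works identically either way, and a regression check that tells the two apart. The user store and outbox are constructed.

```python
import secrets

# Constructed sample user store and outbox; neither comes from the original report.
USERS = {"jsmith": "jsmith@companyname.example",
         "rportvliet": "rportvliet@companyname.example"}
OUTBOX = []  # (address, token) pairs that would have been e-mailed


def _issue_token(address):
    """Generate a reset token every time; deliver it only when a real address exists,
    so known and unknown usernames cost the same amount of work (and time)."""
    token = secrets.token_urlsafe(32)
    if address is not None:
        OUTBOX.append((address, token))


def reset_leaky(username):
    """'Before' behaviour: the reply says whether the account exists, so the
    reset page doubles as a username oracle that can be harvested one name at a time."""
    if username not in USERS:
        return "No account found for that username."
    _issue_token(USERS[username])
    return "A password reset link has been sent."


def reset_uniform(username):
    """Hardened: identical reply, status and work for known and unknown names.
    Only the e-mail (which the requester cannot see) reveals whether the account exists."""
    _issue_token(USERS.get(username))
    return "If an account exists for that username, a reset link has been sent."


def response_depends_on_account(handler):
    """Regression check a defender can keep in a test suite: does the handler answer
    differently for a username that exists versus one that does not?"""
    known = handler(next(iter(USERS)))
    unknown = handler("definitely-not-a-user-" + secrets.token_hex(4))
    return known != unknown
```

The same check should be extended to HTTP status codes and response timing, since either can leak account existence just as plainly as the message text.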
Goal: Gain Employee Credentials by directly asking for them (say what?)
To gain more information about the networks, systems, and employees, we picked a handful of users to target. We asked for items of interest such as:
- Job function
- Location (City, state)
- IP Address
- Host name
- Windows Domain
- Domain Controller
- Building Trust - The more the victim speaks, the more comfortable they are. Let them talk.
- Script - Build a script. Come up with answers to everything you can think of. Take your time between questions, and be courteous when asking for anything.
- Caller ID Spoofing - It always helps to spoof your Caller ID so that it appears to be an internal number.
- "Hello, this is (made up name) from the (headofficelocationname) compliance team.” Wait for a response. Often, the user will have an outstanding issue and begin asking about it. This can be very useful for building trust.
- Note: If challenged - "I am completing this task for Heidi Montag in the Information Security Department"
- Wait for the victim to respond. If they don't have a few minutes, thank them and move on to the next call.
- Wait for the person to respond. If they are not, thank them and end the call.
- Wait for the client to respond. Very often there will be something wrong. Ask them to explain any problems. Say that what you are calling about may be related. If there is no issue, simply continue.
- Wait for them to respond to the question. Obviously change the question (and the rest of the test) if they are using a different OS.
Goal: Enticing Users to a Website
Asking a user to navigate to a website can be a nice and indirect way to have them give you access to their system. For instance, you can have the website present them with a username/password prompt and ask them to log into it, or you can be as aggressive as we were here. We simply put out a Metasploit Java Applet Browser Payload using SET on a domain we registered (test-companyname.com). When the user navigates to the site, they're prompted to accept the applet and it connects back to the handler on our attack system. The social engineering script is pretty similar to the above, however this time we'll introduce ourselves as someone from the web team:
- Say to the user "Hello, this is (made up name) from the (companyname) web development team.”
- Wait for a response. Often, the user will have an outstanding issue and begin asking about it. This can be very useful for building trust.
- Say "OK, I'm going to need you to go to and test our new site. Are you running Windows?"
- Wait for them to respond to the question. It should be OK if they are running Linux, Mac, or Windows as long as you have handlers set up for each operating system.
- NOTE: If A/V flags: "Don't worry about the antivirus, we have worked with Microsoft [the applet states it's signed by Microsoft] to develop this accelerator and we are currently troubleshooting that issue."
Goal: Internal Access via Employees
With a pretty decent sized email list pulled together, we created a phish to entice users to connect to our malicious site. The internal mail servers were filtering our spoofed @companyname.com messages, so we just sent the emails from the test-companyname.com domain which we created. Over the course of 3 days we sent emails out to a number of different users, and each day we changed the phish:
- New Employee Portal - We pretended to be from the web development team and told users about the new employee portal. The link in the email appeared to be one to the normal employee portal, however once clicked, it actually directed users to the test-companyname.com malicious website.
  - Target: Everyone Except HR
  - Result: 2 shells
  - Rate: First shell was obtained 4 minutes after the email was sent, second was 3 hours after
- Financial Results/Stock Tracker - This time the users were directed to a clone of a company-created stock tracking site where they can get information about the financial status of the company.
  - Target: Management
  - Result: 2 shells
  - Rate: First shell was obtained 13 minutes after the email was sent, second was about 30 minutes after
- Locator Clone - We simply cloned the locator page and sent the email out to a select few.
  - Target: Everyone
  - Result: 2 shells
  - Rate: First shell was obtained 28 minutes after the email was sent, second was about 6 hours after
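The phishes above share two tells a mail gateway or analyst can look for: the sender domain imitates the real one (test-companyname.com vs. companyname.com), and the link's visible text shows the normal portal while the href points elsewhere. The following is an added example, not code from the original report; the corporate domain list and the sample message are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"companyname.com"}  # constructed: the organisation's real domain(s)

def hostname(url):
    url = url.strip()
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_lookalike(domain):
    """Not one of our domains, yet embedding our brand, e.g. test-companyname.com."""
    if domain in CORPORATE_DOMAINS or any(domain.endswith("." + d) for d in CORPORATE_DOMAINS):
        return False
    return any(d.split(".")[0] in domain for d in CORPORATE_DOMAINS)

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phish_indicators(sender, html_body):
    """Reasons a message matches the pattern above: lookalike sender, disguised links."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} imitates a corporate domain")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target = hostname(href)
        # Only treat the visible text as a URL when it looks like one (has a dot, no spaces).
        shown = hostname(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
        elif is_lookalike(target):
            reasons.append(f"link points to lookalike domain {target}")
    return reasons

SAMPLE_SENDER = "webteam@test-companyname.com"  # constructed, modelled on the portal phish
SAMPLE_BODY = ('<p>Our new employee portal is live:</p>'
               '<a href="http://test-companyname.com/portal">https://portal.companyname.com/</a>')
```

Running `phish_indicators(SAMPLE_SENDER, SAMPLE_BODY)` returns both reasons; a legitimate message from @companyname.com with a link whose text and target agree returns an empty list.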
Part 2 of this series will show you how to turn those user level shells into domain admin and what juicy areas of the network to look for confidential information!