On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically phishing only). In preparation for the attack, I wanted to find out what software they were running, so that Vlad and I could target them more intelligently. As this technique worked well, I thought it was a neat trick worth sharing.
First off, the approach was to perform some footprinting to find their likely Internet breakout. While I found the likely range (their mail server was in it), I couldn't find the exact IP they were being NAT'ed behind. Not wanting to stop there, I tried out Vlad's Skype IP disclosure trick, which worked like a charm. What's cool about this approach is that it gives you both the internal and the external IP of the user (so if you have another internal IP leak, you can confirm they are connected to their internal network). You don't even need to be "friends": you can just search for people who list the company in their profile details, or do some more advanced OSINT to find the Skype IDs of employees.
Once I had that IP, I went hunting for web logs that had been indexed by a search engine and contained hits from it. My thinking was that I run into indexed Apache or IIS logs fairly often when googling for IPs and the like, so maybe some of them contained the external NAT IP of the target organisation. It took a fair bit of fiddling with search terms, but in the end I found 14 unique hits from their organisation, most of them complete with User-Agent information (some were partially obscured).
This provided me with the following stats (14 hits; because some User-Agent strings were partially obscured, the browser counts do not all add up to 14):

Operating system:
  Win XP         8
  Win 7 32-bit   3
  Win 7 64-bit   3

Browser:
  IE 8   8
  IE 6   3
  IE 7   1
  IE 9   1

OS and browser combination:
  Win 7   IE 8   4
  Win XP  IE 8   4
  Win XP  IE 6   3
  Win 7   IE 9   1
  Win XP  IE 7   1
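As an added example (this is not code from the original post), the tallying described above can be scripted once you have the indexed log lines in hand. The script below assumes the Apache "combined" log format, filters on a hypothetical external NAT address (203.0.113.45, from the TEST-NET-3 range), fingerprints the OS and browser from the User-Agent string, and still counts entries whose User-Agent was truncated or obscured by the indexing (they are reported as "unknown" rather than silently dropped). The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Hypothetical external NAT IP of the target organisation (TEST-NET-3, RFC 5737).
TARGET_IP = "203.0.113.45"

# Constructed sample log lines in Apache "combined" format. Hosts, paths and
# User-Agent strings are made up; the last two lines mimic what you get from
# search-engine-indexed logs: a truncated entry, an obscured OS version and a
# line with no User-Agent at all.
SAMPLE_LOG = """\
203.0.113.45 - - [03/Oct/2012:01:50:12 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.45 - - [03/Oct/2012:01:51:03 +0200] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
198.51.100.7 - - [03/Oct/2012:01:52:40 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"
203.0.113.45 - - [03/Oct/2012:02:02:11 +0200] "GET /news HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.45 - - [03/Oct/2012:02:05:55 +0200] "GET /news HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
203.0.113.45 - - [03/Oct/2012:02:06:30 +0200] "GET /x HTTP/1.1" 200 10 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
203.0.113.45 - - [03/Oct/2012:02:07:01 +0200] "GET /y HTTP/1.1" 200 10 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1
203.0.113.45 - - [03/Oct/2012:02:07:30 +0200] "GET /z HTTP/1.1" 200 10 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT ...)"
203.0.113.45 - - [03/Oct/2012:02:08:00 +0200] "GET /w HTTP/1.0" 200 10
"""

# Apache combined format; the referer/User-Agent pair is optional and the
# closing quote of the User-Agent is optional so truncated lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"?)?'
)

WINDOWS_NT = {
    "5.0": "Win 2000", "5.1": "Win XP", "5.2": "Win XP x64 / Server 2003",
    "6.0": "Win Vista", "6.1": "Win 7", "6.2": "Win 8",
}


def fingerprint(ua: str):
    """Derive (os, browser) labels from a User-Agent string.

    Whichever part is missing or truncated comes back as 'unknown', so a
    partially obscured entry still contributes what it can.
    """
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_label = WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
        # WOW64 = 32-bit IE on 64-bit Windows; Win64/x64 = native 64-bit IE.
        # Either token means a 64-bit OS; neither means 32-bit.
        bits = "64-bit" if re.search(r"WOW64|Win64|x64", ua) else "32-bit"
        os_label = f"{os_label} {bits}"
    else:
        os_label = "unknown"

    b = re.search(r"MSIE (\d+)", ua)
    if b:
        browser = "IE " + b.group(1)
    else:
        b = re.search(r"(Firefox|Chrome|Safari|Opera)/(\d+)", ua)
        browser = f"{b.group(1)} {b.group(2)}" if b else "unknown"
    return os_label, browser


def tally(log_text: str, target_ip: str):
    """Count OS, browser and OS/browser pairs for hits from target_ip."""
    os_c, br_c, combo_c = Counter(), Counter(), Counter()
    hits = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ip") != target_ip:
            continue
        hits += 1
        os_label, browser = fingerprint(m.group("ua") or "")
        os_c[os_label] += 1
        br_c[browser] += 1
        combo_c[(os_label, browser)] += 1
    return hits, os_c, br_c, combo_c


def report(hits, os_c, br_c, combo_c):
    print(f"{hits} hits from target")
    for title, counter in (("Operating system:", os_c), ("Browser:", br_c)):
        print(title)
        for label, n in counter.most_common():
            print(f"  {label:<16} {n}")
    print("OS and browser combination:")
    for (o, b), n in combo_c.most_common():
        print(f"  {o:<16} {b:<8} {n}")


if __name__ == "__main__":
    report(*tally(SAMPLE_LOG, TARGET_IP))
```

Run against a real dump of indexed log lines, the "unknown" buckets tell you how much of the picture the obscured entries are hiding, which matters when you use the counts to decide which client-side exploit to lead with.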
Anecdotally, and to give the story an ending, it turned out that BlackHole and Metasploit's Browser AutoPwn were a bust, and even our customised stuff got nailed by Forefront when the stager tried to inject its payload at runtime. An internal tool we use for launching modified meterpreter payloads worked like a charm, although it periodically died on Win7 64-bit, so I'd recommend using reverse-http (sessions can be restarted) and firing up a backup session with which to restart the other.
Hackathons are used by many tech companies to give their employees breathing space to work on new ideas. Google and Facebook are big fans, and Facebook's Like button was conceived as part of a hackathon. Getting everyone together at the same time was no mean feat (the term 'herding cats' springs to mind), but on the week of the 12th of November all SensePost'rs were in our new offices and ready to break, build and develop.
Prior to the event, we asked everyone to think about what they wanted to work on. As mentioned above, there was no specific guideline as to what anyone could come up with, as you can't force creativity. After a brainstorming session, the following ideas were given and solutions made during the hackathon period*:
1. SensePost World App
A mobile application (multi-platform) that will streamline the process of receipts, expenses, travel requests, holiday leave etc.
2. SensePost IRC Bot
An IRC bot that will offer:
An application that allows us to utilise SMS from a company-wide perspective, including:
4. Magstripe Hacking
Having moved into our new fancy offices, we decided to look at the current magstripe implementation in use, to work out if we could read the data, clone it and create free parking for ourselves (while potentially looking for flaws in the magstripe implementation). The magstripes on the parking tickets were very unusual. Between the reader in the office and Andrew Mohawk's more advanced ones, we could not get a consistent read. It is possible that the cards use an unusual arrangement of tracks. Typically there are 3 horizontal tracks at predefined heights; if the tracks are at unusual heights, we may have been getting interference between them. Andrew has tried to dissect one of the cards, but no luck yet.
Watch this space.
5. AV VirusTotal Project
Rather than submitting our payloads to VirusTotal (who then inform the vendors), we will create our own version that uses all vendors, to determine if our custom payloads could be detected.
6. SensePost Green Project
A project to make our business greener in approach and ideas. How responsibly were we using resources? What was our consumption of electricity and water like and could it be made better?
With teams created and everyone clear on what they had to do, 48 hours were given to create the above ideas. Food, drink, hardware and toys were provided. Vlad brought some amazing Russian vodka, and energy drinks were supplied.
The cool thing about the hackathon was that some of the top ideas came from traditionally non-technical people, such as our finance wizard who came up with the idea of the SensePost world app. This was the outcome that we wanted: to prove that you don't need to be a heavy tech-orientated person to come up with meaningful projects or ideas.
Overall, the 2012 Hackathon was a brilliant time. Some amazing ideas have come to light: ones that will see us pushing offensive approaches, and ones that will have an impact on the way we work at SensePost.
For those thinking about running an internal hackathon, I'd say go for it. Giving people the space to work on ideas with like-minded colleagues will only bring benefits.
*There were other projects, but they won't see the light of day as of yet, so will remain confidential until the time is right.
When performing spear phishing attacks, the more information you have at your disposal, the better. One tactic we thought useful was this Skype security flaw disclosed in the early days of 2012 (discovered by one of the Skype engineers much earlier).
For those who haven't heard of it: this vulnerability allows an attacker to passively disclose a victim's external, as well as internal, IP addresses in a matter of seconds, by viewing the victim's VCard through an 'Add Contact' form.
Why is this useful?
1. Verifying the identity and the location of the target contact. Great when performing geo-targeted phishing attacks.
2. Checking whether your Skype account has been used elsewhere :)
3. Spear phishing enumeration while Pen Testing.
4. Just out of plain curiosity.
To get this working, follow these basic steps:
1. Download and install the patched version of Skype 5.5 from here (the patch enables the Skype client to save the logs in non obfuscated form)
2. Save the lines below as a Skype_log_patch.reg file, then run it to enable the Skype debug log:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Skype\Phone\UI\General]
"LastLanguage"="en"
"Logging"="SkypeDebug2003"
"Logging2"="on"
3. Start Skype.
4. Search for any Skype contact and click on the 'Add a Skype Contact' button, but do not send the request; rather, click on the user to view their VCard.
5. Open the log file (it should appear in the same folder as the Skype executable, e.g. debug-20121003-0150).
6. Look for the PresenceManager line; you should see something similar to this ->
The log will include similar credentials for everyone listed as a "contact" under your Skype account, as well as a lot of other fresh, genuine and useful information received directly from your local Skype tracker.
We often get asked by students of our Hacking By Numbers courses if the course environments or at least the VMWare images are available after the training is over. As a result we've started to experiment with a model for offering our courses in an online environment. The idea would be to maintain the full numbers of labs and technical work, maintain the high standard of trainers and materials, but make the training available via the internet to people at various diverse locations. The approach we've been testing appears to show some promise, so we're hoping to ask some of you for your input and opinions.
The model we have in mind works like this:
1. Our slide decks have been ported to a Flash format with voice-overs blended in. This allows the students to browse through the materials, pause the presentation and move forward and backward as they please. The voice-over is by an experienced trainer and is presented in the same anecdotal style we use in our regular courses. There's also a transcript of the speaker's presentation that ensures students understand the trainer and allows them to copy and reuse text from the dialog.
2. The Flash slides are accompanied by the same lab sheets and accompanying answer sheets that are used in our regular training.
3. In order to complete the labs students connect to a Microsoft Terminal Server over the Internet. Each student has their own desktop that's pre-installed and configured with everything they'll need, including an SSH session to the Linux box that's needed for some of the labs. In this way the student walks right into a clean pre-configured environment with a full Windows and Linux toolset. All the targets, along with the classroom infrastructure like web and DNS servers, are available on virtual networks attached to the Terminal Server.
4. The course is broken up into a series of 'modules', where a module corresponds to a number of slides from the deck, followed by a lab exercise from the lab sheets. The students can work their way through the slides in the module then tackle the corresponding labs by logging onto the Terminal Server.
5. Although students work their way through the materials and labs on their own time, they are expected to complete each module within a certain amount of time. At the start and end of each module there is a trainer briefing that occurs via Skype. Students are given an overview of the materials and labs to follow and are given the opportunity to ask questions and make comments.
6. There is also an interim Skype briefing at fixed times at the start and end of each day. Finally, students have the opportunity to submit questions via email during the course of the day that will be dealt with by the trainer at the next briefing. In this manner we envisage a two-day classroom being spread over a five-day or even a seven-day period.
So that's the basic approach. We've started by porting our Cadet Edition in this fashion because it has the fewest labs and (as a beginners' course) seemed to make the most sense. There's a brief summary of the course here. But before we take the course live, we're planning to take it for a few test runs and hopefully get some input and feedback from you. Basically, there are three questions we want to ask:
1. Have you done online training before? If you've done online courses, what are your observations? Did it work for you? What did you and didn't you like?
2. Do you think our online approach is a workable learning tool? Do you think our approach can work and would you be interested to attend a course presented in this manner?
3. What would you be prepared to pay for such a course? Here's some benchmark pricing for you to consider:
- A CEH course starts at $695.00 (normal pricing seems to be $895)
- A SANS @Home hacking course starts at $3,275.00
- The Offensive Security Offsec 101 starts at $550.00 (and goes up to about $700, without 'options')
- Our Cadet course retails at Black Hat from $2,200.00, with fully configured laptops provided
Our total training content amounts to about 2 days. Given this, what do you think would be a fair price to pay for this course?
Finally, we're planning to hold a free online 'beta' of the course early in 2009. If you'd like to take part, please let us know by contacting 'email@example.com'
I suspect somewhere there exist cardinal rules of blogging which would state that using a single post to make 2 completely unrelated posts is a no-no.. I will now promptly ignore it 2 push out 2 random thoughts that came up..
Echelon and Echelon spam..
While watching the Bourne Ultimatum the other night the usual "echelon"-esque scene played out.. Guy on phone says keyword.. pan to NSA/CIA type building.. computer drone type person screams something like "we have a hot one"..
Now I admit to knowing very little about Echelon and how it actually operates, but figure if I lived in the States (where I believe local calls are free) I would have my phone generate Echelon spam when not in active use.. Concerns about tying up your line? Use it as hold music.. Effectively a bunch of people worried about their privacy should be able to inject enough noise into the system to render it less useful.. it sounds perfectly feasible...
Skype and the recent Skype Outage..
So lots of people wrote about it (before and after Skype's official response).. Basically on August 16 Skype had a major outage.. this is old news.. but what is really interesting (partly because I only recently finished Taleb's "Fooled by Randomness") is the law of unintended consequences coming into play.. Skype by many accounts is well engineered and the Skype network is built to withstand spikes in usage.. Even its peer-to-peer net has what they call self-healing capability.. So what took Skype down? A massive botnet? A co-ordinated attack? The Windows patch release cycle.. Turns out that Skype was not able to handle the number of machines that all simultaneously rebooted with the last Windows update.. This apparently caused a chain reaction and the rest is history.. it's really interesting because with any reasonably complex system, there are always matters beyond the horizon that are near impossible to see coming..