I have read a lot over the past few years about Advanced Persistent Threats (APT). Many people believe that these attacks are carried out by sophisticated attackers employed by China or other nation states. While this may be true, I have often wondered how much effort and how many resources would be required to carry out such an attack.
Well, recently one of my clients said "We have invested a lot into security recently and we would like to see what a real attacker would do to our network". So, we proposed performing a "blended threat assessment", aka a "hit us with every trick in the book" assessment. So, what did we do and what was the result?
Result = Global Administrative Rights (Domain Admin) and undetected persistence in the network for over a week. Not that we were ever detected; the penetration test simply ended.
Level of Effort = 2 weeks of social recon, 5 phishing emails, 1 hr to set up C&C servers, 8 hrs to take global Domain Admin.
Strategy = Social Recon + Phishing + Browser Exploits + Trojan Excel Sheets + Metasploit & Meterpreter.
Granted, real APT attacks often persist for months or years without detection and focus on leeching large amounts of data from target networks. But the concepts are all the same. The client was a large multinational organization. Because of the critical nature of its business, it had made security a priority. While they did have their security flaws, they were ahead of the curve when compared to others in their industry. But at the end of the day, all it took was 1 man, limited recon, a few phishing emails, and a little imagination to achieve the same effect. I did not use any 0-day exploits or advanced attack strategies.
I think this case study does an excellent job of illustrating the reverse arms race happening in cyber security today: it costs organizations millions of dollars to secure themselves against attack, while it only requires limited resources to breach that same security.
Thursday, July 21, 2011
Excel: A Hacker's Best Friend (Metasploit Payload Delivery)
I recently discovered an excellent way to use Excel macros to store and execute Metasploit payloads. I tested it out on a recent pentest and found that it also evades detection by the most recent version of Symantec enterprise. It is as easy as 1, 2, 3.
1. Create an Excel document which entices users to enable macros. Below is an example:

The spreadsheet displays a warning informing victims that the document cannot be viewed properly without macros enabled. Additionally, several cells in the spreadsheet appear to have calculation errors.
2. Using Metasploit, export your desired payload in VBS format. I chose to use the Meterpreter reverse shell. :)
3. Create your macro. Insert your VBS file into an Excel macro as a string variable. Create a macro function which writes the VBS string to a file on the OS and then executes it. No, I will not give you the code. Finally, create a function in your macro which fixes all of the "calculation errors" in the spreadsheet. Don't want your victim getting suspicious.
It's as easy as that. Excel provides a way to deliver and execute the entire Metasploit payload without AV or the victim ever knowing what hit them. Beautiful simplicity.
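The detection angle on the technique above: whatever the macro does inside the workbook, the drop-and-run step leaves a process-tree footprint, EXCEL.EXE spawning a script host (wscript.exe, cscript.exe, etc.) with a freshly written script under the user's temp directory on the command line. The following is an added example of that check, not code from the original post. It assumes Sysmon-style process-creation events (EventID 1 with Image, ParentImage, CommandLine and User fields) serialised one JSON object per line; the four events embedded below are constructed, not taken from a real host.

```python
"""Flag Office applications spawning script hosts (drop-and-run macro footprint).

Added example; the event records in SAMPLE_EVENTS are constructed for the demo.
Assumes Sysmon-style EventID 1 records with Image / ParentImage / CommandLine / User.
"""
import json
import re

# Parent processes that should rarely launch a script interpreter directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Child images that indicate a script or command being handed off by the parent.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Script dropped into a user-writable temp location = the pattern described in the post.
TEMP_DROP = re.compile(r"\\(temp|tmp)\\[^\s\"]+\.(vbs|vbe|js|jse|hta|bat|ps1)", re.IGNORECASE)

# Constructed sample: a benign Excel launch, a macro dropping and running a .vbs,
# an unrelated notepad launch, and Word spawning cmd.exe with no temp script.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"EXCEL.EXE\" Q3_Forecast.xlsm", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.vbs", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c echo hi", "User": "CORP\\asmith"}
"""


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for an Office -> script-host spawn, else None."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    # A script path under Temp on the command line raises the severity:
    # that is exactly what "write the VBS to disk and execute it" looks like.
    severity = "high" if TEMP_DROP.search(cmdline) else "medium"
    return {
        "user": event.get("User"),
        "parent": parent,
        "child": child,
        "severity": severity,
        "command_line": cmdline,
    }


def scan(text):
    """Run classify() over newline-delimited JSON events; return the findings in order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['user']}: {f['parent']} -> {f['child']}  {f['command_line']}")
```

On the constructed sample this yields two findings: the EXCEL.EXE -> wscript.exe event with a .vbs under Temp is rated high, and WINWORD.EXE -> cmd.exe without a dropped script is rated medium. Both sets at the top are deliberately small; tune OFFICE_PARENTS and SCRIPT_HOSTS to the environment, since some line-of-business add-ins legitimately launch cmd.exe or powershell.exe from Office.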
Easy Zip File Password Cracker
After searching today for a free password cracking application for zip files, I decided to make my own. All that is required is 7-Zip, a decent word list, and this trusty batch file.
@echo off
REM usage: zip_crack.bat <archive.zip> <wordlist.txt>
REM note: FOR /F splits on whitespace, so passwords containing spaces are not handled.
SETLOCAL ENABLEDELAYEDEXPANSION
SET targetfile=%2
REM Try every line of the word list as the archive password.
FOR /F %%i IN (%targetfile%) DO (
    echo %%i
    REM 7-Zip exits with 0 only when extraction succeeded, i.e. the password was right.
    7z.exe e -y -p"%%i" %1
    IF !ERRORLEVEL! == 0 (
        REM Record the working password.
        ECHO %%i >> CREDS.txt
    )
)
ENDLOCAL