The speakers from Accuvant now proceed to demonstrate a couple of tricks they utilize for greater attack plausibility and credential harvesting on a pentest.

Martin Bos: The next thing you got to do is choose the attack vector (see image). And this goes back to our research: what type of AV they are using, whether we are targeting the HR department, a particular favorite.
The couple of things that we use are, obviously, infected PDFs, Adobe’s got a 0day every week, so you’ve got a pretty good chance of one of those working. VB macros in Word and Excel documents – let me just go back by saying that none of this stuff is new and none of this stuff is revolutionary. Unfortunately, this stuff is still working, that’s the problem. So, Word and Excel documents with macros – that still works all the time. The main things we like to use are from SET, from Dave Kennedy’s toolset, so we like to use the credential harvesting, we like to throw a nice malicious .exe in there or two, you never know.
And, of course, we like to use the Java applet; we have a special Java applet from Dave that he gave us that we can’t give anyone, but we can show you. So, what we like to do is we like to get a combination of these things just in case one doesn’t work, we like to have backup. So, what we’re going to do for this demo is we’re going to do some credential harvesting, we’ve got a malicious .exe in there, and we’re going to do the Java applet, which, once again, I’m sure everybody’s seen, but we’re going to show you how you can make a legit one.
Eric Milam: One other thing we should understand is that spear phishing attacks are the most politically charged tests that you’ll ever do in your organization. So, if you are a pentester, you make sure that you get as far up the tree as you can; you talk to your customer and let them know: hey, human nature is fickle, you might not react the same way as the next person. I mean, we’ve been threatened to be sued, we’ve had our websites pulled down, we’ve had everything from people getting upset for being phished or falling for it.
So, if you’re wanting to do this within your organization, I’ll say it again, do your research, get recommendations as high up the tree as you can. Our goal is not to get anybody fired or anything like that, but I’m sure we’ve caused plenty of shitstorms by doing this, even though we’re doing legitimately everything they’ve asked us to do and not going outside the bounds.
QUESTION: How severe is your attack and infection, and do you put actual names of people who got tricked in your report?
Martin Bos: Usually we don’t want to harp on people just for visiting the website. Now, once they click on the link, obviously some kind of code is going to run, and then one of the first things we do is grab the system. But no, we don’t call out anybody specifically in the report at all.
Eric Milam: We specifically stay away from that, because we don’t want anybody to get in trouble. We can tell them we’ve gotten so many people that have logged in and we’ve got credentials and we know they’re valid. But we never give out their username, even in our reports we don’t give out their username.

So, basically, here’s the website (see left-hand image). We’ve got the logo that says: “Secure Portal” because it says it is; over there at the top it says “secure” as well. There’s no lock there, but that’s cool because we put the lock right there by the employee login, so we know it’s legit, we know it’s safe. We’ve just got a standard login with a Login button; we’ve got a nice little “Trouble Logging In?” – Martin will show you what that does.
We’ve got a Security Notice and it’s red, so it’s important; it basically just says: “Information contained within is confidential, and it is intellectual property of Humana Inc. System is actively monitored and access records are collected” – and they are, only by us, not them. And then it says: “Use of the information and applications contained in the system, introduction of malicious code, temporary interference and disruption of the service is prohibited.” So, we take care of all that for them.

Martin Bos: So, we got this, and obviously this logs any user credentials that come in. The one kind of thing we like to do is we’ve got a little “Trouble Logging In?” button, because what we do is we actively monitor the GoDaddy account. So, after we send out the phishing emails we get a lot of people that actually email back and say: “Hey, I can’t log in to the site, what’s going on? There’s something wrong.” So, what we do is we have this help desk page (see image).
Eric Milam: It basically just says: “Hey, we’re sorry you’re experiencing some problems logging in. Why don’t you click this link, click the RUN button when it comes up, it’ll install our little help desk application, and I can chat with you live.”
Martin Bos: So, you see down there at the bottom we got our helpdesk.exe. I know none of you would ever do that, but it works. Think about all the other people in your office: it would be like “Oh, game on.” So, that’s our site. The other cool thing that you can do with GoDaddy is…

Eric Milam: So, here’s one of our other favorite things. We like to get as malicious as possible. So, you can change the WhoIs data, right? The reason you want to do that is that there are some smart people who will go out and check the WhoIs data from the Internet. So, all you’ve got to do is log in to your GoDaddy account, type in the organization name (“Humana” in this case), domain admins, it has the address – so basically I just looked up their WhoIs information and copied it directly to ours. And all I had to do is check this box that said: “Yeah, I certify that I’m with your organization, no problem.” Click OK – within 5 seconds ours matches theirs (see right-hand image).
The main thing that might be different is if they’re not registered with GoDaddy, that part will be different. So, what we do a lot of times, too, is we go and actually register the site where they registered their site, and then it looks almost 100% legit. So, we got ours that says: “Humana portal GoDaddy.”
Martin Bos: So, you can see up here I did a WhoIs on our Humana-portal.com site, and down there we’re legit.
Eric Milam: The only thing I ever changed in the email is that a lot of the time they say: “domain admin” or “admin”, or whatever; I just add an “s” on the end, so “domain admins”. GoDaddy rocks. Yes, we love GoDaddy.