Old skool tales on initial access

Recently, when talking to some friends who are still enjoying the art of breaking in as part of a red team, they reminded me how much more difficult initial access has gotten. I decided to write up some old stories in a bit more detail and, well, admit that when companies implement advice and actually do stuff, cyber does have an impact.

If you are interested in similar blogs about how ‘easy’ things used to be, feel free to read this and this. Anyhow, enjoy the (hopefully) short stories. Oh, and well, euhm, some might not be strictly about initial access; after all, we are pretending we are the bad guys, right? So why not go directly for the objectives, even if that breaks some kill chains ;)

The thing I liked most about initial access was thinking about the true objective of the assignment, since this determined whether phishing was the most appropriate way to get there or not.

And as always with these stories, I’ve mixed up some details, so they are not exact replicas of the events, to protect stuff. Many thanks to all my team members from back then; we had such a blast brainstorming on yet another approach to get that first initial access.

  1. 0days, since they are all the hype
  2. Slowly does it, no need to hurry
  3. Typosquatting email catch-all pays off
  4. Pivoting of their-ish website
  5. iPads are for executives and curious people

0days, since they are all the hype

Since they are all the hype nowadays: back then, when browser 0days were lying around, we decided to use one of them after capturing it from the bad guys. The 0day we used had been used in an active campaign in which banking users were the target. Sounded fun; it turned out to be a gigantic waste of time. Just to be sure, we had a ‘classical’ Word macro campaign running on the same target.

The reason why it was a gigantic waste of time is that we didn’t just want to repurpose the exploit without understanding it line by line. We first had to do that, then ensure that there were no backdoors and that it didn’t leave the client in a weaker position. After all, just swapping payloads without reading the rest of the code doesn’t mean you are done.

Anyhow, after some checking, rewriting and swapping of payloads, we decided to use it on one of the targets that we deemed to be of high value. It failed; unfortunately, no clue why. Don’t laugh, but the macros did succeed. Why start with this story? Because it is healthy to share failures as well, and it felt like fun to start with a failure :)

Slowly does it, no need to hurry

There isn’t endless time available, but some assignments provide for a much larger horizon in terms of when the assignment should be done. In this case, multiple months (4+).

This allows for a much slower approach where you can relax and break the pattern of always being the first one to offer a URL or attachment. Just show some honest interest in your target with the role that you picked, be it a journalist, salesperson, marketing, you name it. Go nuts, play that character that you always wanted to play ;)

Lightly steer the conversation and have your victim ask for proof, confidentiality agreements, etc. I used to like sending a non-working PDF first just to further build trust, since even when inspected, it was just a corrupted file.

After that, it is easier for the target to suggest bypasses of their own security controls. Some of the things that victims told me to use to avoid the ‘corruption’ were:

  • file transfer services
  • sending it to their private email so they could forward to work
  • sending it to their private email so they could put it on a USB stick
  • putting it in a zip with a password

Typosquatting email catch-all pays off

In multiple assignments we registered some domains with a typo in the name and an accept-anything (catch-all) inbox. The nice thing is that since there is no reply to the sender, most are unaware that they made a typo, unless they are really hoping for a reply.

This allowed us to get to know the organisation, the external people with whom they collaborate and, more importantly, attachments. After that it is a matter of forwarding / replying to the right mail thread and, back then, having a properly working macro.

The nice thing about this is that, as a bonus, you collect sensitive information, and that it helps to prepare better pretexts if you need a more direct approach later in the assignment.
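The flip side of the catch-all trick is that it is easy to spot from the sending organisation’s side: every mail that went to the typo domain shows up in the outbound mail log as a recipient domain that is one or two keystrokes away from the real one. The script below is an added example written for this post (not the author’s tooling or anything the red team used) that scans constructed mail-log lines and flags recipients whose domain is a near-miss of the organisation’s own or a known partner’s domain. The log format, the domain names and the edit-distance threshold are all assumptions made here for illustration.

```python
"""
Flag outbound mail to domains that look like a typo of our own (or a known
partner) domain.  Added example for this post, not the author's tooling; the
domains, log format and log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Domains we legitimately send to (constructed): the organisation's own domain
# and trusted partners.  Anything within a short edit distance of these, but
# not equal to them, is suspicious and worth a look (or a DMARC/SPF lookup).
KNOWN_DOMAINS = {"examplecorp.com", "partner-law.example"}

# Constructed mail-log lines in a made-up 'ts sender -> recipient "subject"' format.
SAMPLE_LOG = """\
2014-03-02T09:12:44Z alice@examplecorp.com -> bob@examplecorp.com "Q1 figures"
2014-03-02T09:14:03Z alice@examplecorp.com -> bob@examplecrop.com "Q1 figures (attached)"
2014-03-02T09:20:10Z carol@examplecorp.com -> dave@partner-law.example "NDA draft"
2014-03-02T09:21:55Z carol@examplecorp.com -> dave@partnerlaw.example "NDA draft v2"
2014-03-02T10:02:31Z erin@examplecorp.com -> news@unrelated-site.example "press kit"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) -> (\S+) "(.*)"$')


@dataclass
class Finding:
    timestamp: str
    recipient: str
    lookalike_of: str
    distance: int


def levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def closest_known(domain: str, known=KNOWN_DOMAINS):
    """Return (known_domain, distance) for the nearest known domain."""
    return min(((k, levenshtein(domain, k)) for k in known), key=lambda t: t[1])


def find_lookalike_recipients(log_text: str, max_distance: int = 2, known=KNOWN_DOMAINS):
    """Scan log lines; flag recipients whose domain is a near-miss of a known domain."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't match the constructed format
        ts, _sender, recipient, _subject = m.groups()
        rdomain = recipient.rsplit("@", 1)[-1].lower()
        if rdomain in known:
            continue  # exact match: the real domain, nothing to do
        nearest, dist = closest_known(rdomain, known)
        if dist <= max_distance:
            findings.append(Finding(ts, recipient, nearest, dist))
    return findings


if __name__ == "__main__":
    for f in find_lookalike_recipients(SAMPLE_LOG):
        print(f"{f.timestamp} {f.recipient} looks like {f.lookalike_of} (distance {f.distance})")
```

On the constructed log, the two transposed/missing-character recipients are flagged and the unrelated domain is not. A threshold of 2 catches the swapped-letter and dropped-hyphen cases from the sample; in a real mail flow you would tune it per domain length and keep an allowlist of legitimately similar domains to avoid noise.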

Pivoting of their-ish website

To increase the chances of a victim clicking our URL and downloading a file, it was also worth seeing if their main website or a sub-domain could be hacked. This created a larger sense of ‘trust’ for the victim.

The underlying techniques were, however, the same back then: exe files in zips, macros or Java applets.

The nice thing is, sometimes you didn’t need to look at their website. You could copy their website on a typosquat domain and then just call them up. During the phone conversation, usually with the reception, you’d walk them through a ‘website not working’ scenario and they would follow along with the same ‘problem steps’ that you seemed to have. Which, of course, resulted in some kind of file being downloaded to obtain code execution. The bonus was that since you were on the phone with them, you both felt like you were ‘working together on fixing the website issue’.

iPads are for executives and curious people

For this assignment the objective was again sensitive information at the executive level. However, the interesting part was that they had recently switched to iPads and, well, all information had to be accessible from the iPad, ’cause you know, execs and ease of use and all that.

This was still during the time that screen locks contained a lot of bugs and you could bypass them. How would you get that iPad you might ask? Well we tried our best to get a ‘steal it’ scenario approved, but the client (something something legal department) was reluctant so we just got it handed to us :(

During this initial entry the twist was the other way around: when the lock screen was bypassed we basically had access to all the juicy info. HOWEVER, it turned out that… yes, you guessed it right. The accessible document location for some reason contained administrative files with domain admin credentials, protected with some lightweight obfuscation and encryption.

In this case becoming domain admin was the byproduct, not the goal for a change.
