Remote social engineering techniques involving Microsoft Universal Naming Convention (UNC) function.

Transcription

1 10 March 2016 Remote social engineering techniques involving Microsoft Universal Naming Convention (UNC) function. Presented by Neil Lines

2 Who am I? Neil Lines - Pen Tester Involved in a range of security areas. Social Engineering is my favourite! I want to share some tips n tricks.

3 Background. Much of what we will cover today as been around for a while a long while! 20 years!

4 Background. Attacking via functionality is awesome Exploits are expensive, noisy and often unreliable Massive success with something as common and simple as SMB

5 Background. SMB in action you ve all seen it!

6 Background. The following discovery was made by Aaron Spangler in 1997: file://x.x.x.x initiates an SMB request in IE He could force IE to do this without the users knowledge

7 Background. What does this mean? UNC Abuse! In 2016, this is as problematic as ever more so than ever!

8 Background. Quick introduction: What is UNC? Universal Naming Convention Used to specify the location of resources such as shared files or devices.

9 Social Engineering

10 Background. SMB/UNC yawn! So what? Remember exploiting design is always preferable Exploiting people even better

11 Background. We love attack surface We love footholds We love internal infrastructure We love being remote

12 A quick primer on basic reconnaissance

13 Reconnaissance AUTOMATED The Harvester Metagoofil Recon-ng FOCA Etc All automated but with limitations

14 Reconnaissance MANUAL

15 LinkedIn - Prowl LinkedIn is a great source Pain to traverse manually Existing tools limited Automated tool Prowl, by Matt Pickford

16 Adobe Adobe breach the gift that still keeps on giving Forget passwords it s all about users

17 Profiling Reconnaissance Let s add some legitimacy signatures are a good start

18 Cool. But what about UNC?

19 UNC Attacks Reconnaissance Not just IE & Edge that can initiate SMB connections Outlook Office Probably others too

20 Creating the payload

21 Creating the payload

22 Receiving the payload The victim receives this: If they click that link

23 Exploit success

24 DEMO TIME

25 Cracking the hash Password complexity ha Hash cracking is as easy as ever I use Rocktastic, but you can use anything

26 DEMO TIME

27 How can this happen remotely? None restrictive rule set. Very restrictive rule set denying most ports.

28 How can this happen remotely? Many corporate perimeter firewalls suffer from poor egress What about remote workers?

29 What's next? We have a domain cred. Now what? External attack surface! 1FA is still far too prevalent.

30 Access to internal resources

31 Access to office documents

32 Access to VPN

33 And we are in Remote access into internal network is often possible Single sign-on systems are very common Initial foothold obtained!

34 A typical attack chain

35 The beat goes on Remote access has been obtained The attack chain continues One example of how this might play out

36 Internal enumeration 5 30 mins Enumerate internal misconfigured network shares using domain credentials gained from UNC exploit.

37 Identify misconfiguration Attempt to exploit misconfigured network shares and upload a shell 5 30 mins

38 Elevation Attempt to elevate rights on the compromised internal machine 1-5 mins

39 Password reuse Use the local admin account to PTH mins Hunt out users of interest (not just DA)

40 Goal Access your target. Enumerate data. 1 5 mins

41 0 to hero It is often a short period of time from: No prior knowledge and remote location to complete asset compromise

42 Real world examples

43 The recruitment sample Word doc with UNC image embedded People click ok on everything

44 Win a watch

45 Browser games Remember Internet Explorer and Edge also understand SMB We are not limited to spear phishing

46 html image tags 1) Cloned Site 2) UNC image!

47 DEMO TIME

48 UNC with cross site scripting You can get inventive lots of options E.g. XSS? <script src="file:///\\ \test"</script>

49 So you block port 445

50 Delete that warm fuzzy feeling Block 445 outbound Don t use IE Safe?

51 DEMO TIME

52 Browsers that can be exploited over HTTP IE / EDGE Firefox Chrome

53 Any Questions?