
A Wolf In Sheep's Clothing - Bsides Vancouver 2017

BSides Vancouver · 1:12:21 · 9 views · Published 2018-01

About this talk
BSides Vancouver 2017 - Roberto Salgado

Transcript [en]

Good morning, good morning. Test, test, test. How are you all doing this morning? Nice to see you out. Sorry there's not enough chairs here; it's always hard to mix and match which of our talks are going to have more people attend or not. Anyways, welcome to BSides day two. This morning we have Mr. Roberto Salgado presenting this talk, A Wolf in Sheep's Clothing. He's going to talk about exploring the latest social engineering techniques that are currently being used by criminals, while going into some of the ways to defend against them. Roberto Salgado is both founder and CTO of Websec. He's from Victoria. Roberto and

Websec have also been our sponsors for BSides from year one, and I'd like to thank them for that. Roberto's got lots of skills. He's definitely a skilled pen tester, business developer. He's also developed and put work into such known projects as libinjection, ModSecurity, PHPIDS, sqlmap, the Web Application Obfuscation book. Roberto also created and maintains the SQL Injection Knowledge Base, a valuable resource for security researchers and one of the most comprehensive references available when dealing with SQL injections. I'm just going to cut that nice and short. Thank you for being here, Roberto. Take it away. Thank you, Darren. Thanks. So, as Darren said, I'll be talking

about social engineering. A Wolf in Sheep's Clothing is the talk. Here he did a brief introduction of myself, but just to recap: Roberto Salgado, co-founder of Websec, just a company that does information security services. I've been a developer since I was a little kid. The last four years or so I've been developing a lot in Python; recently I just started learning Golang, it's a great language. And there's my contact info if you ever need to get in touch with me. A brief overview of the topics we'll be seeing, but let's just jump right into it. So yesterday I had probably like 50 slides, and today I have 115 slides, so I

have 114 left, so it's going to be a lot of stuff. So I'm thinking maybe, if we have time, we'll do the questions at the end, but if anyone has questions throughout the presentation, just feel free to ask me, interrupt me if you need to. So these are some of the different kinds of social engineering that we see. I'm not really going to explain them; I'm sure a lot of you are familiar with most of these. Can anyone think of maybe a technique that's not on the list that's social engineering? Yeah, that's a good one, and I do touch on vishing later, I just didn't include it in the list. Yeah, you can keep on going on the

phishing variations, but yeah, let's just go for it. So why should we care about social engineering? Well, I mean, social engineering has probably been around since humans have. It's just a way of deceiving someone or tricking someone in a way that will benefit you in a certain way, and it's a super common point of entry these days for data breaches, as you'll see, and evidence shows that social engineering is probably actually trending. So it says that 91% of cyber attacks can start the breach with a phishing email. I got a lot of these graphs from the Verizon Data Breach Investigations Report from 2016. It explains a lot more

on these graphs, so if you're interested in that I'd recommend taking a read through it; it's a pretty good report. So yeah, you can see that hacking is still used quite a bit, and then "everything else" breaches, so the category didn't really fall into anything specific, just in general, and social engineering is right below it. But then if we look at, for example, attacks using cyber espionage, social engineering is huge in cyber espionage. Phishing is still like the third, almost, you know, 70 percent there, and then we see two other forms of social engineering like pretexting, and even bribery comes down there; even though it's very low, it does happen. And even

with web attacks we can see that social engineering, and phishing in particular, is also really high up there. When companies in the U.S. and Europe were asked what they think their biggest threat might be, 81% of U.S. and 83% of Europe stated that social engineering is probably one of the biggest threats that they face. And then if you look at the number of phishing sites discovered monthly, all the way from 2007, and this goes up to only 2012, you can see it's a huge spike. And a few more graphs just to really support my theory that phishing is trending: you can see the social aspect here and the number of breaches.

The threats, their "social" is quite up there too, as we can see with other graphs; it's kind of in third place here. Same with this one, this is a little harder to follow, there's so much going on, but social, being the pink one, starts down here, goes up, has a little spike, but it's going up slowly up here, especially from where it was, 2015 to like 2010; it's really gone up in the last five years. So are we a target? Like, I know you think phishing maybe it's only for CEOs of companies or other people; like maybe the average day person isn't going to be a target, but

there's really always something that they can get out of you. If you just look at this image, you see, like, maybe they can host malware on your computer, or pirated software, pornography; they can use your machine to send out spam; they can obtain sensitive information from your computer. If they compromise your email, then they can use it for business email attacks, BEC attacks, where they pretend to be from inside the company and maybe ask finance for money. They can try and sell proprietary software from your computer, hijack your search engine, your social sites, get your banking information, install ransomware on your computer. I mean, there's just an endless amount of

reasons why someone would want access to your computer. Even if you don't even have money or banking information, they might just use it to send out spam or to pivot their attacks to other machines that they want to compromise. So why does social engineering even work in the first place? I think it really relies on human emotions and weaknesses. These are some of the ones I thought of that I see often in social engineering attacks; they take advantage of these certain emotions, I guess. And with all my talks I always have to include an xkcd comic. It's kind of funny, so: Phishing License. "Hi, I'd like to

apply for a..." "You're under arrest." And he's like, "Okay, I should have seen that coming." But then if you highlight the text that comes out later, he's walking out of the jail and posting a ten thousand dollar bail: "Wait, this isn't even the street the county jail is on." So that guy was phished. There's just some quick historical examples. I mean, you could say that maybe Adam and Eve were socially engineered by that snake, right, when they were tricked to take a bite of the apple. Of course you can think of the Trojan horse. And there's, you know, I've heard people have heard of the Ponzi scheme that was

back in the '20s. There's a guy who actually tried to sell the Eiffel Tower; he'd tell tourists that he'd sell them the tower or bits of it. There's that movie Catch Me If You Can with Leonardo DiCaprio; I'm sure some of you have seen it too. This is based on Frank Abagnale, who's... it's a real story, and when he was interviewed later they asked him, "So how do you do it? How does it work?" And he says, "If you dress the part and play the part, people will believe that you belong to that part." So a lot of times he'd maybe dress up as a captain for an

airline and then he'd get free flights, you know, travel around. Kevin Mitnick's another big one in social engineering, more recently. He was around a lot when I was growing up, especially in the early '90s and stuff; he was like the king of social engineering back then. And then Bernie Madoff, of course; he's kind of like the modern-day Ponzi. And a few other ones, you know: Target, they got into their HVAC contractor through a phishing email, I think, and it ended up being one of the biggest breaches, database or credit card breaches, in history. This guy's awesome: so he wanted to go see his favorite band, and

he went backstage, and right before he went up to the bouncer he modified the band's wiki page, because it wasn't locked or restricted, anyone could modify it. So he just modified it quickly and added himself as a family member of the band, so to get in he just showed the bouncer on the wiki page that he was a family member. They let him in, and I guess the band was so impressed with that technique that they ended up taking photos with him and having some drinks. I was just reading this article like a month ago or so; I got it that in 2005 he managed to sneak into the Oscars,

and kind of based on what I was just saying, when he was asked, he said, "I put on my best black suit and tie, combed my hair back, and completely silver walked up to the Kodak Theatre. They're just people; I can be one of them." So he just played the part and people believed him, and he was able to get through like three or four security barriers and actually got in, and then took pictures of Chris Rock and a few other Hollywood stars. Of course, more recently, with the DNC hack, it's kind of embarrassing that John Podesta was hacked through a phishing email for his Google email account, like Gmail,

and let me show you a quick demo of just a phishing email here. This one's going around; it's been going around quite a bit lately. I saw it a few years ago and I saw a comeback of this. So this is just my Gmail; I prepared this last night, so I don't have the internet on this computer right now. So here's an attachment, or what looks to be an attachment, but it's not really an attachment; it's an image that looks like it's an attachment with a PDF on it, but it has a link that redirects the user somewhere else. So I also have my Thunderbird here; you can look at the link right below,

and as it appears, it looks like it's going to a Google page, but this is just a little trick. The real page is my evilcorp.com page. If you can see, it has a little @ symbol right there; that means that all of this is just like a login, like a username/password type thing, and then this is the actual domain where it's going. But it makes it seem like it's really going to accounts.google.com. And I was showing you my Thunderbird because it shows you the full link in Thunderbird, but if I look at the Gmail and put my mouse over it, it will take out the credential part and it just shows me

the actual domain, evilcorp. So evilcorp is just a hostname I set up on my local computer. I actually should probably start WAMP server here.

Okay, so when the user gets this email, he's like, "Oh, check out the sweet attachment." They click on it, and this is doing a redirect to my server. It did it really quickly there: it went to evilcorp on my localhost and redirected to a data protocol. So instead of an HTTPS protocol, you're using the data protocol, and then it's saying to you it could be of type text/html. So then again, this makes it look like it's actually on Google's domain, but this is actually just text that's there. If you move all the way here, you'll actually see a script tag, and the script tag again uses the data

protocol to base64-encode the payload. The actual entire web page is hidden in that base64 string. So I could just do this again quickly so you can see, because it happens really fast: the person gets an attachment, they might, you know, click on it not thinking twice about it, oh, redirect, ask them to sign in; once they actually sign in, the credentials are stolen for that Gmail account. So it's kind of a tricky one. Unfortunately, the one that Podesta fell for was much simpler, I think.

Try not to move around much; I'm told to stay in this little square here. A few more real-life examples. I thought this one was great, because what Russia did, according to the story, is they wanted to get into NATO headquarters, and specifically into this air-gapped machine, meaning it had no access to the internet. So what they did is there were a bunch of retail stores around; they supplied all those retail stores with infected USB drives, and eventually someone from the NATO headquarters would go to one of these stores and buy a USB, plug it into the computer, and eventually it got accessed that way. So, pretty sneaky.

The FBI: this one goes back to 1971. They really wanted to break into the FBI headquarters, but the door was always locked, and apparently lock picking it was not an option, so they kindly left a note on the door asking them not to lock it, and sure enough, when they showed up, the door wasn't locked and they were able to just get in, steal the secret Selective Service records and leave. Wow. And then in the media, all the time: when I was preparing a basic version of this talk back in 2016, I was just looking at the news, and within like two weeks I saw so many articles with phishing

and just scamming and social engineering in general. PayPal phishing is a huge one. Attackers are usually trying to phish with PayPal because even if they get into a PayPal account and they don't get financial information, there still can be a lot of sensitive information, like maybe a banking number or something, or a social security number, something that they can use to gain access to other accounts. Targeted phishing, you know: if they get, again, maybe your address through PayPal or some other website they hack, and then they start sending you more targeted attacks. This is huge: so BEC, you know, where someone pretends to be

the CEO and then emails the CFO, for example, asking them to wire, you know, so much money to an account in China. And I guess this is from April '16, so the FBI said that 2.3 billion had been lost; by June 2016 it had gone up to 3.1 billion. So I mean, we can see that business email compromise is also trending. One of the worst cases was a CFO who ended up transferring 44.6 million dollars. And in that example, that first one, the Chinese scammers, take Mattel, I think they're like a game/toy company, right? I think what happened with these guys is

they sent it on Friday, but since that was the weekend, they sent the money but it was on Friday, it was the weekend, so the money couldn't go through until Monday, so they were able to contact the bank in China and get the money back. That was really lucky for them. So, Krebs, Brian Krebs, he's an investigative journalist; he's like the Sherlock Holmes of the internet for getting bad guys. He's amazing, some of the stuff he finds. He has a whole section on business email compromise examples, and unfortunately a lot of insurers won't cover you if you get scammed through phishing or social engineering, because that was kind of

your fault, they say. This is one of the examples of how these business email compromises go: you know, they always ask it to be strictly confidential, take priority over other tasks, so it's like, do it now, fast, not give them time to think about it. They asked if they had been contacted by the attorney from KPMG; "that's very sensitive, only communicate with me," you know, don't speak with anyone else about this. And then they later had someone call pretending to be this KPMG attorney and actually contact the person by phone. And you can see the link about it, where this firm actually tried to sue the insurer over forty-eight

thousand... 480 thousand dollars that they had lost. And since January 2016, it says that BEC has witnessed a huge increase, as you can see, and here you can kind of see where BEC is more predominant; the hot spot is obviously the U.S., Brazil, Australia, but Canada is growing too, it's getting up there. And unfortunately, most of the targets are the higher executives in the company for these BEC attacks, so like the CFO, CEO, and whenever I've done a social engineering engagement with my clients, every time they ask me not to target the CEO or CFO; they're out of the test, like they don't want to get

left with, right? They don't want their daily operations messed with or anything. So sometimes these guys are the least trained, or at least aware, of how to prevent or recognize these attacks, and they're the most targeted, so hopefully that will change. So this talk is going to focus mostly on phishing, because it is one of the more prevalent forms of social engineering, and part of that is because of how easy it is to execute. If I look at my spam folder in my email, this was back in 2016, you can see by the dates right there, actually all these attachments are Word documents or Excel sheets

with malicious macros trying to hack me. It's kind of funny, because I took a look at my email last night, or two nights ago, and I noticed that there are hardly any attachments now, so Gmail has stepped up their game and they've started detecting and blocking all these macros that people are sending. Even when I've tried to do tests, if my macro isn't fully undetectable and Google detects it, it won't even send the email; it just blocks it right away. So I did notice two that had attachments, so I decided to look at these quickly, and both attachments were HTML files that were attached. That bottom one, the HTML file that

was included, was this fake phishing site that asked you for your name, you know, your social security number, credit card details, anything that they can get. Taking a look at the HTML code, you can see some stuff referencing like G Analytics, more G Analytics, but I can see a weird hash there, and then f validator. Well, it turns out this is actually a key; it's decrypting this data. Very suspicious. I prettified the HTML so you can see it better, and then running just these functions in the console to see what it gave back: this is the actual compromised site, this "state chain", and this is a PHP script where it's sending all that

information that I put in through a POST request. I got this one last year in my email, but I noticed it was kind of targeting Canadians; I know a few other Canadians, I think Colin had gotten it. Kind of funny, because it says "macro sees", like if it was Gollum or Sméagol or something. This is kind of what the macro looked like for this one, and if I scan this with VirusTotal or NoDistribute, I can't remember which one... yeah, this is NoDistribute, and it got detected by 16 out of the 35 AVs which I scanned it with, even though this email had been

going around forever. I mean, it's good that 16 AVs are detecting it, but you'd hope that the detection rate would be higher, you know, closer to 100. So I mean, I could send this old macro to people and it'd still work if you're using one of these AVs that didn't detect it. Another more interesting one is I got an SMS from Rogers, well, it seemed to be Rogers; it came from a seven-thousand number. So a lot of people don't know that you can easily spoof numbers, like you can spoof emails too. And I had a bit of trouble with this; I wasn't sure, because I had this website, I was trying to figure out if it

was real or not. I'm not going to the website, everything looks pretty real, but once I looked a little closer into it, it turns out it was a fake. So I reported this to Rogers, and just put "weak pd" there, why not, and luckily I checked it like a month later and the site had been taken down, so that was a good thing. Something I'm starting to see a little bit more too is phishing on OS X. So maybe six months ago I probably didn't see any macros that worked on Mac; within the last month or two I've been seeing tons of them, and because they're kind of fairly new to

the macro game, I guess they have a really low detection rate, and apparently Office 2011 doesn't have a sandbox or anything; it makes it really easy to backdoor and elevate your privileges. My business partner Paulino Calderón has been doing some research on these Mac macros and was kind enough to share this video with me of this new attack he's been working on.

So he opens the doc, and before the doc even opens it asks him to put in his Apple ID password, just to view the doc, before anything has even loaded. Once you put it in, if you look at the Wireshark, the credentials were captured and sent through HTTP, just a GET request, in this example. So we're going to look a little bit at how social engineering is done, like how we can maybe do some tests in-house with our employees, or if you want just some in-house training you could set up, or if you're doing this for an engagement. These are some phishing toolkits and frameworks that currently

exist. I'm not really going to go into them much; I haven't really tested them or used any of them myself, but it's definitely a quick way to get an engagement set up. They have a bunch of templates you can use; they can automate a bunch of the process. There's also phishing as a service if you don't really want to set up your own phishing. The only website I kind of knew about for this was this fake-game Russian site. I don't know if it's still active or not; it's redirecting me to check this admin URL, but it says there's a total of like a million hijacked accounts or something, and that you can get Steam, online tanks, and different other

accounts. There are some other types of tools. I mean, I was looking at tools for phishing and social engineering; there were like hundreds, so I only included a very limited set. I found this SNAP_R one kind of interesting. I haven't tested it yet, but it was just presented at Black Hat, I guess, and according to them it uses machine learning to target social media, like Twitter sites, and based on what someone tweets, adapt to what they like and then target them with a social engineering attack based on that, and according to them it gets two out of three people. There's SET, which is the Social-Engineer Toolkit; this is great for a variety of social

engineering attacks, by David Kennedy (ReL1K). Oh, it's pretty popular, so it might get detected; you might have to modify certain things so it doesn't get detected. Then there are a few where you can do social engineering or phishing through Wi-Fi, so if I set up a fake access point and then I denied service to your Wi-Fi so that you connect to mine, I can present you with fake sites which you might think are real.

And then there's, you know, Teensy or HID, when you plug in a USB and it acts as a keyboard or a mouse. So before, computers had problems like USBs that had the autorun, so you'd plug in a USB, autorun, the malware would automatically run. Windows ended up changing that so you can't just autorun stuff anymore with a normal USB. So what you can use is you can plug in a USB that pretends it's a keyboard or a mouse, and you program all these commands for it to do, so it might open a command prompt just by clicking the Start menu, typing "command" and then opening the command prompt and

then executing a bunch of code that way. These are some tools that can help you create attacks of that style. So something you want to do is open-source intelligence, to research your target before executing the social engineering attack. There are many publicly available sources, of course: social networks like Google, Facebook; looking at the person's LinkedIn is always good; a company website can sometimes host emails and positions and names of the employees working there, so that's always good. And sometimes, as a last resort, you can use the dark web, or you can even pay for a credit check on someone and you can get their phone number or their address.

So attackers use this all the time to get celebrities' phone numbers and addresses: they just pay like 50, 60 for a credit check online and suddenly they have all that person's information. And again, just a few tools that could help you research people. Looking at the dark web, as I was saying, now tax season is coming up, you can buy a bunch of tax data on many Americans, because they have literally almost every American in their database; there are millions, and this has other information like SSN numbers and other stuff that could be really useful for even targeted phishing. I know they've even hacked social security databases, and then

Russians sell these databases for very cheap; you can buy a social security number for a dollar, two dollars, and some websites use social security numbers as validation to prove your identity. I was talking about the business email compromise earlier; in this attack this person tried to get a copy, a W-2 copy, of the entire employees of the company. I think it didn't work for him, but this is kind of what his message looked like when he sent it out. So once we've researched the target, we have to figure out how we are going to deliver the payload to this target. What's the best way to get them to open my attack, or

what would work best? So you have to consider what you know about the target, what method might raise the least amount of suspicion, and identify what your strengths and weaknesses are, and practice on that, build on that. Some forms: you could go in person, like in the office, and, you know, pretend you're delivering flowers or something; or over the phone, you could pretend you're their ISP and that they have detected malware coming from their network, or that you can give them a free upgrade somehow and they have to provide certain information for that.

So just as Kevin was saying earlier, there's vishing. What's good about vishing is that, you know, generally you don't really need technical knowledge; maybe the only technical knowledge you might use is if you're spoofing your phone number. And this is actually really common. Vishing, like, there's some people, especially... there's a story I read recently on Krebs that led me to this other story on Wired, which I highly recommend. It's from 2012; it talks about this, I guess he was like 15 years old at the time, hacker that went by the name Cosmo, and he developed a bunch of social engineering attacks where he'd call companies and he could get into almost anyone's account just

through calling the person and getting them to reset the password, for example. He actually ended up hacking Cloudflare, the CEO, just so he could redirect the channel for 4chan to their Twitter account for a few minutes, and that was quite the stunt, because the CEO of Cloudflare had two-factor authentication on and they figured out a way to bypass that too. It's in the articles; I recommend reading them if you want to learn more about it.

"So I invited a few of the world's best hackers to try to hack me and show me where my vulnerabilities are, and now I'm going to meet them in Las Vegas for DEF CON, the biggest hacker convention of the year, using social engineering, which is essentially hacking without any code, right? They just use a phone and an internet connection." "Do you want to do a sample vishing call?" "What's vishing?" "Vishing is voice elicitation, and basically what you do is use the phone to extract information or data points that can be used in a later attack." "Let's do it. Who are you going to call?" "Maybe I'll call your cell phone provider and see if I can get them to give me your email

address." "I bet they're good, I bet they have my back, but yes, go for it." "I'm gonna spoof from your number, so it's gonna look like it's calling from you." "Okay." There's the spoofing technique, and her technique is the crying baby in the background. "I'm so sorry, can you hear me okay? My baby... my husband's like, we're about to apply for a loan and we just had a baby, and he's like, get this done by today, so I'm so sorry, I can't call you back. I'm trying to log into our account for your information and I can't remember what email address we used to log into the account." The baby's crying, and

"Can you help me?" "Awesome." In just 30 seconds... "gmail.com." Jessica gets access to my personal email address. "Now, if I needed to add our daughter on our account so she could call in and make changes, how would I need to go about doing that?" "You would have to send me a secure PIN through a text message." "Yeah, well, the thing is, I don't think I'll be able to receive a text message if I'm on the phone." "Oh, I'm not on there either? I thought when we got married he added me to the account." Jess uses my girlfriend's name and a fake social security number, 5-1-2-7, to set up her own personal access to my

account. "So there's no password on my account right now; can I set that up?" She even gets the support person to change my password. "Thank you so much for your help today." So she just basically locked me out of my own account. "I'll get her fed after this. All right, thank you." "Holy [ __ ]." "Holy [ __ ] is right. It's unbelievable how common it is; it happens all the time, you know, eBay, Amazon, all these sites, you know, you think they would..." That was so... so that's vishing. Another method is baiting. According to research, 76 percent of people plug an unknown USB device into the computer. Holy [ __ ].

There's a trick, you know, like I was saying: you could send a secretary or whatever maybe a bouquet of flowers, USB flowers, pretending to be from a romantic lover, and how could you resist not plugging that in and seeing what it's all about? There are also some USB devices where the moment you plug them in, they'll just fry your computer and destroy it; they fry the motherboard. They have capacitors that hold charge, and the moment you plug it in, it unleashes all that charge into your computer and your computer's done. Anyone here watch Mr. Robot? Okay, so you've probably seen this, but I think it's a great example. [Music] "You're not breaking through the police

headquarters." So Darlene is dropping a bunch of USBs. "Detectives..."

Someone pointed out to me yesterday, like, you only picked up one; there's like 20 USBs there, you know. Nice enough to leave them for other people.

"...details." It's very common too; you see phishing sites, you know, offering you free music or movies and stuff. Here the malware is already actually running in the background. "Detectives..."

"Connection closed by remote host." "But we had a fish." "I was in; the exploit started to run and then..." "Did you write that exploit yourself?" "I had an hour." "What, you just pulled code from Rapid9 or some..." "Rapid9, right." What's interesting too about that video is how the officer, once he realizes that he's been infected, he just unplugs his computer and shuts it off. In a real attack you don't usually want to do that, because if there's any evidence in memory, you lose all the evidence in memory. You can unplug it from the internet and stuff, and, you know, call a security professional, maybe to get a memory dump at least, so they can kind of

figure out what was happening there. So the other method, which is probably the most used, is the email payload, again because it's, you know, extremely easy to do, doesn't cost anything, really low risk of being caught, and you can target a mass amount of people with your emails, like a spam or phishing campaign. According to the research, 13% of people clicked on phishing attachments, and the median time to the click is very short. In my personal experience it's been a bit higher than this, but I'm doing a bit more targeted spear phishing; this is more generic, I guess. So if you want to send your payload through email, you have the option of

setting up your own email server, which can be a pain in the ass, because sometimes if you just set up a new server for your email, it hasn't been whitelisted, it's not approved, you know, it's just a random server. But if you do want to go this way about it, I saw the script mail-server-setup which helps you; there's the Git for it. It helps you automate this process of setting up your mail server; these are the things it kind of does for you. We used to do this back in the day, not using this tool but setting up our own mail servers, and it was just so much of a

hassle every time. Sometimes our emails wouldn't go through, or the SPF wasn't right, or it was always one issue or another. So what we started doing is using cloud email providers. One that we've been using a lot recently was Outlook 365. So maybe we'll buy a domain through GoDaddy, and GoDaddy gives you the option of including the email account through Outlook 365, and then, you know, Microsoft is whitelisted; they're a trusted email provider, so if you use them there's a higher chance your email will go through. Apparently spammers are also using warm-up accounts, so these are fake accounts that they created which they'll

send the emails the spam to first and since no one complains because they own all these accounts it gets trusted by the gmail account or whatever so then you can send it to the real targets and it won't be blocked at that point um so mostly if you look at this graph here the biggest threat is uh attachments people are sending attachments to their emails and then the second one would be like a web drive or an email link sending a link that would later have the malware once they click on it reach it if we take uh look quickly at what's being sent i mean docs are being sent quite a bit because still a lot of

people don't know that you can get hacked through a word of documents or like an excel document even potentially a powerpoint um you know just open it enable macros you're hacked a lot of people are just starting to send uh your j uh javascript files directly because if you open a javascript following windows windows will use c script or w script which is native tools to for windows to actually run javascript on the os sometimes they'll just send up the vbs too just the straight up visual basic documents

So ransomware, it's pretty big. If you look at the discoveries of ransomware from 2005, where there was maybe only one or two, to 2012, going all the way to 2016: in the first quarter of 2016 there are almost as many variants as in the entire 2015. It's just exploding. Another graph that backs me up here: ransomware has spiked 752 percent in 2016. So it's one of the biggest threats today, but if we look at what attackers are actually sending, they're sending C2s, command and control malware. This way they still have control of the computer and they can maybe mine for credentials, for banking details, and then if nothing works they could always throw the ransomware on top later, right? Others just directly do the ransomware, and then some people have keyloggers or backdoors. Trend Micro stated that ransomware detection was around one percent. There are so many new variants coming out, and changes; a lot of people use one ransomware, it gets detected, and they already have a new one coming up that they've programmed and that's not detected by AV. So detection rates are pretty low for ransomware, and people are doing it because almost everyone will pay the ransom. I mean, I'm guessing; I've just heard stories of so many ransomware attacks and they always pay the ransom. So if we could pick a domain

to execute our attack from, maybe for our email or to send them a link, there are many things we can consider for the domain, like omitting certain characters or swapping letters, putting a dot in the wrong place or missing a dot, flipping, using a different TLD. So if the website uses .com, sometimes we'll register the same exact website but we'll use the .org or .net and send our emails from that. Sometimes it can be confusing with certain companies: for example, if you get an email from Facebook they send the mail from facebookmail.com, or if you get one from Yahoo it's from yahoo-inc.com; it's not coming from the original domain, so that can confuse users sometimes, and then you can use the same idea for your attacks, register something that's similar.

All of the websites are starting to use certificates, so TLS, with Let's Encrypt. Let's Encrypt is an organization that provides free certs for your website; I think you have to renew every three months or so. But according to someone's research there are like 709 certificates that have been registered with the keyword "paypal", so obviously these are phishing sites, and then there are others: Bank of America, Apple, Amazon, and all these other sites. Attackers are starting to SSL their websites, their phishing sites, because it gives them a bit more credibility. And even in some training courses to prevent these attacks I've seen people say, look at the green padlock; if it's green then it's pretty safe, you're good to go. But it's not true, because the attackers are using that now too. You can see here's an example of one that uses Let's Encrypt, and here's an Apple one that's also certified.

So again, getting back to picking your domain, there's a tool that can help you out with that, URLCrazy. It does all the things on that list I just mentioned, the vowel swapping, the missing dots; so you put in a website, for example like example.com here, and it'll give you all these different variations.

I was just seeing a new tool, dnstwist; it does exactly the same thing, it seems. So here he's trying it with amazon.com, and it can actually check to see if the website's available or not, or if it's been registered. So it gives you different variations and then you can get a visual look to see what would be most confusing or look most similar to the real site.

Homoglyph attacks: so Unicode characters that look very similar to the real character, but it's a completely different character. Adrian, or Irongeek, has a generator you can use for generating these different Unicode strings that look similar, and here's just an example: this guy put in skype.com for the website; that k is not a real k, that's a Unicode character that looks like a k but it's not a k. Or with slack, you use the k too. So if someone registered this domain and then sent you an email from that, it might be really hard to tell that it's not the real Slack. And Unicode, they're aware of it; the Consortium, in their docs, they have a visual security issues page where they talk about this.

Unicode attacks aren't restricted to just domains; you can use Unicode for other stuff. There's a really interesting character known as the mirror character, or the left-to-right override / right-to-left override, where you can give it a string of text and it'll flip it over, like if you're looking at it through a mirror. So there are a few things to look at here. This looks like it has the extension of a JPEG, right? But it's really an executable; I just have the mirror character placed right in there. So if you look at the properties for this, the word "properties" has actually been reversed because of this mirror character; that's "properties" right there. But even though it looks like a JPEG it's still an executable, it shows as an application, and if we do an ls in DOS you can see a question mark there, because it can't represent that Unicode character, so it just puts a question mark in its place and it shows the proper extension of .exe. Let's look at a quick demo of this.

So Character Map is included in pretty much every version of Windows as far as I know; you just type charmap in your run box and it'll come up. So what we're looking for is that left character, and there are a few of them, so don't get confused: there's the left-to-right mark, then you have the left-to-right embedding, but you want the override character. Double-click that, copy it, and then let's just pretend this is a file name, for example. If I were to put the Unicode character right in here, it flips everything over and it makes it seem like a JPEG, and then I could change the icon to make it look like a JPEG too. I mean, Windows by default doesn't even show you the extensions, but in the case that they did enable extensions, now, just because that Unicode character is right in there, it makes it seem like it's a JPEG, but it's not.

Next you need your command and control center. So if you're expecting to take over someone's computer, you need two-way communication with that computer. We usually just get any server; you can do AWS. Apparently with Amazon, if you're doing pen testing you need to get permission beforehand by listing what IPs you're going to be testing and stuff like that, but if you're just using it for a command and control center they don't seem to care; they don't block you at all. You can set up Meterpreter or Empire, for example, and it's fine. You can use any cloud server, whatever. I like to use Metasploit, but there's also PowerShell Empire. Metasploit's great because there's a community edition which is free, it has a lot of support, it's been around forever so it's pretty reliable, it's multi-platform (you can run it on Mac, Linux, Windows), and I like to use resource scripts, which is something it includes that lets me automate quite a bit. And it's developed by Rapid7; like you might have heard earlier in the video, they said Rapid9, that was just a spoof on this Rapid7 company. And the nice thing about Empire is it's all PowerShell, so PowerShell has low detection; it runs a lot in memory, so it will keep it pretty undetectable. But it hasn't been around as long as Metasploit, so it might not be as reliable.

For creating your template for your document, I would recommend looking at John Lambert's research; his Twitter is right there. That's pretty much all he posts, and pictures of birds, which I actually enjoy too, but he has a bunch of different templates and examples and techniques that you can copy or use as an example. So if you want to make your payload fully undetectable to antivirus, because that's important these days, like I was telling you, you can't even send it through Gmail if it's detected, and then on their end, if their firewall or any IDS or antivirus system they have

detects it, it will also get blocked. So it's really important that your attack is pretty undetectable if you want to have it reach your target. If you just go through GitHub and type crypters, packers, stuff like obfuscators, there's a bunch of custom-made code that people have done and uploaded to GitHub which you can use, and it'll pretty much be undetectable because no one really knows about it for the most part. There's also a Spanish website that I've been going to every now and then, indetectables.net, and they share a lot of RATs or crypters or packers they use. Some of them, you have to be a long-time member for them to give it to you; others are just free, and those will probably get detected pretty fast. But then some have mini challenges you have to solve in order to obtain the crypter or whatever they're giving you, so because it has this mini challenge it makes it harder for anyone to just get it, even a researcher or someone that works for an antivirus company; they might not be able to obtain a sample of this crypter, whereas if you do solve this mini challenge you'll get it and it'll remain fully undetectable for much longer. A lot of attacks too are using fileless attacks. So fileless attacks are

just relying on Windows tools; you can use Windows native tools to accomplish your attacks without having to have your custom malware. Nothing detects Windows tools, right, because it's part of Windows. And also a lot of attacks are just in memory, especially using PowerShell and other techniques; you can keep your attack purely in memory, you never write to disk, and antiviruses won't, or have a really hard time, detecting that. For exfiltration you see a lot of DNS exfiltration, or ARP exfiltration; different uncommon techniques are becoming more common these days. And I've noticed there are certain vectors that aren't that well detected. Like sometimes I have a macro that's detected in a Word document, but if I put it in an Excel sheet it's somehow undetectable, for some reason. I was saying OS X has a low detection rate, and there are other things. So I was saying I was learning Python and Golang, so I decided to create some common keyloggers in these languages, using very common techniques, techniques that are used by every keylogger; compiled these, scanned them: zero detection rate, for some reason. There's Invoke-Obfuscation, which is a PowerShell obfuscator; it's a really cool tool, it really obfuscates all your PowerShell scripts, so that may help to a certain degree to bypass string detection, stuff like that, but if the AV is using heuristics this is not going to help that much. For OS X, Office for Mac has the MacScript function, which seems not to be detected much at all either.

As I was saying, using Windows native tools is a good way to go about it. Casey Smith, subTee, has some really interesting techniques that you can use to bypass AppLocker and other protections, UAC, and just weird ways of using Windows tools to execute code or JavaScript. So take a look at his techniques and implement them in your process; a lot of bad guys already are, so they're becoming a little bit more detected, but it's still a way of evading detection. Another Windows tool is certutil, which you can use to base64 encode or decode, so you can base64 encode your malware using this Windows tool and then decode it to actually get it to run. This is a video, again, Paulino sent me, just doing his Mac research. So he started a Meterpreter handler on the right side; he scanned his macro. The thing to note about this is he hasn't obfuscated or done anything with his macro, which is the macro for Mac; it's even a .docm, which means it needs a macro, but zero obfuscation or anything, not really trying to evade AV, but it ends up being fully undetectable, I guess just because it's Mac and it's

too new or unseen before. So he enables macros and right away he gets the session in Meterpreter there.

There are also some tools that can help us generate our payloads. I initially started using, this was a small talk at DerbyCon, ps flight gen, and I used that tool for like two or three years; I modified it slightly, but it's now somewhat detected so I stopped using it. But it was great because it wasn't really well known. The next year, Dave Kennedy gave a talk or released the same kind of tool, Unicorn, but this one at the moment, when it first came out, was really basic, didn't use any obfuscation or anything, and since ReL1K is really well known this was really easily detected, whereas this one remains undetectable just because it was not as well known as this one. And there are a few other tools that can help you just generate your payloads for these Word macros and have them obfuscated to a certain degree so it's not fully detected.

This is what my macro originally looked like using the ps flight gen, well, the unobfuscated version of it, so you can see what it's actually doing. It just checks to see if the Windows is 64 or 32 bits, because it depends what version of PowerShell you can run based on that; it runs the PowerShell and then it downloads the script called Invoke-Shellcode, I think it was, which runs any shellcode you give it. So I generate shellcode with Metasploit to do a reverse HTTPS and then feed it to this PowerShell script, and it'll actually run that Meterpreter shellcode and give me a reverse HTTPS session. This XorCrypt is just a simple XOR function to encrypt and obfuscate all the data. This is what the obfuscated version looks like; I had to squeeze it all in there. And this worked again; it worked great until it got detected, so I made some modifications to it. These are the differences with the original: this was detected and this was the modded version that became undetected. Sometimes just moving things around, I removed a bit of the obfuscation it had, took it down a notch, and that eventually made it undetectable again. Then a few, like six months go by and suddenly it's detected again, like, oh God.

So I created a much simpler version; instead of using these tools I just started from scratch, from zero, and I added a bit of obfuscation between these function calls and stuff like that, but I don't think that's even necessary. The main thing to look at is just the way I'm executing the code: I'm using these Casey Smith techniques I was talking about, using native Windows tools. I'm not running PowerShell right away; I'm running one thing that runs another thing that runs another thing. So this is the line here that's really important, using rundll32, which is used to run DLLs, but I'm using it to execute JavaScript. There's kind of a weird parsing bug in Windows; it's known about, but you can use that. So the JavaScript creates an ActiveX object, which then will run regsvr32, another native Windows tool. I use this tool to download an XML file which contains a PowerShell payload. The PowerShell payload is what you saw before; it would download the Invoke-Shellcode and then the Metasploit shellcode and just execute it. There's a description, there's an explanation of why this thing works, why it lets rundll32 execute JavaScript; I'm not going to jump into it right now, but pretty much it does some weird parsing, ends up loading mshtml, goes into RunHTMLApplication and loads this whole thing and executes it. This is the XML file that's retrieved; so here in this XML file I actually have the PowerShell command, and this is the shellcode for my Meterpreter right here. So I actually scanned this last night; you can see, like, 2:48 a.m., I got 0 out of 35 on this new macro I was playing around with. Kind of the funny thing when I was looking at it too: there are ads popping up here for multiple exploits, like docs, JS, VBS, a lot of the stuff I was talking about. Great.

So I'm just going to fire up my Kali here, see if I can get this demo quickly; hopefully it fires up fast.

Okay, monitor layout issues here.

Okay.

I noticed another email that had gone through the filter, Gmail's filter. As I was showing you earlier, with Gmail you don't really receive attachments with documents anymore, but I received one: it was a .docx, which was interesting, because .docx can't have a macro; you either need it to be a .doc or .docm. And I scanned it: 0 out of 55 detection rate. So I was like, okay, this is interesting. I open it and it has these three embedded items that would seem to be .docx in the document. It turns out they weren't .docx; once I right-clicked on it and did properties it was a .vbs file, a Visual Basic Script, which Windows will automatically run if you double-click on it. Looking at the code, it's all obfuscated; there's just a bunch of garbage in there to confuse you. I removed all that garbage; well, I scanned this thing first: scanning the pure .vbs file actually did get 12 out of 53, so that's not great, right? Yeah, for the Sophos guys, it's detected; I know there are a lot of Sophos people here. Here I cleaned up the code; you can see the full thing, it was too long to fit on the screen, but I put it on a paste there. I noticed that it's calling this website here for a changelog. I also, when I was looking at this, looked up that URL, and apparently it had been involved in some other attacks, not only that one. So I looked at the location: based in Russia. Looking at the history for this website, it's been like a bunch of porn sites and other stuff, and the site's detected by one as malicious, and that one is a warning.

Some other hurdles I faced: one organization I was targeting, they didn't allow websites that hadn't been categorized by their proxy, their Blue Coat. So what we did is we submitted our phishing site to Blue Coat; within under 24 hours they accepted it. It was categorized as business/economy, and really all the website was was an iframe to another fake site and an exploit pack or something malicious. It was pretty easy to get it classified or categorized as a safe site when it wasn't.

So a few other tricks I've seen, let's go through them quickly. To get the subject to execute the command: they're getting the subject property from the Word document, which has the notepad.exe, so they're not including what they're going to execute right here but including it within the subject of the document and then retrieving that information. Others will include the payload within the document but it's hidden, so if you highlight it and change the color you can actually see the payload right there. Another one that included the payload: this is executable code, it's base64 encoded, it's just hidden in the comments section; you can't even see it there, but the malware later checks the comments and then gets that. You can see it's an MZ, so that's an executable or something. Some macros are certified; I'm kind of interested to start seeing that too. This macro has all these checks: it checks the document name to see if it's been changed, checks if analysis tools have been running, if it's in VMware, if it's sandbox host names, a bunch of things to know if it'll execute or not, basically trying to avoid being analyzed. This one runs on a timer, so if it's under that time it'll execute, otherwise it doesn't. And there are other macros that are really targeted: maybe they'll check the user's email or user account, and if it's not the user they're targeting it doesn't execute at all. So when you scan this with antivirus the heuristics won't detect it, because it's not running as that user, so the malware doesn't execute at all. This one is kind of funny, I guess: John Lambert was investigating this macro and the hacker started talking to him through this little chat window, so they had a bit of a conversation there. So let's hope this live demo is ready here.

Just trying to get my Kali to show up on the screen here, one sec.

I'm just going to drag it over because it's being difficult. So I set up a local network here, my VM; this is the IP for this. Using msfvenom, you can see the command, I generate a reverse HTTPS; it gives me the shellcode, I cleaned it up a bit to put it in the XML file I was showing you earlier. Then for my command and control center I just run msfconsole using this resource script. What the .rc does is set up the reverse HTTPS listener: that's my IP, port 443, so it's reverse HTTPS and I'm using port 443 so it just looks like normal web HTTPS traffic; it's encrypted too. And then when I get a session it will automatically run this autorun script. The autorun script, just for example, migrates processes, it gets sysinfo, getuid; I don't have a webcam in the VM, otherwise I'd take a webcam shot; and then some keylog recording. Okay, so that's ready to go. This will be my victim machine here.

Now.

So I didn't put any content in the actual document; it just has the macros. Our command and control center is here, set up and running, waiting for a connection. So the moment we enable macros...

And it takes a second the first time, just because it's running all these processes and things.

That's right.

Just double-checking the macro quickly; I was doing this last night, before, in the morning, and it worked fine then, but...

I always put a password too on my macros, just to make it harder for someone to look at later. Unfortunately I need to get the password from KeePass.

Oh, all right. It's always weird typing your password in front of people.

I swear that... okay, I know it's wrong. Thanks for being patient with me.

There we go.

So it's that simple macro. I'm going to try to run it again, just directly from here. Oh, because I changed the autorun name, that's why. So I just ran the macro directly from here.

Should be up.

It's not communicating with the machine for some reason; I didn't have it on my private network. Now it's on the private network; let's give it a sec. There we go, now it's communicating with the host. So let's just run this macro quickly one more time.

Session open, there we go. Now the resource script starts running automatically, so without me having to touch it or be at the computer, it already migrated to, where is it trying to migrate to, explorer here. It doesn't have a webcam, otherwise I'd take the screenshots, and here it's recording keystrokes already. So if I do type something here, "hi how's it going", or anywhere in the computer, right, it's recording all my keystrokes.

And we could just view that quickly: "hi how's it going there", what I just typed, right? So that's a nice way of just automating the process. It's all undetected by the AV or firewall as well in that case.

I'll just wrap up quickly with some solutions to mitigate these things.

How do you defend against this? Well, one study says that one of the problems is that employees remain careless. I think, not only careless but maybe a lack of awareness: they haven't been trained on these issues, so they don't know how to prevent them. From the book, Kevin Mitnick, the guy I was talking about earlier, he has the book The Art of Deception, which is all social engineering, and it has some tips: people inherently want to be helpful, so that's why they can be easily duped. Sometimes they assume a certain level of trust: say if I spoof a phone number and call from inside the company, they automatically trust that I'm inside the company. Or sometimes if I'm acting really angry, sometimes we're pretending to be on the phone and yelling and shouting stuff, to avoid conflict, even though maybe I'm in a restricted area, someone might not want to approach me and tell me I shouldn't be there, just to avoid that conflict when I'm acting, pretending to be really mad. Sometimes the information they think they're giving us is innocuous, it's not going to do anything, but we can use a little bit of information to maybe gather more information later. And sometimes just hearing a nice voice over the phone, you want to help them out, right?

There's this USG device; I haven't tried it out, but apparently it claims to be a firewall for USB devices, for any BadUSB types of attacks; you can place this in the middle and then plug in your untrusted USBs and it'll act as a firewall. I haven't tested it myself, so I don't know. Just some general tips: training and awareness is probably one of the biggest things you can do to help prevent phishing attacks. If you have posters around the office, maybe, or in environments, it can help be a constant reminder to lock your computer, don't click certain things. It's always good to have a policy in place, an incident response plan, for if something does happen you can act on it right away. Unique passwords is one of the biggest things I can tell you: our accounts are being compromised all the time; you can see Troy Hunt's website, haveibeenpwned.com, put in your email, I'm sure it's there. If you repeat your credentials on other websites, there are tools that are testing your credentials on all these different websites and services to see if you repeated your password or username, to gain access to these other accounts. Keeping your systems updated and patched is always a huge thing, of course, and following best security practices. There's this website, gotphish.com, where you can report incidents to if you detect a phishing site or something; you can go there and it has a bunch of resources.

Another huge mitigation is removing admin rights from the user: don't let users install their own software. When I compromise a computer through these techniques, most users have admin, so I don't even have to escalate privileges; I can right away get their credentials, maybe using Mimikatz; I can get the credentials in plain text from memory. It just makes it really easy once I have admin, and I can pivot laterally throughout the network after that. You can see this graph that shows mitigations: so if you're just removing software installs, it's one of the easiest things to do and you can get like a 15 times improvement; if you're training on and preventing social phishing attacks, that would be like a 25 times improvement for your security. And again, just remember it takes practice, patience and continuity; you have to always keep on doing it. You can't just give one training course every five years and expect them to remember that, or for new employees; you probably want to do it more continuously, like every six months or every year or so. But if you keep on fighting off those pesky attackers, eventually you'll get there. And that's that. I didn't get any questions; maybe I just wasn't paying attention. So if anyone has questions feel free to ask right now, or you can ask me after; I know it's lunch so probably people are hungry. No? Well, thank you very much.
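Two of the lookalike tricks the talk walks through, the right-to-left override "mirror" character hidden in a file name and homoglyph domains such as the skype/slack examples, can be caught with a few lines of Unicode inspection. The script below is an added example for defenders (for instance in a mail-gateway attachment check or a log-review script), not code from the talk or its speaker; the file names and hostnames it inspects are constructed samples, and the script detection uses the first word of each character's Unicode name as a simple stand-in for a full confusables table.

```python
"""Detection helpers for two lookalike tricks described in the talk:
the Unicode 'mirror' character (U+202E right-to-left override) hidden in
a file name, and homoglyph hostnames built from confusable characters.
Added example, not code from the talk; the sample inputs are constructed."""
import unicodedata

# Unicode bidirectional control characters. None of them belongs in a
# legitimate file name, so their mere presence is worth flagging.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def extension_of(name):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name):
    """Compare what a file really is with how a bidi-aware UI renders it.

    A file manager draws everything after an RLO (U+202E) right-to-left,
    so 'photo' + RLO + 'gpj.exe' is shown as 'photoexe.jpg' while the OS
    still executes it as an .exe. The shell in the talk printed '?' for the
    control character; here the controls are removed to recover the name.
    """
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name)
                if c in BIDI_CONTROLS]
    real_name = "".join(c for c in name if c not in BIDI_CONTROLS)
    if "\u202e" in name:
        # Approximate the rendering: text after the override is reversed.
        head, _, tail = name.partition("\u202e")
        tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
        displayed = head + tail[::-1]
    else:
        displayed = real_name
    true_ext = extension_of(real_name)
    shown_ext = extension_of(displayed)
    return {
        "input": name,
        "controls": controls,
        "real_name": real_name,
        "displayed": displayed,
        "true_ext": true_ext,
        "shown_ext": shown_ext,
        "suspicious": bool(controls) or true_ext != shown_ext,
    }


def inspect_hostname(host):
    """Flag a hostname whose letters mix Unicode scripts or are not ASCII.

    The script of each letter is taken from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK ...), which is enough to catch the skype /
    slack style swap of one Latin letter for a look-alike from another
    alphabet. The IDNA (punycode) form is what actually goes on the wire
    and into the certificate, so it is returned for logging.
    """
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    non_ascii = [f"U+{ord(c):04X}" for c in host if ord(c) > 127]
    try:
        wire_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        wire_form = None  # label too long or otherwise invalid
    return {
        "input": host,
        "wire_form": wire_form,
        "scripts": sorted(scripts),
        "non_ascii": non_ascii,
        "suspicious": len(scripts) > 1 or bool(non_ascii),
    }


if __name__ == "__main__":
    # Constructed samples: a disguised executable and a Cyrillic-k 'slack'.
    for sample in ("report.docx", "photo\u202egpj.exe"):
        r = inspect_filename(sample)
        print(f"shown={r['displayed']!r:16} real={r['real_name']!r:16} "
              f"ext shown={r['shown_ext']} true={r['true_ext']} "
              f"suspicious={r['suspicious']}")
    for sample in ("slack.com", "slac\u043a.com"):
        r = inspect_hostname(sample)
        print(f"{r['input']!r:14} wire={r['wire_form']} "
              f"scripts={r['scripts']} suspicious={r['suspicious']}")
```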
