
Right, so, thanks for the introduction. I think I'm just going to hold this. So I'm just going to talk today about honeydocs. Just to make sure we're all on the same page: how many of you know about honeydocs, know what that is? Okay, cool. So what I'll do, I'll just quickly cover what honeydocs are. Essentially, honeydocs are documents that were solely designed to make people want to download them and open them. So we can think about an attacker, someone who's trying to study your company, or an insider, someone who's trying to download files they shouldn't. The whole point is to lure them, and these documents can be used, usually Word documents, but just the same they can be PDFs, PowerPoint files, even Excel files.

So, just to quickly demonstrate how effective honeydocs can be: in this example I'm sending an email with supposedly a job application document to someone. As soon as the email is sent and that person opens the document (in this case this is an old system, something I'm going to show you later, but that was the first version of my honey system), as soon as the document was opened we can see that they used Mac OS X, used Office Word version 1441, and where they came from, using the IP information. Also down below there's IP whois data, so you can see what organization they came from and so on. So already a very powerful system just to see who's really behind the information theft, or, for example, if someone is bugging you with spam and won't stop, I'm talking about targeted phishing attacks, you want to know who that is; that's a good example too. So yeah, this is the information I just mentioned. In this case I emailed back that person, I told him that I noticed that his version of Word is out of date, and his response was basically crying, saying that it's not fair because Word just popped up that update window. But if it was a penetration test, and that was a penetration exercise, I could have easily delivered a specific exploit to that version of Office. Just an example for pentesters.

So, for the sake of... I just want to see what kind of other ideas I can get from you guys. Can you guys think of any other use cases for honey documents? I've showed you a quick example. Anything practical in a security world? Anyone has any ideas? Yeah, seed inboxes, like someone breaks into your inbox and you want to know about it, right. That's actually a good example; I was thinking about that today to include it in my presentation, but I didn't, I just didn't have the time to do the extra screenshots, but yeah, that's a great example. At SecTor I heard examples of, for example, data leak prevention or policy enforcement: you want to know that people don't open specific documents at home, that they only get opened in the office, because you want to be able to control how data leaves the perimeter. So that's an example, but I'm going to show you some other examples that I could think of.

So I'm going to give you a scenario. You're a company, and right now there's a group that wants to infiltrate either your industry or your specific company. So the first thing they're going to do is Google about you, see what kind of information was cached on the web. You obviously have a website, so they're going to start investigating, looking into your website, see what information they can get that they shouldn't. So I'm going to ask another question: what would you do if you were the bad guy? Put yourself in their shoes. What would be the first quick thing that you would do on someone's website to find stuff you shouldn't? URL? Yeah, that's using Google, right, but let's focus just on the website. What would be the first thing you would try to look at? So I'm just going to throw out the example I'm going to use: the robots file. Every website, in order to tell search engines what you want them to cache and what you don't want them to cache, usually lists off stuff that is supposedly private. But as an attacker, usually that would be the first place I want to go in to look at stuff that's supposed to be secret or private from search engines.

So the idea here is really to create a system that can alert us when people are doing this kind of investigation into your company. You want to know ahead of time when someone is looking at places they shouldn't, which probably means that, you know, their agenda is probably not something that's constructive. And the whole point here is to really slow the attacks and make them first of all figure out what's real, what's not, and now they have to be extra careful not to trip any alarms, because after they've opened the documents they'll probably realize that it was a honey document. But that's good: that's going to make them even more cautious, that's going to make them hesitate, probably even go to a different target, someone who has less defenses that are, you know, I want to say advanced, but worse than yours.

So I'm going to show you very quickly how to do this. As I said, first of all we need to create the honey documents. Make sure you name them with interesting file names like "passwords" or "employees" or "new account setup"; these are probably the files you want to look at as an attacker if you want to infiltrate them. So on your web server, hopefully the corporate web server, but be careful, create a new folder, and on that folder specifically I want you to enable directory listing, and I'll show you why. But again, be careful and make sure that all the other directories don't have directory listing. Once we have that, we can update the robots file and add some lines like that. So as an attacker, once you see something like "docs" in this file, that's probably going to be one of the first places you're going to go and try to visit, see what's in there. So this is probably what you're going to see, and if you're the bad guy and you see this, you're just stumbling on this, you're probably going to download all of them, and I really doubt that you're going to run them in a VM or through a proxy once you open these documents. No one suspects documents, Word documents. So once that happens, this is what I'm going to see: I'm going to get an email that tells me, hey, your document was opened from this IP address, probably from this location, and this is the operating system and other details that that person used. So this is actually an alert email from a system I'm going to show you later, that I released at SecTor, but it would show you also a lot more information.

So, other use cases. We mentioned before, but I want to go over, for example, a honeypot. So let's create a system, either inside your company, with an FTP server; enable, if you want, anonymous access on it, you don't have to, you can even use just weak passwords, but seed it with a bunch of these documents. As soon as someone downloads the document and opens it, bam, again you have that info: you know where they came from and what machine they used. Very simple to create and very effective. Another example would be using Google; so we mentioned Google hacking. What you could do is actually seed some of these documents on a website, wait for Google to cache them, but use interesting names like (and this is an actual example, but you can just use the same naming procedure), and if I was one of the bad guys I would definitely go after these; I would probably search for documents with strings like "clogging", "new account", "staff" and that kind of stuff. So right away, another good way to alert you when someone does that and looks for sensitive information.

How many of you throw away hardware, old hardware? How many of you are concerned about people going through your garbage? So yeah, a lot of people bother with shredding, but not everyone can afford it; it's an expensive procedure. But an interesting test to see who's looking at your garbage bin, besides putting a camera, I guess, would be to just, you know, throw a bunch of USB keys, maybe an old hard drive that you zeroed out, obviously, and, you know, just put some documents, create some folder structure there, and just wait to see the ping on your dashboard. That would be a great test to see really dedicated people; normal people wouldn't do that, but that would be a great example.

Another example would be, I mentioned earlier, scammers. So this is an actual email we got in 2013: someone was doing spear phishing on us. So they sent us this email specifically to the finance department, asking for wire transfer details. We're a security company, so we're pretty savvy when it comes to detecting these kinds of emails, but it was really well done, well researched. So we decided to, you know, really play with the guy and see who's behind these attacks. So we just replied back to the person with a document called "wire transfer details", and there was the same structure you'd expect to see in a wire transfer document, but everything was bogus, and it was bugged. And yeah, we saw where it came from, but in this case we couldn't really do anything about it; it was in a foreign country. But at least that way we can assess the threat: we can tell where the guy is coming from, what their technical capabilities are. If he came from a proxy or some sort of VPN, an address that is known to be not associated with any organization, then you can probably suspect that this is a sophisticated attacker, and you should probably be prepared across the organization to address more targeted attacks. But if it was just some guy, or some kid, sending these because, you know, he got some software on a Russian forum, then I wouldn't worry about it too much; just ask my security guys to look for that stuff.

So, how much time do I have? I have enough time. So I'm going to show you quickly how to create a very basic honey document. This technique I'm going to show you, I tested it on Windows, on Mac and on Linux, and it works on every system, and it's great, and it's very simple too. So all you have to do is start with an empty text file, and what we're going to do, we're going to write a little bit of HTML inside, really just about six lines of code. There are really two components here: there's the text, and then, if you guys can see, the second line from the bottom is actually an image tag. So if you'd run this document in a browser, what would happen? Yeah, exactly, the browser would try to fetch that image, right. That would be the first thing the browser would do, and it doesn't matter if that specific URL exists or not; that server would be contacted by your browser trying to actually grab that file. So that's a good idea, but let me tell you a little secret: Word documents are actually browsers. Sorry, Office Word, the application itself, also can render HTML documents. So if we actually rename our file, if we rename it, save it as .doc, Word would actually open it. So let's see what happens. This is actually how it would look. For the sake of making things simple, I put a very confusing text that says "document error", but it could be anything, it could be an actual document. Some guys, actually, when we sent this kind of template, they tried to open the document at least three times because they thought it was an actual error; I've seen that too. But the good thing is, now that we know that the image was fetched, or at least Word tried to fetch that image, we can now go to a web server and look at the logs. If the actual image exists on the server you'll look at the access log, but if not, at the error log. So you'd run something like this, right: you'd grep for that keyword that we used. Let me just go back here. As you can see at the end here we used "unicorn"; that should be the tag you're going to search for, but it could be anything else, it could be just a string of unique numbers or anything you want to look for, but you want to make sure it's unique so you don't see too much information in the logs when you get there. So this is the type of information you get back: you'll see the IP address of the person, this is the tag we looked for, but the interesting stuff is what kind of operating system and computer they used, and the version of Word.

So this would work, as I said, for Word, but I haven't tested this technique for Excel. I'm pretty sure Excel is not going to render HTML documents; it's just a different format completely, it's not for documents. And PowerPoint, probably not. But there is another method to work with Excel and PowerPoint. But there are two problems with using this technique. If you're a little bit suspicious of these documents, the first thing you're probably going to do is run the file command; you want to see how the system detects it. So in this case, OS X, this is the .doc, but it considers it an HTML document because of the content and the magic bytes in the beginning. So the next test you'd probably want to run, because it's a text document in HTML, you'd probably want to cat the document, see what's in there, open it with a text editor, and you'll see that, you know, there's an image tag with a weird URL inside, and that would probably be your clue. So, as I mentioned, those are problems that would affect you if you're trying to go after more sophisticated people, if you're trying to actually bypass, you know what, even systems that would filter for that kind of stuff. But if you're going against a sophisticated guy, you'd probably want to use .docx.

So I spent some time actually researching how to perform that in Word documents with the Open XML format, and I'm just going to show you that. Very quickly about Open XML: these are essentially containers; it's essentially one zip file that's got a bunch of XML files in it, and there's also resources and other images. But what I really want to focus on here is how I was able to quickly reverse Open XML documents. So the first test, the first procedure, would be to create a document with a text and an image, just so you can see how the structure looks. That would be an example of something you create, and save that document, and now you probably want to unzip that file. So the document structure would be something like that; those are the folders that are in the zip file, and there are really two files that we're interested in: there's the relationship file, and there's the document file, where all the content goes. The relationship file contains all the information that the document references, so images, links to websites and so on; all the references, everything goes in the relationships file. So this is the document file; we can see the text that we created, but more interesting is this: this is the XML structure for embedding an image in a Word document. So pay attention to the ID here, the embed ID; this is something that we're going to see again in the relationships file. So that's how it looks, that's the relationships file; we can see the image name and the ID showing up again. So let's break it down very quickly. This is just one tag, and the only thing that really pops out is the media image file. So if you were in my shoes, the first thing you'd probably want to do is change that value to a web URL, right? So that was the first test I did, and it didn't work. Turns out, after a little bit of research, that there is an extra attribute that you can add that tells Word to actually fetch documents remotely. So if you have a URL and you have TargetMode external, Word would happily go to the internet and fetch that image for you, and voilà, now we have our tracking method. This is the same technique that marketers use to track if you open their email, right: they have images, and if you allow viewing images in your mail client, they can tell easily on the web server logs that you specifically opened your email. So I'm borrowing the same technique.

So to make things easier, because this is a bit complicated if you want to do it more than once, I actually created a web application that does it for you, and the cool thing is it actually supports Excel files and PowerPoint files, using a similar technique, but the structure between PowerPoint and Excel and Word is a little different in the XML structure. So it's a free website; Entire, the company I work for, is sponsoring the hosting and SSL certs and all that, so thanks to them. But what I really want you to know is... okay, I'm going to show you a quick demo on how to use it. So, five minutes, okay. So we're just going to create an Excel file very quickly, put some data in it, so we save it to the desktop, I don't need this anymore, and what I'm going to do, I'm going to upload this now to the website. Logged in, file was uploaded. So now what the system did in the background, it actually patched this document that I uploaded. I'm going to go to the details here, and what I need to do is download the patched version. So now there's the tracking code, similar to the technique I showed you. As soon as I open the document it should essentially try to fetch an image, thereby pinging the system. So if I refresh here, I should see something. But this is a demo, so demos never work. So what I'm going to do is, I prepared for this, so I have the local system, but the internet here is just not very good, I guess. So let's try this again. I swear it worked at SecTor. Okay, so we open the document, so hopefully we should see... all right, goddamn demos. All right, trust me, it works; I'm using 3G internet here, I guess it's not working very well. But it works well with PowerPoint, Excel files, as I mentioned, and there... now this is not working. Okay.

So I'm just going to show very quickly some other use cases. As I mentioned, in a pentest you'd want to fingerprint, to know what kind of operating system your target is using, what version of PowerPoint, Excel, Word, whatever they're using. As a marketer you might want to send some collateral to see if your clients actually opened it. If you're in sales and you're sending, you know, RFP documents. If you're job hunting and you want to see if the company you sent your document to actually opened the resume, or if they opened it more than once, which usually means that, you know, they sent it to other people in the company, which could be a good sign.

But more than that, I took it to the next step. I don't know if you guys heard, but a few months ago there were a few articles about Dropbox opening your documents. Turns out that if you upload Word documents to Dropbox, for the purposes of creating a thumbnail, they'll render the document, they'll open them for you, which could be kind of bad if you're very conscious about your privacy. So, knowing that, I went to investigate other services. I don't know if you guys are using Amazon WorkSpaces, but they have this file sync service that essentially lets you sync your files from your computer to Amazon. So it turns out, once you upload a document to Amazon, they'll open it for you as well, how nice, and in this case they're using Windows 7 apparently. Google Drive: how many of you are using Google Drive? More than I saw hands for. But turns out they do that as well, but what I found really interesting about Google Drive is that when they do open your documents, they're using Windows XP and Internet Explorer as the user agent to identify the browser that fetches those images from the documents. So I don't know if they're trying to play with me, but if you guys want, I'm not condoning it, but you're welcome to try some, you know, Windows XP exploits in some of those Word documents. But that's the user agent strings they sent me.

So that's pretty much it, I don't have anything else, and I think I'm just on time. As I mentioned, docping.me is free to use if you want to create your own documents, your own honeydocs. The only thing is that someone actually mentioned to me at SecTor that, because you need to upload a document to patch it, they can't do that with confidential information, right; they're going to be afraid of uploading stuff. So actually a friend of mine suggested instead, and that's going to be the next feature, what DocPing will do: you'd be able to create a blank document that already has a tracking code and then just, you know, paste everything into that, or just start writing in this, and it'll do it for Word, Excel and PowerPoint. And think of it as Google Analytics for Word documents, or as a security tool; it's up to you. So that's that, and if you guys have any questions, I'll be happy to take them now.
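The talk describes two ways a document can phone home when opened (an HTML file renamed to .doc with a remote image tag, and an Open XML package whose relationships file points an image at a URL with TargetMode="External") and notes that `file` and `cat` are the quick checks for the first one. The script below is an added example, not code from the talk or from the DocPing service: it automates both checks from the receiving side, so a defender can scan a received .doc/.docx/.xlsx/.pptx for beacons before opening it. The canary URL, the "unicorn" tag, and the sample documents are constructed fixtures; the fixture builder only produces the relationships skeleton needed to exercise the scanner, not a document Word would render.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespace of the .rels files (the "relationships file" from the talk) and the
# relationship type that marks an image reference inside an Open XML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # first bytes of a genuine binary .doc/.xls/.ppt (OLE compound file)
IMG_SRC_RE = re.compile(rb"<img[^>]+src\s*=\s*[\"']?([^\"'>\s]+)", re.IGNORECASE)


def find_html_beacons(data: bytes) -> list:
    """Case 1 from the talk: an HTML file renamed to .doc. Returns the remote <img> URLs that
    Word would fetch on open; an empty list means nothing suspicious was found."""
    if data[:4] == OLE_MAGIC:
        return []                       # real binary Office file, not HTML in disguise
    return [
        m.group(1).decode("ascii", "replace")
        for m in IMG_SRC_RE.finditer(data)
        if m.group(1).lower().startswith((b"http://", b"https://"))
    ]


def find_ooxml_beacons(data: bytes) -> list:
    """Case 2 from the talk: a .docx/.xlsx/.pptx whose relationships file points an image at a
    URL with TargetMode="External". Returns (rels file name, URL) pairs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                       # not a zip, so not an Open XML package
    hits = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            continue
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            # Only image relationships are fetched on open; hyperlink relationships are also
            # "External" but need a click, so they are not reported here.
            if (rel.get("Type") == IMAGE_REL_TYPE
                    and rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                hits.append((name, target))
    return hits


def scan_document(data: bytes) -> list:
    """Pick the right check by container type and return the list of beacon URLs found."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return [url for _, url in find_ooxml_beacons(data)]
    return find_html_beacons(data)


# Constructed fixtures (not documents from the talk). "unicorn" is the unique tag the talk greps for.
CANARY_URL = "http://canary.example.com/img/unicorn-4f2a.png"

SAMPLE_HTML_DOC = (
    b"<html><body><p>Document error</p>\n"
    b'<img src="' + CANARY_URL.encode() + b'">\n'
    b"</body></html>\n"
)


def build_sample_docx(image_target: str, external: bool) -> bytes:
    """Minimal skeleton of the structure the talk describes: an image relationship that either
    points at a packaged media file or, with TargetMode="External", at a URL. Test fixture only."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" Target="{image_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", '<w:document xmlns:w="urn:placeholder"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("html-as-.doc :", scan_document(SAMPLE_HTML_DOC))
    print("tracked docx :", scan_document(build_sample_docx(CANARY_URL, external=True)))
    print("clean docx   :", scan_document(build_sample_docx("media/image1.png", external=False)))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_document`; any URL it returns is a host that will be contacted the moment the document is opened, which is exactly the signal the talk's web server logs record on the other side. Opening the file in a sandbox without network access, or stripping the relationship before opening, keeps that signal from being sent.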