
Shaun Jones - Social Engineering | Phishing Stories (Rookie Track)

BSides London · 14:07 · 488 views · Published 2014-05
About this talk
The talk will be about phishing, touching on the basics and types of attacks. It will mainly include some of the phishing stories from jobs that I've done and the effectiveness of phishing being used on larger social engineering engagements.
Transcript [en]

Alright, so my talk's on real-life stories from phishing jobs that we've done in the last year. I'm going to have to whizz through, because I've done too many slides, but basically I've got three stories. Hopefully you all know what phishing is, so I'll just quickly run through that and get to the good stuff.

So the first one's about how intranets are actually useful when you're doing social engineering jobs. Basically the test was their susceptibility to phishing attacks and their IT team's ability to respond to it, and it was part of a phishing plus physical breach, so we were actually breaking into offices. Our plan was to target their external login interfaces: basically impersonate their extranet login page, capture creds, use those creds to log into their SSL VPN, then do the root dance and use it to get into the actual building. So we cloned their intranet page and then sent a pretty simple email, just: essential maintenance, you're required to log in using your username and creds, at our domain, which closely resembled theirs; it basically just had a hyphen in between a couple of letters, and hardly anyone noticed that. We actually ended up getting a lot of creds within minutes of sending the emails, which got us access to the OWA and their SSL VPN. From there we found instructions in the mailboxes on how to connect to their VPN, and other stuff as well, like certain systems they had, which was pretty interesting.

So from there we connected to the VPN, scanned for easy common ports looking for easy routes, and then we found MS SQL, basically default creds: blank password for sa. Logged in, and the MS SQL service was running with domain admin privileges, so pretty much game over on Thursday. Then from there we started nmapping their network and went on to their intranet. Their intranet was pretty interesting because of the access card requests: you can request access cards for new employees or visitors and stuff, so we made a fake request, requested access, got cards, turned up on the day, had a chat with the receptionist. One problem is you may need to upload an actual picture; as you can see, there's the attachment thing. We didn't realize this, so I ended up getting caught, but a colleague of mine basically tailgated in anyway and then went about it. Because they had several offices we basically went to another one and did the same thing. Other useful information on the intranet was who their providers were, so put on a red polo t-shirt, rock up with a red clipboard, and I'm there looking at fire extinguishers, walking around checking numbers: can I plug in somewhere, just to get access to send some emails? A lot of the time people don't care; once you're on the network you can do what you like.

So yeah, these are some pictures. While wandering around the offices we actually found an unlocked workstation, decided to plug a keylogger in, locked the workstation, walked away, came back in about 20 minutes, someone had logged in and left it unlocked again, and we'd caught their creds as well.

So basically what was learned from that: intranets are actually really useful for businesses and attackers, because they tell us a lot of information, like their policies and procedures for visitors, their badges and their layouts. This company had done security training before and had a whole slide pack on what colour lanyards people should have and what types of badge, which was really useful for us: we had a printer, we just printed stuff off at the hotel and we were good to go. Building layouts as well, and their third party providers. So basically what they should do is two-factor authentication on their external logins, as well as using certs rather than usernames and passwords, because basically if you capture a user's two-factor auth as they log in to your phishing page, you can piggyback on it and log yourself in.

So the next one was why you need two-factor auth again, kind of along the same lines: again a physical breach with a phishing assessment, yada yada yada. This time we were going to steal creds using OWA, log into a mailbox, send a nice email to reception saying there's two visitors coming, create a backstory, and gain access to the network again. So OWA: they were running 2007, really out of date, so we found that and sent a nice email: basically, new migration, if you don't log in before this date any accounts over two months old will be deleted or disabled. And yeah, we got quite a few; it's quite useful. So then we logged into one of the compromised mail accounts and basically sent this email down here. I was doing it with a colleague of mine called Mithun, and when he actually wrote the email he was kind enough to sign it 'Thank you, Mithun', but the reception desk we sent the email to didn't actually pick this up and still gave us access. So the next day we'd got fobs and badges, we went to a meeting room, and basically within 20 minutes we were logged in as domain admin. We found an SVN server with default creds, so I tried admin/password, logged in, which was a bit odd, so tried RDP, OK, local admin, and then found out that a weak service, a backup service in this one, was running, so created a domain admin and off we went. So that's that one.

What we learned from that: look for contacts like reception or meeting room stuff when you compromise a mailbox. It's really useful because you can actually use those to book a meeting room or book people in rather than emailing an individual, which is helpful. Another top tip is, if they don't have OWA accessible, you might be able to just log in using the Outlook wizard, because even though you can't see OWA you can still probably access Outlook that way, unless they're using Lotus Notes, but that takes us on to story three.

So this one was to test users' susceptibility to a phishing attack, but on this occasion we took a white box approach due to some security measures which the client had in place. So we followed two different ways to steal creds: we did an employee benefit scheme, like a fake one, and a new OWA roll out, which at the time we didn't realize, but they were actually using Lotus Notes, so that was quite helpful here. And basically we were wanting to get shells and remote access to the boxes. So why was it white box? Because it was time limited and a number of technologies were in place: they took a whitelisting approach to web filtering and had application whitelisting running on all their client laptops and stuff, and they also had AV and a host-based firewall using Sophos, and Trend Micro's InterScan web scanner, which is like TMG, if anyone's come across that before. But where's the fun in that? You want to bypass all the technology and get to the weak point, the users.

So we did OWA, 2010 this time, so exactly the same email as we used before still works, just change the bait. Some of the victims were actually kind enough to reply to us with some screenshots saying they get this untrusted certificate error, so we sent them a nice reply: it's fine, just click through it. Actually the majority of people just clicked through it anyway, which was quite nice of them. And then sometimes people just don't want remote access. So this guy here was basically: 'I think this is a waste of time, as I don't have a work device to read my emails on.' So I replied like, do you work from anywhere, have you tried logging in? And he goes: 'Hi, sure, why would I want to check my work email when I'm away from work? I switch off from the minute I leave site and enjoy my free time.' I decided there was no point going on with this guy. But you know, sometimes you get some really odd questions, like this guy wanted to know if you could access it in an internet cafe in Iraq. Like, OK, so odd. And then you do get other people that just want access real bad. This guy emailed us a good few times; he was like, 'the link took me to the company website, which didn't work', which is the whole point. Then I said I'll look into it, I'll get back to you, and he sent me an email about half an hour later: 'just when were you planning on doing this?' By the way, he was head of something, so he was quite important. So I'd got several emails off him, so we decided we were going to have a bit of fun with this guy. We told him we'd remote access his machine and we knocked up a website, it was actually Rich's idea, which was pretty good, and basically we had a malicious batch script that dropped the payload for us. Then he moaned it didn't work, but in actual fact we'd had him, which was quite nice. No, no, he didn't know anything.

And then one of the ways we were getting a shell on this job was basically we had a payload of dnscat and in-house custom reverse shells that we've written, and we used a malicious macro to drop the payload. We got users to enable the macros by doing an asset register, and basically we wrote queries in there that would automatically fill in some fields; because everyone's lazy, they'll run the macros. Also it's worth noting we had a legit phone number on there as well. So we sent this email out, blah blah blah, really not interesting, but yeah, we got quite a few shells back, which was quite nice. And dnscat is worth mentioning. So, oh yeah, one of the things that was a good point on this was: always make sure you have valid email addresses and phone numbers on your phishing emails, and that way you can use that to do different attacks; like, you know, it could mean the difference between getting some creds or getting a shell, because everyone likes to run stuff. On one of the jobs we didn't actually set up one of the accounts, but users were still nice enough to forward on the delivery failure report to us, just saying 'can you forward this on? I can't get through and the website's not working.' I didn't realize. And basically DNS shells are not stable in terms of when you're using them on an actual test; they do tend to drop out quite a lot.

So basically the white box approach is getting a lot more beneficial for phishing tests, because it saves a lot of time playing around figuring out what payloads are going to work and how to bypass stuff. What's really nice about doing it is the benefit of writing your own custom shells, and of course imagination when you're doing it is basically the best way of bypassing stuff like application whitelisting and whitelisting of web apps as well, which is good. And that's it. Cool. Any questions?

[Audience question, partly inaudible: what about the IT team responding once you'd got in?]

Oh, what, them responding to us? Yeah. When we do phishing jobs we normally get it so their IT team will know about it, or a member of their IT team will know about it. Basically on the first story, when they realized what had happened, by that time we'd already found the weak link and stuff; they decided they were going to think about shutting down the VPN, and because it's a commercial company, the IT manager, who knew about the test, decided straight away to just halt his IT team and tell them straight away. But they only had about 44 people report it, out of about 2,300 people that we targeted. Also, we're finding the numbers change from company to company a lot of the time, so like last week we got, I think, thirty-five out of 40 shells back, which is quite a lot of shells if you think about it, whereas before we've had like one out of 50. It varies from company to company.

[Audience comment, partly inaudible: on the benefit of security awareness, making sure your employees are aware of the risks.]

But yeah, you always get these few, which is more than enough for us, kind of thing. Yeah.

[Audience question: so when you've run your campaigns, are you mostly using OWA as the example?]

We do various ones, and the OWA one seems to just work a lot, because everyone knows about it and knows what it is; even people using Lotus Notes seem to want to use it as well. So it's one of those things.

[Audience question, inaudible.]

Sure. The best approach is to use Citrix and then basically use two-factor auth with a cert, and do it that way, because you're basically allowing access to your network through a controlled area, whereas OWA with a username and password... I've had jobs before where OWA has been, basically, their internal account policy didn't lock accounts, so you can just brute force people's passwords and get access to OWA easily. So I do see it as kind of a big risk to have open if you're not going through something like that.

[Inaudible.] Alright, cool. And can I just say thanks to Rich.
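An added defensive check, not part of the talk: the first story's lure was hosted on a domain that differed from the real one only by an inserted hyphen. This example (my code, not the speaker's; the function names and every domain in it are constructed placeholders) extracts links from an email body and flags registrable domains that are hyphen-insertion or one-character variants of the organisation's own domain, which a mail gateway or triage script could use to catch that class of lure.

```python
"""Flag lookalike domains in links from an inbound email. Added example, not from the
talk: the first story's lure domain differed from the real one only by an inserted hyphen."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (fine for .com/.org style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character substitutions or insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(legit: str, host: str) -> str:
    """'legit' (the real domain or a subdomain of it), 'lookalike', or 'unrelated'."""
    legit = legit.lower()
    cand = registrable(host)
    if cand == legit:
        return "legit"
    legit_name, cand_name = legit.rpartition(".")[0], cand.rpartition(".")[0]
    # Inserted hyphen(s): removing them recovers the real name (the talk's case).
    if cand_name.replace("-", "") == legit_name.replace("-", ""):
        return "lookalike"
    # One-character change in the name, e.g. a digit 1 for the letter l.
    if edit_distance(cand_name, legit_name) <= 1:
        return "lookalike"
    return "unrelated"

def flag_links(legit: str, body: str) -> list:
    """Return (url, verdict) for every link whose domain is not the real one."""
    findings = []
    for url in URL_RE.findall(body):
        verdict = classify_domain(legit, urlparse(url).hostname or "")
        if verdict != "legit":
            findings.append((url, verdict))
    return findings

# Constructed sample lure in the style the talk describes (all domains are placeholders).
SAMPLE_BODY = ("Essential maintenance: log in at https://portal.exam-ple.com/login today. "
               "Help: https://intranet.example.com/help  Footer: http://news.other-site.org/")
```

Running `flag_links("example.com", SAMPLE_BODY)` reports the hyphenated portal as a lookalike and the footer link as unrelated, while the real intranet link passes.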