5 Ways We Get On Your Network: Phishing

Posted on October 19th, 2016

From penetration testing to real world attacks, Phishing remains to be an extremely effective way to establish a foothold into a target organization. This blog post is a follow-on to “5 Ways We Get On Your Network” with a closer look at Phishing and it’s various techniques. Phishing is essentially sending a malicious email to target users with the intent of having them perform some action (Click a link, Open an attachment, etc.).

This will be a longer post so here is a quick overview:

• We will discuss how to setup a Phishing scenario
• We will demonstrate some manual testing techniques to find email spoofing vulnerabilities
• Go over some tools that are useful to Phishing campaigns
• Provide sample code for sending email with Python and credential gathering with PHP
• Demo how to create a malicious Microsoft Office document using Macros
• Discuss some common defenses for Phishing attacks

 

1) Outcome of Engagement: What Happens Once The User Clicks?

From a testing perspective, we conduct various types of phishing engagements to accomplish one of these three (3) outcomes:

• Click Analysis: Discover how likely a user is to click a link or open an attachment
• Credential Gathering: See how many users will supply their credentials when prompted
• Execute Code: Generally involves using PowerShell, Microsoft Office Macros, HTML Applications (HTAs), Java Applet Attack Vectors, etc.

 

2) Determining the Phishing Scenario

The goals of an assessment and Rules of Engagement (RoE) will dictate the type of phishing exercise that we leverage. In some instances we model a common threat (Ex: Ransomware), and in other instances we attempt to model a more targeted attacker or campaign.

2.1) Picking a Domain

Depending on the phishing scenario we will register domain names to be used for the attack. An example phishing campaign scenario is a UPS Tracking email. For this UPS Tracking scenario we would register a domain like “upspkgtracking.com”. For more targeted scenarios we may register a domain name that very closely resembles the target organization, potentially removing a single letter from the companies domain name (Ex: “breakpoint-labs.com” vs. “breakpoint-lab.com”) essentially we are using a doppelganger approach.

2.2) Register Your Domain With Proxies

With regards to the domain it is a good idea to submit your domain and register it to various web content filters. Some filter entities are more strict than others in validating your domain so if possible leave real content up to be classified and indexed like a blog. This can help with more restrictive environments that block domains based on web content filters. An example of this is BlueCoat, which allows you to submit and categorize domains here (Usually approved within 24 hours).

2.3) Testing the Phishing Email

Once everything is worked out we suggest testing the phishing email, potentially your testing POC from the target organization if allowed. Below is an example of a finalized phishing email for the UPS Tracking scenario described above:

3) Finding Vulnerabilities
Prior to conducting the phishing engagement we will normally perform some testing to see if we can identify any spoofing vulnerabilities, abuse features in web applications to send email, or potentially compromise an account to use.

3.1) Identifying Spoofing Vulnerabilities:

More often than not we find that customers mail servers do not have adequate protections in place for spoofing emails. We are able to telnet to their mail servers and manually create the email headers that forge the part of the email which Outlook actually displays to the user. Below are the steps to perform this testing, keep in mind you may need to play around with various components in order to get your spoofing to actually work.

Determine the mail servers for the target domain:

~$ host breakpoint-labs.com

Connect to the mail server:

~$ telnet alt2.aspmx.l.google.com 25

Attempt to forge the email with spoofed headers:

		HELO google.com
		MAIL FROM: <hacker@breakpoint-labs.com>
		RCPT TO: <victim@breakpoint-labs.com>
		DATA
		From: “Hacker” <hacker@breakpoint-labs.com>
		To: “Victim” <victim@breakpoint-labs.com>
		Subject: Phishing Demo
		Hey Victim,
		This is a demo for email spoofing, click this link: http://phishing-link-demo.com/
		.

Below is an example of a phishing email that was sent using Gmail, but to the user it looks like it is coming from the Help Desk:

 

3.2) Contact Us Email Abuse

Sometimes the target organization web applications allow you to send emails. How often have you seen a “Contact Us” or “Feedback” form that allowed you to submit an email? In our experience these are fairly common and if they are not properly secured they can lead to email spoofing vulnerabilities.

Consider the following Contact Us Page:

On the surface this looks fine, but if you look behind the scenes with a web proxy you can see the following HTTP POST request:

In this instance all the variables to generate the email are passed via an HTTP POST request, which opens the door for an attacker to modify. When we encounter these scenarios we can often control the parameters of the email, allowing us to send email as anyone in the target organization.

3.3 Account Compromise

If you are able to compromise a legitimate user account you can have a higher level of trust with your phishing campaign. We will not dig too deep into this particular method as we plan to cover it in a later blog post.

 

4) Executing The Attack

For actually executing the attack we prefer to send email using Python. This allows us to control all the aspects of the phishing campaign using a quick script. We will use variations of this script to actually send the email. Some other tools already exist and can help with crafting a phishing campaign include:

• Social Engineering Toolkit (SET)
• Unicorn
• SpeedPhish Framework (SPF)
• GoPhish
• Lucy
• Empire

Some of these tools help simplify the generation attack payloads like Empire. Other tools, like GoPhish, are geared mainly for analytics like click analysis and phishing engagement management.

4.1) Click Analysis:

In our testing a lot of the tools that are designed for click analysis can generate links that are commonly blocked by anti-spam technologies. It is important to test your phishing scenario prior to firing off an email to all your targets in scope. If not properly tested your phishing campaign can be ruined because its either not delivered or the URL is stripped within the body of the email.

The tools that aid with click analysis can be flagged by spam filters often because they generally leverage a long unique string per email. Based on which URL is accessed in web logs they can determine which user clicked the link. To counter this we use python to create a far less complex link structure that is still unique for our target users, but does not contain the complexity that flags the email spam filter(s).

4.2) Credential Gathering:

Credential gathering can be simplified with tools like the Social Engineering Toolkit (SET), which have built-in modules to support this type of attack. Additionally, you can create your own PHP snippet to accomplish the task of credential grabbing. Below is a quick snippet of PHP that will prompt users for credentials via HTTP Basic authentication. You would obviously want to modify the code to meet your specific phishing scenario, like storing the credentials to a file on the server vs. echoing to the screen:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Secure Page"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Please Supply Credentials to Login;
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

When the user visit’s the page they are presented with something similar to this prompt requesting their credentials before accessing the sites contents:

4.3) Code Execution:

Our favorite tool to aid with code execution in phishing engagements is Empire. Some common ways to accomplish code execution is by shoveling payloads into word docs (Office Macros, Embedding and Objective Linking and Embedding (OLE) Object), or hosting a malicious HTML Application (HTA). Lets explore the Office Macro technique in more detail.

The Microsoft Office Marco attack vector remains a very popular method for getting code execution via Phishing on Windows platforms. Once a document is setup for the attack the user just has to open it and enable the macro (See Image Below). Normally you can set it up so the user thinks they need to enable the macro in order to see the actual document contents.

Step 1: Generate the Payload

Empire can be used to setup the macro payload:

Step 2: Add Payload (Macro) to Office Document

Step 3: Save the document as “Excel Macro-Enabled Workbook”:

Step 4: Test Malicious Document and Email to Targets

Step 5: Get Initial Foothold

If you are interested in learning more about Phishing and Empire we suggest checking out this blog here.

 

5) Protection Against Phishing Attacks:

• User awareness training: Training and education of phishing for the employees and end users of the organization. The training will ideally help users understand the harm that can be caused by opening document or clicking a link and how to identify potentially malicious emails.
• Perform Reoccurring Phishing Engagements: Everyone thinks “It will never happen to me” until it does! This approach continues the awareness of phishing attacks being a real time threat to the organization.
• SPF/DKIM: Configure the proper DNS TXT records to help prevent email spoofing from your organizations mail services.
• Manual Testing: Many of the technology flaws that we discussed in this blog for email spoofing are missed by automated vulnerability scanners and required manual testing in order to discover these flaws and vulnerabilities.