The presentation covered how Office 365 can be attacked and how G Suite features can be leveraged for phishing during red team assessments.
Linkedin: https://www.linkedin.com/in/jebaraj-m-551a091aa/
Advanced phishing for red team assessments
1. A Red Teamer’s Access from the Internet
Null Chennai Meet 23 November 2019
PRESENTER: JEBARAJ M
2. Most Used Mail Servers
Office 365
Gsuite
Custom mail servers ( postfix, exim etc.)
3. OSINT to the best
OSINT is the most important phase of a red team assessment.
Some useful resources for OSINT are as follows.
https://osint.best/
https://osintframework.com/
4. Linkedin to get Linked
LinkedIn provides more data than you think, and that data can link you in to an organization.
From a LinkedIn name we can derive a candidate email address by trying several naming conventions, such as:
firstname.lastname,
lastname.firstname,
first-initial.lastname,
last-initial.firstname, etc.
5. Hunting for emails
There are many email scrapers lying around on GitHub.
Hunter.io is an email scraper: given a domain name, it fetches the email addresses
found on the public internet.
You can also make use of https://www.alreadycoded.com/, which has lead
generation tools.
6. Preying by Spraying
Password spraying is trying a single credential (one password) across multiple accounts.
Some default passwords that can be used for spraying are, for example:
Nov@2019
Password123$
Summer2019 etc.
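From the defender's side, spraying has a recognisable shape: one source produces failed sign-ins for many distinct accounts in a short window, whereas a brute force produces many failures for one account. The following detection over constructed sign-in log lines is an added example, not part of the slides; the log format, window and threshold are assumptions for the demo.

```python
"""Detect password-spray patterns in sign-in logs (added example).

Spraying = one password against many accounts, so it shows up as one source
IP failing against many *distinct* users inside a short window. A brute force
fails many times against one user and is deliberately not flagged here.
The log format below is constructed for this demo: "<ISO ts> <ip> <user> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.7, a brute force from 198.51.100.9.
SAMPLE_LOG = """\
2019-11-23T09:00:01 203.0.113.7 alice@example.com FAIL
2019-11-23T09:00:03 203.0.113.7 bob@example.com FAIL
2019-11-23T09:00:05 203.0.113.7 carol@example.com FAIL
2019-11-23T09:00:07 203.0.113.7 dave@example.com FAIL
2019-11-23T09:00:09 203.0.113.7 erin@example.com SUCCESS
2019-11-23T09:01:00 198.51.100.9 alice@example.com FAIL
2019-11-23T09:01:02 198.51.100.9 alice@example.com FAIL
2019-11-23T09:01:04 198.51.100.9 alice@example.com FAIL
2019-11-23T09:01:06 198.51.100.9 alice@example.com FAIL
2019-11-23T09:01:08 198.51.100.9 alice@example.com FAIL
"""

def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples from the sample format."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result

def find_sprayers(text, window=timedelta(minutes=10), min_users=4):
    """Return {ip: sorted distinct users} for source IPs whose failed
    sign-ins hit at least `min_users` different accounts within `window`."""
    failures = defaultdict(list)            # ip -> [(ts, user), ...]
    for ts, ip, user, result in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window's left edge
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

A successful sign-in from a flagged source right after the failures (erin in the sample) is the account to reset first.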
7. Attacking Office365
Office 365 is a service provided by Microsoft for organizational communication.
Autodiscover and Lyncdiscover DNS records are indicators that an organization uses it.
Eg. autodiscover.example.com, lyncdiscover.example.com
9. Gotta check out the GAL
Using the GAL is a perfect way to do user enumeration.
GAL is the Global Address List. You can use the search option either in Skype or while
composing a mail.
In G Suite you can open Hangouts to check whether a user exists.
10. Staying Stealth by Rules
Attackers plan to remain stealthy in order to maintain access to the compromised O365
accounts.
Real attackers try to stay as stealthy as possible, leaving no traces that would alert the
victim: they create inbox rules that forward incoming mail and then delete it.
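The forward-then-delete rule described above is exactly what a mailbox audit should look for. The scorer below is an added example, not part of the slides: it runs over constructed rule records loosely shaped like an exported inbox-rule listing, and the field names, the internal-domain list and the score thresholds are assumptions for the demo.

```python
"""Flag inbox rules matching the forward-and-delete persistence pattern
(added example). Rule records are constructed dicts; the field names
(`forward_to`, `delete_message`, ...) are assumptions, not an API.
"""

INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own domains

# Constructed sample export: one dict per mailbox rule.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "..", "enabled": True,
     "forward_to": ["drop@attacker.invalid"], "delete_message": True},
    {"mailbox": "bob@example.com", "name": "Archive newsletters", "enabled": True,
     "forward_to": [], "delete_message": False, "move_to_folder": "Newsletters"},
    {"mailbox": "carol@example.com", "name": "Cover", "enabled": True,
     "forward_to": ["dave@example.com"], "delete_message": False},
    {"mailbox": "erin@example.com", "name": "Old", "enabled": False,
     "forward_to": ["x@attacker.invalid"], "delete_message": True},
]

def external_targets(rule):
    """Forwarding addresses whose domain is not one of ours."""
    return [a for a in rule.get("forward_to", [])
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def score_rule(rule):
    """Return (score, reasons); a score >= 3 deserves an analyst's attention."""
    if not rule.get("enabled", True):
        return 0, ["disabled"]
    findings = []                                   # (points, reason)
    ext = external_targets(rule)
    if ext:
        findings.append((2, "forwards externally to " + ", ".join(ext)))
    if rule.get("delete_message"):
        findings.append((1, "deletes the message after processing"))
    if ext and rule.get("delete_message"):
        findings.append((2, "forward-and-delete combination"))
    if not rule.get("name", "").strip("."):         # names like "." or ".." are a common tell
        findings.append((1, "empty or dot-only rule name"))
    return sum(p for p, _ in findings), [r for _, r in findings]

def suspicious_rules(rules, threshold=3):
    """Map mailbox -> reasons for every enabled rule scoring >= threshold."""
    return {r["mailbox"]: score_rule(r)[1]
            for r in rules if score_rule(r)[0] >= threshold}
```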
11. Doppel Ganger Phishing
A doppelganger domain is a look-alike of a legitimate domain.
Always choose a doppelganger domain wisely.
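On the receiving side, the same look-alike property can be checked at the mail gateway. The function below is an added example, not from the slides: it folds common confusable character pairs, then compares the sender's registrable label to a protected domain by edit distance and substring. The protected domain, the confusable table and the sample senders are constructed for the demo, and the label extraction assumes a single-label public suffix such as .com.

```python
"""Flag sender domains that look like a protected domain (added example).

Doppelganger domains usually differ by a dropped, doubled or swapped letter,
a confusable glyph pair (rn/m, vv/w, 0/o, 1/l) or an added word. All inputs
here are constructed; `registrable` assumes a one-label suffix like .com.
"""

CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def normalize(label):
    """Fold confusable sequences so 'exarnple' compares as 'example'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Second-level label: 'mail.example.com' -> 'example' (demo assumption)."""
    return domain.lower().rstrip(".").split(".")[-2]

def lookalike_reason(sender_domain, protected="example.com", max_dist=2):
    """Return why sender_domain resembles `protected`, or None if it does not.
    The protected domain itself and its real subdomains return None."""
    if sender_domain.lower() == protected.lower():
        return None
    want, got = registrable(protected), registrable(sender_domain)
    if got != want and normalize(got) == normalize(want):
        return "confusable characters"
    d = edit_distance(normalize(got), normalize(want))
    if 0 < d <= max_dist:
        return f"edit distance {d}"
    if want in got and got != want:
        return "brand embedded in a longer label"
    return None
```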
12. Phishing
My approach towards a phishing campaign, which works most of the time, is buying
a domain with an ecommerce name or an elearning portal name. Create a signup page or a
fake login portal customized to the targeted domain.
Then conduct a phishing campaign stating we have partnered with
Eg book2learn.com etc.
13. Phishing Delivery
You can use frameworks for phishing delivery by adding your SMTP server, through which
your phishing email will be delivered.
You can also use the sendemail CLI tool.
Some of the popularly used phishing frameworks are
Gophish
King Phisher etc.
14. Staying Stealth while Phising
Hide your personal information, which may get leaked while setting up a phishing
campaign.
The main things a good attacker will hide are as follows.
* WHOIS information
* SSL certificate information
15. Phishing on GSuite
Of course G Suite uses AI to check mail for spam and spoofed content.
Gmail is secured by blocking malicious attachments.
16. Then how can we conduct phishing against a G Suite user?
20. Groups
Google Groups is a platform for creating group conversations.
You can create a Google group at https://groups.google.com/
Invite members to the group.
The likelihood of suspicion is lower, all thanks to Google for this feature.
22. Ordering for Takeout
Google provides a way to export all of a user's Google data in a zip file, which will contain
Gmail, Maps, Play Store data, etc.
Takeout.google.com
23. Phishing attachment file types
The most frequently encountered malicious phishing attachment types are as follows.
Docx
Doc
Xls
Xlsx
Rtf
24. Macroless
DDE (Dynamic Data Exchange) based payloads can be used to create macroless
payloads which are inserted into a document.
Some of the ways to generate macroless payloads are as follows.
metasploit
Unicorn
Manual approach by formula injection etc.
25. Advanced macro based payload
VBScript (VBA) is used for macros.
VBA code can be obfuscated to evade detection.
VBA stomping can also be done to evade detection.
26. MACRO OBFUSCATION
VBScript can be obfuscated to evade detection.
Some of the ways that VBScript code can be obfuscated are as follows.
Use of the StrReverse() function.
Custom function names.
Using a custom encoder to encode the payload function, e.g. ROT-series encoding.
Many macro obfuscation tools are available on GitHub.
27. VBA Stomping
A macro payload file contains two things: the VBA source code and the p-code. The VBA
source code is compiled into p-code, which is what gets executed when macros are enabled
after opening the malicious macro-embedded file.
VBA stomping is modifying the VBA source to make it appear that there is nothing malicious
in the macro file, while the p-code still contains the malicious payload.
Tool: EvilClippy
28. Undetectable Macro payload
An attacker can craft a malicious, undetectable macro by combining macro
obfuscation + VBA stomping + an AMSI bypass payload.
30. Linking maldocs
Attackers abuse the Object Linking and Embedding (OLE) feature of Microsoft Office by embedding a malicious
file and changing its icon to look legitimate.
Microsoft ASR (Attack Surface Reduction) rules provide protection against OLE abuse nowadays.
32. Phishing Templating
Legitimate MIME-formatted marketing mails can be copied and customized for phishing.
Create an internal-forward-like template when spear phishing.
33. See to the C2
C2 servers are set up on a VPS to execute commands on the connected victim
machines.
Some of the popular C2 frameworks used nowadays are
Covenant
Empire
Koadic
35. What about Firewall?
Many organizations have a firewall and Defender; how do you evade the firewall and
the endpoint protection?
Stealthy C2 data exfiltration needs to be used in these types of scenarios.