As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass, they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging built-in features: injecting calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
1. A Google Event You Won't Forget
Mike Felch & Beau Bullock
A journey through red teaming Google Suite
2. Who We Are
• Mike Felch - @ustayready
• Pentest / Red team at BHIS
• Involved w/ OWASP Orlando and BSides Orlando
• Beau Bullock - @dafthack
• Pentest / Red team at BHIS
• Host of Tradecraft Security Weekly
• Avid OWA enthusiast
6. G Suite Security
• Not an exhaustive list...
• Suspicious activity alerts/emails
• Additional security dialogs
• Touch this number
• Last location used
• Chrome kind of identifies phish sites
• Easily avoided using SSL! Let's Encrypt!
• Awesome G Suite Admin console
8. G Suite 2FA
• Lots of different options…
• None are bulletproof
• Convenience vs "Safer"
• Not a Google problem.. so-to-say
• but.. everything w/ G is broken :(
• Advanced Protection Program
• Dual U2F .. come at me bro.
9. G Suite 2FA - SMS
• Username/Password + SMS token
• Super convenient to enroll
• Default 2FA option for most
• Backup option for Google
• Google is moving away from it
• NIST 800-63B is deprecating it
• Mobile carrier redirection?!
• Malicious app?!
• Really bad idea
10. G Suite 2FA - TOTP
• Username/Password + TOTP
• Little difficult for non-tech
• Token rotates & expires
• Lots of apps available
• Backup option for Google
• Switch devices? Uhh ohh..
• Pretty bad idea
Source: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324
11. G Suite 2FA - Phone Prompt
• Username/Password + Smart Phone
• Requires Android/iOS
• Weird login? Touch this number
• Suspicious location? Show me more
• Seamless verification process
• Pretty good alternative
14. Setting Up
• Quick recon for names/emails
• Create doppelganger Gmail
• Import contacts to resolve profiles
• Set up server environment
• Domain, SSL, Phishing page
• Create fake agenda in GDoc
• Set open sharing permissions
• Redirects users to avoid suspicion
15. Exploiting Trust
• Needs to look legit
• Needs to trigger a response
• Needs to create urgency
• Needs to go undetected
• Needs to avoid red flags
Don't email, inject events!
17. Event Injection
• Silently inject events into calendars
• Creates the urgency via reminders
• Include link to fake agenda
• Mass-exploitation w/o visibility
• Litter calendars for the future
• Remove traces by erasing the event
• Include GoToMeeting
• Don't forget to record the meeting! :)
• How did we get here???
18. Event Injection
• One day I got a calendar alert for a flight that wasn't mine
• A coworker had sent their flight details in an email
• Google thought the itinerary was mine and automatically added it to my calendar
• This was the start of something very interesting...
19. Event Injection
• An email isn't necessary though
• Simply add a Google user to an event and select to not notify them
• Google will automatically add that event to their calendar
• This can present a very unique situation for phishing...
20. Event Injection & SE
• Here are a few ideas:
• Include a link to a conference call site but have it pointing to a credential collection page
• Include a malicious attachment "agenda"
• Have victims navigate to a fake Google Auth page and collect creds (more on that soon…)
21. Event Injection
• Events get even more fun when you use the Google API
• It's possible to make it look like a user already accepted an invitation
• ...they never received an invite though.
• This bypasses the setting for not auto-adding events to G-calendar
27. Personalized Password
• Fetch the profile image
• Google Picasa API
• JavaScript XMLHttpRequest()
• Ask nicely for the password
• Behind the scenes, authenticate
• Is 2FA present?
• No? Redirect them to GDoc agenda
• Doh! 2FA is enabled.
• Which type? Extract information.
30. Personalized Authenticator
• Contains profile image and email
• Contains 2FA application name
• Make it look pretty
• Ask nicely for the token
• Capture and move quickly
• You have 30 seconds
33. Personalized SMS
• Contains profile image and email
• Contains last 2 digits of phone number
• Make it look pretty
• Ask nicely for the token
• Capture and move slowly
• You have plenty of time
• SMS token not tied to session
• Unused tokens get re-sent later
• Not sure how long but definitely hours
39. ...and the dreaded U2F
• Contains profile image and email
• Can capture signed message
• Replay w/ SendKeys doesn't work
• Virtual keyboard lacks KeyCode
• Replay w/ Ducky doesn't work
• Changed VID/PID
• Modified USB Composite firmware
• Doesn't conform to FIDO U2F spec
• … for another day
• Instead, let's force a bypass!
40. ...and the dreaded U2F
• U2F only works w/ Chrome
• Requires backup SMS or TOTP
• What about other browsers?
• Downgrades to backup options :)
• Change our backend user agent
• CriOS or Python-urllib/2.7
• Triggers SMS token
• Redirect to SMS phish page
• Continue as normal :)
41. Additional 2FA Points
• Might get asked for last location
• GeoIP it from IP during capturing
• Immediately clear red alert bar
• Clear for one, clear for all
• Multiple failed phone prompts
• Disables phone prompt for few hours
• Automatically switches 2FA option
• May also contain attacker location/device
• Pass session from backend to attacker
• Haven't tried but I also haven't needed to
46. Pilfering Data
• Search Gmail for sensitive data
• Just like how MailSniper works with Exchange, you can now search Gmail for sensitive data as well
• A bonus is that it works with Google's search operators
• Will soon include Google Drive, Google Groups and export Contacts
47. Pilfering Data
• Let's talk about Google's data export for a moment…
• It literally has everything
• You can export every piece of data Google knows about you including:
• Search history
• Location history
• All G-Drive files
• All Emails
• All Contacts
• and much more....
49. Pivoting Systems
• Victim using Google Drive? Synchronize payloads!
• Any third party systems in the email?
• Probably password re-use
• If not, just reset the password!
• What about a company Slack?
• Salesforce? Corp apps?
• Phish other employees!
• Corporate VPN
• Easy gateway into the internal network
52. Fighting Back: Admins
• Get familiar with Google Admin console
• Admin SDK available for CLI
• Search by IP address
• Don't just change passwords
• Remove backdoors
• Look for rogue email forwards
• Generate a timeline
• Communicate better!
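An added Python example (not the presenters' tooling) of the admin triage this slide calls for, run over constructed records laid out like Admin SDK Reports API login-activity items (the field names are an assumption, and the data is made up): scope the incident by source IP, list the settings changes that a password reset alone will not undo, and build a per-account timeline.

```python
from datetime import datetime

# Constructed sample records shaped like Reports API "activities" items
# (assumed layout; not real audit data). Each has a UTC time, an actor,
# a source IP and one or more named events.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2018-08-01T13:02:11Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "login_success"}]},
    {"id": {"time": "2018-08-01T13:03:40Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "email_forwarding_change"}]},
    {"id": {"time": "2018-08-01T13:05:02Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "2sv_disable"}]},
    {"id": {"time": "2018-08-01T15:10:00Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "198.51.100.4", "events": [{"name": "login_success"}]},
    {"id": {"time": "2018-08-01T15:12:30Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "203.0.113.7", "events": [{"name": "login_success"}]},
]

# Persistence-style changes to hunt for after a phish ("don't just change passwords").
BACKDOOR_EVENTS = {"email_forwarding_change", "recovery_email_edit",
                   "recovery_phone_edit", "2sv_disable"}

def flatten(activities):
    """Return (timestamp, actor, source_ip, event_name) rows, oldest first."""
    rows = []
    for item in activities:
        ts = datetime.strptime(item["id"]["time"], "%Y-%m-%dT%H:%M:%SZ")
        for ev in item["events"]:
            rows.append((ts, item["actor"]["email"], item["ipAddress"], ev["name"]))
    return sorted(rows)

def accounts_seen_from(activities, ip):
    """Scope the incident: every account with activity from the suspect IP
    ("clear for one, clear for all")."""
    return sorted({actor for _, actor, src, _ in flatten(activities) if src == ip})

def backdoor_changes(activities, accounts):
    """Settings changes on affected accounts that outlive a password reset."""
    return [(ts.isoformat(), actor, name) for ts, actor, _, name in flatten(activities)
            if actor in accounts and name in BACKDOOR_EVENTS]

def timeline(activities, account):
    """Human-readable per-account timeline for the incident write-up."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} {src:>15} {name}"
            for ts, actor, src, name in flatten(activities) if actor == account]

if __name__ == "__main__":
    suspects = accounts_seen_from(SAMPLE_ACTIVITIES, "203.0.113.7")
    print("accounts from suspect IP:", suspects)
    print("backdoor changes:", backdoor_changes(SAMPLE_ACTIVITIES, set(suspects)))
    print("\n".join(timeline(SAMPLE_ACTIVITIES, "alice@example.com")))
```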
53. Fighting Back: Users
• If you didn't expect it, question it
• Don't let urgency cause a misstep
• Security Check-up is awesome
• Look for suspicious activity
• Weird activity/devices/apps?
• Weird email rules?
• Weird recovery/forwarding email?
• Careful where you click/login!!!
• Pay close attention to the domain
55. Recap
• SMS/TOTP 2FA is DEAD if tokens aren't tied to sessions
• U2F is USELESS if SMS/TOTP are default alternative options
• Phishing training should be on BEHAVIOR not specific red flags
• Convenience for the company means convenience for ATTACKERS
If you use G Suite literally anyone can inject an event into your calendar… and there's nothing you can do about it. ¯\_(ツ)_/¯
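The session binding the recap asks for, as an added Python example that is not the presenters' code: a TOTP verifier that only accepts a code for the login session that requested it and burns each accepted time-step, so a code captured and relayed later is rejected as a replay. The secret and timestamps follow the RFC 4226/6238 test vectors; the session-challenge shape is an assumption.

```python
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30  # RFC 6238 default step length in seconds

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step that contains second t."""
    counter = struct.pack(">Q", t // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SecondFactorVerifier:
    """Verifies TOTP codes for one pending login session at a time and records
    the highest accepted time-step so an already-used code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step_used = -1   # highest time-step counter already accepted
        self.pending = {}          # session_id -> challenge expiry (epoch seconds)

    def start_challenge(self, now: int, ttl: int = 60) -> str:
        """Issued right after the password check passes; the code must come back
        with this id, so a code phished for another session is useless here."""
        sid = secrets.token_hex(8)   # assumed session-id format
        self.pending[sid] = now + ttl
        return sid

    def verify(self, session_id: str, code: str, now: int) -> bool:
        expiry = self.pending.get(session_id)
        if expiry is None or now > expiry:
            return False             # unknown or expired session: not tied to this login
        step = now // TIME_STEP
        for drift in (0, -1):        # tolerate one step of clock skew
            candidate = step + drift
            if candidate <= self.last_step_used:
                continue             # already consumed: this is a replay
            expected = totp(self.secret, candidate * TIME_STEP)
            if hmac.compare_digest(expected, code):
                self.last_step_used = candidate
                del self.pending[session_id]   # one challenge, one success
                return True
        return False
```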
56. Questions to Google
• Do we need the ability to force Event responses for users?
• Can we have the ability to whitelist auto-add events by domain?
• Can we have Phone Prompt AND U2F instead of SMS/TOTP?
• Can we have 2FA tokens tied to sessions?
• Why are the same SMS tokens re-sent instead of cancelling them?
57. End Slide
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• MailSniper
• https://github.com/dafthack/MailSniper
• CredSniper
• https://github.com/ustayready/CredSniper
• Questions?