7/22/2019 Creating a collaborative attack platform with Maltego Tungsten

PATERVA (PTY) LTD

Maltego Tungsten with Teeth / KingPhisher
Creating a collaborative attack platform with Maltego Tungsten

RT
20130712
Background

One of the key features of Maltego Tungsten (to be released at BlackHat 2013) is collaboration. It allows analysts to share graphs in real time over XMPP. This allows a group of analysts (or attackers) to work together on the same goal. Combined with the already state-of-the-art footprinting and personal profiling capabilities we have in Maltego (think machines in Radium), this provides a very capable attack platform. It combines human intelligence, pattern recognition and powerful automated attack tools with graphical information sharing software. When we designed and built this system our motivation was to create the ultimate attack platform that can be used by multiple analysts.
Design criteria

The following limitations were considered:

- External attack, meaning that the attack team will be conducting their attacks over the Internet. In other words, not internal to the network, not over wifi or from hosts compromised prior to the attack.
- No 0day: we assume that the attackers do not have access to 0day. The success of the attack should not hinge on the availability of 0day.
- Zero knowledge (black box): we assume that at the start of the attack the attackers have no prior knowledge of the target systems in use or the people involved.
- Attacking a large organization. We will assume that the network or organization under attack is national or multinational. In other words, the type of attack is most useful for a wide selection of targets, not a single specific host or person.

Other design criteria were that all transforms would run as local transforms (for the Teeth segment), that the code be open and written in Python/PHP, and that it would be very easy to modify and extend. The platform chosen to develop and deploy this is Kali Linux.
Maltego Teeth

Since the first release of Maltego we've made sure that none of the bundled transforms were offensive. While the results of the transforms were very valuable for security analysts, the transforms themselves did not do a lot to raise eyebrows. With our BlackHat 2013 talk we're going back to our roots: security. We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses. When using these transforms you'll be clearly attacking a target.

There are three sections of interest.

- Infrastructure. These are conventional attacks against machines connected to the Internet, as opposed to people or personal devices.
- People. These are essentially attacks where people are involved in the success of the attack. Think social engineering & spear phishing.
These will be discussed in detail below.

Infrastructure - Teeth

Keeping the limitations in mind there are basically three steps we follow here:

1. What do they have out there?
2. What can we get from what's already out there?
3. Can we get more by breaking controls?

Step 1: What's out there?

The first step is discovery of everything that the target exposes to the Internet. This is basic footprinting, something that's always been a key feature of Maltego. Using the prepackaged footprinting machines introduced with Maltego Radium you can literally do a one-click footprint of a large organization. The methodology of this footprint has been discussed in depth in the past and is not repeated here.

Below is a graph generated by the L3 footprinting machine of Maltego on the Johannesburg Stock Exchange (JSE):

It's not a massive graph as the JSE does not have a large external footprint.

The footprint of Iran's AEOI:
Or the CIA:

In comparison, a really large network map of Yahoo (just DNS names and domains):
The result of a footprint provides us with:

- Domains and DNS names (websites, MX records, NS records, reverse DNS names amongst others)
- IP addresses, netblocks and AS numbers

Step 2: What can we get to?

File and directory mining

In terms of exposed services you are most likely to see HTTP and HTTPS. The most basic form of info gathering would be to look for unlinked files and directories on these web servers, in other words file and directory mining.

There are many scripts and scanners out there that perform this function; however, we've found that very few of them do this properly (e.g. not looking at HTTP status codes but rather comparing server responses). The right way to do this is as follows:

- Request a directory that you know does not exist and store the response in X.
- Request another directory that you know does not exist and store the response in Y.
- If X and Y are similar (we're using Levenshtein distance) then we know we can test properly. If they are not similar it's not possible to test other directories.
- Now request the directory you're interested in and compare the response to Y (or X). If it's significantly different then the directory is likely to be there.

In the same way we can test for filenames, with two exceptions:
- Baseline testing (X/Y) needs to be performed per file extension type. The response for an unknown ASPX file might be different to that of a PHP file.
- Baseline testing (X/Y) needs to be performed per directory. The response from the system for /scripts/login.php might be different to the response for /backup/login.php.
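The X/Y baseline comparison above, as an added example that is not part of the paper or of Teeth: a pure-Python Levenshtein distance applied to constructed sample responses. It also shows the defensive flip side, an error page that embeds a per-request reference id (constructed here), which makes two "missing" responses dissimilar and so defeats the baseline check.

```python
# Added example: the X/Y baseline check from the text, on constructed responses.
# Defender's note: a 404 page carrying per-request data (a reference id, a
# timestamp) makes X and Y disagree, so the mining method cannot calibrate.

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 means identical, 0.0 means nothing in common."""
    longest = max(len(a), len(b)) or 1
    return 1.0 - levenshtein(a, b) / longest

def baseline_ok(x: str, y: str, threshold: float = 0.9) -> bool:
    """Two 'known missing' responses must agree before any testing is possible."""
    return similarity(x, y) >= threshold

def probably_exists(candidate: str, baseline: str, threshold: float = 0.9) -> bool:
    """A response far from the baseline suggests the requested path is real."""
    return similarity(candidate, baseline) < threshold

# Constructed responses (after redirects) from a server with a static 404 page.
STATIC_404_X = "<html><title>Not found</title><body>No such page: /aaa</body></html>"
STATIC_404_Y = "<html><title>Not found</title><body>No such page: /bbb</body></html>"
LISTING = "<html><title>Index of /backup</title><body><a href='db.sql'>db.sql</a></body></html>"

# Constructed responses from a server whose error page embeds a request id.
NONCE_404_X = "<html><body>Not found. ref=8f3c1a9e2b7d4c6e0a1b2c3d4e5f6a7b</body></html>"
NONCE_404_Y = "<html><body>Not found. ref=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d</body></html>"

def demo() -> dict:
    return {
        "static_baseline_ok": baseline_ok(STATIC_404_X, STATIC_404_Y),   # True
        "listing_detected": probably_exists(LISTING, STATIC_404_X),      # True
        "nonce_baseline_ok": baseline_ok(NONCE_404_X, NONCE_404_Y),      # False
    }

if __name__ == "__main__":
    print(demo())
```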
There are a few other things to keep in mind. To get the real response it's best to test the actual output of the file/directory request, meaning after following HTTP redirects. For this reason we're using the Mechanize library. Other than Selenium (which is too heavyweight for this and not as portable as we would like) this is the closest you are going to get to a real browser. The disadvantage of using Mechanize is that it does not interpret JavaScript.

Testing for a list of directories or files in the root of a web server is only so exciting. In order to do this job properly we also need to check for files and directories in other paths of the server. Imagine that the entire web structure is located under /corp/; then testing for /backup.zip (while mandatory) is a lot less interesting than testing for /corp/backup.zip or looking for /corp/mediafile/archive/.
We use two methods for getting valid web directories:

- performing a crawl/mirror of the site
- requesting and parsing /sitemap.xml

Not all sites contain sitemap.xml, but for those that do it's an instant win: we'll get the entire site's structure. If that fails we can always revert back to crawling the site.

With the site's structure known (or partially known) we can now happily scan for files and directories in these known paths, and we'll do this for all the websites we found in the footprint.

Checking for indexability

At this stage we should have a nice list of directories that we've found either by crawling, brute forcing or inspecting sitemap.xml, and it would make sense to see if any of them are indexable. Enough said.
Finding CMS backends

CMSes (Content Management Systems) have become very popular. Two popular CMSes are WordPress and Joomla. Both of these provide the user with an administrative backend where they can log in to upload new content or modules. With Joomla and WordPress it is possible to upload a malicious module/addon that will provide a web-based command shell (like C99 shell). In most cases these interfaces are exposed to the Internet; this means that access to the web content, or uploading a malicious payload, is merely protected by a single password. They are mostly located in a set location and it's trivial to test if they exist. In Maltego Teeth we're looking at 3 different CMSes:

- Joomla at /administrator/index.php
- WordPress at /wp-admin/
- cPanel at :2082/login/ (although not a real CMS, still very popular)

In the next section we'll see how we brute force these CMSes.
Finding OWA (and other interesting) interfaces

OWA (Outlook Web Access) has almost become the de facto standard way to provide remote email for large corporate organizations. When looking at the Fortune 1000 companies we've found that about 60% of them have exposed OWA interfaces. In most cases you can simply browse to this interface and enter a valid username and password in order to gain access to the mail interface. The interface not only supplies the actual mail but the organization's calendar and address book (names, phone numbers, departments) as well; this is a gold mine for other attacks (think social engineering, see the next section).

There are a few OWA types used:

- OWA 2003
- OWA 2007
- OWA 2010
- OWA Office
- OWA Live (cloud)

These are protected either with a forms-based login or with NTLM.

The way Teeth finds these is as follows:

1. Using async DNS, search for the following DNS names: mail, webmail, owa, outlook, exchange, secure, gateway, vpn, activesync, connect
2. Check that it does not resolve to a wildcard entry
3. See if it's open on port 443 (we assume nobody will run their webmail over HTTP)
4. If you find HTTP code 401 assume it's NTLM and mark it as such
5. If you get HTTP code 200 follow redirects and store the response
6. Compare the response with a list of signatures and see which ones match
7. If it does not match any stored response mark it as generic.

It becomes clear from steps 5 and 6 that this method also works for other types of interfaces such as VPNs, gateways, webmail providers etc. In Teeth we've stored 22 different responses, from Citrix gateways and SecurID interfaces to Cisco WebVPN responses, and adding additional types is trivial.

In the next section we'll show how we brute force OWA. Building a brute force attack script for other types is left as an exercise to the reader.
Finding Possible Injection Points (PIPs)

Using automated SQL injection tools such as SQLMap one can test for SQL injection with minimal effort. To be able to do so you need to point it to a URL, specify if it's a POST or a GET and which parameters to test for.
A side effect of a crawl/mirror is that we also have a good idea of what forms (or GETs with parameters) are surface visible on a website. Note that we say surface visible, i.e. not forms or GETs that are located behind web forms that require authentication or elaborate JavaScript.

Armed with this info we can make a calculated guess which forms would be interesting to test for SQL injection. A form with a single submit button might not be interesting. A form with one parameter called print might not be interesting. We might end up testing just a single parameter.

As an example consider the following form:

POST /search.php
Parameters:
  o s=
  o print=true
  o redirect_url=http://www.site.com/search_done.php
  o sessionID=12345

In this case the only parameter that is likely to yield interesting results when tested would be s. This does not mean that we can discard the other parameters when sending the request, as that might cause the script to break. We thus get to a situation where we can filter which parameters to test for based on the names, actions or values of the parameter.

In the next section we'll look at how we can attack these PIPs.
Step 3: Breaking controls

While the methods used in the previous section could perhaps still be seen as information gathering techniques, the methods discussed here are all-out attack.

Brute forcing CMS

A Metasploit plugin for brute forcing WordPress exists and we'll use that to brute force WordPress. The password list is extended with three derivatives of the domain name. Let's assume that the website is called www.cookiesrus.co.za. The password list will be extended to include cookiesrus123, cookiesrusadmin and cookiesruspassword. This can easily be extended to include other mutations.

Joomla brute forcing is performed using a custom Python script; this is because Joomla inserts a CSRF token in every login page which is checked when a POST is sent, and most generic brute forcing scripts do not support this. The same password extension happens for Joomla brute forcing.

Successful logins are graphically indicated.
Brute forcing OWA

In order to brute force OWA the attacker needs to select which email addresses she wants to use first. These are written via the Maltego GUI to a local file. When the user runs the brute force OWA transform an external dialog window is popped up to ask the user from which domain she wants to select email addresses.
The attacker can send email addresses with or without the domain (the one used in the email address, not to be confused with a Microsoft-world domain). The thinking here is that OWA really uses a username and a (Microsoft-world) domain. If the (MS) domain is not specified it will use the default domain, which in most cases is the best bet. The username *might* be the part of the email address in front of the @ sign, and many large corporate organizations are now adopting this naming convention. The other option could be that the MS domain and the address domain are really the same thing, in which case it would make sense to send both.

The OWA type is stored within the entity and based on the type either NTLM or web forms is used. NTLM brute forcing uses Hydra while form-based login is done with Mechanize.

Another interesting side effect of OWA brute forcing is denial of service. Most OWA implementations lock the account after 3 incorrect password attempts. As such the password file for OWA only contains two passwords. If the file contains more than 2 passwords (and they are indeed incorrect) the account will be locked out. Since many OWA servers are directly connected to the main domain controller of the organization this might mean a system-wide lockout, at least temporarily. Such a denial of service against multiple accounts would seem to be very costly for the target organization.
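As an added example (not part of the paper or of Teeth), detection logic for the lockout side effect just described: it reads constructed, IIS-style OWA authentication log lines and reports accounts that hit the 3-failure lockout threshold within a window, and source addresses that failed against many distinct accounts, the pattern a bulk OWA brute force produces. Field layout, thresholds and addresses are assumptions made for the example.

```python
# Added example: spotting the OWA lockout / bulk brute-force pattern in logs.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3          # "most OWA implementations lock after 3"
SPRAY_MIN_ACCOUNTS = 5         # distinct accounts per source before alerting
WINDOW = timedelta(minutes=10)

# Constructed sample lines: "date time client-ip method uri status username"
SAMPLE_LOG = """\
2013-07-12 10:00:01 198.51.100.7 POST /owa/auth.owa 401 alice
2013-07-12 10:00:02 198.51.100.7 POST /owa/auth.owa 401 alice
2013-07-12 10:00:03 198.51.100.7 POST /owa/auth.owa 401 alice
2013-07-12 10:00:04 198.51.100.7 POST /owa/auth.owa 401 bob
2013-07-12 10:00:05 198.51.100.7 POST /owa/auth.owa 401 carol
2013-07-12 10:00:06 198.51.100.7 POST /owa/auth.owa 401 dave
2013-07-12 10:00:07 198.51.100.7 POST /owa/auth.owa 401 erin
2013-07-12 10:00:08 198.51.100.7 POST /owa/auth.owa 401 frank
2013-07-12 10:05:00 203.0.113.9 POST /owa/auth.owa 401 alice
2013-07-12 10:05:30 203.0.113.9 POST /owa/auth.owa 200 alice
"""

def parse(line: str):
    """Split one constructed log line into (timestamp, ip, status, user)."""
    date, time, ip, _method, _uri, status, user = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, int(status), user

def analyze(log_text: str) -> dict:
    """Return accounts that tripped the lockout and sources that look like a spray."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    failures_by_user = defaultdict(list)
    users_by_source = defaultdict(set)
    for ts, ip, status, user in events:
        if status == 401:                  # failed authentication
            failures_by_user[user].append(ts)
            users_by_source[ip].add(user)
    locked = set()
    for user, stamps in failures_by_user.items():
        stamps.sort()
        # sliding window: LOCKOUT_THRESHOLD failures inside WINDOW trips the lockout
        for i in range(len(stamps) - LOCKOUT_THRESHOLD + 1):
            if stamps[i + LOCKOUT_THRESHOLD - 1] - stamps[i] <= WINDOW:
                locked.add(user)
                break
    spray_sources = {ip for ip, users in users_by_source.items()
                     if len(users) >= SPRAY_MIN_ACCOUNTS}
    return {"locked_out": sorted(locked), "spray_sources": sorted(spray_sources)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    # {'locked_out': ['alice'], 'spray_sources': ['198.51.100.7']}
```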
SQL injection: attacking PIPs

In the previous section we saw how we can identify possible injection points (PIPs). Using SQLMap we now test if these forms or GETs are indeed injectable. The transform simply runs SQLMap on the URL with the correct parameters. When an injection string is found to be successful it is shown graphically on the Maltego interface; the default behavior of SQLMap is to show the database and current table structures.

There are some limitations and considerations when using this attack:

1. The PIP scanner will only identify surface visible forms; this was discussed in more detail in the previous section.
2. Since we're not sure what database type is in use we can either scan using all types (SLOW) or specify the database type. In a subsequent version of the framework this should be addressed, e.g. by finding the most likely database type automatically.
3. SQLMap takes a long time to run. As such you need to carefully select which forms to attack. It would be possible to extend this so that the list of databases is shown as entities from the PIP, with transforms to enumerate tables from these databases. This functionality is left as an exercise to the reader.
Port scans / Service scans / Nmap with NSE scripts

After careful consideration (we looked at Nessus, Metasploit etc.) it was decided to go with Nmap with NSE scripts as a makeshift "vulnerability scanner". We use this in quotes because it's not a full-blown vuln scanner but rather a compilation of scripts and a good port scanner. We've found that in many cases the NSE scripts bundled with Kali Linux served our purpose very well. Other considerations were stability, speed of execution, extensibility and ease of integration with Maltego.
There are 8 different families of NSE scripts. These are auth, default, discovery, external, intrusive, malware, safe and vuln. Two additional ones are "all" and "none", family names we've added for use with Maltego Teeth. The attacker can select which of these families should be used, which ports should be scanned and which additional Nmap parameters should be used.

The attacker can initiate scans against DNS names (this includes websites and MX/NS records) or IP addresses. Netblocks can be expanded to several IP addresses in order to scan these.
Attacks against people - KingPhisher

Introduction

While infrastructure attacks are pretty well known to everyone they are not always very effective. Ask any pentester what's the most certain way that they'll compromise a system and they are likely to tell you that it would involve people working at the target organization.

People are not machines. People make mistakes and are driven to act in certain ways either through fear, curiosity or greed. Additionally, people intentionally open non-conventional attack vectors to themselves. This includes email, IM, social networks or even real-life devices such as phones or other mobile computing platforms.

In this section we'll look to see if it would be possible to deliver a well-crafted email to a target and do so with little or no interaction from the attacker. In other words, is it possible to spear phish someone and let Maltego do the heavy lifting? In subsequent updates to the platform we'll also look at other vectors such as IM and social networks.
The goal

The goal of this phishing attack (in order of impact) is as follows:

1. Identify user characteristics from clicked links such as user agent and IP address.
2. Get the target to simply click on a link. We might choose to deliver some form of payload in the resulting page.
3. Redirect the user to a fake social network / public webmail (Gmail etc.) login page. Hope the target will enter credentials.
4. Redirect the user to a fake corporate webmail / VPN portal and hope to get credentials.

In 3 and 4 we're hoping that the user will re-use credentials and the attacker can use these on more sensitive infrastructure (think corporate VPN etc.). The keyword in scenario 2 is of course browser 0day, but getting the external IP address of the user is also valuable.
Already in Maltego

The more information we know about a person the more enticing the email we can send to our target. Maltego already offers many transforms to profile a person. This includes getting the target's email address, social networks and friends from these social networks.

The starting point would likely be the domain of the organization we're attacking. From there we can enumerate email addresses and from that we can resolve social network memberships. In some instances we might be able to make educated guesses as to what the person's name and surname is, or add more information about our target manually.
Templates

Maltego creates a graph of these relationships. By sending the graph to an external process we are able to extract these relationships and, based on what information we find, we can create a list of email templates. In a practical example, from a target domain of target.com we find an email address john.doe@target.com. The person's name is likely John Doe. We resolve social network membership and find a Flickr profile and a Facebook profile. From the Flickr and Facebook profiles we get interests and friends and connections. Our templates that we can choose from could now be:

1. Spoofed email from Facebook with a new friend request
2. Spoofed email from Facebook with a photo tagged by a person who is a FB friend of the target
3. Spoofed email from Flickr with new photos from a friend
4. Spoofed email from a company specializing in interest X
5. Spoofed email from target.com with instructions

The attacker will be able to choose which template she wants to use, tweak a few configuration options, and the framework will figure out the rest.
Types of redirects/bounces

There are three types:

- Just bounce. Upon clicking on the link the user will just be redirected to another site.
- Get info, then bounce. The framework will collect the user's IP address and user agent and then redirect.
- Get info, phish, then bounce. The framework will collect the IP address and user agent, then present the user with a copy of a popular social network's login page, collect the credentials and then redirect the user to the real site.

This gives the attacker the flexibility to choose exactly what the target will see once he clicks on a link.

Challenges

The following mechanisms are used to automatically protect users against this type of email:
Sender Policy Framework (SPF)

This is implemented on the receiving SMTP server. The server will check if the remote host matches the SPF records for the sender's domain. What this means is that you cannot send email as pete@companyX.com if your connection is not originating from the IP range(s) of company
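As an added example (not the paper's code), the receiving-side SPF evaluation described above, run against a constructed SPF TXT record for companyX.com (the paper's placeholder domain); the record contents and addresses are assumptions, and only ip4, ip6 and all mechanisms are evaluated offline.

```python
# Added example: how a receiving SMTP server applies an SPF record to the
# connecting host's address. Mechanisms needing DNS (include, a, mx, ...) are
# reported as "unresolved" because this example runs offline.
import ipaddress

# Constructed records; "companyX" is the paper's placeholder name.
SPF_RECORDS = {
    "companyx.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "softfail.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror/unresolved (RFC 7208 terms)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]    # catch-all: usually "-all" or "~all"
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in ("a", "mx", "include", "exists", "ptr"):
            return "unresolved"             # would need a DNS lookup
    return "neutral"                        # nothing matched and no 'all' term

def check_sender(mail_from: str, client_ip: str) -> str:
    """Look up the sender domain's record and evaluate the connecting host."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    return "none" if record is None else evaluate_spf(record, client_ip)

if __name__ == "__main__":
    print(check_sender("pete@companyX.com", "192.0.2.10"))    # pass
    print(check_sender("pete@companyX.com", "203.0.113.5"))   # fail
```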
DomainKeys Identified Mail (DKIM)

Senders of email can decide to implement DKIM, thereby cryptographically signing parts of the message, typically the sender's and receiver's email addresses. This means you cannot send email as

Filtering, trigger words

Email providers (like Gmail) or email clients (like Microsoft Outlook) have built-in spam and phishing detection and will mark email from our platform as such. They might choose to trigger on emails that are close to the templates of known providers.
These techniques are usually used in combination. The first two protection mechanisms mean that you cannot effectively spoof from major sources (like Facebook, Twitter, etc). This is not a major problem as you can easily send the email from accounts that *look* like these providers. In other words [email protected]@twitte.r.com.

However, when the techniques are used in tandem it becomes a little tougher. If you are sending email that looks a lot like that of a major email source but you are not that source it might be marked as spam. The good news is that there are many ways to create HTML that looks the same. The HTML source might not look the same but the rendered output will. This makes it possible for us to send email that looks exactly like the real deal, but on the wire looks a lot different. It's more work but it's worth it in the end.
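A receiving-side check for the lookalike sender domains just mentioned, as an added example that is not part of the paper or of KingPhisher: it flags a sender domain that is close to, but not the same as, a brand's real domain. The brand list, the confusable-character map, the threshold and all sample senders except twitte.r.com are constructed for the example.

```python
# Added example: flag sender domains that resemble a known brand domain.
from difflib import SequenceMatcher

# Constructed brand list for the example.
BRAND_DOMAINS = ["facebook.com", "twitter.com", "flickr.com", "gmail.com"]

# Digit/letter substitutions commonly seen in lookalike names (constructed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lower-case, fold confusable characters, drop dots and hyphens.

    Dropping dots is what makes twitte.r.com collapse onto twitter.com."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace(".", "").replace("-", "")

def closest_brand(sender_domain: str):
    """Return (brand, ratio) for the brand domain most similar to the sender."""
    target = normalize(sender_domain)
    scores = {b: SequenceMatcher(None, target, normalize(b)).ratio() for b in BRAND_DOMAINS}
    best = max(scores, key=scores.get)
    return best, scores[best]

def is_lookalike(sender_domain: str, threshold: float = 0.8) -> bool:
    """True when the domain resembles a brand but is not actually that brand."""
    sender_domain = sender_domain.lower()
    if sender_domain in BRAND_DOMAINS:
        return False                     # the genuine domain is never a lookalike
    _brand, ratio = closest_brand(sender_domain)
    return ratio >= threshold

def classify(sender: str) -> str:
    """Label one sender address as 'lookalike' or 'ok'."""
    domain = sender.rsplit("@", 1)[-1]
    return "lookalike" if is_lookalike(domain) else "ok"

if __name__ == "__main__":
    for s in ["notify@twitte.r.com", "news@faceb00k-mail.com",
              "a@facebook.com", "b@example.org"]:
        print(s, classify(s))
```

SPF and DKIM only say whether mail really came from the domain it claims; a check like this is what catches mail that genuinely comes from a domain chosen to resemble the brand.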
Managing the campaign

When sending email to many different targets the attacker would want to have a way of managing the campaign, as it is easy to lose track of which emails were sent to which targets. With three simple transforms and perpetual machines this can be done graphically within Maltego. The transforms are as follows:

- From the control center get the email addresses of targets
- From each target get the IP address and user agent (if it exists)
- From each target get the credentials mined (if any)

The entire system's flow diagram thus looks as follows:
[Flow diagram; only the labels survive extraction. Components: Maltego client, KP controller, SMTP sender, Target, Collector. Labelled steps: 1. POST graph; attacker configures mail; 2. Collector setup; 2. After setup, ready send; 3. Email sent; 4. User visits site; 5. Monitor campaign.]
Conclusion

There are several aspects of IT security that have not been touched on in this paper. The goal of this paper is not to show new attack vectors or methods. It is to show that almost all methods of attack can be incorporated into a single platform. A platform where attackers can share information, visualize it and launch new attacks collaboratively.

We are painfully aware that for the man with a hammer, everything looks like a nail. In our case every security tool or attack technique looks like a nail and our hammer is Maltego Tungsten.