Saturday, March 12, 2016

The Commonalities of Fly Fishing, Pentesting and Social Engineering

I spend a lot of time thinking about these topics, so seeing illustrations of them in each other is expected.  This post is intended to share some of these.  But first, some concept definitions.

Pentesting is the art of testing an organization's defenses and security posture by exploiting (with appropriate written permission) computer software, hardware, and in the case of social engineering, people.

Social engineering is the art of getting someone to do something that they would not normally do (the psychological manipulation of people into performing actions or divulging confidential information).  It is not uncommon to obtain remote access to an organization's network via social engineering someone to execute a backdoor (by sending them a carefully crafted email with the backdoor as a link or an attachment), or by physically gaining access to one of their computers within their facilities.


Fly Fishing is an angling method in which an artificial "fly" is used to catch fish.


Sometimes fly fishing feels like a form of social engineering.  What I mean is that when we fish with artificial flies, we are essentially lying to fish.  We are putting something right in front of them that is fake, something that may or may not closely resemble something that they eat, and hoping they will fall for it.  I generally spend most of my time fly fishing for wild trout in mountain streams.  And if you didn't already know, trout are way smarter than we think they are, which is why fly fishing is not easy, is a lifelong learning process, and is so incredibly interesting and fun.

That's essentially what we do when we attempt to socially engineer someone.  We put something fake in front of them that looks so real that they will fall for it.  And that fake thing often gives us access to networks and computers and facilities that we need to complete our penetration testing engagements.


Here are some thoughts from fly fishing on its similarities to social engineering and pentesting...

Preparation.  It's about choosing the right fly for the fishing situation.  That's way harder than it seems.  Trout are picky about what they eat, and unless they are extremely hungry, they focus on what they expect to see.  They see Midges in the water, emergers on the surface, or mayflies falling to the surface.  Trout flies need to match (as closely as possible) what the trout expect on that day (and even that time of day).  It's often referred to as "matching the hatch", which makes a basic understanding of entomology very important.  It's often a hit-and-miss thing, where you have to try quite a few different flies before one works.  And you are doing this in an environment that is their home, not yours. It's not an easy thing to do, and if it was I probably wouldn't be very interested.


Preparation for a social engineering attempt is similar, especially if it's a targeted attempt.  We have to create and present something that the user would expect, or at least make it look like something they would consider legitimate.  That involves understanding what's normal in an organization, and includes knowing who knows who, who knows what, who trusts who, etc.  Similar to knowing bug entomology and what trout eat, you must know your target.  If you are targeting a "big fish", you will definitely have to "match the hatch", focusing on the people and events that the target knows and finds relevant, making it harder to resist.


Presentation.  This is one of the hardest parts of fly fishing.  It involves good casting techniques to place the fly exactly where you want it so it drifts naturally in front of the trout.  The cast has to land just right so as to not scare the trout away.  Good casting and presentation techniques take a long time to master.  Then comes the drift.  The fly has to drift naturally without "drag", as if it is floating or swimming in the manner a real bug in the water would.  It has to look real to the trout.  That isn't easy, because you have a fly line in between you and your fly.  Currents are often different on different sides of the river.  "Mending" the line is critical to maintain a "dead drift" so your fly line doesn't disturb the natural drift of the fly.  If a fly acts differently in the water than a real bug does, trout are smart enough to know to ignore it.


Watching some of Jayson Street's (@jaysonstreet) talks on physical pentesting reminds me of this concept.  Jayson walks into physical facilities (with proper permission from the facility owners) and pretends to be somebody who is supposed to be there.  His goal is to infiltrate their facility and demonstrate its security weaknesses.  He's really good at it too.  His presentation isn't nervous or out-of-place at all.  It is natural and relaxed.  That gives those he is trying to trick a sense of ease and normality.  People give him what he wants and needs.  He looks "normal."  It's a perfect "dead drift" and it works time after time.


Setting the hook and the fight.  The trout takes the fly.  But do you know for sure it's a trout (unless your fish literally jumped out of the water for it)?  What if your fly just bumped on a rock as it is floating by?  Setting the hook with subtle tugs whenever the line or fly appears to stop is very important.  Because when trout initially take a fly, they quickly realize it isn't real and will attempt to spit it out.  Split second action is critical to set the hook. And when you realize you have a fish on, the adrenaline hits big time.


I usually end up "landing" the fish I hook (getting the fish to the net) only about 70% of the time (fishing exaggeration in progress ;).  That's partly because I fish with barbless hooks (hooks without a "barb" that normally keeps the fish from being able to easily get off the hook).  I "catch and release" wild trout.  That means I try to get them to the net safely so they can easily recover from the fight.  Then I take a selfie with them, give 'em a pet and put them back in the water to fight another day.  Because I fish a lot in areas where "catch and release" is popular (a really good thing), the fish I catch aren't stupid.  They know the drill.  Some just fight a little and let me do my meet-and-greet with them and get it over with.  Others fight like mad men.  And they often know just how to move or jump into the air or twist just right during the fight to get off the hook.


So what does that have to do with pentesting? To me it relates to getting the "beach head", securing a persistent backdoor, and creating a backup backdoor if at all possible.  Maintaining persistent access to the network you are pentesting is critical during a pentest engagement so you can consistently continue your post-exploitation efforts.  Then there's the fight.  I liken that to all the post-exploitation work we do in order to "land the trout".  Good defenses can and should put up a fight.  Getting to the "end game", taking a selfie with the "trout" equates to demonstrating real business impact, meaningful results that can help an organization become better at defense.  And pentesting is truly "catch and release" as we don't want to do harm to the organization.  Watch Ed Skoudis (@edskoudis) present about taking the right trout selfie that results in meaningful business results in "How to Give the Best Pentest of Your Life": https://www.youtube.com/watch?v=6_5Sj5iahSU
 

Defenses.  As I mentioned before, trout can be smart.  And it's the smart trout that don't go for the fly if it isn't perfect, and know how to keep from getting "landed" if they do happen to inhale the fly.


Organizations can be these smart trout by being very suspicious of anything out of the ordinary (and verifying it), monitoring their environments closely, watching for unusual connections and terminating them, and having strong internal defenses that include segmentation and tiered/strong authentication.  Defense in depth means that if an organization accidentally swallows a hook, they have the ability, time and energy to try to break free from it before real damage is done.

So...to become a better pentester, learn to fly fish!  :)))

The tactical river is where the thrill is.  This isn't lake fishing where you sit and wait.  It involves detailed tactics and hard fought techniques to find the real gold.  Trout live in the most beautiful places in the world.  And that's where the gold is.


For more, check out the targeted attack portion of my presentation, "The Fly Phishing Hack that Cost Millions" here: https://www.youtube.com/watch?v=D5yhi1FOZd4


Tuesday, March 1, 2016

Using Powershell Empire as a phishing test tool...


Performing internal phishing tests is important for both user education and security metrics.  There are a lot of vendor options out there for helping organizations with their phishing exercises, but up until now most of ours have been created using in-house tools.  One tool we are beginning to use for phishing tests is "Powershell Empire".


Powershell Empire (or "Empire" for short) has become one of my favorite pentesting tools.  Empire is a PowerShell post-exploitation tool that implements the ability to run PowerShell "agents" against target systems.  It contains awesome post-exploitation modules ranging from key loggers to Mimikatz, and is very good at evading network detection. Even after landing a Meterpreter session I find myself pivoting more often to using Empire these days for post-exploitation.

By using PowerShell, Empire has some offensive advantages including full .NET access, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+.

Because PowerShell is native to Windows, I don't have to worry much about AV catching my payloads (for now - some script tweaking tests against our AV may be necessary in the future, and other tools do see the activity).  That makes Empire super useful for creating payloads for both pentesting and in-house phishing exercises.  

Empire has numerous options for creating different types of agents.  Creating an Empire agent as an Office macro is straightforward.  By embedding the macro into a Word or Excel document and adding some tempting text, it becomes a good phishing exercise.  Here's an example of an Excel attachment to an email stating that macros must be enabled:


If the victim enables the content, here's an edited version of what appears:


The macro executes the Empire agent and that agent checks in with my Empire server and provides what I need for phishing statistics (Empire also saves this info to an agent log on disk for easy parsing with the usual awesome Linux tools).  Here's a generic screenshot of an agent's info:


After collecting this information, I kill the agents and everything is back to normal on the victim workstations again.
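The post mentions that Empire writes agent check-ins to a log on disk and that this log is the source of the phishing statistics.  The following script is an added example (not part of Empire and not the author's code) of turning such a log into the metrics a phishing exercise actually needs: which recipients executed the macro, how quickly, who executed it more than once, and which users checked in without being on the recipient list (a sign the test mail was forwarded).  The log lines, the field layout and the recipient list are all constructed for this example; Empire's real log format differs, so the `LINE_RE` pattern is the part to adapt to what your server writes.

```python
"""Summarise agent check-in log lines into phishing-test metrics."""
import re
from datetime import datetime

# Constructed sample log (hypothetical line format for this example; adapt
# LINE_RE below to the exact format your Empire server writes to disk).
SAMPLE_LOG = r"""
2016-03-01 09:12:45 agent=K3F7A2 host=FIN-WS-07 user=CORP\jdoe ip=10.0.5.21 event=checkin
2016-03-01 09:13:10 agent=K3F7A2 host=FIN-WS-07 user=CORP\jdoe ip=10.0.5.21 event=checkin
2016-03-01 09:20:02 agent=P9Q1ZZ host=HR-WS-03 user=CORP\asmith ip=10.0.7.14 event=checkin
2016-03-01 10:05:51 agent=M4M4M4 host=FIN-WS-07 user=CORP\jdoe ip=10.0.5.21 event=checkin
2016-03-01 11:41:37 agent=R2D2C3 host=OPS-WS-11 user=CORP\tnguyen ip=10.0.9.30 event=checkin
this line is malformed on purpose and must be skipped by the parser
"""

# Constructed recipient list: the users who were sent the test email.
RECIPIENTS = [r"CORP\jdoe", r"CORP\asmith", r"CORP\bwong", r"CORP\clee"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"agent=(?P<agent>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_agent_log(text):
    """Return one dict per well-formed check-in line; ignore everything else."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "checkin":
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def phishing_stats(records, recipients):
    """Collapse raw agent check-ins into per-user campaign metrics.

    A user who opened the document twice produces two distinct agent ids,
    so distinct agents per user (not check-in count) measures repeat execution.
    """
    first_seen = {}
    agents_by_user = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        user = rec["user"]
        first_seen.setdefault(user, rec["ts"])
        agents_by_user.setdefault(user, set()).add(rec["agent"])

    targeted = set(recipients)
    executed = set(agents_by_user) & targeted
    # Check-ins from users who never received the mail: likely forwarded.
    outside = set(agents_by_user) - targeted
    return {
        "recipients": len(targeted),
        "executed": sorted(executed),
        "execution_rate": len(executed) / len(targeted) if targeted else 0.0,
        "repeat_executions": {u: len(a) for u, a in agents_by_user.items() if len(a) > 1},
        "first_seen": {u: t.isoformat(sep=" ") for u, t in first_seen.items()},
        "outside_recipient_list": sorted(outside),
    }


if __name__ == "__main__":
    stats = phishing_stats(parse_agent_log(SAMPLE_LOG), RECIPIENTS)
    for key, value in stats.items():
        print(f"{key}: {value}")
```

Running it against the constructed log reports an execution rate of 0.5 (two of four recipients ran the macro), flags CORP\jdoe as having executed it from two separate agents, and lists CORP\tnguyen as a check-in from outside the recipient list, which is exactly the kind of detail worth following up on before the agents are killed.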

Check out Powershell Empire at http://www.powershellempire.com/ .

 

Always beware the out-of-the-ordinary requests...

We continue to see a lot of phishing attempts that pretend to be from the IT Department and ask you to log in in order to keep from losing your account or your email.  Here's an example of one from yesterday:

If you clicked on the link, here's the fake Outlook Web Access page you would see:


Of course, the site name and the page are all wrong, but if you were to fall for it, you would be surrendering your credentials.

As always, be suspicious of anything that asks you to do something out-of-the-ordinary.   Stay safe.