November 27, 2014

This is from a real-world pentest conducted for a customer this week. First of all, what is a client-side attack? It requires the user to take some action (like browsing to a website or trying to view an Excel, PowerPoint or PDF document, etc.).

The customer tasked us with looking for any breach possibility outside the standard server and perimeter pentesting. Without going into too much technical detail, we were once again shocked at how easy it would be for real hackers to breach corporate security.

We won't disclose all tools and methods, but we want to share a high-level overview with our readers as an eye opener.

Step 1: After figuring out that Windows 7 runs on employees' laptops, we created a crafted PDF document, backdoored it, and disguised it from common antivirus detection (testing).

Step 2: Captured 10 email addresses from the organisation via some Google search operators.

Step 3: Set up a TCP listener on a server on port 443.

Step 4: Sent out crafted, spoofed emails between employees that enticed them to open the "important" PDF.

Step 5: Once clicked, an outbound SSL tunnel from the victim to the server was established.

Step 6: 8 mails were sent and 5 machines were compromised in less than 1 hour.

Step 7: After the sessions were migrated to a persistent Windows system process, privilege escalation to Admin was not a challenge.

Whilst we had spent 10 days pentesting our customer's server farms before eventually finding a vulnerability, the client-side attack took less than 2.5 hours in total.

Don't think your IT is protected just because you run the latest and well-known antivirus software.

What could have prevented this? SSL inspection of outbound traffic and deep packet inspection of emails and attachments (hopefully), but even some IPS systems we tested are defeated by source-code changes to the malicious payload and give no guarantee of detection unless anomaly-based detection is used.
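As an added example (not from the original post or the tester's toolkit), here is a minimal attachment scanner of the kind a mail gateway's deep packet inspection would run: it parses a raw message, pulls out PDF parts by MIME type or file magic, and flags name objects that give a document active behaviour on open. The spoofed message, the PDF, and the keyword list are all constructed for this example and would need tuning in a real deployment.

```python
import email
import re
from email import policy

# PDF names that let a document run code or fetch external content on open (constructed list).
RISKY_PDF_NAMES = ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA",
                   "/EmbeddedFile", "/RichMedia", "/URI")

# Constructed sample (not from the original post): spoofed internal mail whose PDF
# runs JavaScript on open and hides the keyword with a #xx name escape.
SAMPLE_EML = b"""From: "Finance" <finance@example.invalid>
To: staff@example.invalid
Subject: Important: updated expense policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="policy.pdf"
Content-Disposition: attachment; filename="policy.pdf"
Content-Transfer-Encoding: 7bit

%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
--b1--
"""

def normalize_pdf_names(data: bytes) -> str:
    """Decode #xx escapes in PDF names (/J#61vaScript -> /JavaScript) so they cannot hide a keyword."""
    text = data.decode("latin-1")
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def scan_pdf(data: bytes) -> list:
    """Return the risky PDF name objects present in the document."""
    text = normalize_pdf_names(data)
    return [n for n in RISKY_PDF_NAMES if re.search(re.escape(n) + r"(?![A-Za-z])", text)]

def scan_eml(raw: bytes) -> dict:
    """Map each PDF attachment of a raw RFC 822 message to its findings; checks
    the declared MIME type and the %PDF magic, since mislabelled files still render."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/pdf" or payload.lstrip().startswith(b"%PDF"):
            findings[part.get_filename() or "<unnamed>"] = scan_pdf(payload)
    return findings
```

Running `scan_eml(SAMPLE_EML)` reports the attachment with `/JavaScript`, `/JS` and `/OpenAction`, which is the combination that makes a PDF act the moment it is opened; a clean document yields an empty list and can pass.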