DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include e-mail and password scraping, OWA/EWS brute-forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client-side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete.

Speaker bio: Security Consultant at Silent Break Security. Professional hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.
Outlook and Exchange for the bad guys
1. Outlook & Exchange for the Bad Guys
IT’S ALWAYS FUN BREAKING THE RULES
NICK LANDERS / @MONOXGAS / SILENT BREAK SECURITY
2. > getuid
Nick Landers (@monoxgas)
Security Consultant at Silent Break Security
Salt Lake City, Utah, US
Hacking for 8 years, 2 professionally
My Loves:
◦ Writing Windows malware (slingshot/throwback)
◦ Coding with C++, Python, or PowerShell
◦ Security Research for the Red Side
◦ Long walks on the beach
4. Currently supported versions: 2007, 2010, 2013, 2016
Office 365 / Outlook.com
Remote Access Protocols
◦ Exchange Web Services (EWS) – SOAP over HTTP
◦ Outlook Anywhere – RPC over HTTP
◦ MAPI over HTTP (Exchange 2013+)
◦ Exchange ActiveSync (EAS) – HTTP/XML – High latency/Low bandwidth
Functions
◦ AutoDiscover – Fast collection of Exchange configurations, supported protocols, and service URLs
◦ Outlook Web App (OWA) – Minimal E-Mail client available via the web – http://mail.org.com/owa
◦ Global Address List (GAL) – LDAP/Active Directory
5. Recon
Goal: Collect E-Mails, usernames, and (maybe) passwords from public resources
Sources:
◦ Search engines (Google, Bing, etc.)
◦ Company Websites – DNS brute-forcing to discover subdomains
◦ Public Websites (LinkedIn, GitHub)
◦ Database Dumps (leakedsource, haveibeenpwned)
◦ Active Directory – For lateral movement and segmentation bypassing
Tooling:
◦ Discover - https://github.com/leebaird/discover (Lee Baird)
◦ Passive: ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng
◦ Active: nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute, and Whatweb
◦ FOCA - https://www.elevenpaths.com/labstools/foca/index.html
◦ LinkedIn Scraper - https://github.com/wpentester/Linkedin_profiles (Hans Petrich)
◦ HackerTarget - https://hackertarget.com/ip-tools/
6. Collecting Credentials
Brute Forcing Techniques
◦ OWA – Black Hills Security Password Spraying w/ Burp - http://www.blackhillsinfosec.com/?p=4694
◦ EWS – ShellIntel PowerShell Toolkit - https://github.com/Shellntel/OWA-Toolkit
◦ NTLM HTTP Auth – Python Requests - https://github.com/requests/requests-ntlm
◦ Use a targeted E-Mail list with common passwords – Summer2016, Password1, etc.
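The brute-forcing slide describes the attacker's side: a targeted e-mail list sprayed with a handful of common passwords. The defender's counterpart is a detector that looks for exactly that shape in OWA/EWS access logs: one source IP failing against many distinct accounts with only one or two attempts each, as opposed to a classic brute force hammering one account. The following is an added example, not code from the talk or any of the tools it lists. The log format is a constructed, simplified W3C-style line (date, time, URI, username, client IP, status); real OWA forms-based authentication does not put the username in the IIS log, so a production version would correlate against the Exchange or Windows Security logs instead.

```python
"""Detect password spraying against OWA/EWS in (constructed) access-log lines.

Added example: groups authentication failures by source IP inside a sliding
time window and flags sources that fail against many DISTINCT usernames with
few attempts each, the signature of a short common-password list being tried
across a harvested e-mail list. Any account that then logs on successfully from
the same source in that window is reported as a probable compromised credential.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified W3C shape):
# date time cs-uri-stem cs-username c-ip sc-status. 401 = failed logon, 200 = success.
SAMPLE_LOG = """\
2016-09-23 14:00:01 /EWS/Exchange.asmx CORP\\alice 203.0.113.10 401
2016-09-23 14:00:02 /EWS/Exchange.asmx CORP\\bob 203.0.113.10 401
2016-09-23 14:00:03 /EWS/Exchange.asmx CORP\\carol 203.0.113.10 401
2016-09-23 14:00:04 /EWS/Exchange.asmx CORP\\dave 203.0.113.10 401
2016-09-23 14:00:05 /EWS/Exchange.asmx CORP\\erin 203.0.113.10 200
2016-09-23 14:00:06 /EWS/Exchange.asmx CORP\\frank 203.0.113.10 401
2016-09-23 14:05:00 /owa/auth.owa CORP\\alice 198.51.100.7 401
2016-09-23 14:05:30 /owa/auth.owa CORP\\alice 198.51.100.7 401
2016-09-23 14:06:00 /owa/auth.owa CORP\\alice 198.51.100.7 200
2016-09-23 16:00:00 /EWS/Exchange.asmx CORP\\gina 192.0.2.44 401
"""


def parse_events(text):
    """Turn the constructed log lines into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, uri, user, ip, status = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "uri": uri, "user": user.lower(), "ip": ip, "status": int(status),
        })
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Return {ip: {"users": [...], "successes": [...]}} for every source whose
    failed logons within `window` touch at least `min_users` distinct accounts
    while no single account sees more than `max_per_user` failures.
    A single account failing repeatedly (classic brute force) is deliberately
    NOT matched here; that is a different rule with different thresholds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["status"] == 401]
        # Sliding window: every failure is tried as the start of a window.
        for i, start in enumerate(failures):
            end = start["ts"] + window
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e["ts"] > end:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({e["user"] for e in evs
                                    if e["status"] == 200 and start["ts"] <= e["ts"] <= end})
                findings[ip] = {"users": sorted(per_user), "successes": successes}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, info in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(info['users'])} accounts; successes: {info['successes']}")
```

With the constructed sample, 203.0.113.10 is flagged (five accounts, one attempt each, followed by a successful logon as erin), while 198.51.100.7 is not: two failures on a single account then a success is a user mistyping a password or a brute force, not a spray, and should be judged by a separate rule.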
7. Collecting Credentials pt. 2
Credential Harvesting Attacks via E-Mail
◦ Impersonate target company logon page (OWA, Office 365, etc.)
◦ No payload to burn + Blend with the spam
◦ = Attacks can be scaled up (5-10 vs 100-200 targets)
External Site Compromise (WordPress, LiveAgent, etc.)
◦ No longer useless for gaining internal network access!
◦ Credential re-use is VERY common
◦ Backdoor logon pages with JavaScript to steal credentials
◦ Grab passwords from databases
◦ Social Engineering
8. Outlook Rules Overview
“A rule is an action that Outlook for Windows runs automatically on incoming or outgoing messages. You choose what triggers the rule as well as the actions the rule takes.” – Microsoft
Rules can be created:
◦ Server side (OWA, Outlook.com)
◦ Client side (Outlook)
◦ Often not compatible due to subtle differences in the usage of rule properties
Rule action order:
◦ Server side actions (move mail to folder)
◦ Client side actions (print a message)
Rules are stored on the Exchange server. Any new Outlook instance receives all existing rules
When a client-side action is needed, a deferred action message (DAM) is sent to the client with the rule ID
12. ShellExecuteEx
lpVerb – “The set of available verbs depends on the particular file or folder. Generally, the actions available from an object's shortcut menu are available verbs. This parameter can be NULL, in which case the default verb is used if available. If not, the "open" verb is used.”
◦ Can be viewed/modified in HKEY_CLASSES_ROOT
lpFile – “The address of a null-terminated string that specifies the name of the file or object on which ShellExecuteEx will perform the action specified by the lpVerb parameter.”
lpParameters – “Optional. The address of a null-terminated string that contains the application parameters.”
13. Exploitation Challenges
Requires valid account credentials along with Exchange service access
◦ Recon & Brute Forcing
◦ RPC/MAPI over HTTP
No command line arguments
Need a local file on disk for Outlook to open – UNC to the rescue! (\\Server\Share\evil.exe)
◦ Local SMB share (Kali Linux, existing windows share) – Internal pentesting/pivoting/persistence
◦ WebDAV share – Accessible via UNC path – HTTP with proxy awareness
A file type which can give us code execution with ShellExecute
◦ BAT, EXE, PIF, VBS, JS, HTA, LNK, etc.
Target needs Outlook open to receive the DAM and execute the attack
14. Use Cases
Initial Access to a target network
◦ Relatively easy to collect E-Mail credentials externally
Pivot to workstation without local admin privileges
Bypass network segmentation
Persistence:
◦ Stealthy – Obscure technique with minimal tooling available for detection/monitoring
◦ Long-Term – Linked to E-Mail profile, not workstation. Persistence across a DFIR wipe
◦ Drop an executable onto an internal file share
◦ Load rule into many E-Mail accounts, trigger with one E-Mail
15. State of things
Rulz.py – Build malicious RWZ files for importing into Outlook (monoxgas)
◦ https://gist.github.com/monoxgas/7fec9ec0f3ab405773fc
Ruler – MAPI over HTTP to quickly sync rule file without building complete profile (SensePost)
◦ https://github.com/sensepost/ruler
Xrulez – Use local Outlook profiles to import malicious rule for persistence (MWR Labs)
◦ https://github.com/mwrlabs/XRulez
16. Demo!
Pop a shell with E-Mail!
18. Case Study #1
Black-Box Penetration Test for an organization
Discovered 0-Day in externally hosted LiveAgent software for support chat
Compromised SQL database and used tokens to login to the web interface
Placed custom HTML on the footer of the logon page to steal user credentials
Password Re-Use to get into an E-Mail account
Outlook attack to pivot into the environment
Lateral movement and privilege escalation to Domain Admin
19. Case Study #2
Black-Box Penetration Test for an organization
Credential brute-forcing to find weak user login
Outlook attack to gain initial access to the network
Security team discovered the compromise, changed user password, wiped workstation
Used previously synced rule with external E-Mail to gain access to the network AGAIN
Lateral movement and privilege escalation to get Domain Admin
Phishing payloads are DEAD! Long live the Outlook Attack!
20. What Now?
Future Research
◦ Abuse mso.dll/Outlook to avoid argument limitations with ShellExecute
◦ Modify ‘Ruler’ by SensePost to include support for MAPI over RPC over HTTP (2007/2010)
◦ Build Pass the Hash support into tooling so NTLM hashes can be used to pivot internally
◦ Use Named Pipes as a file replacement for In-Memory pivoting
◦ Backdoor/Patch mso.dll on disk for Outlook persistence without modifying server-side profile
Defenses:
◦ Disable WebDAV outbound at the firewall
◦ Monitor process creation from Outlook and/or app whitelisting
◦ Monitor Exchange logs for rule sync events from outside of the network?
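The second defense on the slide, monitoring process creation from Outlook, is the one that catches this technique regardless of how the rule was synced. The talk's own exploitation constraints tell the detector what to look for: the payload is started by ShellExecute from OUTLOOK.EXE, it has to live on disk or on a UNC share (SMB or WebDAV), and it is one of the BAT/EXE/PIF/VBS/JS/HTA/LNK types listed on slide 13. The following is an added example, not code from the talk or from Rulz/Ruler/XRulez. It scores constructed records in the shape of Sysmon Event ID 1 (ParentImage, Image, CommandLine); the trusted-directory prefixes and the sample records are assumptions made for the example and would be tuned per environment.

```python
"""Flag suspicious child processes of Outlook in process-creation telemetry.

Added example implementing "monitor process creation from Outlook". A child of
OUTLOOK.EXE is flagged when any file it references (its image or a command-line
argument) is on a UNC path, or is one of the ShellExecute-runnable types the talk
lists and sits outside the OS / Program Files directories. Checking command-line
arguments matters: a .vbs or .bat rule target shows up as an argument to
wscript.exe / cmd.exe, which are themselves trusted images.
"""
import ntpath
import re

# File types the talk lists as giving code execution via ShellExecute.
RISKY_EXTENSIONS = {".bat", ".exe", ".pif", ".vbs", ".js", ".hta", ".lnk"}
# Constructed allowlist of locations whose binaries are expected as Outlook children.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# \\server\share\...  (WebDAV variants such as \\server@SSL\DavWWWRoot\... also match)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def referenced_files(event):
    """The child's image plus every quoted or bare token of its command line,
    in order, case-insensitively de-duplicated."""
    tokens = [event.get("Image", "")]
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', event.get("CommandLine", "")):
        tokens.append(quoted or bare)
    seen, out = set(), []
    for tok in tokens:
        if tok and tok.lower() not in seen:
            seen.add(tok.lower())
            out.append(tok)
    return out


def assess(event):
    """Return the reasons this event looks like an Outlook rule launching a
    payload; an empty list means not suspicious under these heuristics."""
    if ntpath.basename(event.get("ParentImage", "")).lower() != "outlook.exe":
        return []
    reasons = []
    for path in referenced_files(event):
        low = path.lower()
        ext = ntpath.splitext(ntpath.basename(low))[1]
        if UNC_RE.match(path):
            reasons.append(f"UNC path referenced: {path}")
        elif ext in RISKY_EXTENSIONS and not low.startswith(TRUSTED_PREFIXES):
            reasons.append(f"{ext} outside trusted directories: {path}")
    return reasons


def find_suspicious(events):
    """Map record id -> reasons for every flagged event."""
    return {ev["id"]: assess(ev) for ev in events if assess(ev)}


# Constructed sample telemetry (Sysmon Event ID 1 shape).
OUTLOOK = r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    # Normal: user opened an attachment in Word.
    {"id": 1, "ParentImage": OUTLOOK,
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\jdoe\Downloads\agenda.docx"'},
    # EXE started straight from an SMB share: the image itself is a UNC path.
    {"id": 2, "ParentImage": OUTLOOK,
     "Image": r"\\10.0.0.5\share\evil.exe", "CommandLine": r"\\10.0.0.5\share\evil.exe"},
    # VBS opened over WebDAV: trusted script host, payload is only in the arguments.
    {"id": 3, "ParentImage": OUTLOOK,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "\\webdav.example.test@SSL\DavWWWRoot\payload.vbs"'},
    # Normal: link clicked in a mail.
    {"id": 4, "ParentImage": OUTLOOK,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://intranet.example.test/'},
    # BAT staged locally and run through cmd.exe.
    {"id": 5, "ParentImage": OUTLOOK,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\update.bat"'},
    # Same UNC launch but a different parent: out of scope for this rule.
    {"id": 6, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"\\10.0.0.5\share\evil.exe", "CommandLine": r"\\10.0.0.5\share\evil.exe"},
]

if __name__ == "__main__":
    for rec_id, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(rec_id, reasons)
```

Records 2, 3 and 5 are flagged; 1 and 4 are ordinary Outlook children and 6 has the wrong parent. Because the rule keys on the parent process rather than on the payload, it also covers the slide's first two defenses indirectly: a WebDAV payload blocked at the firewall never spawns, and an application-whitelisting block shows up as a failed launch with the same parent.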
21. Questions?
Nick Landers - @monoxgas
Silent Break Security
nick@silentbreaksecurity.com