Outlook and Exchange for the bad guys

Outlook & Exchange
for the Bad Guys
IT’S ALWAYS FUN BREAKING THE RULES
NICK LANDERS / @MONOXGAS / SILENT BREAK SECURITY

> getuid
Nick Landers (@monoxgas)
Security Consultant at Silent Break Security
Salt Lake City, Utah, US
Hacking for 8 years, 2 professionally
My Loves:
◦ Writing Windows malware (slingshot/throwback)
◦ Coding with C++, Python, or PowerShell
◦ Security Research for the Red Side
◦ Long walks on the beach

Tonight’s Agenda
1. Exchange Overview
2. Recon
3. Credential Harvesting
4. Outlook Rules
5. Exploitation Details
6. Demo!
7. Questions

Currently supported versions: 2007, 2010, 2013, 2016
Office 365 / Outlook.com
Remote Access Protocols
◦ Exchange Web Services (EWS) – SOAP over HTTP
◦ Outlook Anywhere – RPC over HTTP
◦ MAPI over HTTP (Exchange 2013+)
◦ Exchange ActiveSync (EAS) – HTTP/XML – High latency/Low bandwidth
Functions
◦ AutoDiscover – Fast collection of Exchange configurations, supported protocols, and service URLs
◦ Outlook Web App (OWA) – Minimal E-Mail client available via the web – http://mail.org.com/owa
◦ Global Address List (GAL) – LDAP/Active Directory

Recon
Goal: Collect E-Mails, usernames, and (maybe) passwords from public resources
Sources:
◦ Search engines (Google, Bing, etc.)
◦ Company Websites – DNS brute-forcing to discover subdomains
◦ Public Websites (LinkedIn, GitHub)
◦ Database Dumps (leakedsource, haveibeenpwned)
◦ Active Directory – For lateral movement and segmentation bypassing
Tooling:
◦ Discover - https://github.com/leebaird/discover (Lee Baird)
◦ Passive: ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng
◦ Active: nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute, and Whatweb
◦ FOCA - https://www.elevenpaths.com/labstools/foca/index.html
◦ LinkedIn Scraper - https://github.com/wpentester/Linkedin_profiles (Hans Petrich)
◦ HackerTarget - https://hackertarget.com/ip-tools/

Collecting Credentials
Brute Forcing Techniques
◦ OWA – Black Hills Security Password Spraying w/ Burp - http://www.blackhillsinfosec.com/?p=4694
◦ EWS – ShellIntel PowerShell Toolkit - https://github.com/Shellntel/OWA-Toolkit
◦ NTLM HTTP Auth – Python Requests - https://github.com/requests/requests-ntlm
◦ Use a targeted E-Mail list with common passwords – Summer2016, Password1, etc.

Collecting Credentials pt. 2
Credential Harvesting Attacks via E-Mail
◦ Impersonate target company logon page (OWA, Office 365, etc.)
◦ No payload to burn + Blend with the spam
◦ = Attacks can be scaled up (5-10 vs 100-200 targets)
External Site Compromise (WordPress, LiveAgent, etc.)
◦ No longer useless for gaining internet network access!
◦ Credential re-use is VERY common
◦ Backdoor logon pages with JavaScript to steal credentials
◦ Grab passwords from databases
◦ Social Engineering

Outlook Rules Overview
“A rule is an action that Outlook for Windows runs automatically on incoming or outgoing
messages. You choose what triggers the rule as well as the actions the rule takes.” – Microsoft
Rules can be created:
◦ Server side (OWA, Outlook.com)
◦ Client side (Outlook)
◦ Often not compatible due to subtle differences in the usage of rule properties
Rule action order:
◦ Server side actions (move mail to folder)
◦ Client side actions (print a message)
Rules are stored with the exchange server. Any new Outlook instance receives all existing rules
When a client side action is needed, deferred action message (DAM) is sent to client w/ rule ID

Rule Actions
That looks promising!

Peeking Inside

A Deeper Look

ShellExecuteEx
lpVerb – “The set of available verbs depends on the particular file or folder. Generally, the
actions available from an object's shortcut menu are available verbs. This parameter can
be NULL, in which case the default verb is used if available. If not, the "open" verb is used.”
◦ Can be viewed/modified in HKEY_CLASSES_ROOT
lpFile – “The address of a null-terminated string that specifies the name of the file or object on
which ShellExecuteEx will perform the action specified by the lpVerb parameter. ”
lpParameters – “Optional. The address of a null-terminated string that contains the application
parameters. ”

Exploitation Challenges
Requires valid account credentials along with Exchange service access
◦ Recon & Brute Forcing
◦ RPC/MAPI over HTTP
No command line arguments
Need a local file on disk for Outlook to open – UNC to the rescue! (ServerShareevil.exe)
◦ Local SMB share (Kali Linux, existing windows share) – Internal pentesting/pivoting/persistence
◦ WebDAV share – Accessible via UNC path – HTTP with proxy awareness
A file type which can give us code execution with ShellExecute
◦ BAT, EXE, PIF, VBS, JS, HTA, LNK, etc.
Target needs Outlook open to receive the DAM and execute the attack

Use Cases
Initial Access to a target network
◦ Relatively easy to collect E-Mail credentials externally
Pivot to workstation without local admin privileges
Bypass network segmentation
Persistence:
◦ Stealthy – Obscure technique with minimal tooling available for detection/monitoring
◦ Long-Term – Linked to E-Mail profile, not workstation. Persistence across a DFIR wipe
◦ Drop a executable onto an internal file share
◦ Load rule into many E-Mail accounts, trigger with one E-Mail

State of things
Rulz.py – Build malicious RWZ files for importing into Outlook (monoxgas)
◦ https://gist.github.com/monoxgas/7fec9ec0f3ab405773fc
Ruler – MAPI over HTTP to quickly sync rule file without building complete profile (SensePost)
◦ https://github.com/sensepost/ruler
Xrulez – Use local Outlook profiles to import malicious rule for persistence (MRW Labs)
◦ https://github.com/mwrlabs/XRulez

Demo!
Pop a shell with E-Mail!

Case Study #1
Black-Box Penetration Test for an organization
Discovered 0-Day in externally hosted LiveAgent software for support chat
Compromised SQL database and used tokens to login to the web interface
Placed custom HTML on the footer of the logon page to steal user credentials
Password Re-Use to get into an E-Mail account
Outlook attack to pivot into the environment
Lateral movement and privilege escalation to Domain Admin

Case Study #2
Black-Box Penetration Test for an organization
Credential brute-forcing to find weak user login
Outlook attack to gain initial access to the network
Security team discovered the compromise, changed user password, wiped workstation
Use previously synced rule with external E-Mail to gain access to the network AGAIN
Lateral movement and privilege escalation to get Domain Admin
Phishing payloads are DEAD! Long live the Outlook Attack!

What Now?
Future Research
◦ Abuse mso.dll/Outlook to avoid argument limitations with ShellExecute
◦ Modify ‘Ruler’ by SensePost to include support for MAPI over RPC over HTTP (2007/2010)
◦ Build Pass the Hash support into tooling so NTLM hashes can be used to pivot internally
◦ Use Named Pipes as a file replacement for In-Memory pivoting
◦ Backdoor/Patch mso.dll on disk for Outlook persistence without modifying server-side profile
Defenses:
◦ Disable WebDAV outbound at the firewall
◦ Monitor process creation from Outlook and/or app whitelisting
◦ Monitor Exchange logs for rule sync events from outside of the network?

Questions?
Nick Landers - @monoxgas
Silent Break Security
nick@silentbreaksecurity.com

Outlook and Exchange for the bad guys

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Outlook and Exchange for the bad guys

Semelhante a Outlook and Exchange for the bad guys (20)

Último

Último (20)

Outlook and Exchange for the bad guys