Monday, May 14, 2012

BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

In this installment, we'll be talking about pre-hooking activities: how to build on the information from our target with social engineering to gain the trust required for stable BeEFed browsers.


Part I: Assumptions
Our engagement is a ten day project. As part of the standard engagement, the basic information we get from our client is:
  • Target company’s external IP address range.
  • The names of CEO, IT director, HR manager, and the names of a couple of normal employees.
  • The most important asset of the company (e.g. financial records, network availability,...etc ).

We'll want a phishing domain and some social media presence for our cons. For this scenario, we'll use Microsoft’s notorious fictional company, Contoso Ltd. (“We love Microsoft!”, as the Three Musketeers would say. Kudos Ed Skoudis, Kevin Johnson and Joshua Wright).



Part II: Pre-requisites
For our phishing campaign, we need e-mails that make it past spam filters with convincing links that will secure our targets. Good phishing domains for Contoso.com include variations in letter ordering, TLD interchange, or use of unicode characters (e.g. Cotnoso.com, Contoso.cm, Contoso.net, Ćontoso.com, ċontoso.com, ...etc). One great tool that can help find a suitable phishing domain is URLCrazy. It's a domain name typo generator that lists various common typos for a given domain.

Since this is a domain we actually own, we can even go one step further and purchase a valid SSL certificate for the phishing domain to ensure visitors that they are “secure”. But since SSL certificates usually take time, it’s a good idea to start this process as soon as the project kicks off.

Employees will probably interact with people they don't know within their organization. With the right fake profiles, this interaction is even easier on social networks. We create several fake profiles to target  wider classes of people. Consider:
  • Statistically, people tend to accept friend requests from females more readily than from males.
  • The display name of a fake profile should be as generic as possible. Research and use common first and last names at the target company’s country.
  • Provocative female avatars will increase acceptance by males, but will lessen the  probability of females accepting friend requests. It may also raise moral issues for married or religious people. Therefore, cartoonish female display pictures (e.g. Belle from the beauty and the beast) may give the profile a perfect “generic” look, allowing wider audience acceptance.
  • It is important to create fake profiles that pretend to work in the target company.
  • Vagueness leaves the details to the imagination of the people. It’s better to be vague than to trigger an alert that might reveal your fake identity. Hide most information to be as generic as possible.
Part III: Set the lines
Starting with the names we have, we expand our circle. We search for our target employees on Facebook, Twitter, Linkedin, etc. and filter out wrong profiles having the same name based on job description and/or picture. Then, we identify all related friends and classify profiles into:
  • Class A targets: employees working at the target company in key positions
    that give them access to valuable information (e.g. HR, System admins,
    ...etc).
  • Class B targets: Normal employees working at the target company.
  • Class C targets: Friends of Class A people
  • Class D targets: Friends of Class B people.

Over the course of a day or two, we start interacting, following and friending people from the least important to the most important targets. Well timed interactions are crucial here. More important targets should not notice any flaws in the fake profiles’ activities. So, follow this pattern:
  1. Send friend requests to many class D targets
  2. When you have some class D friends in common with a class B target, add this class B target.
  3. Repeat steps 1 and 2 till you have a significant number of class B targets.
  4. Start adding class C targets
  5. When you have some class C friends for a class A target, add this class A target.
  6. Repeat steps 4 and 5 till you have a significant number of class A targets.

The process can be partially automated using the Facebook exploitation framework (FBPwn). Because people sometimes accept the friend request for a small period of time, it is critical to save relevant information as quickly as possible. Also, FBPwn gives you other options to pull off more advanced social engineering tricks.

Depending on the activity level of the targets, this process should take no more than two or three days. Be as friendly and generic as possible, and save any information you get. Key information to look for and save for future reference:
  • Posts mentioning interactions, rants, and or events happening inside the target company.
  • Company specific lingo and keywords.
  • Company specific or commonly used hashtags.
  • Conversations taking place between two people in the company.



In the next post in this series, we'll talk about how to use this information to bait and set the hook, and what we can do with the  phish once we have them on the line.

3 comments:

  1. Trust yield proves dividends when it comes to it jobs in uk. A stable company with a good track record will always attract top talent.

    ReplyDelete
  2. There are a lot of internet businesses that make money nowadays and the information you have shared might just jump start a lot of entrepreneurship endeavors of your readers.

    ReplyDelete
  3. Interesting points you got here. I believe these are the reasons why most companies strive to exist in the market. I'd like to point out that having an exemplary network system is also a big factor.

    Best,
    Mischna Ong

    ReplyDelete