You started out? Good to go? Okay guys, we're going to go ahead and get started. This is Outlook, Exchange, the bad guys, so if you're in the wrong room, now would be the time. A little starter about myself: my name is Nick Landers, @monoxgas on Twitter is my handle. I'm a security consultant and I'm from Salt Lake City, Utah. I actually grew up in Utah, still live there today, and that's where the company's out of. I've been hacking for probably about eight years, two of them professionally. My loves include writing Windows malware. I don't know if any of you guys are familiar with Throwback or Slingshot: Throwback is actually public on GitHub, the stage one persistence tool, and then Slingshot is its counterpart, which is an interactive RAT. I do active development on the tools that we use internally, or versions of those tools that we use internally, so comparable to something like Cobalt Strike or Meterpreter, but all the code is ours. And I love coding with C++, Python and PowerShell. I might add .NET; I don't get a chance to code in it very often. And I love security research on the red side, so I'm definitely a red teamer. I love to find a piece of functionality and essentially write vulnerabilities that take advantage of the Windows environment. And I do enjoy long walks on the beach, so if you guys want to DM me later, you can make that happen.

So tonight's agenda: I'm going to go over a quick overview of Exchange, the way we access it and what it has to offer us; recon for collecting credentials, usernames, passwords, emails, things like that; credential harvesting, for turning a list of emails into, essentially, performing attacks to gain email password credentials; and then I'm going to go over an overview of Outlook rules, so inbox rules inside Outlook, and talk about the exploitation details of using these rules for, you know, remote code execution, persistence, lateral movement, anything like that. I'll give you guys a demo and then we'll take questions.

So first we'll start off: Exchange is Microsoft's email product. I can't imagine anybody in the room is not familiar with it. Exchange's currently supported versions are 2007, 2010, 2013 and 2016. There's quite a lot of variance between all of these versions, but in typical Microsoft fashion they do a pretty good job of supporting all of them. And then Office 365 and outlook.com, those are built on top of Exchange, so pretty much any attack you can perform against an Exchange server you can perform against Office 365 or an outlook.com profile.

It has a few remote access protocols that we can use. One of them is Exchange Web Services, EWS. It's over HTTP, probably one of the most prevalent, especially for newer versions of Exchange; it's used in a lot of applications and particularly on phones, like Windows Mobile, things like that. We have Outlook Anywhere, which is sort of the predecessor. It's RPC over HTTP, or sub-protocols underneath RPC over HTTP, so like MAPI over RPC over HTTP, so leave it to Microsoft to build you a bunch of abstraction layers. And then in 2013 and up they actually ditched RPC altogether and you have straight, direct MAPI over HTTP. So Office 365, outlook.com and any 2013 and up Exchange servers typically support this protocol; they just pulled RPC right out of the middle and you can do MAPI directly over HTTP, so that's really neat. And then you have Exchange ActiveSync, a bit of an older protocol. It uses HTTP and XML and it's typically used for like older mobile devices. It's a high-latency, low-bandwidth network protocol that is very efficient over those, so it's a little bit slower as far as syncing goes, but it's still useful.

Some functions or terminology: we have autodiscover, which, if anybody is familiar with it, you know, you open up Outlook and
you type in an email credential and you hit set up my profile, and Outlook somehow finds your Exchange server and builds you a mail profile out of the blue, like all you had to provide it was your, you know, email with a domain name and your password. So autodiscover is really the basis of this. It's a fast collection of Exchange configuration, supported protocols and service URLs. So for any organization that has an Exchange setup, you can actually go and type in autodiscover.org.com for their DNS name and it'll oftentimes map you to the server that can give you autodiscover information. So the path is actually autodiscover.org.com/autodiscover/autodiscover.xml, a lot of times locked with NTLM authentication. So once you provide authentication and you essentially request in the right way, you can get back a huge XML file that provides you all the information about what the Exchange server supports, so it's really useful. And Microsoft does an online test utility for this, the Exchange test connectivity tool, for applications that use autodiscover; you can actually see the output of it.

We have Outlook Web App, OWA. I kind of removed it from the remote access protocols; it's not really a protocol we can use to interface with Outlook, but it's a super popular, minimal email client available on the web. You go to any mail.org.com/owa and you pretty much get their OWA login page. That's really popular, like a minimal Outlook. And then you have the Global Address List, the GAL, and that's pretty self-explanatory. It just means that users that are using Exchange from outside the organization, who don't have an interface to Active Directory, are allowed to pull down a list of all of the emails inside the organization, contact info; it's sort of like a rudimentary Active Directory sync. So once you can authenticate to Exchange successfully, you can pull down whatever GAL you have access to and store that offline and use it for further brute forcing.

I'm going to go a little bit into recon. This is a topic that's covered all over in red teaming and pen testing and network security in general, but it's really important for this attack. This is a credential attack, so we need to have email credentials, so a username and password, before we can perform these sort of operations. And I like to talk about attacking from the external, which oftentimes involves recon. So, you know, the goal is to collect emails, usernames and hopefully passwords from public resources and sources. The typical ones: search engines, Google, Bing, company websites. Use all the popular tools, do like DNS brute-forcing with a list to find a bunch of subdomains for an org's public website. These ones are two of my favorites. LinkedIn is awesome because in the past three years you can pretty much find that for every organization out there, all of their employees are tagged to that organization on LinkedIn. So you can do a search for a company and you'll find that all 1,000 employees are like linked here, and you click on that link and it pulls you up a search of every single person on LinkedIn who claimed that they work for that company or have worked for that company. So it's really useful for essentially creating an intelligent list of usernames and emails that we can brute force against.

GitHub, that's also super great. If you guys have never searched it, it's not indexed in Google, so, you know, you go to the GitHub search page and you search, you know, "org.com" in quotes and then like "password" in quotes, or "email", or "@org.com". You can find all sorts of sources. We find interns post up all the time, and the consultant will go to organizations like, yeah, there's a configuration file for your SQL Server sitting out on GitHub somewhere, so you should probably chat with that guy. We can use database dumps, those are really popular right now. And then Active Directory, this is solely for internal, but, you know, I talk about this attack in the sense of: if you have gained network access already and you're trying to bypass network segmentation, or the fact that the user doesn't have local
admin on the remote box, or you want to make sure that, you know, you gain additional access to the organization and you're afraid you might lose it, oftentimes the first thing we do is we go to Active Directory and pull a list of all the active emails from Active Directory and store them offline. That way later, if we need to make more brute forcing attempts, we have the most up-to-date intelligence possible. So it's a really simple and easy piece of information you can pull.

Some tooling for this: Lee Baird did the discover script; it's like a Kali tool. It does lots of other things besides recon, but I'm actually pretty partial to his tool. His script is super awesome, it'll do active and passive discovery, and I don't know if you guys can see that, but it has a list of all of the tools that it actually goes against. It will just make a little local website with HTML files that you can browse around in. For a person just starting off in recon I cannot recommend this enough. You just put in the organization's domain name or their name, it does all the company searches and Google searches, theHarvester pulls out emails, files, links, everything like that. I use it all the time, super great for that. FOCA is a tool; he was at DEF CON three or four years ago, I can't remember how long ago, but it's kind of fallen off the map. It's hard to find a good binary for it, it's a little volatile when you use it, it can crash a lot, but that was also super cool. A guy that works for Silent Break with me actually made a Python script for doing LinkedIn scraping; he just put it on GitHub for me yesterday, I'll provide a link to it. If you go and download it, you can actually run the script against an organization and it uses Selenium inside of LinkedIn to pull a list of all the users, their names and their titles, their job titles, and it doesn't actually click into their profile, so that the user doesn't get alerted that you looked at them. And it can go through tons of search pages, and essentially at the end of the day you get a CSV file of like the employees' names and their email. You sort of have to make a guess on their email structure, typically like first name dot last name, or first initial last name, but it will give you a list of like their job description, their name and their, you know, assumed email. And we actually use that not only for this attack but also when we do full blackbox tests, so, you know, we send in targeted phishing emails, like macro-only documents, things like that. It's super awesome for getting targets because you just pull through a huge Excel document and go, I think I want to target all of these HR people, or all of these people from the customer service department, whatever it may be, and then target them as needed. HackerTarget is also really good for beginners; they have a lot of APIs for doing like DNS lookups and subdomain brute forcing, things like that. It's really cool.

So now I'm going to move a little bit more to active. So there's collecting: let's say that, you know, we used LinkedIn, and this is a common tactic, and we pulled a list of a bunch of emails that belong to the organization, it's a thousand, and their assumed emails, but we don't have passwords for those emails yet. So what we want to do is we want to collect passwords for those as well, and brute forcing is an awesome way to do that. The guys over at Black Hills Security actually wrote up password spraying against OWA before I even built this attack, and it's super awesome. They use Burp with OWA and essentially they iterate through with like a common password like Summer2016 and they brute force like all of these six-character usernames until they find email credentials. For EWS, Shell Intel has a PowerShell toolkit called OWA Toolkit that I absolutely love. It's a couple of PowerShell cmdlets built for interfacing with EWS, and like you can do brute-forcing against EWS. I've got a screenshot included there of like what that command would look like. So, through EWS, you supply it an EWS
service URL, like so, and it will try every single user with like a basic password, you know Summer2016, Password1, Spring2015. These are also awesome candidates, and you'll find that when you have a thousand emails to try and you try the really stupid password, all you need is one account. So of those thousand emails you might get, you know, less than five people that have that dumb password, but it gives you an additional access vector into the network. And then for NTLM over HTTP, I've run into some situations where I needed to do just like raw HTTP requests; Burp does not do this as far as I'm aware, so I just used the requests library inside of Python. There's a GitHub page for an NTLM authentication plugin for that and I just scripted it out inside of Python to brute force against that.

The second part to collecting credentials, on top of brute forcing: I also love the credential harvesting attack through email, so a lot like phishing emails. My favorite is to impersonate the company's login page, like Office 365 or OWA. You'll make a phishing site with a similar domain name that looks the exact same, you send the user an email saying their mailbox is filled up and they just expanded the space, they need to log in to make sure that they still have access to their email, and you'll be surprised how many people freak out about that and go. One of the better things about this is there's no payload to burn and we blend in with spam. So when we're doing targeted attacks with like phishing documents and like Office macros, we might only send ten to twenty attacks to an organization, because if our Word document gets caught, we oftentimes have a lot of IP invested in that macro. We have, you know, really bad-ass macros that can do all sorts of detection and sandbox detection and bypassing, things like that; we really don't want that compromised, so we keep it small. Versus a credential harvesting campaign, where we're trying to get somebody to click on a website and enter their credentials; that's so much more common with spam, so we can send 200 emails, which gives us a much higher likelihood that at least one user will open the attack. I've also used external site compromise as another method. So WordPress, LiveAgent; you have these companies that are outsourcing some of their public-facing websites to other companies. So you go find a vuln in their WordPress site, you pop the box, and then you find out that server isn't actually inside of your target organization's network and you go, shit, I popped a WordPress box for nothing. You go bail, but that's no longer needed, and we can do things like backdooring login pages, doing social engineering from that site, and we can also get password hashes from the database and then do credential reuse to, you know, their internal email, because a lot of times people use the same password for the WordPress site that they would for their internal email; they're like a web admin or something like that.

So I'm going to get into the Outlook rules a little bit and just kind of go over an overview. Microsoft's official terminology on Outlook rules: really what I focus on is the fact that the rule comes in two parts. It comes with a trigger and an action, and there can be multiple triggers defined and multiple actions defined; those are sort of the two pieces of an Outlook rule. You know, triggers are pretty common, self-explanatory: anything from receiving an email with a specific subject, from a specific person, anything along those lines. Rules can be created both server-side and client-side. Microsoft actually added the ability to make Outlook rules on like OWA or outlook.com, and they can also be built client-side, which is kind of the original way they were designed, and the rules aren't necessarily compatible. In fact, like if you build a bunch of rules in the raw Outlook client, or the normal Outlook client, and go into OWA and try to add inbox rules there, it'll actually warn you and it'll say hey, like, you already have rules from Outlook, and if you add the rules on the OWA side they're gonna destroy your Outlook rules; they're not quite compatible. So just keep that in mind in your attacks. There's two actions, there's the actions part of the
rule split into two sides, there's server-side actions and client-side actions. So, you know, when you define an action like, when I receive a message from this person I want to mark it as important or move it to a folder, those are all actions the Exchange server can take, so it doesn't bother asking Outlook to do it, because that would just be, I'll ask you when you come back to me and tell me what to do. So the server side will get processed immediately on the server, and then for any rule that is based in the Outlook client, so playing a sound, printing a message, executing an application, those are executed client-side. And what happens is there's a hidden folder inside of everybody's mail profile called the Deferred Action folder, and when the server side wants the client side to perform the actions associated with the rule, it actually puts a deferred action message in that folder, and the client syncs that down. Outlook sits on that hidden folder, will look at that message, it has a rule ID associated with it, it'll look up that rule locally and execute the actions associated with it. So the server is actually supplying a message to let Outlook know that it needs to execute rules. I'd love to look at ways to forge these messages in the future, but I haven't had a chance yet.

And then of course rules are stored on the Exchange server, and they're synced to all Outlook profiles. That's actually the basis of this attack: if I have four Outlook profiles set up on four different boxes and I go build a rule on one, it'll hit the Exchange server and then get synced down to all of my Outlook profiles, so they can all process the rule as well, even if that rule was built as a client-side only rule. So even if the only actions associated with that rule are ones I want to apply on my computer, they'll still get synced to other machines.

When I first started looking at this, if you go into Outlook you can actually, you know, build a rule, and when I got to the actions portion there's a lot of interesting stuff in here. Most of them are for typical Exchange actions, like, you know, forward the message, mark it as important, things like that, and then you get into some of the interesting ones: print it, play a sound, start an application, run a script. These seemed really interesting to me, especially start an application and run a script. I'll be focusing on start an application because that's where this exploit comes from, but run a script is also a really neat action. If you go into Outlook and you enable the Developer tab, you can actually go and build VBA macros that sit associated with your Outlook profile, and in run a script you can have it run local, like macros inside of Outlook. The problem is these macros aren't synced through the Exchange server like the rule is, so for our purposes of gaining initial access it's not as useful. For persistence it could be, and I'd love to see somebody look at that. It's like a tooling mechanism, it's super stealthy: you put a macro on their Outlook profile, and then when a message is received it will trigger that macro script and run it inside Outlook.

So I wanted to work with the start application function. So I built a rule here, and when you click start an application it has you supply an application name. It opens a file explorer, you go and browse to whatever file on your system that you want to run and you click yes. By default that limits you to .exe files, but you can just do that trick where you change the exe drop-down to all files and pick whatever you want. So I built this rule, and inside Outlook you can go to the rules menu, go to options and then hit export, and you can export all of your rules to like individual files. So I popped open these files in a hex editor; I wanted to see what these files looked like, and I started looking and I can see the name of the rule, this fun rule, and the path down there, the desktop txt. So clearly these offline rule files are supplying this information, so they could
00:18:02,800 be messed up there i also took a deeper look I wanted to know what windows api 280 00:18:02,800 --> 00:18:06,940 outlook with executing when we pull the executor also when I built the rule that 281 00:18:06,940 --> 00:18:11,290 executed cmd.exe what actually happens in the back end when outlook calls 282 00:18:11,290 --> 00:18:15,159 cmd.exe because what I really wanted to do was get argument parameters that 283 00:18:15,160 --> 00:18:17,560 stole my main goal with this is something I really want i'll talk about 284 00:18:17,560 --> 00:18:21,370 the exploitation challenges and you can see there I actually cooked to 285 00:18:21,370 --> 00:18:25,209 outlook.com and I i just took a gas at all the API that would call it actually 286 00:18:25,210 --> 00:18:29,020 ended up calling shellexecute exw the white version shellexecute the extended 287 00:18:29,020 --> 00:18:32,889 wide version of the original function shellexecute and the module that's 288 00:18:32,890 --> 00:18:37,210 calling is actually MSO dl this is a shared library amongst all office 289 00:18:37,210 --> 00:18:38,560 applications 290 00:18:38,560 --> 00:18:43,149 it's in like the program data directory in my career and piles and then you can 291 00:18:43,150 --> 00:18:46,720 see that i looked at the details of this function of the verb is no I'll go into 292 00:18:46,720 --> 00:18:51,400 this in the next slide the file is set to you know cmd.exe and then the 293 00:18:51,400 --> 00:18:54,490 parameters is null so and you can actually go in there and you can look at 294 00:18:54,490 --> 00:18:59,230 the shelter has tons of parameters for setting icons or hiding the window has a 295 00:18:59,230 --> 00:19:02,050 lot of functions like that so you can see exactly what look is doing what it's 296 00:19:02,050 --> 00:19:06,760 calling this this is a quick look at shellexecute TX takes the structure 297 00:19:06,760 --> 00:19:10,390 called the shellexecute info structure this structure has a bunch 
of different 298 00:19:10,390 --> 00:19:13,420 properties and I've kind of ripped out the ones that I find interesting 299 00:19:13,420 --> 00:19:19,360 LP verb is kind of the most one of the most important and it's essentially 300 00:19:19,360 --> 00:19:24,850 really associated with exploring mouse clicking so when you're kind of browsing 301 00:19:24,850 --> 00:19:27,639 around your file system Explorer and you right-click on the file and it brings up 302 00:19:27,640 --> 00:19:31,210 all of the things you can do with that print open they run out all these things 303 00:19:31,210 --> 00:19:35,710 those are associated with verbs most of the time inside of the registry so 304 00:19:35,710 --> 00:19:38,350 Microsoft has built this us 305 00:19:38,350 --> 00:19:43,810 I call it a platform where applications can associate different actions with 306 00:19:43,810 --> 00:19:49,090 ways to call their program so a text file might be open with notepad or might 307 00:19:49,090 --> 00:19:53,530 be opened with adam or sublime depending on what you use and when you changing 308 00:19:53,530 --> 00:19:56,860 your default program what you're actually doing is changing the open verb 309 00:19:56,860 --> 00:20:01,000 for the text file you're going into the registering the HD classes route and 310 00:20:01,000 --> 00:20:01,500 you're set 311 00:20:01,500 --> 00:20:06,510 it's so txt files are now open with the command string sublime text file name or 312 00:20:06,510 --> 00:20:10,860 Adam txt file name instead notepad texting so this is sort of the core that 313 00:20:10,860 --> 00:20:13,709 windows they'll pop up when you're like interacting with the desktop and 314 00:20:13,710 --> 00:20:17,280 opening-up applications and files so it takes two more parameters one of them as 315 00:20:17,280 --> 00:20:20,790 a file which is pretty self-explanatory and then the parameters that allows you 316 00:20:20,790 --> 00:20:25,740 to provide arguments to the file and like that outlook the 
MSO.dll just set 317 00:20:25,740 --> 00:20:28,530 this property to null I haven't gotten the way to like overflow into this 318 00:20:28,530 --> 00:20:32,250 property love to figure out how that these parameters is always null so 319 00:20:32,250 --> 00:20:37,080 really what you end up with is when you have to tell Outlook that you wanted to 320 00:20:37,080 --> 00:20:40,770 act execute an application its you go to Explorer and double-click on that's the 321 00:20:40,770 --> 00:20:44,610 action you have so your payload has to be able to execute maliciously when you 322 00:20:44,610 --> 00:20:50,189 just double-click on the file I'm going to go into the exploitation challenges 323 00:20:50,190 --> 00:20:53,100 that you know what my mind certain thing about it was like okay let's actually 324 00:20:53,100 --> 00:20:56,580 make an attack out of this now what we have so we require valid account 325 00:20:56,580 --> 00:21:00,090 credentials along with Exchange service access so you know we need to have a 326 00:21:00,090 --> 00:21:05,100 valid email and password we can get that through recon brute-forcing like the 327 00:21:05,100 --> 00:21:09,330 slides i mentioned earlier and through many other means it's actually cool 328 00:21:09,330 --> 00:21:12,090 attack if you find yourself in a position where you have somebody's email 329 00:21:12,090 --> 00:21:16,020 password you like how do i get on their box would be a perfect perfect reason to 330 00:21:16,020 --> 00:21:20,460 use that and then we need some sort of service access to Exchange so RPC MAPI 331 00:21:20,460 --> 00:21:24,300 over HTTP any of those services that we can interface with the Exchange server 332 00:21:24,300 --> 00:21:29,879 from the external we don't have command line arguments so we have to make it so 333 00:21:29,880 --> 00:21:33,270 that our file as a package will execute our payload when we double-click on it 334 00:21:33,270 --> 00:21:37,200 or when we call ShellExecute with an open verb between
people typically do it 335 00:21:37,200 --> 00:21:42,150 and then we need local file we need a local file on the disk for Outlook open 336 00:21:42,150 --> 00:21:45,660 so when Outlook actually receives this trigger ShellExecute is going to try to 337 00:21:45,660 --> 00:21:51,810 go find this file so it can run this verb on it and this is really where UNC 338 00:21:51,810 --> 00:21:56,129 comes to the rescue it's like that one of the larger pieces of this attack whenever 339 00:21:56,130 --> 00:21:57,870 you go you know whack 340 00:21:57,870 --> 00:22:02,219 servername backslash share Windows supports that have it i can go into Run and type 341 00:22:02,220 --> 00:22:06,240 in a remote file system and when you do that Windows has a fallback mechanism 342 00:22:06,240 --> 00:22:09,480 that goes through four protocols so at the top it will try you know 343 00:22:10,140 --> 00:22:15,240 SMB and will fall through all of these different like RPC file management 344 00:22:15,240 --> 00:22:18,750 call the delegates to the very end and the last thing Windows will try is to 345 00:22:18,750 --> 00:22:23,520 try to open a WebDAV to that address and WebDAV is a protocol built on top 346 00:22:23,520 --> 00:22:28,500 of the HTTP that Microsoft introduced to allow file sharing so essentially you 347 00:22:28,500 --> 00:22:34,500 can access manage ctrl delete files over HTTP calls and by default when you do 348 00:22:34,500 --> 00:22:38,100 this inside of Windows it is proxy aware so actually they have like a system 349 00:22:38,100 --> 00:22:41,850 proxy setup and you go to UNC path will use the proxy when accessing the HTTP 350 00:22:41,850 --> 00:22:45,360 address which is super useful becoming really popular thing to make proxy 351 00:22:45,360 --> 00:22:49,979 aware tools in this case the great service Windows does it for us we need 352 00:22:49,980 --> 00:22:55,950 to try i'm so the two instances i will get building this were a local Samba
share so inside of Kali you can set up a local file share and hosts files and 354 00:23:01,920 --> 00:23:04,710 that's really where i found a lot of utility and internal pentesting and 355 00:23:04,710 --> 00:23:10,170 pivoting so you get a rogue device on the network you're doing Responder spoofing 356 00:23:10,170 --> 00:23:13,620 you get somebody's credentials but you then you go try to access their 357 00:23:13,620 --> 00:23:16,350 machine and they're not a local admin so you have domain credentials but you're 358 00:23:16,350 --> 00:23:20,129 still on your own box in the network if you want to pivot somebody machine you 359 00:23:20,130 --> 00:23:23,550 spin up a local Samba server on your Kali box and perform this attack and 360 00:23:23,550 --> 00:23:27,690 have the user access the file off of your Kali VM so they don't ever reach 361 00:23:27,690 --> 00:23:32,700 outside of the firewall the next one is a web share and not successfully a UNC 362 00:23:32,700 --> 00:23:37,770 path like that HTTP proxy awareness and the machine will actually reach out to 363 00:23:37,770 --> 00:23:41,309 the internet to get this file so we supply public IP if we apply domain name 364 00:23:41,309 --> 00:23:45,420 that resolved to public IP the Windows box actually reach to that public server 365 00:23:45,420 --> 00:23:50,730 over 80 and try to access it over the web protocol we need to file type that 366 00:23:50,730 --> 00:23:54,270 can give us local code execution which ShellExecute as you know talked about a lot 367 00:23:54,270 --> 00:23:59,760 that exe bat ps1 LNK any file where we double click on it we can get some sort 368 00:23:59,760 --> 00:24:03,059 of arbitrary action with it and then the target need to have Outlook open that's 369 00:24:03,059 --> 00:24:06,540 probably hopefully one of the simplest requirement for this attack a lot of 370 00:24:06,540 --> 00:24:09,690 people you know business people have Outlook open all the time but we have 371 00:24:09,690 -->
00:24:13,950 had instances where we try and attack at eight o'clock in the morning it doesn't 372 00:24:13,950 --> 00:24:16,920 work we come back six hours later and it does because they opened Outlook 373 00:24:16,920 --> 00:24:21,750 sometimes between sometime between $TIME in the morning and in the afternoon i 374 00:24:21,750 --> 00:24:25,620 want to talk a little bit about use cases for this attack so my favorite is 375 00:24:25,620 --> 00:24:28,559 initial access to a target network it's relatively easy to collect email 376 00:24:28,559 --> 00:24:32,460 credentials and we can use it to convert those credentials into internal network 377 00:24:32,460 --> 00:24:36,749 access so no more payload more Office documents and more OLEs no more getting 378 00:24:36,749 --> 00:24:39,029 them to click on HTML and click run 379 00:24:39,029 --> 00:24:42,179 we just need them to give us our email credentials you know go to a coffee shop 380 00:24:42,179 --> 00:24:45,809 and spoof their box we're sitting there and get their creds we didn't really 381 00:24:45,809 --> 00:24:50,129 have to worry about what their machines are what the users trained to do in 382 00:24:50,129 --> 00:24:54,090 regards to like opening up a payload we just need their email credentials we can 383 00:24:54,090 --> 00:24:57,209 pivot into a machine without local admin privileges with my favorite uses for 384 00:24:57,210 --> 00:25:00,240 this we've actually had the situations where I've gotten creds through Responder or 385 00:25:00,240 --> 00:25:04,019 broken the hash and I wanted to get on the workstation normally you need 386 00:25:04,019 --> 00:25:08,789 administrative access to access the service control manager WMI do schtasks 387 00:25:08,789 --> 00:25:09,690 at whatever it is 388 00:25:09,690 --> 00:25:13,470 PsExec this we don't need it we just get their credentials and we go out 389 00:25:13,470 --> 00:25:17,369 through Exchange and make their box reach out and grab our file from us so 390
00:25:17,369 --> 00:25:20,999 we don't have to interact with the Windows services locally we can bypass 391 00:25:20,999 --> 00:25:24,690 network segmentation in the same way if you're sitting on an HR box and they're 392 00:25:24,690 --> 00:25:28,740 locked down from accessing IT but you have IT administrator credentials use 393 00:25:28,740 --> 00:25:33,360 those and make the IT workstation reach out and grab your payload for you and 394 00:25:33,360 --> 00:25:36,570 then persistence this is like over as when I haven't done a lot of work with 395 00:25:36,570 --> 00:25:40,710 but i love the thought process of it's ridiculously stealthy the very obscure 396 00:25:40,710 --> 00:25:44,100 technique with minimal tooling on both sides for performing attack and 397 00:25:44,100 --> 00:25:48,449 detecting it so no defenders ever going to look for well hopefully you guys will 398 00:25:48,450 --> 00:25:51,570 now you're gonna walk in the room going oh my god i need to go look at my Outlook 399 00:25:51,570 --> 00:25:55,860 rules kind of call your call your SOC up like Paul open all the rules make 400 00:25:55,860 --> 00:26:00,600 sure there's nothing there that is really long term because the rule is 401 00:26:00,600 --> 00:26:04,080 linked to an Outlook or an email pro profile and not a workstation we can 402 00:26:04,080 --> 00:26:08,460 persist across an IR wipe so i'll talk about a case study at the end where 403 00:26:08,460 --> 00:26:12,720 we had access to a box we built a rule to get access to that box they found out 404 00:26:12,720 --> 00:26:15,840 that we were on the machine they wiped it completely had to use a reset a 405 00:26:15,840 --> 00:26:19,350 password moved into a new machine the user set up his Outlook profile again and 406 00:26:19,350 --> 00:26:22,350 guess what Exchange like oh by the way you need this rule so let's go ahead and 407 00:26:22,350 --> 00:26:26,248 have that and then we sent him an email the next Monday from an external account
408 00:26:26,249 --> 00:26:31,889 and boom pop a shell it's super crazy how house Delvian and long-term basis in the 409 00:26:31,889 --> 00:26:35,100 same sense we can drop an executable on an internal file share so for really 410 00:26:35,100 --> 00:26:38,219 stealthy persistence you get inside of a network you go find their most common 411 00:26:38,220 --> 00:26:40,480 public file share on the domain controller 412 00:26:40,480 --> 00:26:44,500 drop an executable file on it set up the malicious Outlook rule on either one or 413 00:26:44,500 --> 00:26:48,730 many profiles you set up only 20 emails you get out of the network then two 414 00:26:48,730 --> 00:26:52,660 years later you come back you you know send an email externally to any one of 415 00:26:52,660 --> 00:26:56,860 those 20 people and their box will reach inside and grab that exe off a file share 416 00:26:56,860 --> 00:27:00,428 because everybody knows things but that's filthy files from like 98 sitting 417 00:27:00,429 --> 00:27:03,040 on file shares that's crazy nobody nobody ever believed that you name it 418 00:27:03,040 --> 00:27:08,200 something important like you know budget 2016 do not delete and nobody's gonna 419 00:27:08,200 --> 00:27:14,530 have something that so there's sort of a state of things just the start of this 420 00:27:14,530 --> 00:27:17,860 month a couple of really awesome people whose two tools interface with this 421 00:27:17,860 --> 00:27:22,689 project originally I had built this rule.py
script which just build malicious 422 00:27:22,690 --> 00:27:26,470 RWZ files for importing into Outlook so I sort of reverse engineered the file 423 00:27:26,470 --> 00:27:32,080 protocol for those Outlook profile or those Outlook rule files and built a Python 424 00:27:32,080 --> 00:27:34,570 script that will generate rules for you so you don't have to really interface 425 00:27:34,570 --> 00:27:38,320 with Outlook for the rule generation you build the file offline and it gives you 426 00:27:38,320 --> 00:27:41,740 a file you can tell Outlook to import and suddenly have your rule synced to 427 00:27:41,740 --> 00:27:47,200 Exchange Ruler uses MAPI over HTTP to quickly sync rules 428 00:27:47,200 --> 00:27:49,900 without building the complete mail profiles is something I've been wanting 429 00:27:49,900 --> 00:27:54,940 to build for a while and SensePost did it super awesome it will just interface directly 430 00:27:54,940 --> 00:27:58,780 with MAPI over HTTP to sync the rule so all you have to supply it is user 431 00:27:58,780 --> 00:28:01,780 credentials and suddenly that user profile has your rules synced to it 432 00:28:01,780 --> 00:28:04,840 the only downside of this as far as I'm aware right now it only supports MAPI 433 00:28:04,840 --> 00:28:09,399 over HTTP which means that it's only Exchange 2013 and up and Office 365 and 434 00:28:09,400 --> 00:28:15,309 outlook.com i love to make form someone else to make a port of it does MAPI / RPC 435 00:28:15,309 --> 00:28:19,720 over HTTP that we can support all of Exchange but super awesome tool and i 436 00:28:19,720 --> 00:28:22,630 highly recommend looking at if you want to understand how rules are synced over 437 00:28:22,630 --> 00:28:28,240 MAPI they did a lot of good research on it and then MWR Labs built the XRulez tool 438 00:28:28,240 --> 00:28:32,770 and that uses local Outlook profiles to import malicious rules for persistence so 439 00:28:32,770 --> 00:28:35,740 you get code execution our
box you want to persist on that box they built that 440 00:28:35,740 --> 00:28:40,210 USC that you can inject into memory it will go and look on disk all the MAPI 441 00:28:40,210 --> 00:28:44,080 profiles off of disk and sync the rule that way and I love those two tools and 442 00:28:44,080 --> 00:28:47,230 how they came to like similar tooling from different positions SensePost was 443 00:28:47,230 --> 00:28:52,380 working from the outside trying to get initial access and XRulez is sort of 444 00:28:52,380 --> 00:28:55,470 I already have access to a box but I'm really worried that it's gonna get wiped 445 00:28:55,470 --> 00:28:59,490 every day and I want to have persistence of another method so I believe they used 446 00:28:59,490 --> 00:29:04,830 in the VDI environment really i'm going to go ahead and actually recorded a demo 447 00:29:04,830 --> 00:29:09,000 for you guys kind of a complicated one can see that already don't like the 448 00:29:09,000 --> 00:29:13,920 resolution alright alright so I'm in this case I have my local workstation 449 00:29:13,920 --> 00:29:17,400 which is like my attack workstation and i have a $TIME p.m.
running which is 450 00:29:17,400 --> 00:29:20,550 like my target workstation all it has is Outlook open there's no other 451 00:29:20,550 --> 00:29:26,490 programs open it's synced to you know a mail account and it would call the darkside 452 00:29:26,490 --> 00:29:29,040 debt which anything he was having a black ops course you'll know that 453 00:29:29,040 --> 00:29:35,639 machine it so I've set up a public Ubuntu server and I'm actually SSH'd into it 454 00:29:35,640 --> 00:29:39,210 right now so i have WebDAV configured on this server so this is good to servers 455 00:29:39,210 --> 00:29:43,860 serving files / WebDAV it's really easy to set up WebDAV in Apache just 456 00:29:43,860 --> 00:29:47,760 like one configuration change actually lists out that the directory and the 457 00:29:47,760 --> 00:29:52,740 WebDAV just show up empty and then my my custom tool of choice for my RAT will be 458 00:29:52,740 --> 00:29:56,580 Empire so I'm actually going to use Empire on the same server to get a shell 459 00:29:56,580 --> 00:30:00,810 back and that's just so i can actually use Empire to write like a bat launcher 460 00:30:00,810 --> 00:30:05,100 directly to disk so I already have a stage set up under be this is gonna call 461 00:30:05,100 --> 00:30:07,860 back over port 8080 I think ideally you'd probably want to use these on 462 00:30:07,860 --> 00:30:13,229 different servers so you can do true HTTP comfortable place so I set up a bat 463 00:30:13,230 --> 00:30:17,700 launcher and i just set the out file to the Apache directory with the web server 464 00:30:17,700 --> 00:30:21,960 is configured and I just tell it that is that the auto delete false i want this 465 00:30:21,960 --> 00:30:26,190 file to persist when I tell it generate you see down the bottom i refresh and 466 00:30:26,190 --> 00:30:28,950 suddenly Windows can see that evil.bat sitting in that web share so it's 467 00:30:28,950 --> 00:30:33,600 actually calling out over HTTP to my web server
externally and uploading it up 468 00:30:33,600 --> 00:30:37,409 and File Explorer like it's a local file share it's pretty crazy i pull up in the 469 00:30:37,410 --> 00:30:40,230 bat-file just to show you the PowerShell one-liner the Empire puts in there for 470 00:30:40,230 --> 00:30:41,250 the launcher 471 00:30:41,250 --> 00:30:44,760 so now that i have a payload sitting on the web server i need to build the 472 00:30:44,760 --> 00:30:48,840 Outlook rule i'm just gonna use my rules tool i'm sure you could have used SensePost's 473 00:30:48,840 --> 00:30:52,679 tool for this but i kinda wanted to do my homegrown stuff just because i 474 00:30:52,680 --> 00:30:56,490 like it i set the rule name to DerbyCon it asked me for a subject trigger 475 00:30:56,490 --> 00:31:00,660 word so I just provide shells so you know when the word shells receive it'll 476 00:31:00,660 --> 00:31:05,190 trigger and then the file path I wanted to execute it off of that web share you 477 00:31:05,190 --> 00:31:06,140 know evil.bat 478 00:31:06,140 --> 00:31:10,160 so it actually build me an RWZ file on disk and this is just the 479 00:31:10,160 --> 00:31:14,540 offline version of that rule file so i'm gonna go ahead and open Outlook here so 480 00:31:14,540 --> 00:31:18,170 my attacker machine in this instance I've synced my target Outlook profile to 481 00:31:18,170 --> 00:31:21,230 my machine so I've gone into Outlook they add a new profile provided their 482 00:31:21,230 --> 00:31:24,590 email and password and it's built me a local Outlook instance for my target 483 00:31:24,590 --> 00:31:29,030 user is actually two Outlook sessions existing one on my attacker box-and-one 484 00:31:29,030 --> 00:31:30,020 on the target box 485 00:31:30,020 --> 00:31:32,690 I'm just gonna use my local attacker instance actually sync the rule to 486 00:31:32,690 --> 00:31:38,210 Exchange is where the MAPI over HTTP comes in so I pull up in the rules panel i 487 00:31:38,210 -->
00:31:39,650 have options 488 00:31:39,650 --> 00:31:43,400 import rule and then I'm just going to supply the path of that RWZ file 489 00:31:43,400 --> 00:31:48,530 that i built so at this point Outlook is going to read in my malicious rule it's 490 00:31:48,530 --> 00:31:51,350 going to sync it up to Exchange it is going to supply it down to my target 491 00:31:51,350 --> 00:31:55,250 Outlook instance so that target instance of Outlook running in that VM just got 492 00:31:55,250 --> 00:31:58,430 this Outlook rule without me ever doing anything to it you just had Outlook open 493 00:31:58,430 --> 00:32:02,120 Exchange like oh here you go have this malicious file that some attacker can 494 00:32:02,120 --> 00:32:06,260 synced them so there's a couple different ways to trigger there's lots of 495 00:32:06,260 --> 00:32:08,870 different ways to trigger the rule my personal favorite is set up a subject 496 00:32:08,870 --> 00:32:12,139 trigger and then send the user an email from themselves 497 00:32:12,140 --> 00:32:15,980 it's hard to track and if the user ever find it in their inbox about Julia dials 498 00:32:15,980 --> 00:32:19,100 they just go oh it's from myself and you just name the subject line like Outlook 499 00:32:19,100 --> 00:32:22,850 updates or like some weird hacks error and i think most users will blow it off 500 00:32:22,850 --> 00:32:28,939 so in this case i'm just setting the to address to that the user themselves and 501 00:32:28,940 --> 00:32:33,890 doing pop shells in the subject and I'm just I'm just telling him don't go to 502 00:32:33,890 --> 00:32:39,560 reconcile the pop shells on your box is from future to him so I go in its end 503 00:32:39,560 --> 00:32:42,950 here and then after the message sends in Outlook I just closed my local instance 504 00:32:42,950 --> 00:32:45,890 that so that my local instance and their local instance don't interfere with each 505 00:32:45,890 --> 00:32:50,360 other like my instant get that the Dom then
it might execute the attack instead 506 00:32:50,360 --> 00:32:53,030 of the remote one so after the email sends i just closed out of my instance 507 00:32:53,030 --> 00:32:56,389 and wait for the mail to be delivered on-target actually I get a little bit 508 00:32:56,390 --> 00:32:59,840 impatient here and I'd like send and receive and i'm about to restart Outlook 509 00:32:59,840 --> 00:33:04,699 oh my god email coming faster and then right there and pop so there's ways to 510 00:33:04,700 --> 00:33:08,360 do this without a window popping my favorite that exe with an individual 511 00:33:08,360 --> 00:33:12,350 options which actually this document in the blog you can see right there in 512 00:33:12,350 --> 00:33:16,310 Empire i just got a new agent back on my remote machine and it's on the darkside 513 00:33:16,310 --> 00:33:18,870 machine i'm going to interact with that number 514 00:33:18,870 --> 00:33:23,520 PS just to prove I'm not going you guys so that was completely external to 515 00:33:23,520 --> 00:33:27,330 remote code execution on a host using only Outlook that target only ever had 516 00:33:27,330 --> 00:33:30,330 Outlook open and all they have to do is receive an email 517 00:33:36,820 --> 00:33:42,189 um so this is kind of case study number one I want to go over a couple 518 00:33:42,190 --> 00:33:46,840 legitimate use cases that we've done for this attack in the last six months I've 519 00:33:46,840 --> 00:33:50,799 used this on seven different engagements this attack is super useful and it is 520 00:33:50,799 --> 00:33:53,710 legitimate I don't do this out of research for oh hey this is cool you 521 00:33:53,710 --> 00:33:57,250 know give a presentation on it like I built this because i wanted to use it 522 00:33:57,250 --> 00:34:00,279 on engagement and it has worked out beautifully and so many times so the 523 00:34:00,279 --> 00:34:04,809 first one was a black box
pen test against an org i discovered a zero-day 524 00:34:04,809 --> 00:34:08,560 in the LiveAgent software so that support chat software that was 525 00:34:08,560 --> 00:34:12,489 externally hosted i compromised the SQL database and used tokens to log in to the 526 00:34:12,489 --> 00:34:16,839 web interface for the application and then I placed custom HTML on the footer 527 00:34:16,839 --> 00:34:19,779 of the login page to steal user credentials when people log into the 528 00:34:19,780 --> 00:34:23,139 LiveAgent app so the LiveAgent server was externally hosted wasn't in the 529 00:34:23,139 --> 00:34:26,589 network all I wanted was creds so let that running for about a week and over 530 00:34:26,589 --> 00:34:30,250 time I found somebody who had the same password set for both this LiveAgent 531 00:34:30,250 --> 00:34:34,239 program and their internal email used the Outlook attack to pop their network and 532 00:34:34,239 --> 00:34:38,168 lateral movement and privilege escalation to domain admin so that was compromise 533 00:34:38,168 --> 00:34:41,529 of a third party application that wasn't even in the network to domain admin 534 00:34:41,530 --> 00:34:43,359 using this attack in the middle 535 00:34:43,359 --> 00:34:47,469 another one was another black box assessment on an org we used credential 536 00:34:47,469 --> 00:34:50,709 brute-forcing to find a weak user login so i collected a whole bunch of target 537 00:34:50,710 --> 00:34:54,879 emails brute forced against them to find a user who had like summer 2016 as their 538 00:34:54,879 --> 00:34:59,710 password used Outlook access to pop their box and then again lateral movement to 539 00:34:59,710 --> 00:35:02,740 privilege escalation to domain admin and in the middle actually put their 540 00:35:02,740 --> 00:35:06,729 security team discovered the compromise they told the user to shut down his box 541 00:35:06,730 --> 00:35:10,180 he came back into the office they reset his password blew away the machine actually 542
00:35:10,180 --> 00:35:13,899 moved him to an entirely new computer the next Monday i shoot an external 543 00:35:13,900 --> 00:35:17,170 email and pop the box again we're back to business inside of the network that was a 544 00:35:17,170 --> 00:35:19,990 good example of how the persistence technique can be used to persist across 545 00:35:19,990 --> 00:35:24,759 IR wipes so I like the phishing payloads are dead guys you might as well just 546 00:35:24,760 --> 00:35:29,109 toss all your macro payload salvador vs LA start getting on its Outlook train i 547 00:35:29,109 --> 00:35:33,220 need stickers i feel like the HDD guys pick me up with stickers or like 10,000 548 00:35:33,220 --> 00:35:38,200 and then we'll family handling development so i kinda wanna talk a 549 00:35:38,200 --> 00:35:40,868 little bit about what now I mean I explain this attack explain its 550 00:35:40,869 --> 00:35:43,960 different usage future research 551 00:35:43,960 --> 00:35:47,980 i I'm a red team of mindsets like my future my ideas for this to like all 552 00:35:47,980 --> 00:35:50,230 what are all the cool different things that you can do with Outlook rules 553 00:35:50,230 --> 00:35:55,240 one of them is to abuse the MSO.dll or Outlook to avoid argument limitations 554 00:35:55,240 --> 00:35:58,779 ShellExecute so if you actually I I actually threw the MSO.dll inside of IDA 555 00:35:58,780 --> 00:36:02,080 and like looked at the export function that was executing shell or ShellExecute 556 00:36:02,080 --> 00:36:05,830 went through a little bit didn't get very far with it but if you can find 557 00:36:05,830 --> 00:36:09,730 some way to like overflow in the rule to get command line arguments or 558 00:36:09,730 --> 00:36:13,930 potentially abuse the verbs in the registry i built a Python script to 559 00:36:13,930 --> 00:36:17,980 enumerate all the verbs out of the HKEY_CLASSES_ROOT and look to see 560 00:36:17,980 --> 00:36:21,790 if there was any weird file extension that I
could use where it would like to 561 00:36:21,790 --> 00:36:25,660 pass my file name as an argument as well to get my arbitrary command execution 562 00:36:25,660 --> 00:36:31,210 modify the the Ruler tool by SensePost to include support for MAPI over RPC 563 00:36:31,210 --> 00:36:35,980 over HTTP just so we can get the 2007-2010 support build pass-the-hash 564 00:36:35,980 --> 00:36:39,400 support in the tooling so NTLM hashes could be used to have internally 565 00:36:39,400 --> 00:36:43,810 i did a proof-of-concept of this with Python and actually used the Python NTLM requests 566 00:36:43,810 --> 00:36:47,770 library and modified it so to do pass the hash so we have an NTLM hash for a 567 00:36:47,770 --> 00:36:51,190 user we can actually pass that to the Exchange server get access to their 568 00:36:51,190 --> 00:36:55,480 mailbox and then sync rules to it so another early Christians and have the 569 00:36:55,480 --> 00:36:59,619 idea of doing an SMB relay but to the Exchange server so normally do an SMB 570 00:36:59,619 --> 00:37:03,220 relay attack and you have to be local admin on whatever remote box you're relaying 571 00:37:03,220 --> 00:37:06,910 to not anymore you could relay to the Exchange server open up a session and 572 00:37:06,910 --> 00:37:11,529 then sync a rule for that profile and get code execution that way you can use 573 00:37:11,530 --> 00:37:15,040 named pipes as a file replacement so you can do in memory pivoting so if you were 574 00:37:15,040 --> 00:37:18,160 on a box and you want to get to another box you like load up the file of the 575 00:37:18,160 --> 00:37:21,460 named pipe supply it as an argument for the rule and then get the remote system 576 00:37:21,460 --> 00:37:25,990 to read that file or that named pipe like it was a file and supply like a bat 577 00:37:25,990 --> 00:37:29,529 or whatever just so that you didn't have to write to disk anywhere i'm a fan 578 00:37:29,530 --> 00:37:33,340 of existing in memory that's what my
tools do and then I thought about this 579 00:37:33,340 --> 00:37:37,420 recently you can potentially backdoor patch the MSO.dll on disk for like 580 00:37:37,420 --> 00:37:40,900 stealthy Outlook persistence that didn't include a rule file so if you've got 581 00:37:40,900 --> 00:37:45,250 access to a host you could like patch their MSO.dll so that any time an email 582 00:37:45,250 --> 00:37:48,850 was received and it like check to see you the actions of a rule you like 583 00:37:48,850 --> 00:37:52,930 injected your code in there and was like hey if it's you know past 1230 on a 584 00:37:52,930 --> 00:37:56,799 Wednesday i want you to execute this batch file over here so you know really 585 00:37:56,800 --> 00:38:00,820 really needs help with that as far as defenses for this go we do collaborative 586 00:38:00,820 --> 00:38:03,859 organ arc lab engagement with organization 587 00:38:03,859 --> 00:38:07,910 and our constant recommendation is to disable WebDAV outbound on the firewall 588 00:38:07,910 --> 00:38:12,950 so a lot of 4 i'd say a lot of providers support this I know Palo Alto does by 589 00:38:12,950 --> 00:38:17,328 default but you can just stop your clients from reaching out over HTTP WebDAV 590 00:38:17,329 --> 00:38:21,710 protocols that's probably the easiest defense on another hand to the host 591 00:38:21,710 --> 00:38:25,579 based approach where you monitor process creation for Outlook and or app 592 00:38:25,579 --> 00:38:29,359 whitelisting so you know you have a pointless and Turner AppLocker I'm not 593 00:38:29,359 --> 00:38:32,900 gonna be able to reach the web share and just execute a random exe or a bat file 594 00:38:32,900 --> 00:38:36,559 off of that web share so there is host based solutions do this Matt Graeber's 595 00:38:36,559 --> 00:38:42,710 gonna be a great resource for that and then we can monitor Exchange logs for 596 00:38:42,710 --> 00:38:45,589 rule sync events from outside of the network and I put a question mark after 597
00:38:45,589 --> 00:38:48,529 next i haven't had a lot of time to research the defenses on the Exchange 598 00:38:48,529 --> 00:38:51,799 server side but i imagine if we had enough auditing enabled we could watch 599 00:38:51,799 --> 00:38:56,089 this rule activity occurring against an account and create alerts on the logs 600 00:38:56,089 --> 00:39:00,619 and or just go out and watch all of the all of your check all of the rules 601 00:39:00,619 --> 00:39:04,940 against all the profiles only sometimes anybody have any questions from this 602 00:39:04,940 --> 00:39:07,940 research about that yeah what's up 603 00:39:10,099 --> 00:39:19,400 ok ok 604 00:39:19,400 --> 00:39:22,760 just so everyone heard and you just asked if I've ever encountered legitimate 605 00:39:22,760 --> 00:39:25,910 usage of this feature inside of Outlook me myself 606 00:39:25,910 --> 00:39:29,029 probably not but when I talked to Microsoft about this they didn't seem 607 00:39:29,029 --> 00:39:32,270 too keen on the idea of blowing away the feature I imagine a lot of people 608 00:39:32,270 --> 00:39:38,720 use it for like when they receive an email from their boss they start up Reddit 609 00:39:38,720 --> 00:39:42,859 or YouTube or so like I don't have considered legitimate but like I don't 610 00:39:42,859 --> 00:39:46,190 know like you know a political and you can actually i should mention you can do 611 00:39:46,190 --> 00:39:49,430 the same thing with HTML files so or websites for that matter so if you 612 00:39:49,430 --> 00:39:52,669 supply a website string to the rule it will pop open your default browser and 613 00:39:52,670 --> 00:39:55,910 go to that website you can get out like pop websites when you receive emails 614 00:39:55,910 --> 00:39:59,240 instead of applications economy will be your president 615 00:39:59,240 --> 00:40:23,479 oh oh ok so that definition question and one that I i if I constant ongoing like 616 00:40:23,480 --> 00:40:27,079 I would say within the past
month I've had conversations about this i've seen 617 00:40:27,079 --> 00:40:31,010 some organizations walk down to factor on owa so when you go to the outlook web 618 00:40:31,010 --> 00:40:35,180 access you have to supply a token before you can finish logging in that wouldn't 619 00:40:35,180 --> 00:40:38,509 stop a lot of these attacks just because the two-factor off doesn't apply against 620 00:40:38,510 --> 00:40:43,160 ews or the ntlm off on the autodiscover page so a lot of a lot of times like the 621 00:40:43,160 --> 00:40:46,848 two-factor authentication will be applied to the owa pro like the login 622 00:40:46,849 --> 00:40:50,539 page so when you're doing the login with owa you've already accessed the site and 623 00:40:50,539 --> 00:40:51,529 brought it up 624 00:40:51,529 --> 00:40:54,710 whereas if you go to like the autodiscover xml file for an org you 625 00:40:54,710 --> 00:40:59,059 have to supply HTTP and tell em off before you can even view that file which 626 00:40:59,059 --> 00:41:02,480 means that you can do both forcing against the HTTP ntl Emma in the same 627 00:41:02,480 --> 00:41:07,369 way that you would do like basic reporting it's an old firewall and i'm 628 00:41:07,369 --> 00:41:10,760 not sure the specifics of the other protocols are like office 365 if you 629 00:41:10,760 --> 00:41:14,150 have it enabled their I believe you could cut that the two factors only 630 00:41:14,150 --> 00:41:17,839 going to apply after you've got to the successful credentials which means that 631 00:41:17,839 --> 00:41:21,920 you can get to the office 365 login page fine and you can try credential the 632 00:41:21,920 --> 00:41:24,920 minute you see a different response which is probably the next page where 633 00:41:24,920 --> 00:41:28,520 like load that up you know you have battle valid credit and then you could 634 00:41:28,520 --> 00:41:32,150 probably use a different exchange protocol ews our map your HTTP the 635 00:41:32,150 --> 00:41:32,660 
access 636 00:41:32,660 --> 00:41:36,618 that directly i haven't verified that so I'd love to do research on it because 637 00:41:36,619 --> 00:41:39,619 they might apply that to factor out the different protocols 638 00:41:53,270 --> 00:42:00,559 yeah yeah sure I'm yeah I'm not sure I'd this is one of those things where I want 639 00:42:00,559 --> 00:42:03,770 more research to be done to it i'd love to factor out the i'm a huge fan of 640 00:42:03,770 --> 00:42:06,859 multi-factor up and I wanted to be a mitigation for this attack which is 641 00:42:06,859 --> 00:42:09,710 knowing the way Microsoft and the protocols work the very fact that you 642 00:42:09,710 --> 00:42:13,099 have like six different ways to interface with an exchange server means 643 00:42:13,099 --> 00:42:16,190 that the two factor of problems and applied to all of them and particularly 644 00:42:16,190 --> 00:42:19,880 not the low level one if you want to know for sure i highly recommend you try 645 00:42:19,880 --> 00:42:24,530 a are not that it's not for sure but if you want to like get a better idea pop 646 00:42:24,530 --> 00:42:27,890 open a brand new outlook instance and try to build somebody's profile remotely 647 00:42:27,890 --> 00:42:31,609 if you get any sort of to factor out there then I would all be a lot more 648 00:42:31,609 --> 00:42:34,910 confident that it's going to stop a sort of attack but if you just have to back 649 00:42:34,910 --> 00:42:39,500 off I'm like oh wao that officers 5 online login pages i'm kinda iffy about 650 00:42:39,500 --> 00:42:51,880 whether that stops so then we have any other questions yeah yeah I haven't 651 00:42:51,880 --> 00:42:54,579 sounds cool and actually thought about that if you could it once you have like 652 00:42:54,579 --> 00:42:57,849 domain admin on the network if you could get into account that had admin overall 653 00:42:57,849 --> 00:43:01,420 the exchange like the exchange admins group then you can like a drool to each 654 
00:43:01,420 --> 00:43:04,839 individual person and like trigger them globally and pop shells all over the 655 00:43:04,839 --> 00:43:08,950 place like like mail slot for something like that i haven't like really i really 656 00:43:08,950 --> 00:43:11,769 want to encourage you guys please go research this technique i talked about 657 00:43:11,769 --> 00:43:15,189 it and I have so many things in my mind I'm like wow I want to try that but to 658 00:43:15,190 --> 00:43:17,529 answer your question no I haven't really looked yet 659 00:43:17,529 --> 00:43:25,630 somebody else have a question yet so yeah so there's actually ways to disable 660 00:43:25,630 --> 00:43:29,710 the supported protocols in exchange you can like disabled map over HTTP or RPC 661 00:43:29,710 --> 00:43:33,549 over HTTP and then in the exchange or in the autodiscover file you'll actually 662 00:43:33,549 --> 00:43:36,670 see that reflected so like sense post-election checks with us that it 663 00:43:36,670 --> 00:43:40,450 looks at the autodiscover file check to see whether the mapi over HTTP has a 664 00:43:40,450 --> 00:43:43,689 service URL supply and if it does then it will continue the attack 665 00:43:43,690 --> 00:43:47,799 otherwise it just gives up so it's tough because at some point you a lot of 666 00:43:47,799 --> 00:43:51,849 organizations need to supply a user with like external access to their email via 667 00:43:51,849 --> 00:43:55,180 exchange and so really hard to turn those things off and I think that 668 00:43:55,180 --> 00:44:00,279 functionality geeks even I i say harder to turn off when you get into like 669 00:44:00,279 --> 00:44:03,700 office 365 like what you're going to talk to Microsoft I'm gonna be like I'd 670 00:44:03,700 --> 00:44:06,848 yeah we can't just like the table this one core protocol for all your clients 671 00:44:06,849 --> 00:44:09,700 but i recommend looking into it you let me know 672 00:44:09,700 --> 00:44:14,618 hit me up on Twitter send me an email 
you know just I'd really love to spread 673 00:44:14,619 --> 00:44:17,650 out this research symbols have any questions 674 00:44:17,650 --> 00:44:20,589 no we're good i'll close it out there you guys have time to get your next talk 675 00:44:20,589 --> 00:44:22,930 come up and talk to me say hi but that's it