Outlook and Exchange for the bad guys


DerbyCon 2016
Nick Landers @monoxgas

External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute-forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client-side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete.

About the speaker: Security Consultant at Silent Break Security. Professional hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.


2. > getuid
   Nick Landers (@monoxgas)
   Security Consultant at Silent Break Security
   Salt Lake City, Utah, US
   Hacking for 8 years, 2 professionally
   My Loves:
   ◦ Writing Windows malware (slingshot/throwback)
   ◦ Coding with C++, Python, or PowerShell
   ◦ Security Research for the Red Side
   ◦ Long walks on the beach
   NICK LANDERS / @MONOXGAS / SILENT BREAK SECURITY
3. Tonight’s Agenda
   1. Exchange Overview
   2. Recon
   3. Credential Harvesting
   4. Outlook Rules
   5. Exploitation Details
   6. Demo!
   7. Questions
4. Currently supported versions: 2007, 2010, 2013, 2016; Office 365 / Outlook.com
   Remote Access Protocols
   ◦ Exchange Web Services (EWS) – SOAP over HTTP
   ◦ Outlook Anywhere – RPC over HTTP
   ◦ MAPI over HTTP (Exchange 2013+)
   ◦ Exchange ActiveSync (EAS) – HTTP/XML – high latency / low bandwidth
   Functions
   ◦ AutoDiscover – fast collection of Exchange configurations, supported protocols, and service URLs
   ◦ Outlook Web App (OWA) – minimal E-Mail client available via the web – http://mail.org.com/owa
   ◦ Global Address List (GAL) – LDAP/Active Directory
5. Recon
   Goal: Collect E-Mails, usernames, and (maybe) passwords from public resources
   Sources:
   ◦ Search engines (Google, Bing, etc.)
   ◦ Company websites – DNS brute-forcing to discover subdomains
   ◦ Public websites (LinkedIn, GitHub)
   ◦ Database dumps (leakedsource, haveibeenpwned)
   ◦ Active Directory – for lateral movement and segmentation bypassing
   Tooling:
   ◦ Discover - https://github.com/leebaird/discover (Lee Baird)
     – Passive: ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng
     – Active: nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute, and Whatweb
   ◦ FOCA - https://www.elevenpaths.com/labstools/foca/index.html
   ◦ LinkedIn Scraper - https://github.com/wpentester/Linkedin_profiles (Hans Petrich)
   ◦ HackerTarget - https://hackertarget.com/ip-tools/
6. Collecting Credentials
   Brute Forcing Techniques
   ◦ OWA – Black Hills Security Password Spraying w/ Burp - http://www.blackhillsinfosec.com/?p=4694
   ◦ EWS – ShellIntel PowerShell Toolkit - https://github.com/Shellntel/OWA-Toolkit
   ◦ NTLM HTTP Auth – Python Requests - https://github.com/requests/requests-ntlm
   ◦ Use a targeted E-Mail list with common passwords – Summer2016, Password1, etc.
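The brute-forcing techniques on this slide have a distinctive footprint on the Exchange front end: one source address failing authentication against many accounts, each tried only once or twice. The following is an added example (not tooling from the talk) that detects that "wide and shallow" pattern. It works over constructed, simplified IIS-style log lines; the field layout, the assumption that a failed EWS authentication is logged as sc-status 401 with the attempted account in cs-username, and the thresholds are all assumptions that would need to be adapted to real Exchange/IIS logs.

```python
"""Password-spraying detector over constructed, simplified IIS-style log lines
for an Exchange front end.  Added example, not tooling from the talk.
Assumed (constructed) layout:  date time c-ip cs-method cs-uri-stem cs-username sc-status
and a failed authentication logged as sc-status 401.  Real IIS logs carry more
fields and OWA forms-based logon fails differently, so parse_line() is the
part to adapt."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+) (\S+) (\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, uri, user, status = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "ip": ip,
        "method": method,
        "uri": uri,
        "user": user.lower(),
        "status": int(status),
    }


def detect_spraying(lines, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Flag source IPs that, inside some sliding time window, fail authentication
    for at least `min_users` distinct accounts while trying each account at most
    `max_per_user` times.  That shape (one password such as Summer2016 against a
    whole user list) separates a spray from a single user mistyping a password."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["user"] != "-":
            failures[rec["ip"]].append((rec["time"], rec["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                current = findings.get(ip)
                if current is None or len(per_user) > current["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(per_user),
                        "attempts": end - start + 1,
                        "first": events[start][0],
                        "last": events[end][0],
                    }
    return findings


# Constructed sample: one IP sprays six accounts once each within a minute;
# a second IP is a single user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2016-09-24 02:11:03 203.0.113.7 POST /EWS/Exchange.asmx alice 401
2016-09-24 02:11:09 203.0.113.7 POST /EWS/Exchange.asmx bob 401
2016-09-24 02:11:15 203.0.113.7 POST /EWS/Exchange.asmx carol 401
2016-09-24 02:11:21 203.0.113.7 POST /EWS/Exchange.asmx dave 401
2016-09-24 02:11:27 203.0.113.7 POST /EWS/Exchange.asmx erin 401
2016-09-24 02:11:33 203.0.113.7 POST /EWS/Exchange.asmx frank 401
2016-09-24 02:12:01 198.51.100.22 POST /EWS/Exchange.asmx alice 401
2016-09-24 02:12:10 198.51.100.22 POST /EWS/Exchange.asmx alice 401
2016-09-24 02:12:18 198.51.100.22 POST /EWS/Exchange.asmx alice 200
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts, {info['attempts']} failures "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The distinct-account threshold matters more than the raw failure count: a lockout policy keyed on failures per account never fires on a spray, because each account sees only one or two attempts, which is exactly why the technique is popular. Alert on distinct accounts per source instead, and keep the window wide (an hour or more) because a patient spray can be slowed to one attempt every few minutes.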
7. Collecting Credentials pt. 2
   Credential Harvesting Attacks via E-Mail
   ◦ Impersonate target company logon page (OWA, Office 365, etc.)
   ◦ No payload to burn + blend with the spam
   ◦ = Attacks can be scaled up (5-10 vs 100-200 targets)
   External Site Compromise (WordPress, LiveAgent, etc.)
   ◦ No longer useless for gaining internal network access!
   ◦ Credential re-use is VERY common
   ◦ Backdoor logon pages with JavaScript to steal credentials
   ◦ Grab passwords from databases
   ◦ Social Engineering
8. Outlook Rules Overview
   “A rule is an action that Outlook for Windows runs automatically on incoming or outgoing messages. You choose what triggers the rule as well as the actions the rule takes.” – Microsoft
   Rules can be created:
   ◦ Server side (OWA, Outlook.com)
   ◦ Client side (Outlook)
   ◦ Often not compatible due to subtle differences in the usage of rule properties
   Rule action order:
   ◦ Server side actions (move mail to folder)
   ◦ Client side actions (print a message)
   Rules are stored on the Exchange server; any new Outlook instance receives all existing rules.
   When a client side action is needed, a deferred action message (DAM) is sent to the client with the rule ID.
9. Rule Actions
   That looks promising!
12. ShellExecuteEx
   lpVerb – “The set of available verbs depends on the particular file or folder. Generally, the actions available from an object's shortcut menu are available verbs. This parameter can be NULL, in which case the default verb is used if available. If not, the "open" verb is used.”
   ◦ Can be viewed/modified in HKEY_CLASSES_ROOT
   lpFile – “The address of a null-terminated string that specifies the name of the file or object on which ShellExecuteEx will perform the action specified by the lpVerb parameter.”
   lpParameters – “Optional. The address of a null-terminated string that contains the application parameters.”
13. Exploitation Challenges
   Requires valid account credentials along with Exchange service access
   ◦ Recon & brute forcing
   ◦ RPC/MAPI over HTTP
   No command line arguments
   Need a local file on disk for Outlook to open – UNC to the rescue! (\\Server\Share\evil.exe)
   ◦ Local SMB share (Kali Linux, existing Windows share) – internal pentesting/pivoting/persistence
   ◦ WebDAV share – accessible via UNC path – HTTP with proxy awareness
   A file type which can give us code execution with ShellExecute
   ◦ BAT, EXE, PIF, VBS, JS, HTA, LNK, etc.
   Target needs Outlook open to receive the DAM and execute the attack
14. Use Cases
   Initial access to a target network
   ◦ Relatively easy to collect E-Mail credentials externally
   Pivot to workstation without local admin privileges
   Bypass network segmentation
   Persistence:
   ◦ Stealthy – obscure technique with minimal tooling available for detection/monitoring
   ◦ Long-term – linked to E-Mail profile, not workstation; persistence across a DFIR wipe
   ◦ Drop an executable onto an internal file share
   ◦ Load rule into many E-Mail accounts, trigger with one E-Mail
15. State of things
   Rulz.py – Build malicious RWZ files for importing into Outlook (monoxgas)
   ◦ https://gist.github.com/monoxgas/7fec9ec0f3ab405773fc
   Ruler – MAPI over HTTP to quickly sync rule file without building complete profile (SensePost)
   ◦ https://github.com/sensepost/ruler
   XRulez – Use local Outlook profiles to import malicious rule for persistence (MWR Labs)
   ◦ https://github.com/mwrlabs/XRulez
16. Demo!
   Pop a shell with E-Mail!
18. Case Study #1
   Black-box penetration test for an organization
   ◦ Discovered 0-day in externally hosted LiveAgent software for support chat
   ◦ Compromised SQL database and used tokens to log in to the web interface
   ◦ Placed custom HTML on the footer of the logon page to steal user credentials
   ◦ Password re-use to get into an E-Mail account
   ◦ Outlook attack to pivot into the environment
   ◦ Lateral movement and privilege escalation to Domain Admin
19. Case Study #2
   Black-box penetration test for an organization
   ◦ Credential brute-forcing to find weak user login
   ◦ Outlook attack to gain initial access to the network
   ◦ Security team discovered the compromise, changed user password, wiped workstation
   ◦ Used previously synced rule with external E-Mail to gain access to the network AGAIN
   ◦ Lateral movement and privilege escalation to get Domain Admin
   Phishing payloads are DEAD! Long live the Outlook Attack!
20. What Now?
   Future Research
   ◦ Abuse mso.dll/Outlook to avoid argument limitations with ShellExecute
   ◦ Modify ‘Ruler’ by SensePost to include support for MAPI over RPC over HTTP (2007/2010)
   ◦ Build Pass the Hash support into tooling so NTLM hashes can be used to pivot internally
   ◦ Use Named Pipes as a file replacement for in-memory pivoting
   ◦ Backdoor/patch mso.dll on disk for Outlook persistence without modifying the server-side profile
   Defenses:
   ◦ Disable WebDAV outbound at the firewall
   ◦ Monitor process creation from Outlook and/or use application whitelisting
   ◦ Monitor Exchange logs for rule sync events from outside of the network?
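The "monitor process creation from Outlook" defence above is concrete enough to implement, and it ties directly to the exploitation details from slide 13: a rule-triggered ShellExecute on a BAT, VBS or HTA file shows up as Outlook spawning cmd.exe, wscript.exe or mshta.exe, usually with a UNC or WebDAV path on the command line. The following is an added example (not tooling from the talk) that applies those checks to process-creation events using Sysmon Event ID 1 field names; the events at the bottom are constructed, not real telemetry, and the child-process and extension lists are starting points to tune for a given environment.

```python
"""Flag process creations whose parent is Outlook, using Sysmon Event ID 1
field names (Image, ParentImage, CommandLine).  Added example for the
"monitor process creation from Outlook" defence; the events below are
constructed, and the lists are starting points, not a complete policy."""
import ntpath
import re

# Interpreters that ShellExecute starts for the file types the talk lists
# (BAT -> cmd.exe, VBS/JS -> wscript.exe, HTA -> mshta.exe, ...).  Outlook
# itself has little legitimate reason to spawn any of these.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "powershell.exe", "rundll32.exe", "regsvr32.exe",
}

# Extensions named on the slides as giving code execution via ShellExecute.
EXEC_EXTENSIONS = (".bat", ".cmd", ".exe", ".pif", ".vbs", ".js", ".hta", ".lnk")

# UNC paths (\\host\share\...).  This also covers the WebDAV form
# \\host@80\share\... that the Windows WebClient service resolves.
UNC_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')


def _basename(path):
    return ntpath.basename(path).lower()


def analyze_event(event):
    """Return the list of reasons an event is suspicious; [] means benign."""
    if _basename(event.get("ParentImage", "")) != "outlook.exe":
        return []
    reasons = []
    child = _basename(event.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"Outlook spawned {child}")
    for path in UNC_RE.findall(event.get("CommandLine", "")):
        reasons.append(f"UNC path in command line: {path}")
        if path.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"remote executable: {path}")
    return reasons


def flag_outlook_children(events):
    """Return [(event, reasons), ...] for every event that is not benign."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed sample events (paths and hosts are made up).
SAMPLE_EVENTS = [
    {   # rule-triggered launch of a batch file from an internal share
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "\\10.0.0.5\share\update.bat"',
    },
    {   # benign: user opens a Word attachment from Outlook
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
        "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\report.docx"',
    },
    {   # benign for this rule: cmd.exe whose parent is not Outlook
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe",
    },
    {   # script interpreter on a VBS from a file share
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "\\fileserver\public\invoice.vbs"',
    },
    {   # HTA fetched over WebDAV (the outbound-WebDAV case from the Defenses list)
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "\\dav.example.org@80\share\evil.hta"',
    },
]

if __name__ == "__main__":
    for event, reasons in flag_outlook_children(SAMPLE_EVENTS):
        print(_basename(event["Image"]), "<-", "; ".join(reasons))
```

Two points worth keeping in mind when turning this into a production rule. First, the parent/child relationship is the strongest signal: Outlook opening attachments spawns Office applications and the browser, not script hosts, so a short allowlist of expected children keeps the rule quiet. Second, the WebDAV case is why the slide also recommends blocking outbound WebDAV: without that, the payload never has to touch an internal share, so the UNC-path check should not be limited to private address ranges.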
21. Questions?
   Nick Landers - @monoxgas
   Silent Break Security
   nick@silentbreaksecurity.com