Learn from malware - hack.lu (archive.hack.lu/2015/Practical_Spear_Phishing.pdf, 2015-10-21)
Learn from malware !
A practical guide of spear phishing for red teams…
Paul Jung
hack.lu’2015
WARNING: Legal disclaimer
All the tricks and tips shown here are used in real life.
No malware was harmed during the preparation of this presentation.
Phishing Steps
1) Reconnaissance
2) Bypass inbound security
3) Phish a user !
4) Bypass outbound security.
Collecting
• Ask google !
• “The Harvester”
http://bit.ly/1R8DaPr
Collecting
• Got the format? Then you get everything
FirmName inurl:linkedin.com +”| LinkedIn” +Current
jdoe vs j.doe vs john.doe
Abusing mail relay
• Validate your email list
• Few people look at mail logs
• Only one tcp connection in firewall logs
Abusing mail relay

```
$ nc b.mx.root.lu. 25
220 smtp.mx.root.lu ESMTP Postfix rootMTA
Helo toto
250 smtp.mx.root.lu
mail from: [email protected]
250 2.1.0 Ok
rcpt to:[email protected]
550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in relay recipient table
rcpt to:[email protected]
250 2.1.5 Ok
rcpt to:[email protected]
550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in relay recipient table
```
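The relay probing shown above leaves a trail of "User unknown" rejects in the gateway log. As an added example (not code from the talk), this script parses constructed Postfix-style reject lines and flags a client IP that hits many distinct unknown recipients inside a short window; the log lines, IPs and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style reject entries (not real traffic): one client walks
# through guessed mailboxes, another has a single typo from a partner.
SAMPLE_LOG = """\
Jun 17 23:10:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <a.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<a.doe@example.lu> proto=ESMTP helo=<toto>
Jun 17 23:10:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <b.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<b.doe@example.lu> proto=ESMTP helo=<toto>
Jun 17 23:10:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <c.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<c.doe@example.lu> proto=ESMTP helo=<toto>
Jun 17 23:10:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <d.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<d.doe@example.lu> proto=ESMTP helo=<toto>
Jun 17 23:10:04 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <e.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<e.doe@example.lu> proto=ESMTP helo=<toto>
Jun 17 23:15:40 mx postfix/smtpd[1244]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <jon.doe@example.lu>: Recipient address rejected: User unknown in relay recipient table; from=<alice@partner.example> to=<jon.doe@example.lu> proto=ESMTP helo=<mail.partner.example>
"""

# Matches Postfix's NOQUEUE reject line for an unknown recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def parse_rejects(log_text, year=2015):
    """Return (timestamp, client_ip, recipient) for every unknown-recipient reject.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def find_enumerators(events, window=timedelta(minutes=5), min_unknown=5):
    """Map client IP -> largest number of distinct unknown recipients it probed
    within any sliding window of the given length (only IPs over the threshold)."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in sorted(events):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {r for _, r in items[start:end + 1]}
            if len(distinct) >= min_unknown:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(parse_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {count} distinct unknown recipients in one window")
```

Feed it the real `/var/log/mail.log` and pair the alert with a rate limit on the relay (Postfix's `smtpd_hard_error_limit` is the usual knob) so a probe stalls after a handful of rejects.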
Collecting
a.doe b.doe c.doe d.doe e.doe f.doe
26 x top common last names
Really complicated in Luxembourg: German, Luxembourgish, French, Portuguese
Abusing mail system: Spoofing
• Use same source, old spoofing…
• Use «nearly» same source
• Homographic equivalent : excelliurm
• PunyCode for cyrillic
Abusing mail system
• Spoofing is usually possible at body level

```
MAIL FROM: [email protected]
TO: [email protected]
SUBJECT: A common spoof
FROM: [email protected]
Hello click on my links
http://myevillink.com
```
Abusing mail system

```
$ nc mx.luxcloud.net. 25
220 spam1.luxcloud.net ESMTP Exim 4.85-83913 Wed, 17 Jun 2015 23:12:20 +0200
helo ns2.trollprod.org
250 spam1.luxcloud.net Hello ns2.trollprod.org [78.236.229.52]
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: Christophe Bianco <[email protected]>
To: [email protected]
Subject: Spoofing on body
Hello
```
Security Tips
• Monitor mail gateway
• Configure anti-brute force
• Deny mails from unknown domains
• Use at least SPF
• Work on all spoofing scenarios
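The spoofing slides above show three sender tricks: a body-level From that disagrees with the SMTP envelope, an internal-looking From delivered from outside, and look-alike or punycode domains. As an added example (not the talk's code), this gateway-side check scores one message for all three; the protected-domain list, the fold table and the sample messages are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed: the domains we protect (our own and close partners).
PROTECTED = {"excellium.lu"}

# ASCII sequences a reader confuses with a single glyph ("rn" reads as "m").
FOLDS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def fold_lookalike(domain):
    d = domain.lower()
    for src, dst in FOLDS:
        d = d.replace(src, dst)
    return d


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def scripts_in(text):
    """Unicode script names (first word of the character name) of the letters in text."""
    return {unicodedata.name(c, "?").split()[0] for c in text if c.isalpha()}


def analyze(raw_message, envelope_from):
    """Return a list of spoofing indicators for one message; empty means clean."""
    msg = message_from_string(raw_message)
    hdr_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(envelope_from)
    findings = []
    if hdr_dom and env_dom and hdr_dom != env_dom:
        findings.append(f"from-mismatch:{env_dom}!={hdr_dom}")
    if hdr_dom in PROTECTED and env_dom not in PROTECTED:
        findings.append("internal-sender-from-outside")
    if any(lbl.startswith("xn--") for lbl in hdr_dom.split(".")):
        try:                      # decode the IDN so we can inspect the real glyphs
            uni = hdr_dom.encode("ascii").decode("idna")
        except UnicodeError:
            uni = hdr_dom
        findings.append(f"punycode:{uni}")
        if len(scripts_in(uni)) > 1:
            findings.append("mixed-script")
        hdr_dom = uni
    if hdr_dom not in PROTECTED:
        for p in PROTECTED:
            if fold_lookalike(hdr_dom) == fold_lookalike(p):
                findings.append(f"lookalike:{hdr_dom}~{p}")
    return findings


# Constructed samples (not messages from the talk).
SAMPLE_MSG = """\
From: Accounting <accounting@excelliurn.lu>
To: victim@example.lu
Subject: Invoice

Hello, click on my link
"""
# Mixed-script look-alike: Latin "ex" + Cyrillic "\u0441" + "ellium", IDNA-encoded as a client would send it.
PUNY_DOMAIN = "ex\u0441ellium.lu".encode("idna").decode("ascii")
PUNY_MSG = f"From: ceo@{PUNY_DOMAIN}\nTo: victim@example.lu\nSubject: hi\n\nHello\n"

if __name__ == "__main__":
    print(analyze(SAMPLE_MSG, "bounce@mailer.example.org"))
    print(analyze(PUNY_MSG, f"ceo@{PUNY_DOMAIN}"))
```

SPF only covers the envelope sender, which is why the From/envelope comparison is needed on top of it; DMARC alignment is the standardised form of the same check.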
IN: Bypassing gateway
• Will someone “Click” on a rogue mail ?
Well, yes they do !
IN: Bypassing gateway
• Last year we sent ~1200 emails
• A very badly crafted rogue link
• An internal sender
Click success rate is nearly 33%
IN: Bypassing gateway
(chart: 44% / 56%)
IN: Bypassing gateway
• Ask to do something : Max 14 %
• “Drop a link” without explanation : Max 42 %
IN: Bypassing gateway
• Tips for even more efficiency :
• Use a custom domain
http://www.mybank.com.id.fa3bf54.param.34234.evil.com
Right target & good time
• Top Management… opened on iPad
• Too Early / Too Late… opened on smartphone
• Medical / Media… opened on an Apple
Enterprise “IN” defences
(diagram: AV relay, sandbox, mail server)
Exploits / Macros or Executions
• Exploits are nice but tricky
• Executions need tricks to bypass
• Office macro seems “oldschool” but proven !
Exploits / Macros or Executions
Wscript: %SystemRoot%\System32\WScript.exe
.js .JSE .VBE .vbs .WSF .WSH
Direct Execution: "%1" .bat .cmd .com .exe .pif .scr
Outlook avoids direct execution of these files
Exploits / Macros or Executions
Outlook avoids direct execution of these files:
.ade .adp .app .asp .bas .cer .chm .cpl
.crt .csh .der .fxp .gadget .hlp .hta
.inf .ins .isp .its .ksh .lnk .mad .maf
.mag .mam .maq .mar .mas .mat .mau .mav
.maw .mda .mdb .mde .mdt .mdw .mdz .msc
.msh .msh1 .msh2 .mshxml .msh1xml .msh2xml
.msi .msp .mst .ops .pcd .plg .prf
.prg .pst .reg .scf .sct .shb .shs .ps1
.ps1xml .ps2 .ps2xml .psc1 .psc2 .tmp
.url .vb .vsmacros .vsw .ws .wsc .xnk
Exploits / Macros or Executions
Container formats. Straightforward: .zip .cab. Challenging: .7z .rar .rxx (.r05)
Malware spreaders are aware of this
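The three slides above list the script and executable extensions Outlook refuses, note that containers are how they get through anyway, and (a few slides on) that a Dridex `.doc` was really an MHTML file. As an added example (not the talk's code), this gateway-side inspector opens a zip attachment, recurses into nested zips, flags blocked extensions even on encrypted members, and sniffs content that the extension hides; the block list subset, the sample archive and its member names are constructed.

```python
import io
import zipfile

# Subsets of the extension lists shown on the slides (assumption: not Outlook's full list).
WSCRIPT = {".js", ".jse", ".vbe", ".vbs", ".wsf", ".wsh"}
DIRECT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}
OTHER = {".hta", ".lnk", ".ps1", ".msi", ".reg", ".scf", ".cpl", ".chm"}
BLOCKED = WSCRIPT | DIRECT | OTHER
CONTAINERS = {".zip"}      # .cab/.7z/.rar need extra libraries; only zip is handled here
OFFICE = {".doc", ".xls", ".rtf"}


def ext_of(name):
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def sniff(name, data):
    """Content checks that the extension alone misses."""
    findings = []
    # An Office document that is actually an MHTML (MIME) text file, as the Dridex sample was.
    if ext_of(name) in OFFICE and b"mime-version:" in data[:512].lower():
        findings.append("office-file-is-mhtml")
    # A PE image hiding behind a non-executable extension.
    if data[:2] == b"MZ" and ext_of(name) not in DIRECT:
        findings.append("pe-with-misleading-extension")
    return findings


def inspect_zip(data, prefix="", depth=0, max_depth=3):
    """Return [(member_path, finding)] for one zip attachment, recursing into nested zips."""
    if depth > max_depth:
        return [(prefix, "nesting-too-deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "unreadable-container")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = ext_of(info.filename)
            if ext in BLOCKED:
                findings.append((path, f"blocked-extension:{ext}"))
            if info.flag_bits & 0x1:            # encrypted: name is all we can judge
                findings.append((path, "encrypted-member"))
                continue
            content = zf.read(info)
            if ext in CONTAINERS:
                findings.extend(inspect_zip(content, path + "!/", depth + 1, max_depth))
            else:
                findings.extend((path, f) for f in sniff(info.filename, content))
    return findings


def build_sample():
    """Constructed attachment: a benign PDF, a double-extension script, an MHTML
    posing as .doc and a nested zip carrying a screensaver executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.scr", b"MZ" + b"\0" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed")
        z.writestr("invoice_details.pdf.js", b"var a=1;")
        z.writestr("report.doc", b"MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()
```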
IN: Bypassing gateway
• The Dridex campaign uses an old-school recipe:
• Embed the dropper in an Office macro
IN: Bypassing gateway
• This year Dridex is innovative
• Bypasses most AVs
• by using MHTML

```
$ file YU96260MFZ.doc
YU96260MFZ.doc: MIME entity, ISO-8859 text, with very long lines, with CRLF line terminators
```

• by using macro obfuscation
Obfuscation

```vba
' Junk loops that only burn time (DoEvents) between the real decoding steps
Dim VoIOlRMM As Integer
VoIOlRMM = 7
Do While VoIOlRMM < 74
    DoEvents: VoIOlRMM = VoIOlRMM + 1
Loop
strEncKey = Mid(strText, nLeft + 1, nCharSize)
Dim JVremBiP As Integer
JVremBiP = 8
Do While JVremBiP < 24
    DoEvents: JVremBiP = JVremBiP + 1
Loop
strEncKey = yiK(strEncKey)
Dim iVyMzUlc As Integer
iVyMzUlc = 9
Do While iVyMzUlc < 92
    DoEvents: iVyMzUlc = iVyMzUlc + 1
Loop
```

GitHub Script http://bit.ly/1L6wiAx
IN: Bypassing gateway
• How to bypass workstation’s AV for final payload
• Pack your executable to obfuscate.
• Your own packer is a good investment
• Avoid UPX, it “triggers” some AV’s
IN: Bypassing gateway
• Try to get a mail from the victim
IN: Bypassing gateway
• To bypass the AV's sandbox, two tips
• Do… something stupid which creates a delay
Bypass local AVs
• 65535 times the 9 queens problem!
Bypass local AVs
• Load an improbable DLL

```c
HMODULE hMod = LoadLibrary("RainbowDash.dll");
if (NULL == hMod) {
    /* DO YOUR EVIL PAYLOAD !! */
}
```
Babar's friend
• Casper gives a lot of tips for avoiding detection
http://bit.ly/1GodpZA

```
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get displayName /Format:List
```
Bypass Sandboxes
• Dridex again is innovative:
• Detects VMs and Sandboxie directly in macros
Bypass Sandboxes
Hacking Team got an amazing Cuckoo bypass

```
pFake = (LPDWORD) malloc(4096*100);
memset(pFake, 1, 4096*100);
mov eax, fs:[0x44];    // save old value
mov _pOld, eax;
mov eax, _pFake;       // replace with fake value
mov fs:[0x44], eax;
call CreateThread()
```

Full code http://bit.ly/1MmfBz3
Bypass Sandboxes
• Unfortunately, Cuckoo and VMware are not deployed
Detect if the computer is not a domain member:

```
“%LOGONSERVER%” == “\\%COMPUTERNAME%”
```

(environment variables are read from VBA with Environ(“MyVariable”))
Last Step, Human!
Hopefully for us, some customers, even «big» ones, don’t have Office macros activated!
Security Tips
• Block any container files
• Disable macros
• Train people
Company “OUT” defences
(diagram: proxy)
Company “OUT” defences
Solution A - TCP Socket
• A really bad idea in enterprise
Company “OUT” defences
Solution B - API WinHTTP
• Another bad idea, not easy to get out
Soon Finished
• Keep focused, only a few slides left !
Company “OUT” defences
Solution C - API WinInet
• Good idea, used by most malware
• Deals with proxy
• Deals with “transparent auth”
Company “OUT” defences
Using NTLM or Kerberos for transparent proxy auth DOES NOT IMPROVE SECURITY.
Even basic auth against a separate LDAP is better.
Enterprise “OUT” defences
Solution D - DCOM Instrumentation
• Stealthy one
• Not easy to play with cookies
• Not easy to employ
• Reuses any proxy auth. See P. Rascagnère's IcoScript analysis: http://bit.ly/1VOJUn4
Company “OUT” defences
Solution E - DNS
• Enough for controlling
• Very verbose, but rarely spotted
• More often than not bypasses all security
Security Tips
• Avoid “automatic” authentications
• Break SSL when possible
• Monitor DNS Requests
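"Monitor DNS requests" is the answer to Solution E above: DNS as a channel is verbose, so it stands out once someone looks. As an added example (not the talk's code), this profiles constructed BIND-style query log lines per (client, zone) and flags the combination that a data channel produces: many distinct names, long random-looking prefixes and record types that carry data. The log format, the two-label zone approximation and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed query-log lines (BIND-like layout, not real traffic): one client
# sends hex-looking subdomains as TXT lookups, the rest is ordinary browsing.
SAMPLE_DNS_LOG = """\
client 10.0.0.5#53211: query: www.example.lu IN A + (10.0.0.1)
client 10.0.0.5#53212: query: 9f3ae2c7b041d5e6.18ad7f90.data.example.net IN TXT + (10.0.0.1)
client 10.0.0.5#53213: query: 0c7d41b9e5a2f863.2b91ce04.data.example.net IN TXT + (10.0.0.1)
client 10.0.0.5#53214: query: e17a5c3d9f02b468.7d3e0a15.data.example.net IN TXT + (10.0.0.1)
client 10.0.0.5#53215: query: 5b8e0d2a4c7f1936.a06f4b82.data.example.net IN TXT + (10.0.0.1)
client 10.0.0.5#53216: query: c2d9475e1b0a8f36.e4c17d09.data.example.net IN TXT + (10.0.0.1)
client 10.0.0.6#40111: query: mail.example.lu IN MX + (10.0.0.1)
client 10.0.0.6#40112: query: cdn.example.lu IN A + (10.0.0.1)
client 10.0.0.6#40113: query: www.example.lu IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
DATA_TYPES = {"TXT", "NULL", "CNAME"}   # record types commonly used to carry payloads


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_zone(name, labels=2):
    """Approximate the registered zone as the last two labels (assumption: no
    public-suffix list) and return (zone, everything before it)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:]), ".".join(parts[:-labels])


def profile(log_text):
    """Aggregate per (client_ip, zone): query count, distinct names, summed
    prefix length and entropy, and number of data-carrying record types."""
    groups = defaultdict(lambda: {"queries": 0, "names": set(), "prefix_len": 0,
                                  "entropy": 0.0, "data_types": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        zone, prefix = split_zone(m["name"])
        g = groups[(m["ip"], zone)]
        g["queries"] += 1
        g["names"].add(m["name"].lower())
        g["prefix_len"] += len(prefix)
        g["entropy"] += entropy(prefix.replace(".", ""))
        g["data_types"] += m["qtype"].upper() in DATA_TYPES
    return groups


def suspicious(groups, min_distinct=5, min_len=16, min_entropy=2.5):
    """(client_ip, zone) pairs whose averages exceed every threshold."""
    out = []
    for (ip, zone), g in groups.items():
        n = g["queries"]
        if (len(g["names"]) >= min_distinct and g["prefix_len"] / n >= min_len
                and g["entropy"] / n >= min_entropy):
            out.append((ip, zone))
    return sorted(out)
```

Run it over a day of resolver logs rather than a few lines; the distinct-name count is what separates a tunnel from a CDN with a handful of hashed hostnames.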
Conclusion
We are in 2015 and macro-enabled docs do the job!
Thanks…
Any Questions?