Honeypots Reimagined: Many Targets, One Access (Part 1) – Acalvio

1. Initial Reconnaissance – About to explain
2. Initial Compromise – About to launch
3. Establish Footholds –
4. Escalate Privileges
5. Additional Reconnaissance where we will move laterally and continue to maintain presence
6. Complete

Initial Reconnaissance: “Let me show you how I find you”

• OSINT, SIGINT, HUMINT
• Google is your friend
• Forums are treasure troves (both the official Cisco/Oracle ones as well as developer general ones)
• GitHub is great
• LinkedIn tells me a lot more than you want me to know
• Public records, local, state tax, housing sites, Zillow, phone databases etc.
• Thank goodness for HOA’s and their damm “public notes” J
• Compromise databases
• Pastebin is friendly
• Nmap and Shodan systems are most truly your friend
• CVE database
• Actual Threat Intelligence feeds, what’s good and what sucks!
• Subscriptions to CLEAR or LexisNexis ARE useful for consolidating information

Armed with these tools (and others) above, I should be able to quickly and efficiently understand “you” my target. Not only who you are, what you do, where you work and what focuses you have but also more importantly WHAT it is going to take to make you click on something OR what is going to engage you in conversation.

We have all put so much of ourselves online, most of the time doing so without providing a second thought as to what the implications are. We let others take out data, our pictures our lives and put it online, and then quite simply that intelligence is used against us.

We are encouraged to provide our professional life to all other online, to join forums, sites and other data/information exchange locations without giving a second thought for how this could be used against us.

Our very lives are captured digitally every day, why should we be surprised when that very data is used against us?

Initial Compromise “Let me show you the ways I get in…”

1. The Healthcare website
   1. E-Mail to all targets: We are working on behalf of your HR department to help you better understand your healthcare choices.
   2. Website has been set up to best serve you by integrating with your regular windows systems, therefore please simply use your user ID and Password from your regular domain login.
   3. Typically we harvest 70% of all targets
   4. We now have their ID and Passwords, now we need to find VPN, Cisco, RDP
2. The Unites States Justice Department PDF
   1. Payloaded PDF file (MSFvenom or similar) to generate an important PDF coming in from a “registered” address (spoofed)
   2. PDF typically passes through filters as it is both obfuscated and PDFs typically are allowed
   3. If PDF blocked we can payload DOC, XLS etc. Something gets through
   4. Once downloaded to Email and “opened” by legal/compliance or purchasing the payload is executed behind the scenes on the local computer.
   5. Payload varies, a reverse shell would work (but can be noisy) a Trojan or Polymorph would quickly gain a local foothold and then depending upon target type would either tunnel out (80/443) or open up other inbound ports etc.
3. The malicious website and the unpatched browser
   1. Directed visit to our infected website, or the advertising on the website
   2. Browser vulnerability will result in a managed installation of Adware on your machine.
   3. From adware we can pull machine specific intelligence or simply deploy a Trojan, or series of Trojans
   4. Browser Hijacking (more intel)
4. Fed up of losing at Bejeweled? Download the “eternal” patch
   1. Malware or payloaded Trojan embedded in the freeware or shareware programs
   2. Legitimate program runs in the foreground, we run in the background.
   3. Payload varies, a reverse shell would work (but can be noisy) a Trojan or Polymorph would quickly gain a local foothold and then depending upon target type would either tunnel out (80/443) or open up other inbound ports etc.
   4. IF we look at Trojan deployment tools we can drop the following types: Backdoors, Exploits, Rootkits, Bankers, DDoS, Downloaders, Droppers, FakeAV, IM, Ransom, SMS Etc.
5. Who needs iTunes when I can download ripped music files
   1. Basically No4 repeated with music as the target file, or movie files, these are downloaded (sometimes with a player) and then as they are decompressed and executed (the player function)
   2. You can payload a music file directly, but you have to rely upon overflow scenarios for a successful execution… and that IS a Pain.

At this point we are “in” if we accept the above logic flow. (Hopefully by this point we’ve debated it to death over a couple of good single malts)