How I gained initial access using Social Engineering




Cybercriminals have done a lot of damage to organization through Social Engineer Attack from FireEye to Cisco & recently Uber they all were hacked because of social engineering. This reminds me of my own internal pentesting in one of my organization which I did in 2021, I used social engineering technique to deliver and execute my payload.

I was asked to check if I can gain access to any of our employee's computer using any method I can think of. 

In this blog, I will simulate the same attack and will try to show how I gained initial access by using a social engineering technique.

 

Attack Phase 1: Information gathering

As it was from internal network i decided to compromise one employee. Here the person is a network engineer. Before attacking the target i started the attack with information gathering.

The first thing I started with checking all open port in my network range. To do this I used masscan, so i used command masscan -p445  192.168.7.1/24 --rate=1000


 

 

 

 

 

I found so many devices with smb port open, but my target here is "192.168.7.237". So I am going to attack this one. 

I did Nmap scan to check what operating system the target is using and also what other services are running there.

 

The network I was using don't have any firewall or any Packet inspection tool. So I decided to intercept the traffic to see what I can get from the traffic. 


I started with ARP spoofing the network to see if there's any antivirus software fetching update from it's server.   As ARP spoofing is out of scope of this topic I'll not discuss about how I did this. There are lot's of tool you can find on GitHub for this attack.

 

I filtered HTTP to check if there's any plaintext traffic in the network. Below screenshot shows traffic from Quick Heal server in Wireshark then I used http contains quickheal command to filter traffic containing quickheal.


 

From the above screenshot it's clear that our target is using Quick Heal Antivirus. Now all I have to check if my payload is being detected by this AV or not.

Attack Phase 2 : Getting the credentials

My target system is using windows so it's time to get the credential from that machine. I started Responder with python3 Responder.py -d -F -I ens33 to get NTLM hash from that windows machine


The option -d here will enable answer for DHCP broadcast request and the option -F will enable force NTLM authentication on the victim machine. 

I got the victim's NTLMv2 hash on my responder machine


It's time to crack it, so I used with command hashcat -m 5600 -a 3  PathToHash.txt --force  

Here -m 5600 is the hash type which is NTLMv2 and in just 15 seconds I got the password which is "root" here.

 

Now let's check what permission do we have on the target system, for this I used smbmap with command smbmap -u network -p root -H 192.168.7.230


The above screenshot shows that we do have write permission but the target Admin share was disabled and that's what I am going to enable. 

I needed to do two things on the target system. 

1. Enable Admin share using this we can give command on the remote system 

2. Disable User Account Control on the remote system this will allow me to run any admin command.

 

This command will disable UAC on the remote system: 
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f 

And this command will disable UAC over a network: 
reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
In case you don't know , above commands are required to execute our command in our target machines over LAN. 

Social Engineering
Here comes the most important part. As my target was a network engineer, I created a batch script and changed that script .exe and also changed the icon to Cisco logo.
So here's the steps : 
I started bat2exe and enter the script which I want to run on my target machine

 


Changed the icon to Cisco logo, Enabled hidden windows this will prevent any command to show on screen and at last I also enabled "Require admin permission"

 
Now after selecting convert option, below is how the final exe looks like.
I checked this with my Quick Heal antivirus. And it said the file is cleaned. So no need to bypass and I am all set to drop this file inside my target machine.

I drop this file on my target machine and the next day when I cheked again using crackmapexec smb 192.168.7.237 -u username -p password I got Admin share enabled and UAC was disabled.

 
 
Now I can run whatever command on my target machines. Crackmapexec has a lot of exploitation modules, but I used Atelier Web Remote Commander. This tool allows me to see my target computer screen, upload and download files and lot more.
So I installed AWRC and entered target IP , username and password and I was able to see my target computer machine

Final words
The main reason I was able to get inside my target machine was he clicked on my file which gave me backdoor access. 
The other reason i would say that the antivirus couldn't detect my script as malicious.













































Comments











Post a Comment



















Popular posts from this blog









USB forensic : Find the history of every connected USB device on your computer














Image







       Sometime we need to know what USB devices were connected to our computer in our absence.These information could be very useful for forensic examiner or in general case also where we just want to know what USB devices were used .    How do this works    We all know about registry on windows, a registry is a database in windows which stores settings of the operating system, hardware devices, software programs and user preferences settings.   Whenever we insert a USB drive in a computers a registry key with name "USBSTOR" is created this registry key store information about that USB device and whatever info the OS need to know can be found in this registry key.      Finding the all attached USB history     To find the usb  history of your device just do the following step below      STEP 1  Go to run and type "regedit".          STEP 2: In the registry go to  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR  and there you will find a registry key with na








Read more










Crawling pastebin to find specific pastedump 














Image







    In this post we will crawl into pastebin.com to find specific pastebin dump. For example if we want to find paste for specific keyword like "password" we can get all the paste containing that keyword.    Preparing the Attack     Usually some sites don't allow web crawling and by doing so you may get banned from accessing that site, which will also make this method vain.    So before doing this i recommend you to use THIS  tool to anonymize all your traffic so that if we get banned we can switch our IP address immediately.      Start the Attack   STEP 1 Clone into this URL by typing https://github.com/kahunalu/pwnbin.git         STEP 2 Now type python pwnbin.py -k pass -n 10 -m 10 here "-k" is the keyword you want to search for "-n" is the number of paste you want to crawl and "-m" number of keywords matches you want.        As we can see above we have found a match and it's now saved to log.txt file so it's time to see the dump co








Read more










Hack WinRAR password by using Brute force attack














Image







    Winrar  have option to password protect your files in it.Some times we got  password protected rar files or we forget our password so we go online  to search to crack password of these type of rar files.Some website tell  about some program who promises to decrypt the password, But unluckily  there are lots of spam ,advertisement, on internet who ask you to  complete the survey to download the program that can unlock the password  and absolutely that's a spam,some websites also provide direct link  downloadable  program to crack rar password but when we download them  instead of doing that, they install lots of unwanted sponsors software  and make your PC slower.But now we have a easiest way to get the  password of rar file by using brute force attack. No spam,no survey,no  unwanted software and with proof.So lets start the hack and follow some  simple  step by step guide given below.    1 > For example i am going to set password in rar file      2> Now when ever i am try








Read more










Fileless malware Analysis with Cuckoo sandbox














Image







          What is cuckoo Sandbox     Cuckoo is a dynamic malware analysis sandbox which is open source and completely free. We can submit any malicious binary file and cuckoo will provide a detailed report of the malicious file, including the behaviour of that file during execution.                   What is Fileless Malware     A fileless malware is a favorite technique for malware authors, what this type of malware does, it doesn’t write anything on the disk to bypass mostly string base detection. The malware executes an obfuscated command usually PowerShell and during run time antivirus could not detect the strings which are being executed and after injecting it in memory the command get deobfuscated.           Cuckoo Interface and sample analysis     To run cuckoo just type  cuckoo  from your terminal, this will start cuckoo service. Now to get the web interface type cuckoo run webserver  this will start the cuckoo web interface on its defined URL and port address as shown below.  








Read more










Web application penetration testing: Tools and Techniques for web security auditing














Image







     Every  pentester has it's own tool and technique for web app security  auditing, Some time it depend on the type of website  we are pentesting.  We are gonna see some common tool and technique that can help us to  audit our web application security.      Detecting web application firewall and other services     You can start with by detecting is there any web application firewall in use? Later we can see if there's any way to bypass it.      Recommend tool  :    fofa.so   It is a cyberspace search engine launched by White Hat. It can help  researchers or enterprises quickly match network assets by performing  cyberspace mapping, for example, analyzing the scope of vulnerability.    shodan.io  It is most poplar search engine among pentester for finding various online vulnerable IoT devices, online open ports f rom  various web servers.   wafw00f   This tool allow you to detect and identify what Web Application is in use that is protecting the website.      Bypassing Cloudfl








Read more