You would be surprised at how easy it is to generate a list of potential usernames. Some are a bit more refined than others. All it takes is a quick browse on LinkedIn, and you have the first and last name for a lot of employees. Add in breach lists, sites like hunter.io, statistically common usernames and any metadata you can scrape from documents available on company sites.
You end up with a good list of potential users. Some services even let us validate usernames, which is nice! This allows us to refine our username list.
From this point, you can just use password spray attacks against those remote access portals and see if you get lucky, for example when Bob in Finance is using Password123!
Unfortunately, there was no multi-factor authentication in place this time. We have just walked straight into the Office365 suite / Citrix / VPN and can now access all the information that the user account lets us. You can use the standard methods to try to escalate and gain a bigger foothold on the network. We are going to spin off from this and cover some of the more interesting avenues this has taken us down.
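From the defender's side, the password spray described above leaves a recognisable shape in sign-in logs: one source failing against many different accounts, with only a try or two per account. The sketch below is an added example, not something from the engagement itself; the log format, the sample records and the thresholds (`window`, `min_users`, `max_per_user`) are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (timestamp, source IP, username, result).
# Addresses are from documentation ranges; names are made up.
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.7 alice.smith FAIL
2024-03-04T09:00:04 203.0.113.7 bob.jones OK
2024-03-04T09:00:07 203.0.113.7 carol.white FAIL
2024-03-04T09:00:10 203.0.113.7 dave.brown FAIL
2024-03-04T09:00:13 203.0.113.7 erin.green FAIL
2024-03-04T09:00:16 203.0.113.7 frank.hall FAIL
2024-03-04T09:05:00 198.51.100.20 gina.reed FAIL
2024-03-04T09:05:20 198.51.100.20 gina.reed FAIL
2024-03-04T09:05:40 198.51.100.20 gina.reed FAIL
2024-03-04T09:06:10 198.51.100.20 gina.reed OK
"""

def parse(log):
    """Yield (time, ip, user, succeeded) tuples from the constructed format."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_spray(log, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs that fail against many accounts, few tries each."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if not e[3]]
        start = best = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, _, user, _ in fails[start:end + 1])
            if max(counts.values()) <= max_per_user:
                best = max(best, len(counts))
        if best >= min_users:
            # Any success from a spraying source is a likely guessed password.
            hits = sorted({user for _, _, user, ok in events if ok})
            findings[ip] = {"users": best, "compromised": hits}
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

The user who simply forgot a password (three failures on one account, then a success) is not flagged, while the single successful login from the spraying source is surfaced as the account to reset first.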
Helpdesk – How can I help?
We've gained access to a user's O365 account, checked out their emails, but we've not found passwords or other account details. Jump onto SharePoint - again, nothing all that useful for giving us further access. No passwords hidden in text documents, no VPN configuration data.
This may sound like a dead-end, but there are some dangerous possibilities – a firm favourite being phishing other employees via the compromised mailbox with malicious attachments and links. This time we do a bit more digging through the mailbox and find an interesting email that explains how to have your laptop set up for remote working. Perfect!
All we need to do is raise a ticket with support, and they will arrange a time to access the device with TeamViewer and get it set up.
Time to do a bit of research on the person whose account we have compromised and set up a virtual machine (VM) with a desktop that looks like those we see on the helpful marketing pictures companies put out on social media. A bit of housekeeping is done, like installing TeamViewer and making a few configuration changes to make the VM able to pass the initial inspection.
An email is then sent to the central helpdesk to raise the ticket, and an appointment is scheduled for the following day. A few minutes before the appointment, we call the helpdesk and let them know we are working from home and ask if that is a problem. The very helpful engineer tells us it is not a problem at all and proceeds to access our VM and begins working on the ticket. Thanks to the conducted research, we direct the conversation towards topics they are interested in and try to keep them half distracted from the task at hand, so they don't realise how rough around the edges our VM is. Finally, the VPN is installed and configured, and an excuse is made to end the call so we can both continue with our working days.
Phew – sigh of relief that we weren't caught out. Now we can connect to the internal network and access even more information and ultimately compromise it entirely.
Our helpdesk won't fall for that!
Not everyone is going to be susceptible to social engineering, and it is one of the riskier methods of gaining access - you can lose the compromised account if discovered. So how else would we get access to the internal network from the outside?
Many businesses love to share information across the various teams on a structured platform. Often this is SharePoint. We find a plethora of useful information in there, like step-by-step guides on how to set up your remote access VPN connection and wireless network passwords.
We will then drive to a suitable location and point a not-so-suspicious antenna towards the building and connect. Then, my personal favourite, we find text files containing lists of credentials for various services. Many of these give us additional ways to increase the foothold and access more information.
But multi-factor authentication will save the day?
Multi-factor Authentication (MFA) definitely makes life harder for a hacker and is a fantastic layer of security that you should have on external services. But you can always trust hackers to try and find the easiest ways around this. The most common method is to phone the person whose credentials you have while pretending to be from the help desk or IT Support and claim that you are sending them a verification code which they must read back to you.
Also, there are man-in-the-middle phishing attacks which will capture the session cookie during the login process, which gives the hacker access to that account.
At Chess, we have used both these methods successfully. Once access is gained to the internal network, it almost always leads to a full compromise. For this reason, it is important to have a layered security approach and to identify even the small weaknesses in those layers.