Initial Access with Evil Calendar Files and GoPhish

Almost every time you sign up for an online event, you get one of those wonderful calendar reminders to set an appointment reminder. In this article we will take a look at using “evil” calendar .ics files in a pentesting or Red Team credential grabbing attack.

Crafting the E-Mail

The first thing we need to do is craft a Social Engineering e-mail to entice our corporate targets. Some may use cute puppy pics, or cat videos are always popular. As our pentesting target is a corporate environment, we will use what is near and dear to every worker – bonuses!

When I created this for a book chapter in my upcoming book, “Advanced Security Testing with Kali Linux”, I used GoPhish for the phishing management campaign. If you haven’t used it before, Gophish is a phishing framework that gives security professionals and pentesters the ability to perform live, real-time phishing attack simulations.

GoPhish is not necessary for our “evil calendar” test, but it is a perfect solution if you wanted to roll the test out to a large number of users. Honestly, you don’t need the calendar .ics file either, you could just used boobytrapped links or attachments in GoPhish for the same effect, but what is the fun in that?  

Installing GoPhish

Installing and using GoPhish is very easy. Though I just used it in a local lab, in a corporate test you would need to install GoPhish on a Cloud, VPS or other system with access to an e-mail server.

Download the latest release of GoPhish, extract it, and make the main gophish file executable. Once you run gophish, you need to open a browser to connect to the Web GUI.  

When you create a new phishing campaign, you first will create an e-mail template, target users & groups and a landing page, or the fake website that you will use to monitor who fell for the Phishing e-mail and who did not. Then setup your sending mail server in Sending Profiles. Lastly, start the e-mail campaign using the campaign menu.

E-Mail Template

Creating the e-mail template is where you will put your social engineering skills to the test. You want an e-mail that looks believable and have the greatest chance to have your target click on it. Some internal security testing teams may prefer to put a small hint in the e-mail that it is fake.

For the most part though, you want to make the e-mail as real looking as possible for a true test. Gophish allows you to import an e-mail to use as a template or you can use the HTML WYSIWYG editor included.

Good start, now we just need to add our evil calendar event. We can take a .ics calendar file and add a link to a non-existing server, as seen below:

As with any social engineering request, you would use wording that would entice the user to click on the link. I went with the totally innocuous “Evil Calendar Event”. Nobody would ever click on that. On second thought, trust me, yes, they would.

Now just add the Calendar File as an attachment to our E-mail in GoPhish. Again, you don’t need Gophish for this, it just makes it easier for sending large amounts of e-mails during a real test.  

When we kick off the GoPhish campaign, our targets get an e-mail that looks something like this:

Now the trap is set, we just need to have something to respond to the bogus “corporate_server\join_now” link when people click on it. Responder will work perfectly!

Starting Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner, that will answer service requests for multiple services. What’s nice about it is you can set it to prompt users for a login prompt, when they try to surf to a non-existent network resource. This is exactly what we are using in our evil calendar file.

In real life, Responder would have to be running on an internal system, one already connected to the target network – say running on a drop box.

  • sudo responder -I eth0 -wb

This starts the responder service and it begins looking for service requests to poison. In our case, we want it to respond to any server request, where the server doesn’t exist, and prompt the user for “login credentials”.

Creds from Calendar Files

Now, back on the target desktop. When the calendar file is opened in Outlook, it looks like this:

When they click on the “Join Now” link, they will be given a Responder login prompt:

If they enter the credentials, we get them in plain text!

As seen below:

And that’s it! Our job here is done.

Conclusion

As mentioned, you do not need to use GoPhish for this, and you don’t really have to use a calendar event to do it. You could use any link, even one to the Browser Exploitation Framework (BeEF) if you wished.

And prompt them for their Facebook Creds, using the BeEF Social Engineering attack:

Though using the Calendar technique is a nice way to get creds if you know you will be onsite or have onsite access on a certain day.

For a lot more information on using Kali Linux as a security testing platform, check out my “Basic Security Testing with Kali Linux” book. For more advanced techniques, keep an eye out for my upcoming book, “Advanced Security Testing with Kali Linux”, available soon!

Quick Creds with Responder and Kali Linux

Tool website: https://github.com/lgandx/Responder
Tool Author: Laurent Gaffie

Responder is a powerful tool for quickly gaining credentials and possibly even remote system access. It is a LLMNR, NBT-NS & MDNS poisoner that is easy to use and very effective against vulnerable networks.

For the last few years one of the favorite tools in the pentester’s toolbox has been Responder. Responder works by imitating several services and offering them to the network. Once a Windows system is tricked into communicating to responder via one of these services or when an incorrect UNC share name is searched for on the LAN, responder will respond to the request, grab the username & password hash and log them. Responder has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells.

In this article we will see how to use Responder in Kali Linux. In the next article we will dig a little deeper and look at some of the additional tools that are included with Responder.

Basic Usage

Responder is installed by default in Kali Linux. To view the Responder help screen and see what options are available, just use the “-h” switch.

Kali Linux Responder 1

From the help screen, the usage is:

responder -I eth0 -w -r -f

or:

responder -I eth0 -wrf

So, basically run the program, provide your network interface with the “-I” switch and then any other switches that you want. You can combine the switches together if you wish, as shown in the second usage example above. You can also use the verbose switch, “-v” to increase the text output of the program for more formation.

Analyze mode

A good place to start is “Analyze mode”. This mode runs responder but it does not respond to requests. It is specified with the “-A” switch. This can be handy to see what types of requests on the network responder could respond to, without actually doing it.

Kali Linux Responder 2

Any events will be shown on the screen, as below:

Kali Linux Responder 3

Analyze mode is also a good way to passively discover possible target systems.

Enough intro, let’s see Responder in action.

Poisoning with Responder

You can start Responder with the basic poisoner defaults by just typing:

responder -I eth0

Kali Linux Responder 4

Responder will poison responses and, if it can, capture any credentials. If a user tries to connect to a non-existing server share, Responder will answer the request and prompt them with a login prompt for access. If they enter their credentials, Responder will display and save the password hash:

Kali Linux Responder 5

We could then take the hash and attempt to crack it.

Basic Authentication & WPAD

WPAD is used in some corporate environments to automatically provide the Internet proxy for web browsers. Many Internet browsers have “enable system proxy” set by default in their internet settings, so they will seek out a WPAD server for a proxy address.

We can enable WPAD support in Responder to have it respond to these requests. If we use WPAD with the “Force Basic Authentication” option, Responder prompts users with a login screen when they try to surf the web and grabs the entered creds in clear text.

Command:

Responder -I eth0 -wbF

  • -w” Starts the WPAD Server
  • -b” Enables basic HTTP authentication
  • -F” Forces authentication for WPAD (a login prompt)

Kali Linux Responder 6

When a user goes to surf the web, the browser will reach out for proxy settings using WPAD. Responder will respond to the request and trigger a login prompt:

Kali Linux Responder 7

If the user enters their credentials, you get a copy of them in clear text. No cracking needed!

Kali Linux Responder 8

As you can see in the picture above, the user “Joe User” is using the password, “SuperSecurePassword”, which it isn’t.  🙂

Log Files

Log files for Responder are located in the /usr/share/responder/logs directory:

Kali Linux Responder 9

Along with the regular program log files, any credentials recovered will be stored in a file that includes the IP address of the target. You can view these files to see the hash or clear text creds:

Kali Linux Responder 10

If only the password hashes were recovered you can take the hash file and use it directly with your favorite cracking program:

john [responder password hash file]

Kali Linux Responder 11

Obviously, this is just an example as corporate networks should never allow “12345” as a password. But sadly enough, I have seen companies remove password complexity requirements so users could continue to use simple passwords.

Conclusion

In this article we saw how easy it is to use Responder to obtain both clear text and password hashes. How would you defend against this tool?

Basic Network Security Monitoring (NSM) will pick up and flag Basic plain text authentication attempts and WPAD auto-proxy requests. This is just one reason why NSM is so important.

You can disable the services that Responder is taking advantage of, but you must be sure that this will not affect your network functionality before you do, especially in environments with old systems still running.

For WPAD based attacks, provide an entry for WPAD in DNS, or don’t use the “system proxy” setting in the browser. In the next article, we will look at some of the extra tools included with Responder.

Also, check out my new book that has an entire chapter on Responder & Multi-Relay – “Basic Security Testing with Kali Linux, 3rd Edition“!

 

New Version of Kali Linux (1.1.0) Released!

Kali Linux 110

After two years of development, a new version of Kali Linux is available! Version 1.1.0 of Kali Linux, arguably the greatest penetration testing platform available, is now ready for download.

The update contains a slew of system updates and fixes, plus some new wallpapers and it seemed even some new Metasploit splash screens.

If you already have Kali Installed, just:

  • apt-get update
  • apt-get dist-upgrade

VMWare images of 1.1.0 are available at Offensive Security.

Check it out!

If you are new to Kali Linux, or a veteran that wants to learn more, check out my step by step, How-To book, “Basic Security Testing with Kali Linux” on Amazon.com.

Upcoming Book, “Basic Security Testing with Kali”

This month’s issue of PenTest Magazine is out. This issue focuses exclusively on Kali Linux.

And in it you will find an exclusive interview about my upcoming book, “Basic Security Testing with Kali“!

I have been using Backtrack/ Kali for quite a long time now.

Over the years, I have helped out with several books and training classes on Backtrack/ Kali.

And answered a ton of user questions about the penetration testing platform and the included tools.

Seeing the interest (and being asked about it several times 🙂 ), I am writing this book to help both new and experienced users. The book will be geared to beginner to intermediate level users of Kali and will cover a lot of topics including:

  • Reconnaissance and Exploitation of hosts
  • Social Engineering
  • Wi-Fi Attacks
  • Kali on the Raspberry Pi

I am planning on releasing the book to Amazon when it is finished. I want to take the time needed to make sure it is done right, and it will be released as soon as it is done.

Thanks to everyone for their support and encouragement for this project, I truly appreciate it!