
How To Bypass Email Gateways Using Common Payloads

BSides Manchester 2017 · 26:01 · 971 views · Published 2017-08
About this talk
Neil Lines demonstrates techniques for bypassing email gateway filters using macro and OLE payloads embedded in Office documents. The talk covers signature evasion methods, including swapping PowerShell references with benign executables and embedding payloads via shortcuts and batch files, with working proof-of-concepts and real-world test results against commercial mail appliances.
Transcript [en]

Thank you, everyone, for joining me. Right, my name's Neil Lines. I'm a pen tester involved in a wide range of security testing; social engineering is my favourite, as you'll know if you've seen my talks before. Let us start off with this: I work for Nettitude, and I'm supposed to be here today talking about "enemies of the West". At the start of the year I submitted to a load of conferences, not knowing which conference would pick me, and this was one of the talks that got picked by another conference, so I've decided today to actually do something completely different. So if you've read anything in the book

about my talk, it's completely different. So today I'm going in scope. It's got a catchy title, there you go: How to Bypass Email Gateways Using Common Payloads. Right, chapter one: payloads. Okay, in a lot of my talks I've spoken a lot about payloads, how to sort of get them and what to do once you've got them, how to get to domain admin. It was pointed out to me recently that I've never actually really spoken a little bit more in depth about these payloads; I tend to just go "here's a payload, this is what it does". So, macro payloads. What is a macro, if people didn't really know what a

macro is: it's basically a series of commands and instructions that you group together and that can be accomplished automatically by the computer once it's instructed to do it. How can you use it? I'm very much interested in legitimate functionality. I think it beats pretty much any kind of clever zero-day remote code execution; if you use legitimate functionality it's going to slip past antivirus, and it's just more interesting to me. So basically macros are legitimate functionality that can be used maliciously; you can use it to get remote access. Now I'm also interested in OLE payloads. What is OLE? Okay, OLE is Object Linking and Embedding. It's a proprietary technology by Microsoft and allows you

basically to take something and embed it into another object. So, to give an example: Microsoft Word documents. You can embed a payload directly into that. How can you use it? Recently there's been lots of talk about OLEs; I'm getting to that bit later on. But both macros and OLEs require user input to trigger. Now this is how you would trigger an Office macro: you do Enable Content, and once you click that it will run your payload automatically. OLE is roughly the same. You don't have the big warning banner; all you have is the embedded object at the bottom, and a different Excel sheet there, and if you were to click on either of those you'll get a shell. OLEs are less

common, but they're becoming more common. So I'm suggesting they are less common, or they are becoming more common, because of the security that's put in place to stop macros: people have looked at sneakier ways of getting payloads into some environments. And how can you use these, or how can you create these? This is what I personally used to create most of my payloads recently: Dave Kennedy's Unicorn, which is fantastic. Unicorn payloads use PowerShell and the Metasploit framework. Right, so time for a demo, which I'm just going to play. Right, so here we are. We're over on the Word document and the macro is there. Over here we've got our attacking machine. We've clicked

on the macro and you'll see we're receiving a session back. So what can you now do with that? Very quickly: right, we're interacting with it; we're now on their local machine, controlling it remotely with that user's rights, and we can go through system information just to prove that you can see stuff. There you go, done. Right, I'm now going to go to the OLE, and I'm going to get a bit more in depth in a bit; it'll be a bit more interesting than this, trust me. Right, so here we've got the OLE, and you can see there to open it, and then you have to click that, and once the user clicks that it triggers and opens up

PowerShell. You make that invisible normally, and you'll get your reverse connection. Right, and the final one, which I'm not going to talk about today, but if you want to see any more information about it see any of my other talks, is the UNC one. I like talking about UNC a lot normally. I don't use live demos; they never work on the day, I always flap and panic. Right, here I'm opening the final one. I've got Responder listening here on my attacking machine. We open the document, and from opening it I've got the username, the domain name of the Windows machine, and the password hash, which we can crack. I've spoken

about that loads before; I won't talk about that today. Right, I use these payloads, and the following are really good at blocking macros and OLEs. I've banged my head against the wall on numerous occasions on tests, knowing that my payloads, which I've spent ages crafting, are being blocked. A quick look at what mail gateways block. Now I'm quite interested in how we can bypass this, and there are lots of clever scripts out there that do this for you; some of them work, some of them don't. And I sort of stumbled across something accidentally, which I'm going to talk to you about today. I think it's possibly the first time it's been spoken about. Right: commonly generated Word macros and OLE

macros, they're also always going to be blocked. Anything that you use using a common framework is going to be blocked straight out of the hat; there's no way you're going to get around it. So all of these, especially these zero-days, are all going to be blocked. Anything with an executable in it, anything that references PowerShell, is going to be blocked. From experience, some environments just block every attachment coming in. Now I think this is a bit odd that they do this, but it works for them. So if you've got a small number of users you can potentially do this. It seems odd to have a device that automates this for you and then to manually do it yourself,

but it works. And I told a few people that internally and they're like, "no, you're just paranoid, no one does that". But then on Twitter, as it happens about a week ago, someone said this. They were basically saying that any single attachment can be used to exploit a machine, and this was the reply. Now it's slightly censored, because he swears, but basically it's a good example of someone who just doesn't accept them. And other clients turn to me and say, "yeah, we don't accept them, we just manually review". So it's hard to get stuff past that, but the proxies you can

get around. Right, first off I'd like to mention that all those mail appliances I just discussed are all good. You need them and they are important, but they're not foolproof. So how do they work? I think, and this hasn't been concluded, I've come to my own sort of concept that they work a bit like antivirus: they use signatures. They say they don't, and I'll see this a lot; from reading research documents and PDFs that they've released, they'll say "no, we don't use signatures". But the thing is, I think that they do use signatures, and I kind of figured this out by starting to look at macros, which I discovered at

the start of this research project is a really bad place to start. The thing with macros is they're so common: even if you, I can never say the word, obfuscate it within an inch of its life, there's a chance it's still going to get picked up by one of the gateways. You'll get it through maybe one, but you won't get it through all of them. But I did discover an interesting find by looking at it. Now this I'm about to show you here is a really bad slide. I don't like to do code on slides because it just doesn't look good, but the main interesting bit is, there we go,

if you look at the ends of I and J and the equals sign, you can start to see, running right across, "powershell.exe", and this is from Unicorn. Now he's broken it up, Dave Kennedy's broken it up, to try and get it to slip past these sort of devices, and there you go, that makes it a little bit clearer to see. So what I found was, if you delete it, and I think this is an interesting find, it didn't get me a shell but I still thought it was interesting: if you delete it and then add the macro to a Word document and attempt to deliver it, it gets blocked. Now if you use exactly the same macro, that one, that references

PowerShell in an Excel document and then deliver that, that gets delivered past these two. So I'm starting to think signature. But it got blocked by that one, and I was quite happy about it; it's quite good to have, you know, different results. It kind of shows that they are looking for different things. But that's the interesting thing: basically, different Office documents with the same macro, you might get a little bit further. So if you're interested in macro research, it's worth considering not using Word documents any more; use something else. Right, it's time for a different approach, and I wanted to go back to looking at OLEs. Now here is a

classic. If you Google "OLE exploitation" this is the kind of thing you're going to see, and I think that looks hideous. If I did that on a test, or if the testers I work with used a document that looked like that, I'd probably verbally slap them. I think you should make it look a bit prettier than that. But in essence you click on that and there you go, you're going to get a shell. Right, OLEs, just to sort of mention it as earlier on, are basically generally created by making a shortcut in Windows, and the shortcut references PowerShell. Just in case, we've all seen shortcuts, but a lot could be

fully, and there you go, there's a shortcut in Windows, and that's what you would drop in there. Now what this does, just to explain with this one, is it goes to the directory of PowerShell, runs PowerShell, then tells it to go and download and execute that payload from that IP address. So in essence it's basically: this is the destination, download this payload and execute it. Now, do common gateways and appliances catch the above OLE? There's the answer. It's just, yeah, it's made with a framework everyone knows; they're going to be using that themselves in their labs, I would hope. So how to get round this? Right, I'm a bit

parched. Now, remembering I think they're signature based, let's see what happens when I took the word PowerShell and replaced it with mspaint. Now I know I should have used calc.exe. I'm sure other talkers will be saying that they get their work reviewed by people before they do it publicly: "what are you doing, why are you using mspaint?" I've my reasons. Right, so I prepared that, saved it, sent it in an email, waited 15 minutes, because even though all these appliances say they don't slow down your mail transit, the minute you get rid of them and send the email it's instant; the minute you put all these devices in front it takes quite a long

time to get it through. Anyway: delivered. Right, win. So I went back to research and I downloaded this from Symantec, and there's a link at the bottom if anyone wants to download it, so you see I didn't just Photoshop it and make it up. In this they are basically, while slapping other solutions, saying they don't use signatures. Basically they insinuate that we're going to be thinking: if you swap an obvious word like PowerShell with a non-obvious word like calc, potentially there would be a signature on calc, but mspaint, it works. So I came up with this: I think they're confused. So what we learned: email gateways consider PowerShell to be malicious. They think it's this

thing of the devil, okay. And what did I learn from this? Right, swapping PowerShell with mspaint results in a payload that attempts to start mspaint, gets confused and ends with an error. Thank you, my boss said no one would laugh. Right, thank you, I will watch it on YouTube. Right, so it's a useful proof of concept. Okay, so let's take a real go at it. What I then did, going back to the drawing board, was I tried to sort of tweak it and get rid of the directory, and tried a few other things like this, chopping it up, and it still got caught. So I did the right thing: yeah, I called a friend. Right,

here's my friend I called. He's outside. Basically I found him and said, "I want to call PowerShell", and there's most people in the industry who know about these clever ways of calling something without directly calling it. Thank you. Yeah, there's probably multiple ways of doing it, and the thing is, like most things in research, you have a very, very limited amount of time, and it's just bang bang bang bang, get it done; you've got a goal, complete it. And looking back now, yeah, there's a million ways to do what I'm about to show soon, which is really embarrassing, and I probably shouldn't be showing you, but I'm going to show you anyway, just for transparency, so it's recorded. Right,

anyway, he replied with this, and I think that is, right, a piece of artwork. I mean I saw it and thought, what the hell does that do? But yeah, I will release the slides at some point. I've known about this for about two months and I've been trying hard not to tell anyone, to wait to release it at this conference so you get it fresh. So I guess this is quite interesting stuff. This isn't obviously found by my friend, but he knew where to find it. So what I'm about to do, don't worry if you're thinking what I was thinking: what the hell does that do? But as most testers are

arrogant and don't ask, I sort of tried to figure it out myself. Right, here we go. So as you can see I'm copying it from there and I'm going to create a bat file, because I'm old school, I still like bat files. Drop it in, double-click it, and there we go: PowerShell. So it calls PowerShell without directly referencing PowerShell. So is that going to slip past the signature? Right, we drop it in; as you can see it's running, and we get a PowerShell, well, not a session, but a PowerShell terminal. Right, great. So we call PowerShell on the slide, but does this slip past the gateway? Right, so I make the shortcut for the OLE, and there you

go, there's the thing of beauty. A lot of people will give you these references like "this starts PowerShell without..." and then they don't sort of go on to show you it actually working with a proof-of-concept shell, and it always takes me about 15 minutes to figure that bit out, which is really annoying. But I like to see the real "this is how it works", and there you go: it downloads the payload, referencing PowerShell. Okay, but shortcuts, as I discovered quite rapidly after this, I was really head-butting the wall at this point, it's a no-go. I don't know whose idea it was, but a 260 character limit on a shortcut is pretty restrictive when you're trying

to do that. So it's like, it's that close; I thought this is going to be wicked, I'm going to get this, this is going to get past the mail gateways. Anyway, and this bit here, I just put this in; it's simulated, not real. Right, someone slaps you back. There you go: I am insane and the email proxy laughs at me. But so shortcuts have limits, and this is when I started to stumble across something else. Chapter two. Right, roll on the bat. I said I'm old school. Can you even email a bat file? This was just the first thing that I tried. So I tried to send a bat file

just dropped into an email, and Outlook makes it really hard for you; it really goes out of its way to stop you from doing it. You get a big warning going "it's not going to work, don't do it, it's unsafe, you're obviously absolutely malicious". Right, you go okay, it lets you, and then it blocks you, and as you can see that's what it says. So even though it does let you send it, it then automatically, as a client, Outlook will block it. So no, you can't email bat files, but you can embed one into an Office document and email that. And that's where I sort of named something; everything's got a name for

everything already, you know. So it's invoking the command, it downloads the payload, and it triggers it on the box, all running. So obvious, so clear. It's like, literally, I'll tell you how many days of work; it's embarrassing, because you look back and, if you'd actually done that, two minutes, like some smart person would have. Right, how did you embed it? Now, I know how to embed OLEs; I'm a little bit embarrassed about this, but it actually raised a slightly interesting question, which I will say afterwards. But in the meantime, initially I came up with this horrid solution, and I'm warning you, if you have any sense of style

or pride in your work, please look away. Right, how not to embed. I'll talk you through it as I'm doing it. Right, here we go: I'm copying, I go over there, I create a bat file. In fact, when you just drop a bat file, and I'll show what not to do here, when you just drop a bat file into a document it has a massive warning saying "this is insane, don't do this, it's ridiculous". But if you save it and then tweak the name, you rename it afterwards and just put a dot at the start, and then you put a load of whitespace, then have another dot, your warning is really small. It sort

of minimises the warning. I just cover this because, is it smart? Not at all. And so here we go, I'm about to drop it in. Yeah, so I did, actually; if you go too far with it, it won't let you save it, so there is a limit; the limit is 260, the path limit, I think, probably. So we run that, but you see there it's a really small warning now, where before that would have filled the entire box, which I'm about to maximise. So just from changing the name you get that interesting find. Right, so what the hell am I doing here? This really is wrong. I'm

trying to entice people to click on it. Now, if you look, there's the warning, but when you drag it down, anywhere that's in that box, if you click on it, it'll run the bat file. And yes, I know there's a better way to embed it, which I'm going to do later, and I knew before; I was just experimenting. And yes, I hid it; it's like, properly, this is like next year at Black Hat and DEF CON: this is how you embed a bat file. So there's an interesting thing here. I renamed it, and at some point, as someone earlier said, I renamed it for a reason; I'm going to touch on that.

That's embedding in the document. If someone's insane enough not to bother embedding it properly and does something as ugly as this, they may not... Right, it's obviously going to trigger it. I'm going to save it just to prove it does work: it doesn't start mspaint and panic and die, and there we go, and again you'd make that invisible normally. Session. So yes, that works. But does it work? Just check, just forward it. Here we go, there you go, it works. Right, so I emailed it to the gateways. Did it get delivered? It managed to pass them all. So I finished for the night, happy, proud, and what was it, the

obfuscation, which I can't say. So I retried in the morning, exactly the same process, nothing smart, just with that, and there it is, you can see I embedded it in the typical way this time, so I'm not completely insane. The typical way is you go to Insert, Object, and Package, and then you give it the destination of your bat file, whatever you want to do, change the image to make it look even more potentially malicious. These are all things they should be picking up on. So this is done in the classic way of doing an OLE, the only difference being the shortcut has now been replaced with the bat file, which I showed on the video earlier.

Right, and sent it. Bang. So yeah, same PowerShell request, different medium, gets through. I don't want to explain my theory yet; I'll get to that. Right, I'm now going to go back in time. So on this date I emailed that to the world, and I won't say arrogant things like this is the first time this has been discovered, or potentially use the term zero-day or anything like that, because I think what I'm going to say now, it's not; it's been done back in the sixties or seventies or eighties. But I emailed that on the 21st of July, so not long after that this pops up. There is a very, very

good researcher, but basically it's almost decided to ruin my fun, and OLEs are going to be banned in Microsoft Office documents going forward. So Microsoft Office, released in 1998, waits 27 years to block bat files. So literally, this is like the character limit, someone was against me on this, and it's 14 days after I discovered it. Now what is interesting, and this is probably me being a bit paranoid, but one of the Microsoft Office managers liked one of the tweets that I put out, and then it gets blocked. Just... interesting. Right, they tweeted that. I've tried to get hold of a copy of Office that blocks them, and I want to see, because they just said it

blocked basically certain objects that are embedded. So I want to see whether it includes bat files. Secondly, I want to know whether, if you just slap it in there, it is going to consider that as malicious and block it. I suspect not; I suspect they've missed it. Right, eventually it will filter down into all versions of Office. It's Office 365 at the moment, I'm told, but it will filter down into everything. Now, so is the OLE dead? I wanted to play, and I needed to update Office. Yes, now I don't particularly, in my research, update Office very often, so I had a little stumble across it; it's not intuitive, and this is how you update

Office, if you don't know. You basically go to that on the slide, Office 2010, I'll get to why I use Office 2010 in a minute, and you stumble across it in File and then Help, which is not very intuitive. And when you do that it redirects you: it opens up IE, of all things, and redirects you to the online normal downloads, which seemed odd to me. Why would Office not update itself from itself? I don't get why they have to go to Windows Update, but there you go. So Windows Update, and a lot of people are going to receive that when they attempt to update it. So it's always interesting that in their office they'll receive that it's run by your

administrators, and in 2017 we still find that. So it starts to make me think: are people going to update Office? The only thing is, I do lots of internal testing and lots of remote testing and a lot of social engineering testing, as I said before, and Office 2010 is still really, really common, and support's dead, it's ended, so that's not getting updated. It's got extended support still, but I don't know how many people have extended support. So I think the OLE isn't dead, and I think we're going to use it for a few years still to go. So I think research into this area is still valid, and once research into this area is completely dead I'll move over

to HTAs, because it's pretty much the same concept to a certain extent, popping up through the browser. Right, so why does this happen? I think it's signatures. I think they look for typical words, typical frameworks, typical things, and then just block on that. And I think it doesn't block bat files because it assumes Outlook will automatically do it, potentially; I don't know. But I've watched lots of talks this year, really good talks, on antivirus bypassing techniques and things that slipped past. Now this is something I'd like to quote; it was really, really good, it's a really good blog, Black Hills InfoSec, anyone can read it. Basically it says there, so you change the template and

things slip past AV. So if you change the language, the same payload will slip past AV. Now I think a bat file, in essence, is just a container, and a shortcut is just a container; you change the container and there you go, they slip past. That's my opinion. Right, the final dance, chapter four. Someone might shout "no" at this point, but what is a bat file? Wikipedia arguably says it's loosely connected to the scripting languages. Yeah, it's not... you could say... it's a good point. You can do it; it's unlimited what you can do. It's functionality, and functionality is almost better than an exploit, in my

mind, and it's pretty much unlimited what you can do. Not quite true, but you can do a lot with it; there's millions of things you can do with it that we haven't discovered yet, and we should be finding more and more. Right, so let's say they do block, you know, let's say that bat files are finally blocked: there's loads of other scripting languages. Change the language, change the template, and things slip past. I have no idea how long I've spoken for; it's roughly about 30 minutes. Are there any questions? Thank you. So I imagine, 17 slides, how do I do it quick? Right, if anyone doesn't follow me, I'll

follow back. Any questions on that? I hope you enjoyed it. [Applause]
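A defender-side check for the two delivery vehicles the talk describes, VBA macros and OLE "Package" objects wrapping a .bat or .lnk inside an Office document, as an added example that is not part of the talk or its slides. It reads the OOXML zip directly with the Python standard library and flags the ProgID/progId of "Package" and any script or shortcut filename left in the embedded object stream, rather than keying on the literal string "PowerShell" the way the gateways in the talk appear to; the sample document and its embedding bytes are constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

O_NS = "urn:schemas-microsoft-com:office:office"                      # Word <o:OLEObject>
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"  # Excel <oleObject>
# Filenames the Packager object would hand to the shell on double-click.
RISKY_NAME = re.compile(rb"[\w\-. ]{1,64}\.(?:bat|cmd|lnk|ps1|vbs|js|hta|exe)(?![\w\-.])", re.I)


def scan_ooxml(data: bytes) -> dict:
    """Inspect raw .docx/.xlsx bytes for macros and OLE Package embeddings."""
    found = {"macro": False, "package_objects": 0, "embedded_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # vbaProject.bin is only present when the file carries VBA macros.
        found["macro"] = any(n.endswith("vbaProject.bin") for n in names)
        for n in names:
            if n == "word/document.xml":
                root = ET.fromstring(zf.read(n))
                for obj in root.iter(f"{{{O_NS}}}OLEObject"):
                    if obj.get("ProgID", "").lower() == "package":
                        found["package_objects"] += 1
            elif n.startswith("xl/worksheets/") and n.endswith(".xml"):
                # Excel keeps its embedded-object list in each sheet part.
                root = ET.fromstring(zf.read(n))
                for obj in root.iter(f"{{{SS_NS}}}oleObject"):
                    if obj.get("progId", "").lower() == "package":
                        found["package_objects"] += 1
            elif "/embeddings/" in n and n.endswith(".bin"):
                # The Ole10Native stream stores the original filename as ASCII,
                # so a string scan recovers e.g. "update.bat" without a CFB parser.
                for m in RISKY_NAME.finditer(zf.read(n)):
                    name = m.group(0).decode("ascii").strip()
                    if name not in found["embedded_names"]:
                        found["embedded_names"].append(name)
    return found


def is_suspicious(found: dict) -> bool:
    """Policy: any Package object or script/shortcut filename is enough to quarantine."""
    return found["package_objects"] > 0 or bool(found["embedded_names"])


def build_sample_docx(embed_bat: bool) -> bytes:
    """Constructed minimal .docx for testing; not a document from the talk."""
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:o="{O_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<w:body><w:p><w:r>"
        + ('<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId4"/></w:object>'
           if embed_bat else "")
        + "</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        if embed_bat:
            # Constructed stand-in for an Ole10Native stream body: label, filename, source path.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\x01Ole10Native\x00\x02\x00update.bat\x00C:\\Users\\test\\update.bat\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_ooxml(build_sample_docx(flag))
        print(result, "-> quarantine" if is_suspicious(result) else "-> allow")
```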