
All right, so it used to be... We'll just take this, because if you think about it from a corporate environment, RDP files are used all the time, right? You've got some remote desktop that's shared for Terminal Services.

(My mic just quit working, hold on one second. The mic's working but my mouse is not working now. All right, let me just try this one more time, let's see if that works. Yeah, it's not working. Let me see... there we go. Sweet.)

So, looking at remote desktop, the things that I've noticed were that RDP files are not blocked by email clients. Why? Because business continuity says that sometimes we need to send RDP files to our employees so that they can access the remote workstation. That's a really good indicator for us, because it means we could email RDP files to our targets. They're not blocked by security providers, so if you're using Proofpoint or any of the security mail gateways, they'll fly right through by default. I mean, you could obviously configure rules to block these. And then Outlook, Office 365, all of these mail providers are also permitting RDP files by default. This was just me generating a bunch of the extensions and randomly clicking, and then bam, RDP pops up. So RDP files are a really good indicator that we could leverage that.

But when you start thinking about this, what does RDP provide to an attacker in the event where an RDP file was sent in? There's a lot of stuff that comes with features within this. RDP can be configured, with the RDP file, to actually pass through network file shares. For instance, let's just say there's a mounted network file share, you know, a Z drive or something that you automatically provision with a group policy for all your employees. Those mapped network drives are available through a session of RDP. Then you have read/write over the client drive, so on the C drive you can do binary planting. If you think about that from the aspect of dropping a beacon in the startup folder or some other sort of persistence, you could just drop it there. The other cool thing is it actually forwards the local printers of that network, so if there's printers there, it'll mount them and they become available on the Terminal Services client, because Microsoft really wants to be able to enable this remote workspace so that it's seamless with the clients that are connecting to it, and it creates a massive vector for that.

With that, you also get the clipboard contents. This is actually really cool, because in my research I was in a virtual machine launching the remote desktop in order to connect to my rogue server, which we'll talk about in a minute, and the actual clipboard content from my host computer outside my virtual machine was forwarded to my remote server. So now you have this other problem where network files or shares that are mounted on the host computer and forwarded to a VM become available as well, because the clipboard is usually there by default. You could also look at the audio devices. Think about audio and video, or any sort of USB components that are plugged into the machine. You could actually set RDP up by default to forward all of the devices from that local machine, from your target, to the remote session, and we'll talk about why that gets really bad in a little bit. You can do cameras. The other cool thing is, in some cases you can do remote code execution directly: as soon as that client connects to your rogue server, there's ways that you could actually execute code on that computer. We'll talk about that a little bit, and the conditions that are required around it. But if you look, I mean, Microsoft Terminal Services has a wide variety of attack vectors that we could leverage.

So the cool thing with that is we can actually configure mstsc, or the RDP file, on our own machine and then just send it as a file attachment. We could send it to any mail client, because it passes through all the mail gateways and it bypasses all the mail providers and all the security gateways and everything else. So we're basically evading everything from end to end. It's a really great initial access vector to consider. The only problem with this is we need a really good ruse.

So when you're sending somebody an RDP file in the corporate environment, what do you typically see, right? You have to think about this from outside the box, because you're going to need to tailor the attack vector to your targets, in something that they're familiar with. The way that we do that is using a really good ruse. The cool thing is, you know, with social engineering attacks and all this moving to other verticals and not necessarily having to stay on email anymore, we can go back to email now, because these RDP files pass through and we don't have to worry about security gateways. So what we're going to try to do is entice a user to connect to us, and it needs to look legit, because obviously we want them to be able to open the RDP file connection and then do some cool stuff. And then, in the email ruse, if we provide some sort of out, right, if there's concerns or questions like "I'm not expecting this," we need to be able to provide them a decent way to get out of that without reporting back to their security teams, and then we could forward them on after they're done. We want to think about all this because you don't want to leave red flags, and you don't want to leave anybody concerned that they just opened something, because then the security team is going to be on you. And when they're on there you've got a limited time and you've got to move quick, and lateral movement and pivots and everything else has to be done really quickly rather than going low and slow like we would all like to do. This works really good if you're on an internal network, because if you're on an internal network already you could plant RDP files on network file shares, and it just makes it really valuable.

So the way that we're going to do this is we're going to set up a fake remote shared workspace. I tend to go to LinkedIn, look at what jobs are hiring for or look at what engineers they have on their teams already, and then find out what technologies they're well versed in. In a lot of cases... this was a real one that I used from Citrix Workspace. If you'll notice, I template the email, because I usually send these in bulk. I'll send like ten at a time or something, so I'm basically spear phishing like five or ten people at a time, but I want to be able to search and replace the target, the sender and all that. "We're testing a new shared recruitment environment, need your help, please verify your access as soon as possible to avoid service disruption. The attached connection file will automatically connect you to the workspace." So we're telling them what they can expect; that way there's no red flags. "The invitation is going to expire." Because it's expiring, it creates that urgency that we're trying to get them to act on before something else happens. We don't want to interfere with business, so they're going to want to click on it. This is a real Citrix Workspace email, I just swapped it out with my own stuff, and then you'll see the workspace RDP file, there's an attachment on there, and it looks really nice. The cool thing is, at the bottom I put: "In the event you're unable to connect to the remote workspace..." We don't want them going to the security team, or if I'm phishing them from another employee, we don't want them to go to that employee. So what we'll do is we'll say, "If you're having any problems, please fill out this form using this link." That way they just report it to us, and it just goes to /dev/null. We don't care. So that's how we kind of let them down from the ruse.

Now, the ruse delivery is really interesting, because we're once again back on email, but it doesn't have to be email. You could do this through LinkedIn; lots of social networks and team collaboration tools will pass RDP files through flawlessly. So start thinking outside the box whenever you're starting to send these RDP files; you can plant them anywhere. The other cool thing is, when I was mentioning the network file share replacement, we'll talk about how that's going to work, but if you're on an internal network and you find an RDP file that's there, this technique that I'm going to show you will give you the ability to replace theirs with yours and not interfere with their normal connection. So it'll pass right through, they'll still connect to their normal resources, and we'll talk about how we do that with man-in-the-middle proxying of the RDP protocol. So that's basically what we're going to be looking for; this is what we're going to deliver.

The cool thing is I have a bonus here. This is a new one, it's relatively new. I'm not really sure exactly where I learned it from; I learned it from a friend who learned it from someone else, so I don't know where the original came from. It hasn't been talked about really publicly, I think. Steve Borosh from Black Hills is doing a blog post on it this week, so you'll be able to see more about it. But the cool thing with this is we can actually spoof from Office 365 to Office 365. The reason why this is valuable is, you can imagine, back in the day you used to be able to spoof emails and it was this big thing, and now you've got DMARC, or you've got SPF records that are set, or DKIM, you know, encryption certificates. But we could bypass all of that by going directly to the mail connector for Office 365.
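As an added example (not code from the talk), here is a small Python triage script for the RDP file settings described above: it parses an .rdp attachment the way mail-gateway or SOC tooling would and reports drive, device, clipboard, printer and audio redirection, a non-default port in the full address, whether the file is signed, and an authentication level that silences server identity warnings. It goes a little beyond the talk by also covering USB, camera and smart-card redirection; the sample file and its hostname are constructed.

```python
# Triage an .rdp attachment for settings that expose the client opening it.
# Constructed example; setting names are Microsoft's documented .rdp keys.
DEFAULT_RDP_PORT = 3389

# Settings that redirect client resources into the session, and the value that
# enables them ("any" = any non-empty value such as "*").
RISKY_SETTINGS = {
    "drivestoredirect": "any",     # client drives, read/write from the server
    "devicestoredirect": "any",    # plug-and-play devices
    "usbdevicestoredirect": "any",
    "camerastoredirect": "any",
    "redirectclipboard": "1",
    "redirectprinters": "1",
    "redirectsmartcards": "1",
    "audiocapturemode": "1",       # microphone
}

def parse_rdp(text: str) -> dict:
    """Return {setting name: raw value}; one "name:type:value" line each (type i, s or b)."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"line {lineno}: not name:type:value: {raw!r}")
        settings[parts[0].strip().lower()] = parts[2]
    return settings

def assess(settings: dict) -> list:
    """List what a defender should know before a user opens the file."""
    notes = []
    for name, enabled in RISKY_SETTINGS.items():
        value = settings.get(name, "").strip()
        if value and (enabled == "any" or value == enabled):
            notes.append(f"{name}:{value} redirects a client resource to the server")
    host, _, port = settings.get("full address", "").rpartition(":")
    if host and port.isdigit() and int(port) != DEFAULT_RDP_PORT:
        notes.append(f"full address uses non-default port {port}")
    if "signature" in settings:
        notes.append("file is signed: identify the signing certificate and its CA")
    else:
        notes.append("file is unsigned, so mstsc shows the unknown-publisher warning")
    if settings.get("authentication level", "").strip() == "0":
        notes.append("authentication level 0 suppresses server identity warnings")
    return notes

# Constructed sample shaped like the "shared workspace" attachment described.
SAMPLE_RDP = """\
full address:s:workspace.example-recruiting.net:443
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
audiocapturemode:i:1
authentication level:i:0
"""
```

Running `assess(parse_rdp(SAMPLE_RDP))` on the sample yields eight notes; a file with redirection off, a signature and authentication level 2 yields only the "file is signed" note.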
It's enabled by default for Office 365. It's using this thing called direct send, and it's a way to send bulk mail with, but it bypasses everything: all the mail gateways and security controls that are in place. You go directly to the Microsoft connector, and so it's a smart host, is what it's technically called. The reason why it works is because they don't want to route the domain that you're sending email to as a spam domain, so it just automatically goes through. I don't know what Microsoft's deal is. But if you look over here on the image in the middle, there's a pink box that says "your MX endpoint," so it's yourdomain-com, or whatever TLD you have, .mail.protection.outlook.com. The real beauty behind this is there's no authentication. You literally just connect to that mail connector on port 25 and send SMTP as you normally would. There's only a few caveats with it. You need to be able to get the MX record. This is the way that I do it: I just use nslookup, I query the MX record for my target domain, so whoever the target is, target.com, and then I'm able to connect to the SMTP server on port 25. It's usually always the name of the domain, dash, the TLD, .mail.protection.outlook.com. One of the only caveats is you have to be able to send from and to a real user that's on there, so you want to do some user enumeration before you're actually using it for your ruse. And then the other thing is you basically have to know that the smart host of the domain is the right host. Outside of that, you're really good. Once you have the recipient account and the one that you're spoofing, you could just send it directly to it, and it works on a lot of O365 domains. I mean, we've used this on pretty much most of the targets, and it goes directly into the inbox. So you're basically spoofing whatever you want to spoof: you could spoof another user, you could spoof a distribution group. As long as that user account is enabled and it's not just an alias, you should be good to go. So it's just a little bonus slide.

So let's talk about bringing our own server, because this is probably the most important part, right? I mean, we could send RDP files all day, but if we're not sending them somewhere to connect to... we need to make sure that we nailed this part more than anything, because this is where the code is going to be running, right? So think about running your own Windows server. You can put it in the cloud, you could expose it if you want. I'm going to show you how you can do it without exposing it, but the idea is you're running your own RDP server. You spin up a Windows Server, you configure RDP, and bear in mind that RDP file is going to auto-connect to your server. So there's some logistical issues that I had with researching how to pass in authentication, and how do I do it where I'm not exposing my RDP server to the internet, because, you know, Russia and China are going to be there beating down your door within minutes if you have an exposed port 3389. You could change the local port; there's a quick way to do it down there at the bottom. But the idea is that you're going to want to open RDP in the firewall, set up your server, set up a new user that has RDP permissions. Now bear in mind your malicious code is going to be running on your own server, but what happens is when the client connects to the server, you're actually able to access the hard drives and all the devices on the connected clients. This is where the beauty comes in.

So now we're looking at RDP. There's lots of protocols with RDP that we'll talk about, but the hard part about this was really on the credential loading. If you're familiar with DPAPI within Windows, anytime you're storing your encrypted credentials, it's based on the DPAPI of the computer that encrypted the credentials. So if I encrypted them and then put them in an RDP file and saved it, and then sent that RDP file to someone else, the person that opens it is not able to actually decrypt the credentials to use them for the connection. So I was like, okay, what if we just use a blank account, which is super bad, don't ever really think that's a good idea, but I wanted to try, because this is progressing through how to force the client to automatically connect to us. It does require a little bit more interaction. You also get this really ugly yellow banner, which is always scary whenever somebody clicks on it. You want blue, right? Windows: yellow is bad, blue is good. So we need to be able to get rid of that yellow banner. Blank account passwords are going to expose the server to the internet, which means anybody can connect in while we're running malicious code. So that's not that big of a deal... we don't want to accidentally hack someone outside of our scope, so we want to make sure we stay in scope. So it's super risky. Then there's also the unverified banner that we're going to get rid of here in a second. And then if the publisher is unknown, now we have another issue, right? Because it's sketch: it says "publisher unknown," and you see that and you're like, "I'm not clicking on this, I'm not connecting." And then outbound 3389 might also be blocked, right? You're like, oh well, you know what, outbound RDP over the internet, we're not going to allow that, we will never, we block that at the firewall. Okay, well that's great, but we can set whatever port we want, and we can pre-configure the RDP file to use colon port, and it'll just automatically connect over that other port instead. So those are kind of the catches that we have.

And so the solution that we have is nice and blue. The way that we do this is we're going to man-in-the-middle the client. They're going to connect to our proxy server, and our proxy server is going to connect to our real server. The reason why that's really good is because, first, we could firewall off only our proxy to be able to connect to our RDP server, and we don't have to worry about anybody connecting in. The other thing that it really does is it gives you the ability to create whatever username you want for the RDP file; it doesn't even matter. So what I try to do is tailor that for my target. If it's a department that I'm targeting, then I'm going to use the department name for my username. You just want to make it look as legit as possible. But the other really good thing is you could just generate a real SSL certificate. Now there's some funkiness that you have to do. Like, if you're wanting to use Let's Encrypt, for instance, you could convert the Let's Encrypt certificate to a PEM and then import the PEM into Windows and use the thumbprint to sign the RDP. We'll talk about that in a minute. But we're going to sign these RDP files with our own SSL certificate that matches some doppelganger domain of the company that we're targeting, and make it look nice and pretty, and then we're going to sign it using a built-in tool within Microsoft called rdpsign. How novel. So we do that, it's signed, there's no Mark of the Web, we're sending this over the wire, we're good, everything was great. It'll pass through, and then when they open it, it's just going to look like that, nice and blue. They click connect, and it's game over.

The other really cool thing with this is we can set our proxy server to listen on whatever port you want to listen on. So if you wanted to set it for 443 or 80, you could certainly do that, and you're basically connecting RDP over those ports. But, I mean, who cares? It's just a client connecting into you anyway. And so that's the way that you can do Let's Encrypt. I put this in the slide deck in case you wanted to go back and reference the slides later, because it was a little tricky to convert this stuff, especially on a Windows machine. You had to install choco and OpenSSL in order to get the Python 3 certbot to actually work properly. Once you do that, you just generate your doppelganger domain, and then you could actually use OpenSSL to convert that certificate and that key into a PFX, which imports directly into the cert store within Windows. Once it's imported into the cert store, it'll provide you with a nice little thumbprint. You take that thumbprint ID and you pass it to rdpsign and point it at your RDP file, and it signs it, and everything is super great. There's probably a much easier way to do this. This is just me kind of hacking the solution through, because I have no clue what I'm talking about with this kind of stuff; I just have to figure it out as I go. So there's probably a better way, and if you do know, feel free to reach out and I will update this. I'd love to find a better way to do it.

So let's talk about the proxy. The proxy is really interesting, because in order to proxy RDP traffic you have to do all kinds of protocols. There's fast protocols and short protocols, and there's these fast paths and slow paths, and encryption protocols and communication protocols. There's lots of binding for the GUI, so there's lots of protocol binding to be able to get the user interface from the Windows server to pass through your proxy into the client so it can render properly. There's all kinds of specifications, and this rabbit hole goes really deep. So I started looking at FreeRDP, I started looking at xfreerdp, all these different software packages that were open source that kind of already implemented it, so I could try to avoid this part of it. And then I came across a tool called PyRDP. Now PyRDP implemented all of the protocols: the TCP, the segmentation, all of the encryption, the security stack, everything. They did all of it in Python. It's already put together, you don't have to do anything, you just tie it together, and they put it in a really cool tool. So they built all of this, and the hard part about this is you have to remember we're proxying the red