TRY HARDER: A Blog About Discovery
Author: Brennan Turner @BLTSEC
[Enterprise Security] Black Honey
“I keep swinging my hand through a swarm of bees cause I
I want honey on my table” – Thrice
Scenario: The quote above comes from a song entitled Black Honey by Thrice and I highly recommend you give it a listen. I deviated from the usual flow of my posts to illustrate the theme of this post: canary tokens and honeydocs. These files are created and placed where they will entice an intruder, or a disgruntled employee, looking to view sensitive data or to move the file off the internal network without authorization. They can be a Word document, a PDF, a web page, etc., and usually appear to be legitimate documents containing enticing information. Once opened, they beacon home to a server with details such as the time and location at which the file was opened. This is just one of the many layers of defense an enterprise could implement to gain insight into internal and external adversary activity.
Disclaimer: This is a test environment and the methods shown below shouldn’t be done in a production environment without proper authorization and documentation. Use these techniques responsibly and ethically and always test every flag, switch, command, and exploit in your own test environment prior to running in a customer’s environment.
Breakdown: Using Impacket’s smbserver tool I was able to spin up a fully functioning SMB server serving files on port 445, the same service a Windows file share presents. I used smbserver as an alternative to the typical Windows share, but in an enterprise environment it would be most common to see the honeydoc served from a Windows server. In the screenshot below you can see the incoming connection, and you can also see that the client used the guest account to connect and retrieve the honeydoc.
Now from the screenshot below we can see the “malicious” client’s macOS computer as it connects to the share. While the typical situation would involve a Windows SMB server and a Windows client, many mixed environments allow Apple devices to connect to SMB shares using the guest account or by supplying domain user credentials.
In the screenshot above we can see that a user might try the “Registered User” Connect As option from their macOS system, thus supplying their domain user credentials. In the screenshot below Impacket’s smbserver captures the NTLMv2 hash, which could be relayed to another system, but that would be a topic best saved for my [Penetration Testing] blog posts. We can see the username entered was cash, and I bet you the password entered was aboynamedsue, but you’d have to crack that to be completely sure…
From the two screenshots above we can see the suspected intruder has opened the honeydoc from within the SMB share and his details have been sent to my server. I intentionally left the file’s visible “payroll” content in an obfuscated arrangement. I’ve seen honeydocs that are arranged neatly with sample data, and it becomes obvious that the data was left there to be found by an adversary. I was hoping the way I arranged the content would discourage closer investigation of the file, but arranging the content somewhere in between might be best for targeting both an adversary fitting the “attacker” role and one fitting the “disgruntled employee” role.
The screenshot above shows the complete makeup of the “Payroll Processing.doc” file. The honeydoc is simply an HTML page with a .doc extension, which Microsoft Word will open; rendering it makes requests to the two URLs, each of which submits the campaign id and the tag that invoked the request. The index.php at the root of the web server establishes the connection to the MySQL database that stores the information collected from the adversary who opened the honeydoc, and it gathers the intruder’s system and network information: the IP and user-agent values are taken from the request using the $_SERVER array. Below I’m connecting to my server via ssh to view the results stored in the requests table. The server is hosted on DigitalOcean and is reachable from anywhere, provided the network from which the adversary opened the file doesn’t have a firewall rule blocking traffic to DigitalOcean’s networks.
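To make the mechanics concrete, here is an added example of both halves of that design in Python (it is not the WebBugServer code linked at the end of the post, which is PHP). build_honeydoc writes the HTML that gets saved with a .doc extension, with two references that each carry the campaign id and a tag; record_beacon is the index.php equivalent, pulling the viewer’s address and User-Agent out of the WSGI environ (the Python counterpart of $_SERVER) and storing a row in a requests table. The beacon URL is a placeholder, SQLite stands in for MySQL, and the css/img tag names are my own choice.

```python
import base64
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

# Placeholder beacon endpoint (assumption, not the author's server).
BEACON_URL = "http://beacon.example.invalid/index.php"

# 1x1 transparent GIF returned to the viewer so Word sees a valid image.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def build_honeydoc(campaign_id: str, beacon_url: str = BEACON_URL) -> str:
    """Return the HTML body of the honeydoc.

    Saved with a .doc extension, Word renders the HTML and fetches the two
    referenced resources, each carrying the campaign id and a tag that names
    which reference fired (tag names are constructed for this example).
    """
    cid = quote(campaign_id, safe="")
    return (
        "<html><head><title>Payroll Processing</title>\n"
        f'<link rel="stylesheet" href="{beacon_url}?id={cid}&tag=css">\n'
        "</head><body>\n"
        "<h1>Payroll Processing</h1>\n"
        "<p>Q3 payroll batch, pending approval. Do not distribute.</p>\n"
        f'<img src="{beacon_url}?id={cid}&tag=img" width="1" height="1">\n'
        "</body></html>\n"
    )


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """SQLite stand-in for the post's MySQL `requests` table."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS requests ("
        "id INTEGER PRIMARY KEY, ts TEXT, campaign TEXT, tag TEXT, "
        "ip TEXT, user_agent TEXT)"
    )
    return db


def record_beacon(db: sqlite3.Connection, environ: dict) -> tuple:
    """Store one beacon hit and return the stored row.

    `environ` is the WSGI request dict, the Python counterpart of PHP's
    $_SERVER: REMOTE_ADDR is the peer address the server saw and
    HTTP_USER_AGENT is the User-Agent header the viewer sent.
    """
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    row = (
        datetime.now(timezone.utc).isoformat(timespec="seconds"),
        qs.get("id", [""])[0],
        qs.get("tag", [""])[0],
        environ.get("REMOTE_ADDR", ""),
        environ.get("HTTP_USER_AGENT", ""),
    )
    db.execute(
        "INSERT INTO requests (ts, campaign, tag, ip, user_agent) VALUES (?, ?, ?, ?, ?)",
        row,
    )
    db.commit()
    return row


def list_hits(db: sqlite3.Connection) -> list:
    """Everything recorded so far, oldest first (what the post reads over ssh)."""
    return db.execute(
        "SELECT ts, campaign, tag, ip, user_agent FROM requests ORDER BY id"
    ).fetchall()


def make_app(db: sqlite3.Connection):
    """WSGI application: every request logs a hit and answers with the pixel."""
    def app(environ, start_response):
        record_beacon(db, environ)
        start_response("200 OK", [("Content-Type", "image/gif"),
                                  ("Content-Length", str(len(PIXEL_GIF)))])
        return [PIXEL_GIF]
    return app


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with open("Payroll Processing.doc", "w", encoding="utf-8") as fh:
        fh.write(build_honeydoc("payroll-share-01"))
    make_server("0.0.0.0", 8080, make_app(open_db("requests.db"))).serve_forever()
```

Two points worth keeping in mind when you adapt this. REMOTE_ADDR is the address the server itself saw; if the beacon sits behind a reverse proxy you would read X-Forwarded-For instead, but only from a proxy you control, since the viewer can set that header to anything. And, as the post notes, the hit only arrives if the viewer’s network lets the request out, so the share-side log (who connected, which account) is worth collecting as a second signal.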
The Other Side: A threat actor could find an enticing share using the following methods. First, the attacker would need to enumerate a network segment looking for hosts running the SMB service; Nmap has an SMB enumeration script that helps with this task, as seen below. Next, the attacker would look for shares they could try to gain access to, and in my case Impacket’s smbserver has created an SMB server that doesn’t require credentials. Impacket’s smbclient can be used to identify shares and enumerate their names, as seen below. Now, in our case, we hope the attacker opens our honeydoc and we receive an alert indicating our system has been compromised. Our organization would then need to analyze the incident, contain the threat, eradicate it, and recover the system.
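The honeydoc beacon only tells you the file was opened; the share itself already tells you someone went looking. As an added example (my own, not part of the post or of Impacket), the script below watches smbserver’s console output for the two events the screenshots above show, an incoming connection and an authentication, and raises an alert for each logon against the decoy, rating a named account higher than a guest logon. The sample lines are constructed to resemble smbserver’s output; the exact wording differs between Impacket versions, so check the patterns against the build you run.

```python
import re
from dataclasses import dataclass

# Lines constructed to resemble smbserver's console output (Impacket logs to
# stderr); wording varies across versions, so adjust the patterns to yours.
SAMPLE_LOG = [
    "[*] Incoming connection (192.0.2.25,50412)",
    "[*] AUTHENTICATE_MESSAGE (\\,MACBOOK)",
    "[*] User MACBOOK\\ authenticated successfully",
    "[*] Disconnecting Share(1:IPC$)",
    "[*] Incoming connection (192.0.2.25,50413)",
    "[*] AUTHENTICATE_MESSAGE (CORP\\cash,MACBOOK)",
    "[*] User MACBOOK\\cash authenticated successfully",
    "[*] Disconnecting Share(2:PAYROLL)",
]

CONN_RE = re.compile(r"Incoming connection \((?P<ip>[\d.]+),(?P<port>\d+)\)")
AUTH_RE = re.compile(
    r"AUTHENTICATE_MESSAGE \((?P<domain>[^\\,]*)\\(?P<user>[^,]*),(?P<host>[^)]*)\)"
)


@dataclass
class Alert:
    severity: str
    ip: str
    user: str
    host: str
    domain: str

    def message(self) -> str:
        return (f"[{self.severity}] decoy share authentication from {self.ip}: "
                f"user={self.user!r} host={self.host!r} domain={self.domain!r}")


def scan_smbserver_log(lines) -> list:
    """One Alert per authentication against the decoy share.

    Nobody legitimate should touch a decoy, so a guest logon is already worth
    a look; a named account doing it is rated higher because it gives the
    investigation a user (or a stolen credential) to start from.
    """
    alerts = []
    current_ip = "unknown"   # smbserver prints the peer address on the connection line
    for line in lines:
        if m := CONN_RE.search(line):
            current_ip = m["ip"]
        elif m := AUTH_RE.search(line):
            severity = "high" if m["user"] else "medium"
            alerts.append(Alert(severity, current_ip, m["user"] or "<guest>",
                                m["host"], m["domain"]))
    return alerts


if __name__ == "__main__":
    import sys
    # Read a piped or saved smbserver log; fall back to the sample when run bare.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for alert in scan_smbserver_log(source):
        print(alert.message())
```

Run bare it scans the sample; in use you would feed it smbserver’s output (stderr merged into stdout) over a pipe or point it at a saved log, and forward the messages to whatever your team already pages on.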
Conclusion: This technique adds a layer of defense by providing insight into users’ activity and will hopefully help identify threats on your network… and in this specific case sometimes outside of your enterprise network. It is a simple and free solution to implement, and there are numerous other ways to do this, including buying enterprise-grade solutions. While this technique won’t prevent an intruder from penetrating the network, it will provide an alert that there is suspicious activity to investigate. I have included the repository I used to create the honeydoc; I used a traditional LAMP stack to run the web server and MySQL database. This post focused on macOS’s version of Microsoft Word, but that’s what’s so amazing about this design: the honeydoc will send the request to the control server whether the originating operating system is Windows, macOS, or Linux. The honeydoc can also be viewed using OpenOffice or LibreOffice as well! As always, reach out to me if you have any questions or just want to chat about life. You can use the contact page, Keybase, or Twitter @BLTSEC. Happy Hunting!!
- WebBugServer https://bitbucket.org/ethanr/webbugserver