The catching up (troubles of my mere existence)
It’s been a long time again. I can tell from the WordPress Editor UI, which has had some changes (it’s totally unrecognizable). Things have changed in many ways, but I’m still Penetration Testing for food (and accommodation sometimes). I also bought a wok (that’s totally irrelevant).
As I said, I’m still Penetration Testing. Mostly big companies. I try to secure their money and assets, so people that want them won’t get them. I arguably am like Peter Pan’s villain – I’m securing rich people’s stuff, so poor people won’t get them without paying, having sex with them (that’s not the majority of my projects) or allowing a permission in their Android phones…
So, I have this controversial job, most of the time, probably the same with my readers (at least during the day). We could be considered “Captain Hooks” of some sort. I’ll let my psychologist know about my identity crisis. Or my mom.
The subject looks like it needs a post of its own, so moving on…
The Warmup
So yeah, I pentest a lot, it’s a job and I am pleased doing it. The thing that gives me the most chills is Red Teaming.
Oh boy, Red Teaming is the real thing. Attack simulation and such, from physically opening a door, to phishing and vishing, to NTLM relaying, to DAing a Domain (or a bunch o’ them), to displaying dickpics in all ATMs of the country before dispensing money. I mostly skip the last part (or flash them for a brief second – like Tyler Durden’s appearances).
But my favorite part is phishing. I love people, in a philosophical sense. I love them with their defects (as a race), with their ambitions and fears. That’s what made me come up to here (not sure if it’s considered “up” anyway), and that’s what motivates me in life. Looking for ways to fool them really got me from the beginning. I’m one of them (us?) myself, and that helps a lot, too.
The Real Topic of the Post
By now, I’m not sure what I really am gonna write below. I was planning to introduce you to the Wormnest tool. Something I made to serve payloads with style, but that’s gonna be technical (you know HTTP headers, Python Development, Reverse Proxies and TLS certs), so I’m leaving it for some other time. *Fixing the title*. So, let’s continue with our next guest:
Hassle in Social Engineering
Most social engineering projects start with setting up a Mail Server. And setting up a Mail Server is a hassle. I don’t like hassles. Fuck hassles (Taxes are a hassle – Fuck taxes). Plus, when you set everything up (it’s not that difficult, it’s just a hassle), you will still be Greylisted anyway in most cases, which shows how badly designed the Mailing Protocol is (for 2018), etc-etc.
Setting up a phone number is not that bad anyway. You just buy it, or get your company to buy it. And background checking a telephone number is so much more hassle than checking an SMTP server… It is 1000 times more difficult to get a mobile phone number blacklisted than an SMTP server. And re-deployment is as easy as “buy another number”. And the cost is lower.
Actually, it’s all about avoiding hassle. And in a totally different sense. The “hassle” is an exploit against Human Psychology. And it’s obvious when you think of it.
Hassling as an Exploit
Well, you know how your country’s law enforcement system works. Right? Exactly, you have no clue. What about the tax system? Yep, thought so. And, of course you know the Terms and Conditions of Gmail. I mean you are using it all the time. Well, that’s a “No”, right. Then you have been exploited (like most of us).
Hassle is a bad thing. It creates bad feelings in a lingering way. The feelings create an experience, and the experience leaks into our behavior (from time to time).
We all avoid hassle, as this experience has shaped our behavior into avoiding it. So, the exploit lies in putting hassle in the things that you want people to avoid. That’s an old one. But a golden one.
The Bible’s “Have faith and doubt not” is just the payload (do you remember the color notation? It’s gonna come in handy here). The exploit for that is hassle.
Hassling vs Troubling
Well, hassle and trouble are very different. SO VERY DIFFERENT. And the difference lies in the example below:
Example to show the difference between hassle and trouble:
There are 2 countries, with the following rules for murder with intention:
Country 1: A Murderer will go to jail for 15 years.
Country 2: A Murderer will have to sign a form based on Law 2142/2014, and then provide it to the local authorities. After that, he/she is going to receive the form based on Law 3354/2011 by postal service, complete and sign it, along with 3 of his/her victim’s blood family members, and provide this form to the Ministry of Law Enforcement. After receiving the Ministry’s final report on the case, and providing it to the local authorities, he/she is free of charges.
Those who do not comply will go to jail for 20 years.
In the second country, add the fact that the Ministry of Law Enforcement is open only from 10:00 to 13:00 on weekdays except Mondays, and that the one accountant who handles such cases is on vacation in the Bahamas for an indefinite period of time.
I don’t know about you but I’d prefer to live in Country 1. Not because I like jailing laws, but because it is clear that if you commit murder, to stay free, you have to escape. Not complete written forms that nobody tells you where to find (and it’s probably fruitless to ask the Murder Community here…), and wait in queues.
Bottom line: in the first country, if you are a murderer you are in trouble. In the second country you are in hassle.
Defying the Laws of Tradition
Fighting against trouble is always easier than fighting against hassle. The second one takes more courage in the long run. There is no real enemy in there, so you have nothing clear to fear, yet you feel disappointed, as the things you are trying to achieve never really get fulfilled. Yet, virtually nothing is there to prevent you. Hence, it’s easier to surrender when putting up a fight against hassle, with the illusion that you could achieve the goal given more time/patience/etc.
The only won fight against hassle, that I’m aware of, is in Margaritaville (a South Park episode).
Hassle in Phishing
This exploit doesn’t need any serious setup (nowhere near a valid SMTP server). It is easy to pull off. You just have to introduce someone into a hassle-inducing situation. And then carefully place your payload in a shortcut/gateway you provide. It’s as simple as that. Most installers do it that way:
- Customize before installation (for advanced users) – Too much hassle to find the correct settings.
- Express Install (hassle free!) – Installs Google Chrome and other rootkits along with the main software.
So, a Mail Social Engineering Scenario could be the following:
From: Outlook Security <outlook@example.com>
To: Victimious John <victim@example.com>
Outlook Security Notice – 12/10/2018
It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network. It is highly recommended to inform your IT Administrator, showing this email and the mail threads received by that host the last 7 days.
To fix the issue yourself, please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660 ¹.
Thank You
The Outlook Security Team
[1]: Create URLs like this automatically using Wormnest (shameless plug)!
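On the defending side, the two things that give this mail away are the link host (a dotless, brand-flavored name that is not a Microsoft domain) and the “fix it yourself” shortcut language. The check below is an added example, not code from this post or from Wormnest; it feeds the sample mail above (rebuilt inline with the example.com addresses) through Python’s standard email parser and flags both tells. The phrase list, brand list and the two-label “registrable domain” rule are assumptions kept deliberately small.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the phishing mail from the post, addresses as in the post.
SAMPLE_MAIL = """\
From: Outlook Security <outlook@example.com>
To: Victimious John <victim@example.com>
Subject: Outlook Security Notice - 12/10/2018

It is identified by Microsoft Windows Defender that your host is running a PUP,
posing danger in the host's network. It is highly recommended to inform your IT
Administrator. To fix the issue yourself, please download the remediation patch
available by Microsoft at https://microsoft-malware/KB-19660 .

Thank You
The Outlook Security Team
"""

# Wording that steers the reader toward the hassle-free shortcut (assumed list).
PRESSURE_PHRASES = ("highly recommended", "fix the issue yourself", "download", "patch")
# Brand names that make a host suspicious unless the registrable domain is the brand's own.
BRANDS = ("microsoft", "google", "outlook")
LEGIT_DOMAINS = ("microsoft.com", "google.com", "outlook.com")  # assumed allow-list
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Last two labels; a simplification that ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_host(host):
    """Return a reason string if the host looks like brand impersonation, else None."""
    host = host.lower()
    if "." not in host:
        return "no public suffix (dotless host)"
    if registrable(host) in LEGIT_DOMAINS:
        return None
    for brand in BRANDS:
        if brand in host:  # e.g. google.yolose.com: brand as a subdomain of a stranger
            return f"brand '{brand}' in host, registrable domain is {registrable(host)}"
    return None

def analyze(raw_mail):
    """Collect findings: suspicious link hosts and pressure wording in the body."""
    body = message_from_string(raw_mail).get_payload()
    findings = []
    for url in URL_RE.findall(body):
        reason = suspicious_host(urlparse(url).hostname or "")
        if reason:
            findings.append(f"link {url}: {reason}")
    hits = [p for p in PRESSURE_PHRASES if p in body.lower()]
    if hits:
        findings.append("pressure phrases: " + ", ".join(hits))
    return findings
```

The same host check also catches the lookalike domain used in the vishing call further down, where the brand is a subdomain of an unrelated registrable domain.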
Breakdown of the victim’s psychological aspect
Outlook Security Notice – 12/10/2018
It has a date, and no “Dear X,” it must be formal and serious.
It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network.
Defender is an Antivirus, it probably knows more about my computer than me (spoiler alert: it does). I don’t know what a PUP is, but googling it is too much of a hassle.
It is highly recommended to inform your IT Administrator,
This creep that sweats and swears in every situation that includes computers? Oh, well…
showing this email and the mail threads received by that host the last 7 days
He’s gonna get mad at me when he sees that I use the corporate email for buying shaving stuff at shop.workingmother.com with a discount (well, I googled “working mother shop” and it existed).
To fix the issue yourself,
Yeeeeees?
please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660
I’m so eager to eat whatever this link brings in my computer…
Thank You
The Outlook Security Team
I thank you “Outlook Security Team“, have a nice day!
Bonus points:
Actually mentioning the IT Administrator gets points in the non-phishing direction…
Hassle in Vishing (The something-wrong-with-your-mail Scenario)
– Hello, is that John Victimious?
– Yes, it’s me. Who is calling?
– My name is John Smith (who else?). I’m calling on behalf of your corporate mail provider.
– Google?
– Yes, Google Corporation <Receiver’s country name here>.
– Oh, is there something wrong?
– Well, not exactly. Can you please login to a page and give me what you see?
– I’m a bit busy now, can I send you an email when I manage?
– You can’t send me an email, you have to call <phone number>, ask for email verification support, wait 8-9 minutes as that is the mean waiting time, then describe the situation and wait for someone to handle the case. Plus, it has to be done today, because it’s probable that you’ll have trouble logging into your email tomorrow.
– Oh, never mind. What is the website?
– It is google.yolose.com. Y, O, L, O, S, E.
– Ok, I’m in. Do I just login here and tell you what I get?
– Exactly!
– OK, gimme a sec. *types the creds* hmm… Yes. I see a green tick, saying that “The account has been verified against <TargetCompany>”
– Great! You’re set! Thank you for your time!
See? Just introducing some hassle will bend most defenses. Plus…
Hassle is a recognized attribute of dealing with Authorities
One of the reasons we really get overwhelmed in hassle situations is that we have met hassle in the past and had a negative experience, as said before. But hassle has been introduced into our lives in a quite specific way: when Dealing with Authorities. The paperwork in most countries is so staggering that it creates hassle for even the simplest of tasks.
That’s another good reason to use hassle in your Social Engineering. You give the impression of authority, even without being yourself aware of that!
Final Thoughts
Really Generic/Philosophical…
It’s not humanity that sucks, it’s its systems. Humanity became so big, so fast, that people didn’t have the time to develop really sane ways of co-existing (in groups of more than 150 in the same community, e.g. cities). That’s where ideology and common ideas come into play, to unite the 150+ people that are forced to live so close together.
But, as all projects with tight deadlines, communities are full of bugs. And some become security vulnerabilities. And people end up being massively exploited as they carry their common (vulnerable) traits.
The Hassle Vulnerability is not a new one. It has been exploited by lawyers and tax makers for years now. But to patch it, a new community needs to be built. A community that won’t be so obviously based on it…