Credential harvesting phishing scenarios have become less and less popular due to the vast majorities of organizations deploying Two-Factor Authentication (2FA) on all external applications. FireEye’s recent research and tool ReelPhish is an awesome example of subverting 2FA and successfully accessing external web applications. This post and tool is an adjunct to ReelPhish that uses RPA to get past 2FA and log onto a VPN directly with the VPN client. This has been successful in real world environments and I also have a PoC video below.
What is RPA?
Important reminder: this is a personal blog, all thoughts and comments are mine and do not reflect that of my employer.
Robotic Process Automation (RPA) is an “emerging” technology that boasts the ability to automate anything. It is essentially a GUI scripting language with OCR capabilities that makes interacting with applications and extracting data easy and approachable to non-technical folks. RPA calls the output or tool you create robots, or “bots”. Trust me, I couldn’t make this up. Frankly I’ve been somewhat sour on the subject, and even after using it a bit, I can’t say I would choose it over any traditional language. But I did end up seeing a use case for it so I swallowed my pride and jumped in.
UiPath RPA Software
The only popular free RPA software I’m aware of is UiPath’s Community Edition. I downloaded and installed on a Windows VM. Once I opened it up I found a lot of terms that modeled traditional languages, such as loops, if statements, etc. I will definitely say UiPath is very intuitive and I was able to figure out what I needed and how to use it in under an hour. The only downside was there was no easy way to interact with a running UiPath program (I’m having a hard time calling it a robot). I couldn’t send an HTTP request to it and have UiPath receive and parse the request, which tells me UiPath isn’t quite built for a typical developer. Since I couldn’t have UiPath parse an HTTP request I had to write an intermediate tool to handle that.
Note: I have seen some forums talking about an API but I couldn’t find decent documentation and didn’t have the time to figure it out.
I had some phishing coming up and I was all set for the payload based spearphish but wanted to provide a solid credential harvesting scenario as well. I’d heard about RPA a little bit and knew its upside was the ability to interact with applications regardless of an accessible API. After a little research I came up with the following idea:
- Setup phishing page to ask for username, password, and second password (token or push)
- Setup an SSH remote port forward taking a local port on the phishing server and sending it down to a Windows VM
- Start UiPath to watch for a change to a file, ‘loginFile.txt’
- Use PHP to send the credentials down the SSH tunnel
- Use a Go exe to listen on port 3000, receive those posted credentials, and write username, password, and second password to ‘loginFile.txt’
- UiPath will immediately see ‘loginFile.txt’ has been modified, read in the credentials, and enter in all the relevant dialog boxes
- Initiate the VPN connection and profit!
If you like pictures, this is essentially the attack:
Below is a PoC video which demonstrates the attack with the following lab setup:
- Phishing site: vpn.adapt-and-attack.com
- VPN server: 192.168.1.31
- VPN info: Cisco AnyConnect and Cisco ASA 5505
- 2FA: Duo Push
I didn’t spend time on the refresh page so all it says is “Success”, don’t judge me! I also should mention since that VPN endpoint is an IP address, the SSL certificate warning pops up and the whole connection process takes a tad longer than against a production environment. Just to be clear, I typed in “push” for the second password and then around ~52 seconds in the video, I accepted the Duo Push notification in the app. All interfacing with the AnyConnect client is UiPath.
All required components can be found at this GitHub repo:
The GitHub repo includes the UiPath project XAML file used in the demo video, a sample PHP file for receiving the credentials and sending them down the SSH tunnel, and the mfastealer Go script. The README file should be enough to get you started with everything and feel free to DM me on Twitter if you have questions.
I named it mfastealer (Multi-Factor Authentication) rather than 2FAstealer as I believe this project could be edited to get around most MFA/2FA technologies which require the end-user to enter all information. I’m sure someone out there will argue semantics, though.
So far, I’ve been successful targeting AnyConnect+Duo and Pulse Secure Client+Duo environments. In both scenarios, it was successful with Duo Push and the Duo token value.
I will definitely echo the authors of ReelPhish and say to not abandon 2FA. It is a great control that adds an additional layer of security and should be implemented on all external authentication portals. Just like all security products and technologies, nothing is perfect. Some mitigation ideas can be to shorten VPN sessions to limit the amount of time an attacker is on the network and to apply strict network segmentation for the VPN segment. I also think that user behavior analytics could be useful here to discover an anomalous VPN login.
Consider including awareness around phishing that requests 2FA tokens within your overall security awareness training to your user base as I’m sure more and more techniques will continue to find ways to subvert 2FA.
UiPath came in handy here and was surprisingly intuitive and reliable. As mentioned earlier, I don’t see me using RPA often from an offensive security perspective. Although, RPA is expanding into many businesses and we may start seeing this in target environments during red team operations. For example, Blue Prism is another popular RPA product for the enterprise, and they boast some mature customers and partners. I envision some similar themed issues as we normally see: insecure password storage, weak permissions, easy backdoors, etc.
Hope someone finds this useful!