How To Perform External Black-box Penetration Testing in Organization with “ZERO” Information

From the metadata recon done earlier, we might inform what our target companys file headers and footers looked like.

Utilizing numerous open source intelligence tools, we acquired openly available documents connecting to the organization utilizing Black-box Penetration Testing techniques.

We headed back to Linkedin, to look for the name of either the HR Manager, Logistic Manager or Admin Manager (whichever is suitable) of Hackme. We carefully crafted an e-mail signature with the name we picked.

With Google dork to the rescue, we ran some fundamental search strings: “website: * ext: xls OR ext: docx OR ext: pptx”.

Now, how do we make our e-mail more credible? By sending an email to Customer service/Help Desk with a service demand and observing the email signature in the reaction.

This then brings us to using Koadic C3 COM Command & & Control, an extremely good framework much like your Meterpreter or Empire.

After poring through reviews of Hackme on Glassdoor, we found some typical themes:.

I then developed a new word document like the one revealed below with a splitting picture of Hackme document design template with suitable headers/footers.

From this, I noticed that employees e-mails followed a specific naming convention– the very first letter of the firstname + surname @ i.e. [email protected]

Where else to get this details than Glassdoor, a platform that gives you inside scoop on business with worker reviews about incomes, advantages, advantages and disadvantages of dealing with the company.

An exhausting technique is to by hand crawl through the google pages in search for these names and function or one might also utilize GoogleScraper:.

Then we embedded our.hta as an OLE object. Microsoft Word Document >> > > Insert >> > > Object >> > > Package. We changed the icon to Microsoft Words icon and also the caption to reflect our message.

GoogleScraper -m http– keyword “website: -inurl: dir at Hackme Current”– num-pages-for-keyword 3– output-filename output.json.

Here comes the difficult part– we required a method to have the victim run “mshta payload_url” without our payload being spawned as a kid procedure of mshta.exe– as we believe this companys blue group might flag this.

Send them an email– telling them there is a change in the FREE LUNCH menu beginning with tomorrow.

The objective was easy– see how susceptible the company is from an external point of view and test the efficiency of the security manages that are handled enterprise-wide. As such, asides, the company name, we were offered “ZERO” info to carry out an external black-box penetration Testing.

OSINT 101.

Again, I leave the possibilities to your creativity– but you can easily convert this to a.csv file using or any other converter that works for you.

To do this, we need a really compelling story– simply because users are getting smarter. We headed back to doing more recon.

What made it truly stand out asides the gorgeous interface is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan regional network for open SMB, pivot to another machine, load mimikatz and a lot more.

We are midway through sending our payload now. Have some patience and keep reading …

Now we get to the interesting part, we require our victim to open the Microsoft word file and our payload.

We need to understand more about Hackme– specifically the culture and staff members behavior. The question we kept asking ourselves was “what would intrigue the employees?”.


… and more reconnaissance.

website: -inurl: dir “at Hackme” “Current”. A case in point is revealed listed below utilizing Google Inc as a recommendation company.

… and more reconnaissance.

After poring through reviews of the target organization on Glassdoor, we discovered some typical styles:.

Outcome: Black-box Penetration Testing.

Modification the icon to Microsoft Words icon and also, alter the caption to show your message.

We also know that it is a common practice for some file type/extensions to be obstructed by the companys email filters– to limit exposure to risk.

Considering that we are imitating a Black-box Penetration Testing, we decided (similar to what an opponent would do) to acquire code execution utilizing destructive payloads. As such, we thought about creating a payload and sending it via emails to employees of Hackme.

Its time to send our payload.

Feed our Target list a Payload.

… reconnaissance once again ???

This black-box external penetration Testing Performing with a by a client called (Hackme).

By hacking a script to automate the process, we copied out the given names, last names and the roles of the present employees of Hackme.

So we ran Koadic and set the required variables– utilizing the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).

Like the old stating goes, the fastest way to a males heart is through his stomach. What better way to get the workers to open our payload ingrained word document?

We started with some Open Source Intelligence (OSINT) 101:-RRB-. There are quite a number of open source intelligence tools– to help in gathering emails, subdomains, hosts, employee names, etc from different public sources like online search engine and shodan. There is an extensive list of such amazing tools here.

The outcome was a generate of our HTA payload URL as evidenced in the screenshot above. However, we require our targets to perform our payload as “mshta payload_url”.

Instead of send a random phishing e-mail to staff members that might be spotted quickly, we decided a seemingly authentic email would be ideal complete with Hackme e-mail signature while observing the organization email culture.

Some staff members felt mobility was an obstacle as the workplace is quite a long range from property places.
Staff members enjoy the organization since they secure free lunch.

Equipped with this knowledge, we forked out from LinkedIn the list of all present workers of Hackme using the following google dork syntax:.

The intended attack circumstance was:.

In recent years, HTA payloads have been utilized as a web attack vector and likewise, to drop malware on a victims PC. Now we need to get this payload past our victims numerous defenses.

Where else to get this information than Glassdoor, a platform that offers you inside scoop on companies with worker reviews about salaries, advantages, benefits and drawbacks of working with the business.

Obviously, our objective was not to relentlessly look for documents. Rather, our objective was to comprehend the companys naming schema by analyzing the metadata of the documents which is discovered in the “properties section” of the file (most especially Microsoft Word, PowerPoint, and Excel). One can also use FOCA for this.

Also Read: Network Penetration Testing Checklist.

This spawns a new procedure and we get a shell access into our victims PC.

The next step usually is to send our.hta payload as an ingrained OLE item.

Send out a Microsoft word file with our.hta payload embedded as an OLE item.
Get the user to open the word file and the embedded OLE object.

The good news is, we saw the tip on the left from Matt Nelson and remarkably, the team at NCC group have this implemented in Demiguise.

We need to know more about the target organizations environment– particularly staff members. The concern we kept asking ourselves– what would intrigue the workers?

So here is our last payload saved as a.hta file.

Using your favorite word processor (word combine, notepad++, etc) or some great scriptful skills, combine the firstname + lastname– to form your e-mail list.

Dont Forget the Anti-virus!!!

To inspect the AV detection rate of our payload– and to see if it will be flagged as malicious by Hackme anti-viruses service (if any), we did a quick AV scan on was used due to the fact that according to them, they do not distribute payload samples to AV companies. We scanned both the maldoc and the.hta file too.

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistic Manager or Admin Managers email address.

Its Time to Send our Email.

In this case, I produced a Gmail account (yes, Gmail works too) utilizing the Logistic Managers first name and last name– and then spiced it up with his signature which was gotten earlier.

AV Scan of our.hta payload (0 detections).

Let the shells in.

Quickly after sending the e-mail, within a duration of about 3 minutes, we had at least 30 shell connections! W00t!!!


The rest they typically say is history. From here-on, utilizing the mimikatz modules, we intensified benefits, discarded hashes, scanned the regional network of Hackme, pivoted into other PCs, searched the targets file systems and even ended up being domain admins etc

What next?

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

There are quite a number of open source intelligence tools– to help in gathering emails, subdomains, hosts, employee names, etc from various public sources like search engines and shodan. Rather, our goal was to understand the companys calling schema by taking a look at the metadata of the documents which is discovered in the “homes section” of the file (most particularly Microsoft Word, PowerPoint, and Excel). One can also utilize FOCA for this.

The ethical of the exercise is: Recon, reconnaissance and more recon– for a smart guy as soon as stated.

” Once you understand your target environment, creating an imaginative ways in acquiring access to the environment becomes relatively easy”.

Rotimi Akinyele– Rotimi is a knowledgeable Cybersecurity, IT Risk, governance, and compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.


In conclusion. All in all, this was a very enjoyable engagement. Whilst it might take an opponent a month/2months/a year of devotion to get into a company– through a loophole at the infrastructure level. It can be fairly easy for one to get access by exploiting the human factor.

” Give me 6 hours to slice down a tree and I will spend the first 4 honing the axe”.

Dont Forget the Anti-virus!!!

To check the AV detection rate of our payload– and to see if it will be flagged as malicious by Hackme harmful solution (if any), we did a quick AV scan fast was used since according to them, they do not distribute payload samples to AV companies.