Full Report
On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically phishing only). In preparation for the attack, I wanted to see what software they were running, so that Vlad and I could target them in a more intelligent fashion. As this technique worked well, I thought it was a neat trick worth sharing. First off, the approach was to perform some footprinting to see if I could find their likely Internet breakout. While I found the likely range (it had their mail server in it), I couldn’t find the exact IP they were being NAT’ed to. Not wanting to stop there, I tried out Vlad’s Skype IP disclosure trick, which worked like a charm. What’s cool about this approach is that it gives you both the internal and external IP of the user (so you can confirm they are connected to their internal network if you have another internal IP leak). You don’t even need to be “friends”; you can just search for people who list the company in their details, or do some more advanced OSINT to find the Skype IDs of employees.
Analysis Summary
# Tool/Technique: Skype IP Disclosure Trick (Vlad's Trick)
## Overview
This technique leverages the Skype application to obtain the internal and external IP addresses of a target user. Successful execution confirms the target is connected to their internal network, which is useful context for planning subsequent intrusion phases, such as delivering a phishing payload.
## Technical Details
- Type: Technique
- Platform: User Workstations (Windows implied, based on context of collected OS data)
- Capabilities: Disclosing both the internal and external IP address of a Skype user.
- First Seen: Information provided is from an article published in January 2013, referencing a known trick.
## MITRE ATT&CK Mapping
- T1598 - Gather Victim Identity Information
- T1598.003 - Social Media
- T1598.004 - Email Accounts
- T1049 - Reveal IP Addresses
- T1049.001 - IP Configuration Discovery (Indirectly, as it reveals IPs related to the internal network)
## Functionality
### Core Capabilities
- **IP Address Discovery:** Obtaining the IP address(es) associated with a Skype user's connection.
- **Internal Network Confirmation:** The ability to capture the internal IP allows the attacker to confirm if the user is currently connected to the target organization's internal network.
- **OSINT/Targeting Prep:** Used during the reconnaissance phase to tailor subsequent attacks (like phishing) based on known environment details (e.g., confirmation of internal connectivity).
### Advanced Features
- **No Friendship Required:** The technique can be executed by merely searching for users listing the target company in their Skype profile details or through other advanced OSINT to locate Skype IDs.
- **Dual IP Leak:** Uniquely provides both the external (NAT) IP and the internal IP simultaneously.
## Indicators of Compromise
- File Hashes: N/A (This is an information gathering technique, not a piece of malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Involves Skype network activity used for information leakage)
- Behavioral Indicators: Successful execution results in the attacker receiving IP correlation data from the Skype network infrastructure related to the target user.
## Associated Threat Actors
- The specific technique is attributed generally to "Vlad" and potentially used by penetration testers/ethical hackers ("we") as described in the article. It is a known technique in early 2010s reconnaissance circles.
## Detection Methods
- **Network Monitoring:** Monitoring outbound traffic patterns from Skype that might indicate call signaling or communication attempts designed for IP leakage (though this is hard to distinguish from normal Skype traffic).
- **Policy Enforcement:** Restricting or monitoring the use of non-business communication tools like Skype on corporate networks.
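As an added example (not code from the original article), the policy-enforcement detection above run over constructed DNS log lines: it reports which hosts inside the corporate ranges resolved Skype hostnames. The domain suffixes, the log format and the sample entries are assumptions for illustration.

```python
"""Flag internal hosts whose DNS log entries show Skype client activity."""
import ipaddress
import re
from collections import defaultdict

# Assumed suffixes a Skype client resolves; extend from your own DNS telemetry.
SKYPE_DOMAIN_SUFFIXES = ("skype.com", "skype.net")

# Constructed sample log, one "timestamp client_ip qname" record per line.
SAMPLE_DNS_LOG = """\
2013-01-14T09:12:01Z 10.1.20.15 login.skype.com
2013-01-14T09:12:03Z 10.1.20.15 API.skype.com.
2013-01-14T09:13:40Z 10.1.20.77 www.example.com
2013-01-14T09:15:02Z 10.1.30.8 ui.skype.com
2013-01-14T09:15:09Z 172.16.5.4 notskype.com
2013-01-14T09:16:00Z 198.51.100.9 login.skype.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_skype_domain(qname):
    """Exact or label-boundary suffix match, so 'notskype.com' is not a hit."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in SKYPE_DOMAIN_SUFFIXES)


def skype_hosts(log_text, corporate_nets):
    """Return {internal_ip: sorted Skype qnames} for clients in corporate_nets."""
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the run
        _, client, qname = m.groups()
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue
        if not any(ip in n for n in nets):
            continue  # only corporate hosts are policy-relevant
        if is_skype_domain(qname):
            hits[client].add(qname.lower().rstrip("."))
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in skype_hosts(SAMPLE_DNS_LOG, ["10.0.0.0/8", "172.16.0.0/12"]).items():
        print(host, ",".join(names))
```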
## Mitigation Strategies
- **Skype Usage Policy:** Implementing strict policies against using unauthorized, non-corporate communication tools for work activities.
- **Network Segmentation/Filtering:** Restricting outbound connections from internal networks that might facilitate these types of communication or data leaks.
## Related Tools/Techniques
- General OSINT gathering techniques used to find target employee details, which are then used to initiate the Skype contact.
- User Agent String Collection via indexed web logs to determine client software versions (OS, Browser, etc.).
- Use of client-side exploitation frameworks (BlackHole, Metasploit Browser AutoPwn) noted as being blocked, leading to reliance on customized internal tools.