mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
Update phishing-documents.md
This commit is contained in:
parent
aa23f9e75b
commit
4b17d87a02
1 changed files with 10 additions and 10 deletions
|
@ -18,9 +18,9 @@
|
||||||
|
|
||||||
## Office Documents
|
## Office Documents
|
||||||
|
|
||||||
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
|
Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
|
||||||
|
|
||||||
Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.\
|
Usually, Word files containing macros use the `.docm` extension. However, it's possible to rename the file by changing the file extension and still keep their macro executing capabilities.\
|
||||||
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.\
|
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.\
|
||||||
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
|
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
|
||||||
|
|
||||||
|
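Review bot: the new wording of the `.docm` line still has a number mismatch: "rename the file ... and still keep their macro executing capabilities" pairs a singular "file" with "their". Suggest "and still keep its macro-executing capabilities". In the unchanged context line, "Excel, PowerPoint etc." needs a comma before "etc.".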
@ -41,11 +41,11 @@ _**Categories**: Links and References, **Filed names**: includePicture, and **Fi
|
||||||
|
|
||||||
### Macros Backdoor
|
### Macros Backdoor
|
||||||
|
|
||||||
It's possible to use macros to run arbitrary code form the document.
|
It's possible to use macros to run arbitrary code from the document.
|
||||||
|
|
||||||
#### Autoload functions
|
#### Autoload functions
|
||||||
|
|
||||||
The more common they are, the more probable the AV will detect it.
|
The more common they are, the more probable the AV will detect them.
|
||||||
|
|
||||||
* AutoOpen()
|
* AutoOpen()
|
||||||
* Document\_Open()
|
* Document\_Open()
|
||||||
|
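Review bot: "the more probable the AV will detect them" is still ungrammatical after the "it" to "them" fix; suggest "the more likely it is that the AV will detect them". The heading "Macros Backdoor" in the unchanged context would read better as "Macro Backdoor".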
@ -99,9 +99,9 @@ Do this because you **can't save macro's inside a `.docx`** and there's a **stig
|
||||||
|
|
||||||
## HTA Files
|
## HTA Files
|
||||||
|
|
||||||
An HTA is a proprietary Windows program whose **source code consists of HTML and one or more scripting languages** supported by Internet Explorer (VBScript and JScript). The HTML is used to generate the user interface and the scripting language for the program logic. An **HTA executes without the constraints of the browser's security model**, so it executes as a "fully trusted" application.
|
An HTA is a proprietary Windows program whose **source code consists of HTML and one or more scripting languages** supported by Internet Explorer (VBScript and JScript). HTML is used to generate the user interface and the scripting language for the program logic. An **HTA executes without the constraints of the browser's security model**, so it executes as a "fully trusted" application.
|
||||||
|
|
||||||
An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**. In fact, **`mshta` is dependant on IE**, so if it has been uninstalled, HTAs will be unable to execute.
|
An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**, making **`mshta` dependant on IE**. So if it has been uninstalled, HTAs will be unable to execute.
|
||||||
|
|
||||||
<pre class="language-html"><code class="lang-html"><strong><--! Basic HTA Execution -->
|
<pre class="language-html"><code class="lang-html"><strong><--! Basic HTA Execution -->
|
||||||
</strong><html>
|
</strong><html>
|
||||||
|
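Review bot: "dependant" is misspelled in both the old and the new line; the adjective is "dependent" ("making `mshta` dependent on IE"). The rewrite also splits one sentence into a fragment starting with "So"; keeping the original structure with the spelling fix ("In fact, `mshta` is dependent on IE, so if it has been uninstalled, HTAs will be unable to execute.") reads more cleanly. In the unchanged context line, `<--! Basic HTA Execution -->` is not a valid HTML comment; the syntax is `<!-- Basic HTA Execution -->`.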
@ -125,7 +125,7 @@ An HTA is executed using **`mshta.exe`**, which is typically **installed** along
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
```html
|
```html
|
||||||
<--! Cobal Strike generated HTA withot shellcode -->
|
<--! Cobal Strike generated HTA without shellcode -->
|
||||||
<script language="VBScript">
|
<script language="VBScript">
|
||||||
Function var_func()
|
Function var_func()
|
||||||
var_shellcode = "<shellcode>"
|
var_shellcode = "<shellcode>"
|
||||||
|
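Review bot: the "withot" to "without" fix leaves "Cobal Strike" misspelled on the same line; it should be "Cobalt Strike". The comment delimiter `<--!` is also malformed HTML; use `<!-- Cobalt Strike generated HTA without shellcode -->`.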
@ -161,9 +161,9 @@ An HTA is executed using **`mshta.exe`**, which is typically **installed** along
|
||||||
|
|
||||||
## Forcing NTLM Authentication
|
## Forcing NTLM Authentication
|
||||||
|
|
||||||
There are several ways to **force NTLM authentication "remotely"**, for example you could add **invisible images** to emails or HTMLs that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.**
|
There are several ways to **force NTLM authentication "remotely"**, for example, you could add **invisible images** to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.**
|
||||||
|
|
||||||
**Check this ideas and more in the following pages:**
|
**Check these ideas and more in the following pages:**
|
||||||
|
|
||||||
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
|
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
|
||||||
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
|
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
|
||||||
|
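Review bot: "invisible images to emails or HTML that the user will access" is still awkward after the "HTMLs" change; suggest "emails or HTML pages that the user will access". The parenthetical "(even HTTP MitM?)" remains an open question in the text; either state the point plainly or drop it.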
@ -175,7 +175,7 @@ There are several ways to **force NTLM authentication "remotely"**, for example
|
||||||
|
|
||||||
### NTLM Relay
|
### NTLM Relay
|
||||||
|
|
||||||
Don't forget that you cannot only steal the hash or the authentication, but also **perform NTLM relay attacks**:
|
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**:
|
||||||
|
|
||||||
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)****
|
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)****
|
||||||
* ****[**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)****
|
* ****[**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)****
|
||||||
|
|
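Review bot: removing the comma does not fix the real problem in this line: "you cannot only steal" should be "you can not only steal", since the construction is "not only ... but also". Suggest: "Don't forget that you can not only steal the hash or the authentication, but also **perform NTLM relay attacks**:". In the unchanged context lines, the empty `****` bold markers wrapping the two links are markdown leftovers and can be dropped.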