So, I stumbled upon an interesting script.
Over the years, I have been using various tools and scripts to do spear phishing, with the many vulnerabilities in the Microsoft Office suite and Adobe PDF Reader being enablers and the ability to embed macros being an even bigger enabler. But things have changed: users are now wary of the "enable macros" warning and they don't enable macros anymore 😦
…hence most spear phishing attempts fail, or are filtered by mail filters, firewalls and IPSs because they are deemed suspicious.
So this was a breath of fresh air and seems to get through most IPSs and security devices.
On your listening server:
Download the script and put an image of your choice in the same folder. I chose elephant.jpg.
Start the script as shown below. Here we want this server to act as the listening server, hence the 1 after the image name; setting it to 0 will not start the listener.
The script is mostly automated; the only hard work is sending the file. Notice below that an *.rtf file (1491333207.rtf) has been generated from the *.jpg image (elephant.jpg).
This is the file we send to the victim, and this is where we need to get really creative.
After sending the *.rtf document to the victim:
Wait for the victim to open the document; as soon as they do, NTLM hashes appear on the listening server terminal. At the same time a file, passwords_netntlmv2, containing the captured NetNTLMv2 hashes is created. That brings us to the last step: cracking the hashes.
There are many tools for this, but John the Ripper is recommended for various reasons. I used JTR for this illustration, as shown below:
And voila, passwords of the victim!
Note: cracking can take considerably longer depending on the complexity of the password and the wordlist used.
From a blue teamer's point of view:
- This shows the need for strong passwords that meet complexity requirements; a captured hash is only as useful as the password behind it is weak.
- The outbound connection over port 445 is a common pattern (especially for Meterpreter sessions) and, while not conclusive on its own, is a useful indicator of compromise.
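As an added example (not part of the original post or of the script it describes), here is a small Python check that applies the second blue-team point: it scans constructed firewall log lines and flags TCP/445 connections from internal hosts to addresses outside the private ranges, which is the egress pattern a document like the one above produces when opened. The log line format and the set of "internal" networks are assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the original post). The format
# "TIMESTAMP ACTION PROTO SRC:PORT -> DST:PORT" is an assumption for this example.
SAMPLE_LOG = """\
2017-04-04T10:23:09 ALLOW TCP 10.0.0.25:49810 -> 10.0.0.5:445
2017-04-04T10:23:11 ALLOW TCP 10.0.0.25:49812 -> 203.0.113.7:445
2017-04-04T10:23:12 ALLOW UDP 10.0.0.25:53412 -> 8.8.8.8:53
2017-04-04T10:23:15 ALLOW TCP 10.0.0.31:51002 -> 198.51.100.9:445
2017-04-04T10:23:16 ALLOW TCP 10.0.0.31:51003 -> 198.51.100.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_PORT = 445

# Assumed "internal" address space: RFC1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True if the address lies outside every assumed internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return (timestamp, src, dst) for every TCP/445 connection to an external host.

    SMB to internal file servers and domain controllers is normal and skipped;
    SMB leaving the network is the pattern worth alerting on.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: ignore rather than crash the scan
        if m["proto"] != "TCP" or int(m["dport"]) != SMB_PORT:
            continue
        if is_external(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_outbound_smb(SAMPLE_LOG):
        print(f"{ts} outbound SMB from {src} to {dst}: check what the host opened just before")
```

Blocking TCP/445 egress at the perimeter removes the channel entirely; the check above is for spotting attempts where that block is missing or was bypassed.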