Download to read offline
Uploaded by⭕Alexander Rymdeko-Harvey
THE {PHISHING} {PATH} TO {INFO} WE MISSED
The document discusses various aspects of phishing techniques, focusing on the use of Microsoft InfoPath for creating deceptive forms. It analyzes market data on document attachments and outlines the structure and security settings of InfoPath forms, while providing insights into red team tactics for phishing campaigns. The content includes technical details about deployment options and coding practices to effectively execute such attacks.
THE {PHISHING} {PATH} TO {INFO} WE MISSED
- 1. THE {PHISHING} {PATH}TO {INFO} WE MISSED ALEXANDER RYMDEKO-HARVEY RED TEAM – THREAT EMULATION (¬_¬), October 25, 2017
- 2. WHO AM IIN MEME’S?
- 3. Anyone Know ThisLogo?
- 4. AGENDA MS INFOPATH INTERNALS HELLOWORLD WEAPONIZATION USECASES STATE OF THE PHISH
- 5. DATA ANALYSIS: MicrosoftOffice Market Share % of Market share help by office in the text processing sector with in the US Source: http://www.webmasterpro.de/portal/news/2010/0 2/05/international-openoffice-market-shares.html 82% 10% 4% 4% OpenOffice WordPerfect Apple iWork MS Office
- 6. DATA ANALYSIS: 2016Attachments By The Numbers Office documents were the most popular attachment type, with executable files becoming less popular. Source: https://www.symantec.com/content/dam/symante c/docs/reports/istr-21-2016-en.pdf 58% 16% 10% 9% 3% 3% 1% .HTM/HTA .DOCM .DOC .EXE .JS .HTM/HTA .XLS
- 7. WE KNOW THIS…HECK WE ALL LOVE AN (OLE) PAYLOAD.. I ENDED UP STUMBLING ON....
- 8.
- 9.
- 10. INFOPATH DATA STRUCTURE .XSFFILE manifest file that describes the basic definition of other form files 1 .XSL FILE Defines the transformation for data into different views 2 .XSD FILE Defines the data source schema. 3 .DLL FILE Carries the custom logic built into .NET or COM. 4 Custom HTML/Images resource files and other resources for the form 5 RESOURCE FILE InfoPath.xsn
- 11.
- 12. INFOPATH DESIGN • Tocreate and publish an InfoPath form template (.xsn) • Pre-built forms • Easy UI design • Allows for Red Team to make awesome corporate surveys • InfoPath Filler • People who are filling out forms • Simple and easy-to-use UI • Limited version, can not inspect source or XML InfoPath Designer vs InfoPath Filler1 InfoPath Designer / Code Editor
- 13. BUILD ENVIROMENT Windows 10Pro Build: 16299 Visual Studio Professional 2012 Visual Studio C# Support Visual Studio Tools for Applications 2012 Office Professional Plus 2013 .NET Framework 3.5 SP1 1 2 3 4 5 6
- 14.
- 15. DON’T FORGET TOREBOOT...........................
- 16.
- 17. INFOPATH HELLOWORLD: • InternalStartup() •FormEvents_<event>() • Loading • Merge • Save • Sign • Submit C# Basic Popup
- 18.
- 19.
- 20.
- 21. UNSAFE CODE • UsingSystem.Diagnostics to create a process requires: • “Allow unsafe code” flag set • “Unsafe” functions require this as well Unsafe Code
- 22. INFOPATH SECURITY LEVELS Followingwill not work: • Data connections • Managed code and script • Custom dialog boxes • Microsoft ActiveX controls RESTRICTED DOMAIN FULL TRUST Can access the following: • Same domain as the form • Content in the Local computer zone in Internet Explorer • Content in the Local intranet zone in Internet Explorer Can access the following: • Same domain as the form • All other domains, without first displaying a security message • Files and settings on the computer
- 23.
- 24.
- 25.
- 26.
- 27.
- 28. SOLVING THIS ISSUE:Some what stealthy.. Resume execution • Locate the PE Entry • Create small but of ASM • Patch IMAGE_OPTIONAL_H EADER Patch the original process entry point • ZwCreateSection(), RWX for our Shell Code • Map our shellcode Map a view of our shellcode buffer into it • FindEntry() • Locate the module base address in the remote process • Read in the first page • Locate the entry point Start a new (suspended) process • Operator selects target process • CreateProcess() Execute InfoPath Entry Point • PInvoke • Unmanaged code • Structures / Enums
- 29. TRADECRAFT: Tips &Tricks INVEST IN BUILDING A STORY NOT JUST A PAYLOAD New-SelfSignedCertificate Certificate Creation Create a Pretext to Match Create custom self signed certs to match the pretext of the phish. If possible roll EV certs for easy win.. Take the time build out the scenario, even if you get exec(), its always nice to leave the warm and fuzzy.
- 30.
- 31. INFOPATH DEPLOYMENT OPTIONS •Easy deployment options for content authoring • Supported by InfoPath • Allows you to “Update” payload on the fly • Allows you to send a link or template file WEBDAV SHAREPOINT EMAIL • Allows to deploy internally • Deploy to cloud for internet access with no authentication • Create new Emails that contain the form • Use this when you don’t want to host externally • InfoPath Filler still required
- 32. ANY QUESTIONS? Credit: Steve Borosh@424f424f – Helped with deployment Chris Ross @Xorrior & Jesse Reiner @unclejesse – Helped with phishing aspects Aaron Bray @Ambray – Built PE Hollowing Resources: https://github.com/InfoPhish/InfoPhish/