Skip to main content

WordSteal - Stealing Windows Credentials through crafted document

On every external pen-test I do after information gathering  and enumeration phase I prepare some spear-phishing campaigns. My favorite method is using Word Macros because most of the companies use a windows environment and the Microsoft Office pack is used widely.

During a pen-test on of the problems that I faced was the mail gateway was rejecting every email that contained macro. Even if it was encoded,obfuscated, encrypted even empty the email gateway rejected our emails. 

Since I hadn't some l33t 0day for all the version of Microsoft Word ( company used different versions) ,  I had to find a different way to spear-phish the employees.


Then I remembered a post about a Word Exploit generator which used an unusual way to track how many times the document was opened. Microsoft Word had an undocumented function that can load a remote picture. The malware creators used http to map the users who opened the files.

Then I thought why not trying the  'file://' handler.

If you want to read more about the Word Exploit generator here is the blog post:

Now let's see if it works.

First I used metasploit auxiliary module server/capture/smb to start a SMB sniffer.










After that I created a simple rtf file that tries to load an image from my smb server.






And as expected it worked and the victim tried to authenticate to my SMB Server and the credentials were saved.

With the stolen credentials you can do a lot and is the first step inside the company.

I created a simple script ( which is terribly coded ) to do this automated job as time is important during a pen-test. 

The Script can be found here : https://github.com/0x09AL/WordSteal

WordSteal - Demo





Comments

Popular posts from this blog

SkyTower CTF Walkthrough

VM Author Description

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.
You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.

Author: Telspace Systems

Download: VulnHub

Exploiting EasyCafe Server <= 2.2.14 Remote File Read

Disclaimer:
All the information described here should not be used for malicious purposes. The author of the post does not keep responsibility for any illegal action you  do. This posts are written only for education purposes and understanding of vulnerabilities to prevent similar vulnerabilities in the future.If you do not agree  please leave this site 
immediately.

I decided to do an audit to a software that is used widely among internet cafes here in Albania.
The software is called EasyCafe and the software website http://www.tinasoft.com/index.htm  states that is "The best Internet Cafe Management Software". First let me explain how this software works.