Phishing Frenzy: HTA PowerShell Attacks with BeEF
If you’re not currently using Phishing Frenzy, BeEF, or PowerSploit for your Phishing campaigns you’re really missing out. In this article we are briefly going to cover what I consider to be one of the “new hotness” attack vectors that every pentester should be using in their next phishing assessment.
This would require that you have a BeEF instance running on port 3000/TCP located at phishingfrenzy.local.
With BeEF enabled your website will have the BeEF tags added to the source code of the HTML automatically.
HTA Powershell Attack
Thanks to the recent addition from antisnatchor to the Phishing Frenzy templates repository you can check out the HTA PowerShell template for a PoC demonstration. Note that the HTA Powershell attack is only viable against modern Internet Explorer browsers.
Now that we know how to quickly hook browsers using Phishing Frenzy and BeEF lets go over automating a real world attack vector that can be extremely effective to gain a shell.
By default BeEF will not launch any modules automatically when a browser is hooked. You have two primary options for launching modules which are the web UI or configuring specific modules to run automatically. In this example we are going to demonstrate how to launch the HTA_Powershell module automatically.
First thing we need to do is enable the module’s AutoRun attribute so it will run once a browser is hooked. This can be done on a module-by-module basis by editing the respective config.yaml file.
Once AutoRun is enabled you’ll most likely want to change the default values that are configured for the module. In our case BeEF was running at phishingfrenzy.local and our metasploit service was running on 192.168.1.164 so we changed both values as shown below.
These are the only necessary changes needed for BeEF to AutoRun the HTA_Powershell module with our custom values.
Now you’ll need to ensure that you have BeEF service running and your hook.js is fully assessable to the Internet. This is required so the targets can get hooked properly.
Before we send out any emails and start the attack we will want to ensure we have metasploit running with a multi/handler. Here is the example resource script that I run on msfconsole startup.
Now that our BeEF service and multi/hanlder are up and running lets send out some emails so we can get some visitors to our phishing website.
Below is an example email that we sent to hook some browsers off our phishing website.
Once the user clicks on the phishing link they will be directed to a phishing page. When they land on the page BeEF is configured to automatically send the HTA_Powershell module. This will cause a popup for the user where they can “Open”, “Save”, or “Cancel”.
Example of BeEF sending HTA_Powershell module to visitors who are hooked automatically without interaction.
Example of HTA Powershell popup notification.
Once a user clicks the “Open” button HTA code execution will occur. The HTA, if allowed to run, runs via a completely different executable called “mshta.exe”. Code inside an HTA run in a more privileged context, and allows you do more stuff like calling OS commands such as “powershell.exe.” PowerShell then leverages PowerSploit to invoke-shellcode and give us the shell while mitigating the risk of getting caught by Antivirus.
If everything goes properly you should be greeted with a Meterpreter shell that we all know and love.
For all of those who love a video demonstration, here is Phishing Frenzy + BeEF + PowerSploit + Metasploit == FTW:
Again, if your not using Phishing Frenzy, BeEF or PowerSploit for your Phishing I highly suggest you check it out. For more information checkout www.phishingfrenzy.com
Enjoy Phishing all the things with Phishing Frenzy!
Share this article
Follow Pentest Geek
Subscribe to Pentest Geek
- How To Install Metasploit Framework Ubuntu 14.04
- How to Install Nmap From Source
- Another Lap Around Microsoft LAPS
- Credential Harvesting via MiTM – Burp Suite Tutorial
- SSL Certificate from letsencrypt.org – Setup Guide
- Forensics and Incident Response
- Information Gathering
- Penetration Testing Tutorials
- Web Applications