Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload.
Latest commit 18e3163 Mar 15, 2019
mkhtaccess_red

Sandboxing makes phishing / infection hard. If a target can hand your payload off to a third party to "detonate", how do you get them to run it? Simple: hand the sandboxes an innocuous payload to detonate instead.

This is done with three inputs: User-Agent regex matching, the network prefixes advertised by the ASNs of known sandbox companies, and "MISC" networks/addresses that were observed in previous real-world phishing attempts. The original idea came up during some phishing campaigns a while ago; later someone pointed me to @curi0usJack's htaccess file, which provided the user-agents.

Thanks to @curi0usJack for some data source/info, and thanks to @imoorhouse904 for testing and data to add!

TL;DR: edit DESTINATION to point at the benign version of your payload, put the script's output into .htaccess, and hopefully enjoy phishing again!


Apache Config

Make sure your Apache config sets AllowOverride for the directory that holds the payload, otherwise the .htaccess file is silently ignored. RewriteCond/RewriteRule in an .htaccess need at least AllowOverride FileInfo (All also works) and mod_rewrite must be loaded (a2enmod rewrite on Debian/Ubuntu). Example:

    <Directory "/var/www/html/test">
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>

If you need to debug how it is matching, add "LogLevel alert rewrite:trace6" to your main configuration (Apache 2.4 syntax) and read the error log. Keep in mind that every request then logs EVERY rule evaluation, i.e. one line per regex/network in the generated file. This can fill logs and drives quickly if a lot of requests occur, so turn it off again once the rules behave!

mkhtaccess_red Config

Simply edit a few variables within the program, all at the top (the script is shell, so the explanations below are shown as # comments):

    WORKINGFILE=/tmp/redhtaccess        # the final generated file; you can leave this
    TMPFILE=/tmp/tmptargets             # temp working file; you can leave this
    JACKTMP=/tmp/jacktmp                # temp working file for curi0usJack's file; you can leave this
    CURLOPTIONS="--connect-timeout 10"  # extra curl options, such as a proxy; you can leave this
    DESTINATION="http://funkytown.com/DIR/file.doc"   # where sandboxes get redirected

DESTINATION is the one you must change: make the URL look as similar to the original payload URL as possible, but make it serve a clean (malware-free) version of your payload. Note that the three working files above have fixed, predictable names under /tmp, so run the generator on a host you control, not on a shared box where other local users could pre-create those paths.

Adding Useragents / ASNs / Misc networks to mkhtaccess_red

Similar to the section above, all ASN/useragent/misc configuration is kept inside the script itself to keep the file portable and easy to deal with.

AGENTS

Simply add additional regexes to match agents inside this variable. Entries are separated by whitespace, so a single pattern cannot contain a space. Example:

    AGENTS="^.*cloudfront.*$ ^curl.*$ ^Python-urllib.*$ ^Wget.*$ ^Lynx.*$ ^Slackbot-LinkExpanding.*$"

ASNs

Add additional ASNs to this variable in the form CompanyName_AS#, separated by whitespace. The company name is only a label; the AS number is what gets resolved to network prefixes. Example:

    ASNS="zScaler_AS22616 DigitalOcean_AS46652 ForcePoint_AS13448 CiscoMeraki_AS395831"

Misc Nets/Addresses

Add one line per "misc" source, starting with a "#". Use the form (the reason field may be left empty, but keep the trailing dash):

    #MISC-NetworkOrIP-CompanyName-ReasonAdded

Example:

    #MISC-195.47.249.0/24-Bayer-Seen in phish
    #MISC-40.96.0.0/12-MicrosoftCorp-40.107.242.0 seen in previous phish
    #MISC-40.125.0.0/17-MicrosoftCorp-

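To make the three sections above concrete, here is an added example (written for this page, not the project's own script and not its actual output format) that takes an AGENTS list, a block of #MISC lines and a DESTINATION in exactly the forms documented above and renders them into the mod_rewrite block an .htaccess for this purpose needs. It targets Apache 2.4 (the expr/-ipmatch condition is 2.4-only), and the ASN step is left out because it needs a live ASN-to-prefix lookup; the prefixes that lookup returns would go through the same path as the MISC networks. The sample MISC lines are the README's own examples plus one deliberately malformed line, and the DESTINATION is the README's placeholder.

```shell
#!/bin/sh
# Added example: render mkhtaccess_red-style inputs into an Apache 2.4
# mod_rewrite block. Not the project's code; the output layout is my own.

DESTINATION="http://funkytown.com/DIR/file.doc"   # README placeholder; benign copy goes here
AGENTS="^.*cloudfront.*$ ^curl.*$ ^Python-urllib.*$ ^Wget.*$ ^Lynx.*$ ^Slackbot-LinkExpanding.*$"

# Constructed sample in the documented #MISC-Net-Company-Reason form.
# The last line is intentionally not a MISC entry and must be ignored.
MISC='#MISC-195.47.249.0/24-Bayer-Seen in phish
#MISC-40.96.0.0/12-MicrosoftCorp-40.107.242.0 seen in previous phish
#MISC-40.125.0.0/17-MicrosoftCorp-
# not a MISC line, must be ignored'

# gen_htaccess: print the .htaccess body on stdout.
# Every condition carries [OR]; a final never-matching condition closes the
# OR chain so the block stays well formed no matter how many entries exist.
gen_htaccess() {
    printf '%s\n' "RewriteEngine On"

    printf '%s\n' "# Known sandbox / link-preview user agents (case-insensitive)"
    set -f   # patterns contain '*' and '$'; do not let the shell glob them
    for re in $AGENTS; do
        printf '%s\n' "RewriteCond %{HTTP_USER_AGENT} \"$re\" [NC,OR]"
    done
    set +f

    printf '%s\n' "# Networks seen detonating or previewing earlier phishing payloads"
    printf '%s\n' "$MISC" | grep '^#MISC-' | while IFS= read -r line; do
        body=${line#\#MISC-}
        net=${body%%-*}; rest=${body#*-}          # IPs/CIDRs never contain '-'
        company=${rest%%-*}; reason=${rest#*-}   # reason may be empty
        printf '%s\n' "# $company: ${reason:-no reason recorded}"
        printf '%s\n' "RewriteCond expr \"%{REMOTE_ADDR} -ipmatch '$net'\" [OR]"
    done

    # Terminator: REMOTE_ADDR is never empty, so this condition never matches
    # on its own; it only ends the OR group above.
    printf '%s\n' "RewriteCond %{REMOTE_ADDR} ^$"
    # 302, not 301, so nothing caches the redirect for the next visitor.
    printf '%s\n' "RewriteRule .* $DESTINATION [R=302,L]"
}

# Usage: sh this_script.sh > /var/www/html/test/.htaccess
gen_htaccess
```

Once the file is in place, check it from a box whose address is not in the list: `curl -sI -A 'curl/7.68.0' http://your-host/test/file.doc` should return a 302 with Location pointing at DESTINATION, while a browser User-Agent from the same address should get a 200 and the real file. Set the rewrite trace log level mentioned in the Apache section if one of those two checks comes out wrong.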