Sandboxing makes phishing/infection hard. If a target can hand off your payload to a third party to "detonate", how can you get them to run your payload?! Simple: by handing sandboxes innocuous payloads to detonate.
How do we do that? By dynamically creating and deduplicating a redirect list (written out as an Apache .htaccess) based on:
- Sandbox/Security company networks by ASN
- Current Tor Exit Nodes
- Cloud Provider networks (AWS, GCP, Azure, IBM, etc)
- UserAgents of known security scanners/possible blue team tools
- Networks seen in previous engagements
The original idea came during some client engagements and getting annoyed while watching sandboxes grab samples. I created the initial version of the code, and later I found @curi0usJack's static htaccess example, which is grabbed and included.
- @curi0usJack for his example htaccess
- @imoorhouse904 for testing and data
- aconite33 for adding Cisco ScanSafe data
- Jacqueline, because.. well, she deals w/ me
If it has to be said, ***THIS SOFTWARE IS FOR LEGAL/APPROVED OFFENSIVE SECURITY OPERATIONS ONLY. ***
./mkhtaccess_red -- Dynamically generate an htaccess file to redirect sandbox/blueteam to a benign sample.
twitter.com/violentlydave / www.insomniacsecurity.com

Command line arguments: [you have to use one option, even just -v or -z, otherwise all are optional]

-d DESTINATION_URL (add full url in quotes, "http://someurl.com/mybenignsample.docx")
    Note: This can be specified as a static variable $DESTINATION
    If this command line variable is used, it over-rides the $DESTINATION variable.

-a ASNs (add single or multiple ASNs in quotes, "NetworkName1_ASN1234 NetworkName2_ASN4321")
    Note: This can be specified as a static variable $DEFAULTASN, if this command line is used,
    ASN will be added to any ASNs in the $DEFAULTASN variable.

-u USERAGENTS (add single or multiple user agents in regex format in quotes, "^.*SomeScrapingBot.*$")
    Note: UserAgents can be added to the static variable $DEFAULTAGENTS, and if this command line
    is used any specified user agents will be added to the $AGENTS variable.

-e ExtraIPs-or-Nets (add single or multiple ips or nets in quotes, "MISC-127.0.0.1 MISC-10.6.5.0/24".)
    Note: These can be added statically as MISC sources in the code.

-o OUTPUT (lets you set the path/name of the output, or it will default to /tmp/redhtaccess)

-v VERBOSE MODE (adds more info about behind the scenes/deduping)

-z I DONT CARE, JUST RUN! (will run w/ default static variables/info, and generate an htaccess)
Make sure your Apache configuration sets AllowOverride for the directory, otherwise the .htaccess will be ignored:

<Directory "/var/www/html/test">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
If you need to debug how it is matching, add "LogLevel alert rewrite:trace6" to your main configuration -- but keep in mind that every connection attempt will log EACH regex evaluation. This can fill logs/drives quickly if many attempts occur!
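As an added example (not part of this README or the mkhtaccess_red project), here is a small Python audit script a blue team or sandbox operator can run against a recovered .htaccess of this kind, to see which source lists (the ASN/Tor/cloud/UserAgent sources above) it encodes and whether their own egress would be diverted, without turning on rewrite:trace6 on a live server. It assumes Apache 2.4 `RewriteCond expr "-R 'CIDR'"` network tests and `%{HTTP_USER_AGENT}` regex tests; the project's actual output format is not shown on this page. It collapses overlapping networks the way a deduping step would, and evaluates a client IP plus User-Agent against the rule with Apache's [OR]/AND condition semantics. The .htaccess text, addresses and User-Agent strings are all constructed.

```python
import ipaddress
import re

# Constructed sample .htaccess in the shape described above: network
# conditions (Apache 2.4 "-R" subnet test), a User-Agent regex condition,
# and a redirect to a benign document. Not the project's generated output.
SAMPLE_HTACCESS = """\
RewriteEngine On
# a MISC-style single host, plus a /24 and a /25 that it already contains
RewriteCond expr "-R '127.0.0.1'" [OR]
RewriteCond expr "-R '203.0.113.0/24'" [OR]
RewriteCond expr "-R '203.0.113.0/25'" [OR]
RewriteCond %{HTTP_USER_AGENT} "^.*SomeScrapingBot.*$" [NC]
RewriteRule ^.*$ http://example.com/mybenignsample.docx [L,R=302]
"""

NET_RE = re.compile(r'^RewriteCond\s+expr\s+"-R\s+\'([^\']+)\'"(?:\s+\[([^\]]*)\])?')
UA_RE = re.compile(r'^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+"([^"]+)"(?:\s+\[([^\]]*)\])?')
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?')


def _flags(text):
    """Split a '[NC,OR]' flag list into a set of upper-case flag names."""
    return {f.strip().upper() for f in (text or "").split(",") if f.strip()}


def parse_htaccess(text):
    """Return (condition_groups, target). Conditions chained with [OR] form
    one group; groups are ANDed, matching Apache's RewriteCond semantics."""
    groups, current, target = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := NET_RE.match(line):
            cond = ("net", ipaddress.ip_network(m.group(1), strict=False))
            flags = _flags(m.group(2))
        elif m := UA_RE.match(line):
            flags = _flags(m.group(2))
            re_flags = re.IGNORECASE if "NC" in flags else 0
            cond = ("ua", re.compile(m.group(1), re_flags))
        elif m := RULE_RE.match(line):
            target = m.group(2)
            continue
        else:
            continue  # directives this audit does not model (RewriteEngine etc.)
        current.append(cond)
        if "OR" not in flags:  # a condition without [OR] closes the group
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return groups, target


def redirect_networks(text):
    """Collapse overlapping/adjacent networks, as deduping would, and
    return them as sorted strings."""
    groups, _ = parse_htaccess(text)
    nets = [c[1] for g in groups for c in g if c[0] == "net"]
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


def would_redirect(text, client_ip, user_agent):
    """True if a client with this source IP and User-Agent hits the rule."""
    groups, target = parse_htaccess(text)
    if target is None:
        return False
    ip = ipaddress.ip_address(client_ip)

    def matches(cond):
        kind, value = cond
        if kind == "net":
            return ip.version == value.version and ip in value
        return value.search(user_agent) is not None

    return all(any(matches(c) for c in group) for group in groups)


if __name__ == "__main__":
    print("networks diverted:", redirect_networks(SAMPLE_HTACCESS))
    for ip, ua in [("203.0.113.7", "Mozilla/5.0"),
                   ("198.51.100.9", "curl/8.4.0"),
                   ("198.51.100.9", "somescrapingbot/1.0")]:
        verdict = "benign sample" if would_redirect(SAMPLE_HTACCESS, ip, ua) else "real payload"
        print(f"{ip} {ua!r} -> {verdict}")
```

A sandbox operator would feed their own egress addresses and analysis User-Agents into would_redirect to learn whether a sample fetched through that path is the one the target actually received; a 302 to an unrelated benign document for one vantage point and not another is the tell for this kind of cloaking.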
Send me a note here, or on Twitter: twitter.com/violentlydave