Firework – Leveraging Microsoft Workspaces in a Penetration Test

Firework – Leveraging Microsoft Workspaces in a Penetration Test

Firework is a proof of idea instrument to work together with Microsoft Workplaces creating legitimate recordsdata required for the provisioning course of. The instrument additionally wraps some code from Responder to leverage its potential to seize NetNTLM hashes from a system that provisions a Workplace feed by way of it.
This instrument could also be used as a part of a penetration test or crimson workforce train to create a .wcx payload (and related feed) that if clicked on may very well be used to:
  • Phish for credentials – NetNTLM hashes can be despatched if a consumer enters their credentials (or on older variations of Windows mechanically).
  • Add objects to the Start-Menu – After set-up shortcuts are added to the Start-Menu which launch the served RDP file(s). These entries might doubtlessly be used as a part of a wider social engineering marketing campaign.
  • Download sources – Resources such because the .rdp recordsdata and icon recordsdata are downloaded and up to date by Windows on a every day foundation (if authentication of the feed is disabled or is happy).

Read the SpiderLabs weblog for a extra detailed abstract and stroll by means of.


  • Tested with Python 2.7.x. (PythonThree not at the moment supported, though the primary Firework class may very well be used in Python 3)
$ pip set up -r necessities.txt
  • The instrument serves content material over HTTPS and requires a certificates and personal key to make use of in-constructed net server with NetNTLM seize. Default recordsdata: cert.crt and key.pem


.-:::::'::::::::::..  .,::::::.::    .   .:::  ...    :::::::..    :::  .   
;;;'''' ;;;;;;;``;;;; ;;;;''''';;,  ;;  ;;;'.;;;;;;;. ;;;;``;;;;   ;;; .;;,.
[[[,,== [[[ [[[,/[[['  [[cccc  '[[, [[, [[',[[     [[,[[[,/[[['   [[[[[/'  
`$$$"`` $$$ $$$$$$c    $$""""    Y$c$$$c$P $$$,     $$$$$$$$$c    _$$$$,    
 888    888 888b "88bo,888oo,__   "88"888  "888,_ _,88P888b "88bo,"888"88o, 
 "MM,   MMM MMMM   "W" """"YUMMM   "M "M"    "YMMMMMP" MMMM   "W"  MMM "MMP"

utilization: [-h] -c COMPANY -u URL -a APP -e EXT -i ICON [-l LISTEN]
                   [-r RDP] [-d DOMAIN] [-n USERNAME] [-p PASSWORDHASH]
                   [-t CERT] [-k KEY]

WCX office instrument

non-obligatory arguments:
  -h, --help            present this assist message and exit
  -c COMPANY, --company COMPANY
                        Company identify
  -u URL, --url URL     Feed URL
  -a APP, --app APP     App Name
  -e EXT, --ext EXT     App Extension
  -i ICON, --icon ICON  App Icon
  -l LISTEN, --listen LISTEN
                        TLS Web Server Port
  -r RDP, --rdp RDP     RDP Server
  -d DOMAIN, --domain DOMAIN
                        RDP Domain
  -n USERNAME, --username USERNAME
                        RDP Username
  -p PASSWORD, --password PASSWORD
                        RDP Password
  -t CERT, --cert CERT  SSL cert
  -k KEY, --key KEY     SSL key

Basic instance:

  • Organisation Name: EvilCorp
  • URL to feed XML (or URL to Firework’s in-constructed server): – This is the place Windows downloads the feed from.
  • Application Name: Firework
  • File Extension: .fwk
  • Icon File: firework.ico
python ./ -c EvilCorp -u -a Firework -e .fwk -i ./firework.ico 

In constructed net server will begin on port 443 if cert.crt and key.pem are current in present listing. This will power an NTLM problem with responder. If these recordsdata usually are not current the instrument will write all recordsdata to native listing in your personal internet hosting.
If you want to begin the in-constructed net server on alternate port use the -l flag as under:

python ./ -c EvilCorp -u -a Firework -e .fwk -i ./firework.ico -l 8443

You may also add some customisations to the .rdp file that will get served.

  • Remote Desktop Server: dc.corp.native
  • Domain: corp.native
  • Username: admin
  • Password Crypt: Encrypted password that will get included in RDP file

Note: Passwords saved in .rdp recordsdata are probably ignored in a default config.

python ./ -c EvilCorp -u -a Firework -e .fwk -i ./firework.ico -r dc.corp.native -d corp.native -n admin -p <crypt password>

Having run the instrument ‘payload.wcx’ can be written to present listing. This file is what when clicked on begins the provisioning course of.



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.