Sandboxing makes phishing/infection hard. If a target can hand off your payload to a third party to "detonate", how can you get them to run your payload?! Simple: by handing sandboxes innocuous payloads to detonate.
How do we do that? By dynamically creating and deduping a list (Apache .htaccess) based on:
- Sandbox/Security company networks by ASN
- Current Tor Exit Nodes
- Cloud Provider networks (AWS, GCP, Azure, IBM, etc)
- UserAgents of known security scanners/possible blue team tools
- Networks seen in previous engagements
The original idea came during some client engagements and getting annoyed while watching sandboxes grab samples. I created the initial version of the code, and later I found @curi0usJack's static htaccess example, which is grabbed and included.
Thanks to:
- @curi0usJack for his example htaccess
- @imoorhouse904 for testing and data
- aconite33 for adding Cisco ScanSafe data
- Jacqueline, because.. well, she deals w/ me
If it has to be said, ***THIS SOFTWARE IS FOR LEGAL/APPROVED OFFENSIVE SECURITY OPERATIONS ONLY. ***
./mkhtaccess_red -- Dynamically generate an htaccess file to redirect sandbox/blueteam to a benign sample.
twitter.com/violentlydave / www.insomniacsecurity.com
Command line arguments: [you have to use one option, even just -v or -z, otherwise all are optional]
-d DESTINATION_URL (add full url in quotes, "http://someurl.com/mybenignsample.docx")
Note: This can be specified as a static variable $DESTINATION
If this command line variable is used, it over-rides the $DESTINATION variable.
-a ASNs (add single or multiple ASNs in quotes, "NetworkName1_ASN1234 NetworkName2_ASN4321")
Note: This can be specified as a static variable $DEFAULTASN, if this command line is used,
ASN will be added to any ASNs in the $DEFAULTASN variable.
-u USERAGENTS (add single or multiple user agents in regex format in quotes, "^.*SomeScrapingBot.*$")
Note: UserAgents can be added to the static variable $DEFAULTAGENTS, and if this command
line is used any specified user agents will be added to the $AGENTS variable.
-e ExtraIPs-or-Nets (add single or multiple ips or nets in quotes, "MISC-127.0.0.1 MISC-10.6.5.0/24".)
Note: These can be added statically as MISC sources in the code.
-o OUTPUT (lets you set the path/name of the output, or it will default to /tmp/redhtaccess)
-v VERBOSE MODE (adds more info about behind the scenes/deduping)
-z I DONT CARE, JUST RUN! (will run w/ default static variables/info, and generate an htaccess)
Make sure your Apache configs AllowOverride, so the htaccess will work.
Example:
<Directory "/var/www/html/test">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
If you need to debug how it is matching, add "LogLevel alert rewrite:trace6" to your main configuration -- but keep in mind that each connection attempt will log EACH regex to your logs. This can fill logs/drives quickly if many attempts occur!
Sent me a note here, or on Twitter: twitter.com/violentlydave
Thanks!