Previously I took a look at how to take a malicious link created by Core Impact Pro and turn it into a QR code, so that you can further you client side attacks. The general idea was that you could use these QR codes to pin up on a bulletin board or create some type of flyer. I also mentioned that you could just add the image of the QR code into your client side attack email so that the spam filter could not check or restrict the malicious link. That is great if images are allowed in emails, but if images are restricted, unfortunately this attack vector is nullified. To help remedy this, I’m going to address our old friend ASCII art.

For this exercise I'm making the assumption that you have already created a malicious link and will be using it to create the new QR code. If you have not created a malicious link please see my previous blog here for some quick pointers.

To create the QR code, I will be using ASCII QR and will simply use the option to encode text, rather than pointing it to an image file of an existing QR code. In the bottom input I will add in my malicious link and the click submit.

Next I will click where it says "HTML" and select and copy all of the code

A special note here: you will see that at the beginning of this block of code there is a tag that says something to the effect of  "<span style="font-family: 'Courier New', monospace; line-height:1em; letter-spacing:1em;"><br />", I had to remove this entirely, and instead surround the generated code with a <pre></pre> tag,  to get the QR code to format correctly so that it was visible in my email and would scan with my QR code reader.

At this point I created a very basic HTML file and simply pasted the generated code and surrounded it by the "pre" tags. This file will be used in the next step when the malicious email is sent.

Now it is possible to go into Impact Pro and work with what we have created. One thing to remember is that we do not need to run a new attack at this point since we have already created the malicious link. When we created the malicious link and sent it to ourselves (in the previous article) Impact Pro stood up a server and should now be waiting for connections. Since we do not need to run another attack we can just click on the "Client Side", go to the modules, and then run the "Mail Sender Engine" module which can be found under the "Misc" folder.

At this point you can select your "To" and "From" email addresses (which must be created, imported, or discovered prior). The next step is to select the HTML file that you previously created by clicking the ellipses next to "MESSAGE BODY". The only other variable that I changed in this module was "MESSAGE CONTENT TYPE", and it was changed to "text/html".

At this point, you can just click "OK" and wait for your agents ::evilgrin::

Here is what it looked like once received in gmail:

and here it is in Unicode


- Teague Newman, Core Security Training Consultant and Independent Security Researcher