Did you happen to attend live or watch the recorded version of the SANS webcast Because Jail Is Not Fun - Hacking Back Legally and hear our friend John Strand mention the Impact MS Word Web Bug module (about 31 minutes in)? If you’re a CORE Impact user, you might have been wondering, “What is this module? I’ve never seen it. Where can I find it?” Well I’m going to let you know exactly what he was talking about.
The module he was referencing falls under the category of Client Side. So to find this module, click on the Client Side tab at the top of the middle (Entity) window. From there select the Modules tab on the bottom left part of the Impact GUI. Now that you’re in the module folder view the module you are looking for is in the Information gathering and then Client Side folder. Once you're in this folder you should then see the MS-Word Webbug module. (Fig. 1)
You can now use the very same MS-Word Webbug module that John mentioned in his webcast (Fig. 2). Being a Client-side module you’ll notice that when you start the module it looks very different than a module you may be used to anywhere else in Impact. By default it is designed to be sent via email, but that’s not what John was talking about doing, so here’s how to embed a track-back URL into an MS Word Doc.
What you need to use is a detached client-side mode, which means the document will be saved on the local Impact machine allowing you to copy, post, or move the file to wherever you need. To turn this into a decoupled client-side click the Switch to File button at the top menu bar (Fig. 3). This will give you two fields to fill out (Fig. 4). The first is the Attack Description. Enter a name in here that is meaningful to you for the doc or “attack”. Impact will create a folder with this name into which that doc file you generate will be placed. For the second field use the ellipsis [...] button to the right of the field to choose a directory to create the above folder and .doc file.
We have to configure a few things before we are ready to generate the .doc file. First select the Parameters button. You will then need to provide an HTML file that will be displayed in MS Word when the file is opened, as John mentioned Word is just a web browser (I know scary). You can configure other settings as well, but it is the HTML file that is required. What should you use for an HTML file? I dunno, maybe something that looks like a document that an attacker would be interesting in. It doesn’t really matter since as soon as the file is opened the connect back to Impact is executed and you have the info you need. And yes, Impact needs to be accessible to whoever opens the file. That means if it’s opened outside of your network, which is what John was suggesting, then you need to a.) have Impact running and b.) Impact needs to either have a public IP or have NAT-enabled and the HTTPS port forwarded. If you want to do something really advanced you can put an agent on a public server and have the HTTPS connection go there and forward that to Impact. There are lots of ways to skin that cat, contact us and we can talk through the options.
Anyway if you’ve seen the webcast you know what he was referring to. If you haven’t seen the webcast, please visit http://www.sans.org/webcasts/ for more information.
Anthony Alves, Technical Account Manager