ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
Getting a shell using a malicious Outlook rule is an awesome tool during a pentest and great fun! Nick Landers had a great post including enough information to make this happen. Although it left a few things for the reader to figure out and there was one gotcha. In this post I provide some additional information to help you get this going.
First, the Gotcha . . .
You need to use Python3 to run the rulz.py script. Otherwise you get an error similar to that shown below.
Rulz.py Error When Run with Python 2.x
Second, details for setting up a WebDAV server . . .
The original SilentBreak Security blog post gave minimal details for setting up your WebDAV server so I provided detailed instructions here. I suggest using a read-only WebDAV server so your payloads don’t get maliciously overwritten. When you run rulz.py, give it a local filename to save the rule to instead of the location on your WebDAV server. I also provide expanded information on setting up your Empire listener here to improve your chances of success.
Third, be sure to close your local instance of Outlook before sending an email to the target so that the payload executes on their machine and not yours.
- Getting Outlook Credentials:
- More on Malicious Rules:
For tips on getting a shell through a malicious outlook rule without using an EXE file, see this related post.
You can learn more from Carrie in her classes!
Check them out here:
Available live/virtual and on-demand!