Tracking Attackers With Word Web Bugs (Cyber Deception)



Hello and welcome! My name is John Strand, and in this video, we’re going to be talking about Word Web Bug Servers. The idea of a Word Web Bug Server is that we can create a Word document that, any time it is opened, creates a callback to a server we control, which allows us to identify the attacker’s IP address.

Now the cool thing about Word Web Bugs is they don’t need to have macros enabled for them to fire. In fact, they don’t necessarily even have to open Microsoft Word at all.

NO MACROS!
NO M$ WORD!

So, let’s actually go through how a Word Web Bug document works. Now in this particular video, we’re using the Active Defense Harbinger Distribution. This is the distribution I use for my class on cyber deception at Wild West Hackin’ Fest, both in San Diego and in Deadwood, South Dakota, and I also use it for whenever I teach that class at BlackHat, the four-day version of that class.

Now the instructions are on the ADHD usage document on the desktop of the system. And then once you’re in, you can select attribution, and then you can select Web Bug Server and it’ll take you to step by step instructions on how to use the Web Bug Server.

Let’s actually jump right in here.

So to get this to work, everything is in the /opt directory. I’m going to cd into /opt, then into the web bug server directory, and type ls. Now in this directory there are a number of different things. The first thing you’re going to notice is that we have a number of document templates: we have web_bug.doc and we have web_bug.html.

Now the thing that you need to understand is that both of these are pretty much the same. And I’ll explain why here in just a couple of seconds.

So if I run ifconfig and pull down my IP address, you’re going to see that my ens33 adapter has an IP address of 192.168.149.128. I’m going to copy that IP address because we’re going to use it here in just a second. Then I’m going to use vi to open up web_bug.doc.

Now if you look inside of web_bug.doc, web_bug.doc actually has HTML code, which is weird because it’s a doc file.

Now in this particular example, if you were to open up this document in Word, you wouldn’t see the HTML: the html and head tags and the link URL. You wouldn’t see any of that. Instead, what you would see is a document that’s basically blank and says “what a buggy document,” and that’s it.

What’s happening in the background is really interesting: the word processor, in this case Microsoft Word or AbiWord or whatever, is going to try to pull down some HTML elements. It’s going to try to pull down a cascading style sheet.

The other thing it’s going to do is try to pull down the image referenced by an image source tag. So if you’re working with ADHD, you’re going to take the default IP addresses in this document and replace them with the IP address of your computer system. Now if we start, let’s say, AbiWord and open up web_bug.doc, it says it can’t open it: “this appears to be an invalid document.” Huh? That’s weird. But it doesn’t matter whether it says “Hey, this is an error” or not, because what’s going on in the background is really interesting.

So I’m going to show you the database on the backend. ADHD has Adminer as the backend database front end. We’re going to log in with a user ID of webbuguser and a password of, I think it’s webbug or ADHD, I can’t remember which it is: ADHD, and then webbug for the database.

There we go.

By the way, you should never ever use this in production like ever.

You’re going to see a table called requests, and if I select requests, it opens up the actual data. Here you can see a bunch of examples that I’ve already pre-populated. You can see LibreOffice opened the document and we got the IP address. We also had Microsoft Word, from an earlier run on a Windows 10 computer system, making a connection back, as you can see from this user agent string. And then right down here at the bottom is my AbiWord attempt at opening this; it doesn’t necessarily have a user agent string. If you remember, AbiWord threw an error, but in this scenario, who cares, because the document already did a callback to us as the defenders.

Now the key is that the document actually calls back in multiple different ways.

It uses both an image source tag and a cascading style sheet link. The reason is that some word processors fetch image source tags and others fetch cascading style sheets, so using both gives the best chance that at least one callback fires.
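To make the two callback paths concrete, here is an added example (not the ADHD project’s own code): a constructed web-bug template with a stylesheet link and an image tag pointing at a small listener, and the listener recording the client IP, token and user agent for each fetch, the way the requests table does. The `simulate_open` helper stands in for a word processor resolving the document’s external resources; the template layout, the `id` token and the paths are assumptions, not the ADHD file.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed template in the spirit of ADHD's web_bug.doc (not the project's file): a .doc
# that is really HTML, carrying a stylesheet link and an image tag that point at our server.
def build_web_bug_doc(host, port, token):
    base = f"http://{host}:{port}"
    return (
        "<html><head>\n"
        f'<link rel="stylesheet" href="{base}/style.css?id={token}">\n'
        "</head><body>\n<p>What a buggy document</p>\n"
        f'<img src="{base}/image.gif?id={token}" width="1" height="1">\n'
        "</body></html>\n"
    )

# One row per fetch, like the "requests" table: (client_ip, token, path, user_agent).
CALLBACKS = []

class WebBugHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        token = parse_qs(url.query).get("id", [""])[0]
        CALLBACKS.append((self.client_address[0], token, url.path,
                          self.headers.get("User-Agent", "")))
        # The response content is irrelevant for attribution; the request itself is the signal.
        body = b"GIF89a" if url.path.endswith(".gif") else b""
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the listener quiet; CALLBACKS is the record

def start_server(host="127.0.0.1", port=0):
    srv = HTTPServer((host, port), WebBugHandler)  # port 0 picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def simulate_open(doc, user_agent):
    # Mimic a word processor resolving the document's external resources; returns HTTP statuses.
    statuses = []
    for link in re.findall(r'(?:href|src)="([^"]+)"', doc):
        req = urllib.request.Request(link, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=5) as resp:
            statuses.append(resp.status)
    return statuses
```

A word processor that only honours one of the two tags still produces one row, which is why the template carries both.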

So I hope you had a good time in this video. Be sure to check out the links below, and I don’t do this much in my videos, but I’m going to say hit that subscribe button because other YouTubers do it and they seem to be really popular with the middle school kids.



Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand