Launch a Client-Side Attack Using Excel Files
Companies are trading and sharing documents every day, but I don't believe they're aware of the threats associated with their actions or they just don't take it seriously. What can I say :P

Tools we'll use:
1) Veil-evasion
2) Macroshop
3) Metasploit, Armitage or Cobaltstrike. Let's stick with Armitage just for the visual effects - they're nice, huh :P

All tools can be found by searching on Google.

Methodology of the attack:
We'll create an Excel file where macros will be enabled. What are macros? Macros are "mini-programs" that you create within an Excel worksheet. They're just a series of commands given in a certain order that Excel remembers. For more details, please search Google.

In our macro command, we'll add a shellcode generated from veil-evasion. Before we add it to our Excel file, we "process it" with macroshop. You'll see what I mean later on.

NOTE: We may have to use our social engineering skills to convince the victim to enable the macros (by default, they're disabled). Otherwise, our attack won't work.

The practical part:
Run veil-evasion and create a powershell/meterpreter/reverse_https payload.

Move that payload to Desktop for easy access. Now, let's use macroshop for the final result of our shellcode and add it to a .txt file for easy access later on.

The next steps:
We're done with the shellcode generation. Now, we need to add it to our Excel file. Let's move to our Windows machine - but first, we have to adjust a few settings on our Excel sheet.

Choose the file --> setting --> customize ribbon --> and tick the developer tab on the left.

Afterwards, we'll see a new menu tab on our sheet named Developer. We need to go there. Then, go to Visual Basic on the left. Next, to ThisWorkbook, where we'll paste the content of the cybraryIT.txt we created previously. After that, save the file as an Excel macro-enabled workbook.

Now we're done with Excel. Let's go back to our pentesting machine, run Armitage and load multi/handler to catch any connections.
See the notification on the victim's machine about disabled macros. After the activation of macros, we're able to get a meterpreter shell and own the machine. That's it. Hope you liked it. If you have any questions or comments, please use the form below.
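Seen from the defending side, the macro-enabled workbook described above can be recognised by its content before a user ever reaches the "enable macros" prompt. The following Python check is an added example, not part of the original post; the function names, verdict labels and sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls compound-file signature
MACRO_CT = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

def triage_workbook(name: str, data: bytes) -> dict:
    """Classify an attachment by its content, not by its file name."""
    result = {"name": name, "container": "unknown", "vba_parts": [],
              "macro_content_type": False, "verdict": "pass"}
    if data.startswith(OLE_MAGIC):
        # Legacy binary workbooks can carry macros under any extension: send to deeper analysis.
        result.update(container="ole", verdict="review")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project of a macro-enabled workbook is stored as a vbaProject.bin part.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            result["macro_content_type"] = MACRO_CT in zf.read("[Content_Types].xml")
    if result["vba_parts"] or result["macro_content_type"]:
        # A macro project behind a non-macro extension is a stronger signal than an honest .xlsm.
        honest = name.lower().endswith((".xlsm", ".xltm", ".xlam", ".xlsb"))
        result["verdict"] = "quarantine" if honest else "quarantine-mismatch"
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a workbook (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CT if with_macro else PLAIN_CT
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/xl/workbook.xml" ContentType="' + ct + b'"/></Types>')
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("report.xlsx", build_sample(False)), ("invoice.xlsm", build_sample(True)),
               ("invoice.xlsx", build_sample(True)), ("old.xls", OLE_MAGIC + b"\x00" * 504)]
    for fname, blob in samples:
        print(triage_workbook(fname, blob))
```

A mail gateway or file-share scanner can apply the same verdicts to hold macro-bearing workbooks from external senders, which removes the need to rely on the user declining the prompt.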