Client Side Penetration Testing – T&T Part 2

8 May 2015

Upon being able to contact the target and sound legitimate, we should be able to have a binary executed through persuasive and undetectable techniques. Below we discuss some of these techniques:

PowerPoint presentation with embedded .exe

A legitimate and undetectable by AntiVirus method to deliver an executable (if the executable itself is undetectable of course), is by embedding an object to a PowerPoint presentation. However, it only works on MS Office 2007 and earlier versions, but not on MS Office 2010 or 2013.

On the 1st slide of the presentation we take the following steps:

  • Navigate to “Insert” tab
  • Click on “object”
  • Choose the “Create from file” option and select the executable

Tip: Draw something on the 1st slide and “send to back” the created object so it is not visible when the presentation is opened by the target.

After creating the object we should configure it to execute immediately when someone runs the presentation (if the target clicks “Run”), as described below.

  • Navigate to “Animations” tab
  • Click “Custom Animation” on the top left
  • Click “Add Effect” on the box which will appear on the right -> Object Actions -> Activate Contents
  • Select the created action and at the “Start:” property choose “With Previous”

Afterwards, we test if everything is working properly by renaming the presentation to .pps and running it. A prompt which requires us to authorize the execution should appear and if we click “Run” the executable file will run.

The last thing we have to do is to create a nice looking 1st slide (the title of an “internal” presentation with colors and styles similar to the target company is a good choice) and also create a 2nd slide which will tell the user that he can’t see the presentation if he doesn’t run the executable.

Word Macro

An MS Word file can be trojanized with shellcode in the form of a macro. The shellcode can be encoded by Metasploit’s Powershell Base64 Command Encoder (cmd/powershell_base64) and then outputted to VBA format. This technique is currently undetectable by most AVs, provided that the shellcode itself is undetectable. However, it is possible to bypass all AVs by changing the macro manually.

After encoding the shellcode using the “cmd/powershell_base64” metasploit module, we execute the following commands.

  • We add the shellcode at a VBA script:
    $ cat shellcode.bin | msfencode -t vba > macro.txt
  • Check if everything is ok:
    $ cat macro.txt
    #If Vba7 Then
    Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal …..
    Sub Workbook_Open()
    End Sub
  • Open MS Word and navigate to View > Macros > View Macros
  • Give an arbitrary Macro name and at “Macros in:” select *Current document name (document)*
  • Select “Create” and after clearing the contents of the new window that is opened, paste the content of macro.txt
  • Close the macros window and save the document as “Word 97-2003 document” that produces a .doc Word file. There is also an option to save the document as Word Macro Enabled Document (*.docm) that is less preferable due to the produced document icon, that is not the same as normal Word files, plus the .docm file type may seem suspicious.

When the document is opened by the target, he will be notified that “Macros have been disabled” by a security warning bar. It is crucial to trigger target’s curiosity in order to bend his will and make him enable macros. To achieve that, the content of the document should involve legitimate information that has been harvested passively from various sources and advertise something extraordinary e.g. salary bonus etc.

UAC Awareness

It is possible to add windows User Account Control (UAC) awareness to any windows executable. Making the executable UAC-aware may prove to be essential in specific cases where the target is a local administrator, but UAC is set to the highest level. Metasploit’s “bypassuac” module will not work when UAC is at the highest level. Furthermore, Metasploit’s “ask” module requires having an active session established and it will also ask for the Administrator password in case the user does not have local administrator privileges. If we choose to make the executable UAC-aware we prefer giving it the “highestAvailable” privilege and not “requiredAdministrator”, unless we want to compel the target user to call the administrator and request him to fill his password in order to gain administrator access. We may make a UAC-aware executable by either following the steps of the article below, or through Visual Studio.


Evading blocking technologies

Blocking technologies include AntiVirus and EndPoint software, IDS/IPS, Proxy/Web Filtering, Firewalls with deep packet inspection etc. Regarding AntiVirus evasion techniques we will make a dedicated blog post soon.

  • Encapsulate any traffic between you and the target over Secure Sockets Layer (SSL) to avoid packet inspection. Prefer SSL certificates signed by a trusted certificate authority over self-signed ones. This applies to trojan communication, phishing websites and trojan delivery by any means.
  • Use Code Signing Certificates for any piece of code that is delivered to the target (Java applets, trojans, macros in Word files etc.). Although Code Signing will not evade any detected signatures in the code or behavioral triggering, it will help significantly versus certain checks, especially score-based blocking rulesets.
  • Do not use IP addresses or dynamic dns names for any type of reverse connection. Register a domain name instead and use hostname calls.
  • To evade egress filtering, use HTTP(S) reverse payloads and make the trojan proxy aware using WinINet API.