In this article, we’ll discuss client-side attacks with Excel files.

Client-side attacks are always a fun topic for attackers today. As network administrators and software developers fortify the perimeter, pentesters need to find a way to make the victims open the doors for them to enter the network.

Client-side attacks require user interaction, such as enticing victims to click a link, open a document or somehow get to your malicious website.

Tools we’ll use:
1) Veil-evasion
2) Macroshop
3) Metasploit, Armitage or Cobaltstrike. Let’s stick with Armitage just for the visual effects – they’re nice, huh ?

All tools can be found by searching on Google.

Methodology of the attack:

We’ll create a Excel file where macros will be enabled. What are macros? Macros are “mini-programs” that you create within an Excel worksheet. They’re just a series of commands given in a certain order that Excel remembers. For more details, please search Google.

In our macro command, we’ll add a shellcode generated from veil-evasion. Before we add it to our Excel file, we “process it” with macroshop. You’ll see what I mean later on.

NOTE: We may have to use our social engineering skills to convince the victim to enable the macros (by default, they’re are disabled). Otherwise, our attack won’t work.

 

The practical part:

Run veil-evasion and create a powershell/meterpreter/reverse_https payload

Move that payload to Desktop for easy access.

 

 

 

Now, let’s use macroshop for the final result of our shellcode and add it to a .txt file for easy access later on.

 

 

The next steps:

We’re done with the shellcode generation. Now, we need to add it to our Excel file. Let’s move to our Windows machine – but first, we have to adjust a few settings on our Excel sheet.

Choose the file –> setting –> customize ribbon –> and tick the developer tab on the left

 

 

Afterwards, we’ll see a new menu tab on our sheet named Developer. We need to go there. Then, go to  Virtual Basic on the left. Next, to ThisWorkgroup, where we’ll paste the content of the cybraryIT.txt we created previously. After that, save the file as an Excel macro-enabled workbook.

 

 

 

Now. we’re done with Excel. Let’s go back to our pentesting machine, run Armitage and load multi/handler to catch any connections.

 

 

See the notification on the victim’s machine about disabled macros.

 

 

After the activation of macros, we’re able to get a meterpreter shell and own the machine. That’s it.

 

Thats it , hope you enjoy it