Hack Demo Videos:

Email Connect Back

18 Sep 2013

This video is a live walkthrough of how endpoint protection such as AV can be defeated with malicious Office attachments.

…particularly interesting if you’re in an organisation that regularly shares Office docs containing VBA and Macros.

Today we’re looking at some of the dangers of email attachments. Everyone knows to not click untrusted links but we’ll be looking specifically at the sort of attachments that you can get through to the user, particularly Office documents.

What we’ve got here is a straightforward virtual machine, as an example of a user that we’re going to attack. In the background we’re running Metasploit. It’s listening for the connection back from our payload, from the moment we compromise the user’s machine.

The particular exploit we’re going to be using is a Meterpreter reverse shell, but we’ve modified it to run in VBA. Why’s that? Well, that way we can dump it into an Office macro. Doing this makes it much more difficult for antivirus and other endpoint protection to pick it up. Here we have a nice simple Excel document, an .xlsm. When we open it up, lo and behold, it contains macros. For it to run properly the user has to enable editing and content. Getting them to do that might take a little bit of social engineering, but I know lots of organisations that use VBA scripts and Office macros a lot, so it’s not far-fetched to expect that someone will open it all up.

Now there’s nothing in that .xlsm document, nothing in there to see at all. BUT all we have to do is go back to our Metasploit listener and we find that actually there is something going on here. We now need to have a look to see if we’ve got any sessions back, and we have. Next we start to interact with one of those sessions and then a few moments later we find we’ve got a nice reverse shell.

There we go, easy as that. So what I would recommend is, if you are trying to defend against these types of attacks, you really need to make sure you’ve got great endpoint protection on workstations and really good antivirus scanning. It’ll help if you have thorough scanning on your gateways as well.
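The gateway scanning recommended above can start with a structural check of the attachment itself rather than relying on a signature for the payload. As an added example that is not part of the original video, this Python snippet flags macro-enabled OOXML packages (the kind of .xlsm used in the demo) by looking for the vbaProject.bin part and the macroEnabled content type; the sample workbook it builds is constructed for the test and is not a file Excel wrote.

```python
"""Flag macro-bearing Office (OOXML) attachments at a mail gateway.

An .xlsm/.docm is a zip package. The macro code lives in its own part
(xl/vbaProject.bin or word/vbaProject.bin) and [Content_Types].xml declares a
"macroEnabled" main part, so the structure reveals macros even when the visible
sheet is empty, as in the demo.
"""
import io
import zipfile

# Real OOXML content types for a plain vs. macro-enabled workbook main part.
CT_PLAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
CT_MACRO = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
NO_MACRO_EXTS = {"xlsx", "docx", "pptx"}


def macro_indicators(filename: str, data: bytes) -> dict:
    """Return which macro indicators a submitted attachment shows."""
    ind = {"vba_part": False, "macro_content_type": False, "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ind  # not an OOXML package (e.g. legacy binary .xls); scan elsewhere
    names = zf.namelist()
    ind["vba_part"] = any(n.endswith("vbaProject.bin") for n in names)
    if "[Content_Types].xml" in names:
        ind["macro_content_type"] = b"macroEnabled" in zf.read("[Content_Types].xml")
    ext = filename.rsplit(".", 1)[-1].lower()
    # A .xlsx/.docx that carries VBA is misrepresenting itself; an .xlsm at least is honest.
    ind["extension_mismatch"] = ind["vba_part"] and ext in NO_MACRO_EXTS
    return ind


def should_quarantine(filename: str, data: bytes) -> bool:
    """Policy: hold anything with a VBA part or a macro-enabled content type."""
    ind = macro_indicators(filename, data)
    return ind["vba_part"] or ind["macro_content_type"]


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal workbook package for testing; not a file Excel wrote."""
    ct = CT_MACRO if with_vba else CT_PLAIN
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/xl/workbook.xml" ContentType="{ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")  # blank sheet, like the demo
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()
```

A production filter would also open legacy binary formats (.xls/.doc) and inspect the VBA storage there; this check covers only the zip-based OOXML case the video demonstrates.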