All Projects → mgeeky → Robustpentestmacro

mgeeky / Robustpentestmacro

Licence: gpl-3.0
This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.

Programming Languages

macro
33 projects

Projects that are alternatives of or similar to Robustpentestmacro

Excelize
Golang library for reading and writing Microsoft Excel™ (XLSX) files.
Stars: ✭ 10,286 (+10727.37%)
Mutual labels:  office
Cloudfail
Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network
Stars: ✭ 1,239 (+1204.21%)
Mutual labels:  pentest
Onenote
📚 Linux Electron Onenote - A Linux compatible version of OneNote
Stars: ✭ 1,300 (+1268.42%)
Mutual labels:  office
Girsh
Automatically spawn a reverse shell fully interactive for Linux or Windows victim
Stars: ✭ 66 (-30.53%)
Mutual labels:  pentest
Abiword
Official Mirror of the AbiWord git repository - Read-Only
Stars: ✭ 77 (-18.95%)
Mutual labels:  office
Shellpop
Pop shells like a master.
Stars: ✭ 1,279 (+1246.32%)
Mutual labels:  pentest
Dr0p1t Framework
A framework that create an advanced stealthy dropper that bypass most AVs and have a lot of tricks
Stars: ✭ 1,132 (+1091.58%)
Mutual labels:  pentest
Officelife
OfficeLife manages everything employees do in a company. From projects to holidays to 1 on 1s to ... 🚀
Stars: ✭ 90 (-5.26%)
Mutual labels:  office
Nac bypass
Script collection to bypass Network Access Control (NAC, 802.1x)
Stars: ✭ 79 (-16.84%)
Mutual labels:  pentest
Awesome Nodejs Security
Awesome Node.js Security resources
Stars: ✭ 1,294 (+1262.11%)
Mutual labels:  pentest
Cloudflair
🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
Stars: ✭ 1,176 (+1137.89%)
Mutual labels:  pentest
Burp Bounty Profiles
Burp Bounty profiles compilation, feel free to contribute!
Stars: ✭ 76 (-20%)
Mutual labels:  pentest
Docx
Fast and easy to use .NET library that creates or modifies Microsoft Word files without installing Word.
Stars: ✭ 1,288 (+1255.79%)
Mutual labels:  office
Findsploit
Find exploits in local and online databases instantly
Stars: ✭ 1,160 (+1121.05%)
Mutual labels:  pentest
Cve 2019 0604
cve-2019-0604 SharePoint RCE exploit
Stars: ✭ 91 (-4.21%)
Mutual labels:  pentest
Cloakify
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection
Stars: ✭ 1,136 (+1095.79%)
Mutual labels:  pentest
Vxscan
python3写的综合扫描工具,主要用来存活验证,敏感文件探测(目录扫描/js泄露接口/html注释泄露),WAF/CDN识别,端口扫描,指纹/服务识别,操作系统识别,POC扫描,SQL注入,绕过CDN,查询旁站等功能,主要用来甲方自测或乙方授权测试,请勿用来搞破坏。
Stars: ✭ 1,244 (+1209.47%)
Mutual labels:  pentest
Py Kms
KMS Server Emulator written in Python
Stars: ✭ 1,318 (+1287.37%)
Mutual labels:  office
Pentest Guide
Penetration tests guide based on OWASP including test cases, resources and examples.
Stars: ✭ 1,316 (+1285.26%)
Mutual labels:  pentest
Trackray
溯光 (TrackRay) 3 beta⚡渗透测试框架(资产扫描|指纹识别|暴力破解|网页爬虫|端口扫描|漏洞扫描|代码审计|AWVS|NMAP|Metasploit|SQLMap)
Stars: ✭ 1,295 (+1263.16%)
Mutual labels:  pentest

RobustPentestMacro

This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.

Created to make it possibly to simply Paste Payload then Copy & Paste entire macro into phished document.

For list of example Macro generation and usage scenarios one can check out author's gist here:

Various-Macro-Based-RCEs.md


SYNOPSIS:

This is a skeleton code for the malicious Macro that could be used during Penetration Testing assignments (or for education purposes), in order to embed it within Phishing documents as a Microsoft Office macro.

There are following features implemented:

  • Platform detection logic (Windows/MacOS X) - All the penetration tester has to do, is to generate both Windows and Mac OS X commands and put them into appropriate macro's functions: WindowsMalware() and MacMalware()
  • Sandbox detection (Windows) - allowing to exit macro when being scanned
  • WMI Subscription persistence (Windows) - allowing to survive system restart
  • Social Engineering trick by shape removing - for hiding fake "Enable Content" warning.
  • Supporting both MSWORD and EXCEL startup routines

One should definitely feed this script into some kind of Visual Basic obfuscator, like the author's one: VisualBasicObfuscator

The macro's code has been built up from other author's building blocks:


CONFIGURATION

The most essential configuration here is filling up functions like MalwareWindows() and MalwareMac(). One can for instance leverage Empire stager's functionality and obtain two payloads - for:

  • windows/macro
  • osx/macro

Then one have to put this way generated macros into aforementioned Malware*() functions. The penetration tester also can use buil-in primitives like:

  • ExecuteCommand(command)
  • ExecuteCommandAndPersist command, startupTaskName

For instance, such modifications to the script could look like:

Private Sub WindowsMalware()
	[...]
	str = "powershell -noP -sta -w 1 -enc  ABCDEFGHIJKLMNOPQ"
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
    ' Rest of the powershell command cut for brevity
    ' [...]
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
    
    ExecuteCommandAndPersist str, ""
End Sub

Private Sub MacMalware()  
	[...]
	cmd = "abcdefghijlmnopqrstuxwyz012345678990"
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
    ' Rest of bash command cut for brevity
    ' [...]
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
    
    Dim fullCommand As String
    fullCommand = "echo ""import sys,base64;exec(base64.b64decode(\"" " & cmd & " \""));"" | python &"

    ExecuteCommandAndPersist fullCommand, ""

Also, there are Const options documented within code's CONFIGURATION section that are self-explanatory and left to be reviewed by the user.


SOCIAL ENGINEERING SHAPE REMOVAL:

In order to leverage this feature, one has to prepare a fake "Enable Content" warning message like for instance Microsoft Office compatibility issues, AV scanned flag or something imaginary, and then to create a shape consisting of TextBox (via INSERT -> Shapes... -> TextBox). Then cover the document with this shape. Having that, one has to rename that shape using the path:

(Ribbon -> HOME -> Editing -> Select... -> Selection Pane -> give it a name, like "**warning-div**")

After that, the shape can be further modified to be floating and cover up entire document by clicking:

Right click on shape -> Move selected shape -> then setting up Position and Size to 100%, Left-Top aligned.

Among various Social Engineering shapes that could be used - two of them had been attached to this repository:

Example shape


TODO:

  • Add OpenOffice platform detection and autorun logic (OnOpen), then modify OS detection if's to support getGUItype method offered by OpenOffice.
  • Add document layout switching functionality, like the original page subsitute function did.
  • Implement host reconnaissance and situation exfil functionality
  • Refactor the code to make it a bit less detectable by AVs
  • Add architecture bitness detection logic and specific payload usage
  • Add macOS related function for platform indepency
  • Add macOS X persistence functionality (MacPersistence()) in form of for instance per-user LaunchAgents PLIST
  • Prepare builder-script customizing script's backbone as needed by user and offering instant obfuscation
  • Add more Sandbox evasion and avoidance techniques, as documented in pafishmacro, here, here and here

KNOWN BUGS:

  • The routine: DeleteWarningShape doesn't support Excel sheets at the moment (ActiveWorkbook)

DISCALIMER:

The author of this code is not taking any responsibilities of any illegal usage of it. The code had been created solely for Penetration Testing purposes.


AUTHOR:

Mariusz B. / mgeeky, '17
Shared on GPL license.
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].