Phishing Files & Documents
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually, Word files containing macros use the .docm
extension. However, it's possible to rename the file by changing the file extension and still keep their macro executing capabilities.
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
You can use the following command to check which extensions are going to be executed by some Office programs:
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
Go to: Insert --> Quick Parts --> Field Categories: Links and References, Filed names: includePicture, and Filename or URL: http://<ip>/whatever
It's possible to use macros to run arbitrary code from the document.
The more common they are, the more probable the AV will detect them.
AutoOpen()
Document_Open()
Fo to File > Info > Inspect Document > Inspect Document, which will bring up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information.
When finished, select Save as type dropdown, change the format from .docx
to Word 97-2003 .doc
.
Do this because you can't save macro's inside a .docx
and there's a stigma around the macro-enabled .docm
extension (e.g. the thumbnail icon has a huge !
and some web/email gateway block them entirely). Therefore, this legacy .doc
extension is the best compromise.
An HTA is a Windows program that combines HTML and scripting languages (such as VBScript and JScript). It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model.
An HTA is executed using mshta.exe
, which is typically installed along with Internet Explorer, making mshta
dependant on IE. So if it has been uninstalled, HTAs will be unable to execute.
There are several ways to force NTLM authentication "remotely", for example, you could add invisible images to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the address of files that will trigger an authentication just for opening the folder.
Check these ideas and more in the following pages:
Force NTLM Privileged AuthenticationPlaces to steal NTLM credsDon't forget that you cannot only steal the hash or the authentication but also perform NTLM relay attacks:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)