There are lots of tools that overlap and this one is no different.  It has a few tricks that I haven't seen in other tools and it has some similar features to others.  I didn't play with the Pro version but I did ask the author if the Pro version was still capable of evading a/v and he said yes.  Before I move on, the description of the product states:  "macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments."


    Nmap - xml2csv : "Converts Nmap XML output to csv file, and other useful functions. Ignores hosts that are down and ports that are not open."

    A friend showed me this tool the other night and it's kind of funny because I was just looking for something like this but didn't find it when searching.  I normally use the -oN flag to output to a file but I was wishing for a better way to organize the data and poof, here it is...


    This is not original work, I found it here on Github.  Interesting idea with a somewhat limited use... in my opinion.  The description states:  "c# reverse shell poc that also does TLS".  I keep reading that CSharp is the new PowerShell but as far as I can tell, CSharp payloads are getting detected so maybe that ship has passed.  I will say that this shell goes undetected but it does require the arguments so it's not something you can get a user to click on. 

    One final thought -- you only need Program.cs which can be compiled in the .NET folder.


    Mshta.exe executes HTML application files -- and in terms of living off the land, this could be a useful tool in certain situations.  This is becoming less usable as a/v products clue in on the execution but it still works against some a/v products in some scenarios.  Probably a less useful method would involve Metasploit but this is a fairly easy way to show how this works.  There are other ways to generate HTA files, SharpShooter comes to mind, but those methods are becoming extinct as well. 

    Anyway...


    I'll warn you up front, this may or may not work with certain a/v products.  You also don't need to use Metasploit and in fact, you're probably better off if you don't.  The concept is the same though, we're going to schedule a task to run in Windows on login.  What we choose to execute can be anything really and it's probably better if it's something that can avoid detection from a/v. 

    Using the Metasploit method, we setup script delivery:


    "Spoof SSDP replies to phish for credentials and NetNTLM challenge/response. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. Also detects and exploits XXE 0-day vulnerabilities in XML parsers for UPNP-enabled apps."

    So what is SSDP?  "The Simple Service Discovery Protocol is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information."

    And if that's unclear to you, it will all make sense in a moment when you see what appears in the Network view. 


    Page 9 of 55

    © 2020 sevenlayers.com