According to the description:  "A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only."

If you've used the Unicorn tool, this is not too dissimilar but instead of providing you with the PowerShell and it being somewhat specific to Metasploit, this allows you to generate Macro payloads and it can directly insert them into Excel for you.  In addition, if you use Invoke-Obfuscation, you can also obfuscate the payloads in a variety of different formats.

Consider the following -- you have a mysql database and you want to periodically backup the database to the file system.  You setup a cronjob and you have a script that performs the following task:

    mysqldump --user root --password=Secretp4ssw0rd testing > testing.sql

Simple, right?

Obviously, there's probably more to it -- we backup a /var/www/html directory and we probably backup that DB to a location.  And maybe we even tar.gz it up to make a neat little package.  The point though is that we've now placed the password in memory.

I think you need to use your imagination with this tool but it could be quite handy for that right spot. I think the author's description does a fine job of explaining what this tool can do: "What this tool does is taking a file (any type of file), encrypt it, and embed it into an HTML file as resource, along with an automatic download routine simulating a user clicking on the embedded resource."  Let's dig into the tool and then I'll add some additional thoughts:

The description states:  "Five86-2 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing."

This is a friggin' puzzle box.  Fun, but definitely a puzzle box.  I enjoyed it thoroughly because I learned a new trick.  More on that later.

First, we kick off with Nmap:

I'm presenting at BSides College Station next month and in my talk, I'm using PowerShell as a method for enumerating the environment while living off the land.  Also in my talk, I give an example of a PowerShell reverse shell in plain form and the same reverse shell in an obfuscated form.  I don't reference it directly but the tool I use to obfuscate the shell is Invoke-Obfuscation created by Daniel Bohannon.  In advance of the talk, I want to do a little write-up on this tool in case I get asked about it -- I can then point them to here...

Like most people, when I receive an email with a link, I do a quick check to see if the URL is legit.  I'll carefully read it, then I will mouse over it to make sure that the text and the URL match.  I've seen that trick a few times and I've also seen a trick where there was what appeared to be an attached Word document but instead it was an image for a URL.  That was definitely clever.  I haven't seen that one too many times but I can see a user repeatedly clicking on it -- wondering why Word wasn't opening.

But let's say we get a link to an image.  I probably get at least one of these per day where a friend sends me to some meme or something of interest.  http:// blah blah blah / funnymeme.gif
