Training 2016 - Attacking with Excel
From BruCON 2016
Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more
Artists have exercises in style. Programmers learn a new language. They do this to learn new skills and boost their creativity. This training is an exercise in style for penetration testers and hackers; the goal is to learn a new skill and become more creative.
To achieve this goal, we will impose the following restrictions on ourselves: we have a non-admin account on a Windows machine and we can only run Microsoft Office. All other applications and executables are blacklisted. We can only use Microsoft Office to attack.
In this training, Didier will teach you how to use Microsoft Office for offensive security. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications like AutoCAD.
We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Excel, like a port scan, and also how to use this API to inject and execute shellcode inside the Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Excel’s process memory, without touching the disk.
This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills like knowledge of for loops and if statements are useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal, everything can be done with VBA without requiring vulnerabilities.
Over the years, Didier has developed many tools and techniques to “Attack With Excel”. These tools will be explained and used during this training. Some of these tools have never been published, but you will receive them all (Didier’s public and private tools) when you attend this class. Non-exhaustive list of Didier’s tools shared during this class:
- Taskmanager with shellcode injector
- Filemanager and container to drop and exfiltrate
- Network tool (ping, port scan, …)
- Enumerate installed programs & patches
- Enumerate executables modifiable by the user
- CMD & Regedit running inside Excel process
- Getting started demo
- Introduction to VBA
- VBA API technique
- Tools part 1
- VBA shellcode technique
- VBA diskless DLL technique
- Tools part 2
- Creating payload delivery documents
This training is for technical IT security professionals like penetration testers and red team members, but also for interested hackers. Some basic scripting skills are useful, but not required. Knowledge of VBA is not required.
- A Windows laptop with Microsoft Office (at least Excel and Word), preferably Microsoft Office 2013 32-bit on 64-bit Windows. This can be inside a virtual machine on OSX or Linux.
- Administrative rights
- Rights to disable AV
Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is an IT Security Consultant currently working at a large Belgian financial corporation.
Didier has been developing and pioneering MS Office tools and techniques for offensive security for more than 5 years. Didier is also an expert in the analysis of malicious documents like Word documents with VBA macros.
You can find his open source security tools on his IT security related blog
Mon. 24 - 25 October 2016 (09:00 - 17:00) (2-day)