11. Client Side Attacks

• attack clients, e.g. browser, office to obtain foothold into the network

• precondition: knowledge about client under attack

  • which os?

  • which applications?

metadata tags of publicly-available documents: exiftool

Trigger client to click link, which then fingerprints its os, browser etc

• JavaScript fingerprinting, e.g. fingerprint.js

• canarytokens.org

• most often malicious office macros are used to infect a workstation

• the user must:

  • open the file

  • click “enable editing”

  • explicitly enable marcos for document

• *.docx does not store macros, must user

• *.doc stores macros

• Windows library files (*.Library-ms)

  • allow to include remote storage into local file explorer

  • on double click: open explorer and shows the content of the remote folder (just like default folders)

• Attack

  • share library file with victim (e.g. email), if the victim clicks the file it seems that only local files are presented

  • library file points to attacker controlled directory, which contains a script which triggers a reverse shell (user must click on *.Ink file)