<aside> 📌 Summary

</aside>

11 - Client-Side Attacks

1 - Target Reconnaissance

1 - Information Gathering

If the target publishes documents on its web site, we can enumerate them with gobuster, using the -x parameter to search for specific file extensions. PDFs and Office documents are the most valuable finds, because their metadata often leaks usernames, the organization's naming convention, and the Office build that produced them. Downloaded documents are then inspected with exiftool; -a prints duplicate tags and -u prints unknown tags, so nothing is filtered out:

gobuster dir -u <url> -x pdf,html,php -w <wordlist>
exiftool -a -u brochure.pdf

The Author and Creator/Producer fields are the ones to watch: the first reveals a username format we can reuse for phishing and password attacks, the second tells us which document software (and therefore which client-side vector) the target is likely to open our file with.
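The following is an added example, not part of the original notes and not the PEN-200 course material: a small Python parser that pulls the same /Info entries exiftool would show (literal and hex-encoded strings, UTF-16 with BOM, backslash escapes) out of raw PDF bytes and turns them into targeting hints. The SAMPLE_PDF is constructed here to mimic a Word-exported brochure; the author name, software strings and the "first.last" heuristic are assumptions for the demonstration.

```python
import re

# /Info dictionary keys worth pulling for client-side targeting.
INTERESTING_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")

# Matches "/Key (literal string)" or "/Key <hex string>" for the keys above.
# Literal strings may contain backslash escapes; nested unescaped parentheses
# (legal in PDF, rare in metadata) are not handled here.
_KEYS_ALT = b"|".join(k.encode() for k in INTERESTING_KEYS)
_ENTRY_RE = re.compile(
    rb"/(" + _KEYS_ALT + rb")\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)",
    re.S,
)


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\n \\r \\t \\b \\f \\( \\) \\\\, octal \\ddd and line continuation."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

    def repl(m):
        esc = m.group(1)
        if esc.isdigit():
            return bytes([int(esc, 8) & 0xFF])
        if esc in (b"\n", b"\r"):          # backslash-newline is a continuation, not a character
            return b""
        return simple.get(esc, esc)        # unknown escapes keep the escaped character

    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S)


def _decode_text(raw: bytes) -> str:
    """PDF text strings are UTF-16BE with a BOM, otherwise PDFDocEncoding (Latin-1 is close enough for metadata)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def extract_pdf_info(pdf: bytes) -> dict:
    """Pull metadata entries out of raw PDF bytes.

    Later matches override earlier ones: an incrementally updated PDF appends a
    fresh /Info dictionary at the end of the file, and that one is current.
    """
    info = {}
    for m in _ENTRY_RE.finditer(pdf):
        key = m.group(1).decode()
        if m.group(2) is not None:
            value = _decode_text(_unescape_literal(m.group(2)))
        else:
            value = _decode_text(bytes.fromhex(m.group(3).decode()))
        info[key] = value
    # XMP metadata (when stored uncompressed) repeats the authoring tool in XML.
    m = re.search(rb"<xmp:CreatorTool>(.*?)</xmp:CreatorTool>", pdf, re.S)
    if m:
        info["CreatorTool"] = m.group(1).decode("utf-8", errors="replace").strip()
    return info


def targeting_hints(info: dict) -> dict:
    """Reduce raw metadata to what matters for a client-side attack: username format and document software."""
    hints = {}
    author = info.get("Author", "")
    if re.fullmatch(r"[a-z]+\.[a-z]+", author):
        hints["username_format"] = "first.last"        # assumption: reusable for phishing / password attacks
    elif author:
        hints["username_format"] = "unrecognised: " + author
    software = " | ".join(info[k] for k in ("Creator", "CreatorTool", "Producer") if k in info)
    if "Microsoft" in software and "Word" in software:
        hints["document_software"] = software         # the Office build our document will be opened with
    return hints


# Constructed sample: a minimal PDF whose /Info dictionary mimics what a Word-exported brochure leaks.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<<\n"
    b"/Title (Company Brochure \\(2023\\))\n"
    b"/Author (j.doe)\n"
    b"/Creator <FEFF004D006900630072006F0073006F0066007400AE00200057006F00720064>\n"
    b"/Producer (Microsoft\\256 Word for Microsoft 365)\n"
    b"/CreationDate (D:20230115103000Z)\n"
    b">>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    info = extract_pdf_info(SAMPLE_PDF)
    for key, value in info.items():
        print(f"{key:14}: {value}")
    print(targeting_hints(info))
```

Regex over raw bytes is enough for most office-generated PDFs, but newer writers may place the /Info dictionary inside a compressed object stream, where this parser sees nothing; exiftool decompresses those, which is why it stays the tool of choice and this script is only a way to understand what it reports.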

2 - Client Fingerprinting

To confirm that the target runs Windows and which browser they use, we generate a Canarytokens web bug (URL token): a unique link that reports back whenever it is requested. We send the link to the target; when they open it, Canarytokens records the source IP address and the User-Agent string, from which we read the operating system and browser (for example Windows 10 with Microsoft Edge, or an older Windows build with Internet Explorer). That tells us whether Windows-specific vectors such as Office macros are worth pursuing. Be aware that e-mail security gateways and link scanners often fetch a URL before the user does, so check that a hit comes from a real browser User-Agent and a plausible client IP before trusting it.
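As an added example (not part of the original notes and not Canarytokens' own code), here is the triage logic applied to the data a token hit gives us, the source IP and User-Agent: it derives OS and browser from the User-Agent, flags hits that look like a mail gateway or link scanner rather than a person, and decides whether a hit is evidence for a Windows-targeted attack. The SAMPLE_HITS are constructed for the demonstration and the scanner keywords are an assumed heuristic, not a Canarytokens feature.

```python
import re
from dataclasses import dataclass


@dataclass
class ClientFingerprint:
    os: str
    os_version: str
    browser: str
    likely_scanner: bool


# Windows reports its kernel version in the User-Agent; Windows 11 still says NT 10.0.
_WINDOWS_NT = {"10.0": "Windows 10/11", "6.3": "Windows 8.1", "6.2": "Windows 8", "6.1": "Windows 7"}

# Assumed heuristic: non-browser fetchers that commonly hit a link before (or instead of) the human.
_SCANNER_RE = re.compile(r"bot|crawl|spider|scanner|python-requests|curl/|wget/", re.I)


def fingerprint_user_agent(ua: str) -> ClientFingerprint:
    """Derive OS and browser from a User-Agent string, as a token hit report presents them."""
    os_name, os_version = "Unknown", ""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name, os_version = "Windows", _WINDOWS_NT.get(m.group(1), "NT " + m.group(1))
    elif "Android" in ua:                  # before Linux: Android UAs also contain "Linux"
        os_name = "Android"
    elif "iPhone" in ua or "iPad" in ua:
        os_name = "iOS"
    elif "Mac OS X" in ua:
        os_name = "macOS"
    elif "Linux" in ua or "X11" in ua:
        os_name = "Linux"

    # Order matters: Edge and Opera also advertise Chrome/Safari, and Chrome advertises Safari.
    if "Edg/" in ua or "Edge/" in ua:
        browser = "Microsoft Edge"
    elif "Trident/" in ua or "MSIE " in ua:
        browser = "Internet Explorer"
    elif "OPR/" in ua:
        browser = "Opera"
    elif "Chrome/" in ua:
        browser = "Chrome"
    elif "Firefox/" in ua:
        browser = "Firefox"
    elif "Safari/" in ua:
        browser = "Safari"
    else:
        browser = "Unknown"

    scanner = browser == "Unknown" or bool(_SCANNER_RE.search(ua))
    return ClientFingerprint(os_name, os_version, browser, scanner)


def is_windows_browser_hit(fp: ClientFingerprint) -> bool:
    """A hit only supports a Windows client-side vector if a real browser on Windows made it."""
    return fp.os == "Windows" and not fp.likely_scanner


def triage_hits(hits):
    """Annotate each hit (dict with 'ip' and 'user_agent') with its fingerprint and verdict."""
    out = []
    for hit in hits:
        fp = fingerprint_user_agent(hit["user_agent"])
        out.append({**hit, "fingerprint": fp, "windows_target": is_windows_browser_hit(fp)})
    return out


# Constructed sample hits in the shape of a token report: source IP plus User-Agent.
SAMPLE_HITS = [
    {"ip": "203.0.113.25", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                                         "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"},
    {"ip": "203.0.113.77", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"},
    {"ip": "198.51.100.9", "user_agent": "Mozilla/5.0 (compatible; ExampleMailGateway-LinkScanner/1.0)"},
    {"ip": "192.0.2.14", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"},
]

if __name__ == "__main__":
    for hit in triage_hits(SAMPLE_HITS):
        fp = hit["fingerprint"]
        print(f"{hit['ip']:14} {fp.os:8} {fp.os_version:14} {fp.browser:18} "
              f"scanner={fp.likely_scanner} windows_target={hit['windows_target']}")
```

The third hit is the case the caveat above is about: it arrives first, from a gateway, and says nothing about the user's machine. Only the Edge and Internet Explorer hits justify building a Windows-specific payload.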

2 - Exploiting Microsoft Office

3 - Leveraging Microsoft Office Macros

Bear in mind that older client-side attack vectors, including Dynamic Data Exchange (DDE) and various Object Linking and Embedding (OLE) methods, do not work well today without significant target system modification: Microsoft disabled DDE in Word by default with its December 2017 defense-in-depth update, and OLE-based tricks trigger warnings the user must click through. Macros remain the vector that still works on a stock installation, provided the user enables them.

<aside> 📌 Only the legacy binary .doc format and the macro-enabled .docm format can carry a VBA project; a .docx cannot store macros at all, so a payload document saved as .docx silently loses them. The same split applies to Excel (.xls/.xlsm vs .xlsx) and PowerPoint (.ppt/.pptm vs .pptx). Even with a macro-enabled file, recent Office builds (since 2022) block VBA macros by default in documents carrying the Mark of the Web from an internet or e-mail origin, so the target must have macros permitted by policy or the file must arrive without the mark.

</aside>
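As an added example (not part of the original notes), the following Python checks what the note above states from the file itself: an OOXML document is a zip package, and a VBA project exists only if word/vbaProject.bin is inside it and the main part is declared with the macro-enabled content type. The build_sample_document helper constructs minimal .docx and .docm skeletons for the demonstration; the placeholder bytes it writes for vbaProject.bin are an assumption standing in for a real compiled VBA project, and the legacy .doc branch only identifies the OLE2 container rather than parsing it.

```python
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Office (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML package (.docx/.docm/.xlsx/...)
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"


def classify_office_file(data: bytes) -> dict:
    """Report which container a document uses and whether a VBA project is physically present."""
    if data.startswith(OLE2_MAGIC):
        # Binary .doc keeps macros in a "Macros" storage inside the compound file;
        # reading that needs a CFB parser (olefile / oledump), which this example does not include.
        return {"container": "ole2", "has_vba_project": None, "macro_enabled_content_type": None}
    if not data.startswith(ZIP_MAGIC):
        return {"container": "unknown", "has_vba_project": None, "macro_enabled_content_type": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # word/, xl/ and ppt/ all use the same part name for the VBA project.
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "container": "ooxml",
        "has_vba_project": has_vba,
        "macro_enabled_content_type": DOCM_MAIN in content_types,
    }


def build_sample_document(macro_enabled: bool) -> bytes:
    """Constructed minimal OOXML package with the same skeleton Word writes, as .docm or .docx."""
    main_ct = DOCM_MAIN if macro_enabled else DOCX_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>' if macro_enabled else "")
        + "</Types>"
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Please enable content to view this document.</w:t></w:r></w:p></w:body>"
        "</w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
        if macro_enabled:
            # Assumed placeholder for the compiled VBA project (itself an OLE2 compound file in real documents).
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("docx", False), ("docm", True)):
        print(label, classify_office_file(build_sample_document(macro_enabled=flag)))
    print("doc ", classify_office_file(OLE2_MAGIC + b"\x00" * 512))
```

Run it against a payload before sending: if the report shows has_vba_project False, the macro was lost when the file was saved in the wrong format. Defenders can use the same check in reverse on inbound attachments, since a macro-enabled content type inside a file named .docx is itself suspicious.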

Not a simple little panda file x))
