{"id":791,"date":"2012-07-12T18:40:13","date_gmt":"2012-07-12T17:40:13","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=791"},"modified":"2012-08-30T12:46:08","modified_gmt":"2012-08-30T11:46:08","slug":"nftf-local-lockdown-getting-prompts-fun-with-macros-and-scripting-help-on-airgapped-systems","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/07\/12\/nftf-local-lockdown-getting-prompts-fun-with-macros-and-scripting-help-on-airgapped-systems\/","title":{"rendered":"Getting prompts, Fun with Macros and Scripting Help on Airgapped Systems"},"content":{"rendered":"

1. NFTF Quickie – VBS Funtimes – Run Scripts? Get Prompt<\/strong>
\nThis is probably a duplicate somewhere but wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down desktop.
\nUsing VBS to fire up FTP as a local command shell<\/b><\/p>\n

1
2
<\/div><\/td>
Run ftp...
\nCreateObject("WScript.Shell").Run "cmd.exe \/k ftp"<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Using the above and the bang character will let you run commands on the host.
\nE.G. !cd or !c:\\windows\\system32\\calc.exe (strangely on XP64 !cd will not persist post command, however it does do so on Win7 [pretty sure it does it on 32bit XP as well as it’s how I used to use FTP all the time])
\nNoddy stuff indeed but useful.
\nThe above one-liner can be modified to run any executable you have access to as a user.<\/p>\n

2. No Macros Allowed? That’s what you think…<\/strong>
\nMe and a colleague got presented with a “Defect fixed, macros are completely disabled on the host” statement on Monday, so we decided to give it a bit of a kicking.
\nAt first glance, no access to the editor was possible and only trusted signed macros were capable of running. We could be forgiven at this point for even mistakenly “passing” the defect if we hadn’t been so determined.
\nSo after a bit of poking and managing to pop open the editor across the office suite, I was convinced I could get it to play ball all the way. My colleague thankfully indulged my inane ramblings about “digitally signing” and “feeling like it’s so close”.
\n3 to 4 hours later and a fair few dead ends. We get macro editing and execution as a trusted signed macro across all the office apps available on the host (aside from outlook, that could probably fall too given more poking but we had proved the point).
\nWhat follows is a quick run through of what we did (…using only a standard user account on a locked down host).<\/p>\n

2.1. First Problem – Creating the macro, we need an editor<\/strong>
\n\"Macro_bar\"
\nIf the macro menu is disabled and the buttons on the developer toolbar are greyed out (the buttons above are just to show where they are) try the following:
\nIn Word:<\/strong> Right click the toolbar, select “customise quick access toolbar”, select “all commands” and add the button labelled “view code”.
\nAt this point now go to the developer toolbar (enable it within word options if not enabled), select “design mode” and now the “view code” button will become clickable.
\nClick this button – Voila, access to VB Editor.
\nIn Excel:<\/strong> Right click the sheet tab, View Code – Voila, access to VB Editor. Alternatively it is also accessible the same way as in word.
\nIn Powerpoint:<\/strong> Click “view code” (should already be on the toolbar somewhere, if not follow the instructions for word)
\nThe above all work in 2007 and 2010, as well as earlier versions but probably in a slightly different guise. Have a bit of a poke about a bit.<\/p>\n

2.2. Just sign here, here and here<\/strong>
\nOur second issue, accessing the “security” window and then the “macro security” window using the above “toolbar button” method (anything with the word “macro” in was disabled from a UI point of view in the ribbon\/menus so you had to load the “security” window to get there) we could see that only signed macros were allowed to run. <\/p>\n

Nightmare, what can we do now? Thankfully during the above macro editor poking I had browsed through the office folder (looking for a VB Editor.exe type thing) and noted the following executable.
\nRun this:<\/b> C:\\Program Files (x86)\\Microsoft Office\\Office12\\selfcert.exe<\/i>
\n\"Selfcert\"
\nRun it – Create a certificate. Access the VB Editor using the steps in the previous tip.
\n\"Signing_word\"
\nTools -> Digital Signatures -> Choose Certificate -> Select your cert.
\nNow it’s signed you will probably need to exit word\/excel\/whatever and reopen the document (we had to when testing).<\/p>\n

2.3. …but wait, mommy told me not to run macros from strangers.<\/strong>
\nOkay so we’ve now got a macro, it’s signed but it still won’t run. They’ve hobbled the security even further and “disabled” any prompts we’d get allowing us to “run” a macro with a self-signed cert, so we’re going to have to find a way to explicitly trust our self-signed macro.
\n\"Signing_big\"
\nOpen the VB Editor as before. Then Tools -> Digital Signatures -> Choose -> View Certificate – > Details -> Copy to File
\n\"Cert_import\"
\nNavigate to saved .cer file (just accept the defaults in the export wizard), right click and select “install certificate”, Select the location to install the certificate as “Trusted Publishers”.
\nNext…
\nCertificate Installed Successfully. You just added your certificate to the trusted signatures that microsoft office will blindly accept without needing you to click on a “accept the risk” style warning.
\nBefore <\/b>(but this would typically be hidden and not shown to users, meaning that they would not have the option of “accepting anyway” in this manner and so self-signed macros would never run)<\/i>:
\n\"Untrusted\"
\nAfter<\/b> (No prompt, macro can be run, certificate is trusted)<\/i>:
\n\"Trusted_nowarning\"\"Trust_center\"<\/p>\n

You may need to restart word or whatever at this point just to get the changes to refresh but your macro will run without hindrance once done.<\/p>\n

2.4 So what can I do with these things anyway?<\/strong>
\nSo the mini-nftf in section 1 above, without cscript.exe\/wscript.exe you’re a bit screwed.
\nHow about doing it in VBA.<\/p>\n

1
2
3
<\/div><\/td>
Sub run_me
\n    retVal = Shell("C:\\WINDOWS\\SYSTEM32\\cmd.exe \/k ftp",1)
\nEnd Sub<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

A quick ‘F5’ and you’re back running the commands you need.
\nretVal in the above will contain the PID of the process you just launched so the following will kill the process too (in case you were doing something fancy)<\/p>\n

1
2
3
4
5
6
<\/div><\/td>
Sub run_me_kill_me
\n    Dim retVal as String
\n    retVal  = Shell("C:\\WINDOWS\\SYSTEM32\\calc.exe",1)
\n    killCmd = "C:\\WINDOWS\\SYSTEM32\\cmd.exe \/k taskkill \/PID " &#043; retVal
\n    retVal2 = Shell(killCmd,1)
\nEnd Sub<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

The “,1” part of the Shell call, that’s describing what you want VB to do with the window. If you are doing calls to a script (perhaps a macro that performs a bunch of commands on the sly?) or a command\/console based program, you can use vbHide instead and no window will appear on the screen.
\nBe careful doing this on systems with CMD.exe disabled by group policy as you’ll find that they never show up and so persist within task manager waiting on an invisible but very real “This command has been disabled by your administrator, press any key to continue” prompt.<\/p>\n

3. Help! No Web, No Hope? No Way!<\/strong>
\nFinal tidbit of an NFTF – Ever wanted to write some VBS but never sure of exact syntax or even the functions you have access to, no access to the web and someone has helpfully disabled the “help and support” service, denying you any ‘F1’ action you may want.
\nThis is a little trick I picked up from previous work. Providing the host you’re playing with has Microsoft office installed (else it’s worth just a general C:\\ drive search for clview.exe).
\nYou have all the scripting reference material you need to make whatever VBS you want.
\nFirst you make a new shortcut upon the desktop.
\nSet it to : “C:\\Program Files (x86)\\Microsoft Office\\Office12\\clview.exe” “MSE” “Microsoft Scripting Engine”
\nDouble click and a blank help screen will open (this does not require the help and support service yay!).
\nSearch for something “VBS” for example and then click “microsoft scripting engine” (grey text, top left) and then “Microsoft Scripting Engine Help”, you’ll have help for VBScript and JScript language references along with information on all the juicy runtime objects you can access using VBS\/JScript.
\nNote: JScript is essentially the same as VBScript (different syntax, but same capabilities), they’re all run using cscript.exe (if a console based script) or wscript.exe (if a dialog based script).
\nNeed VBA help? Once again, CLVIEW comes to the rescue.
\nCreate a shortcut for: “C:\\Program Files (x86)\\Microsoft Office\\Office12\\CLVIEW.EXE” “WINWORD” “Microsoft Office Word”
\nLooks like it’s word help but it is the word developer reference and in turn will give you the full VBA language reference too.
\nDoing fancier application specific stuff in Excel? or Powerpoint? Change the above to suit. <\/p>\n

Happy Local Lockdown Testing!<\/p>\n","protected":false},"excerpt":{"rendered":"

1. NFTF Quickie – VBS Funtimes – Run Scripts? Get Prompt This is probably a duplicate somewhere but wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down desktop. Using VBS to fire up FTP […]<\/p>\n","protected":false},"author":2,"featured_media":862,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[310,308,112,306,309,311,101,307],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/791"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":7,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"predecessor-version":[{"id":863,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/791\/revisions\/863"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/862"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}