Using just a small sticky note, we can trigger a chain of events that ultimately results in complete access to someone's entire digital and personal life.
Imagine arriving home one night after work and there's a Post-it note on your apartment door with the website "your-name-here.com" written on it. Someone cautious may not immediately visit the website, but eventually, curiosity might get the best of them. Let's have some fun exploiting human curiosity and get remote access to our neighbor's computer in the process.
For this hack, we'll be using a seemingly harmless Post-it note to entice a target user into visiting a website that we control. When the target user visits the website, they'll be tricked into opening a malicious file which will allow us to perform a variety of attacks on the compromised computer.
Such an attack may allow hackers to target:
- Coworkers or company executives. Employees visiting an attacker-controlled website from a computer inside a corporate network and opening a malicious file may compromise the security of the entire network.
- Small businesses. Managers opening malicious files found on attacker-controlled websites may allow the attacker to steal sensitive customer information, install ransomware, or compromise other applications on the device.
- Average everyday people. By gaining remote access to someone's computer, attackers could steal personal information to perform identity theft or blackmail the victim into paying a large ransom for stolen data.
There are many steps to this attack, so I'll first provide a brief overview of the scenario before showing how to put it all together.
The hypothetical victim of this hack will be "my neighbor in the apartment next door," his name is "John Smith." The goal is to social engineer John Smith into visiting a website that we control by exploiting the inherent trust we allot to our everyday neighbors. Ultimately, we will gain access to a computer in John's apartment by tricking him into opening a malicious file.
Since there's a lot going on in this attack, I will be breaking this guide up into three parts. This first part will cover reconnaissance. We'll need to gather as much information as possible about John Smith's social and digital life to create a website named after him that will really entice him ("john-smith.com"). As an optional step, we'll also gather hardware information about devices connecting to John's Wi-Fi network. This will help us understand what kinds of devices are in his home.
In the second part of this guide, we'll create a payload to run on a Virtual Private Server (VPS) so that it can be downloaded from any computer in the world. We'll also need to install Metasploit on the VPS, which will be used to interface with and control the compromised machine after our malicious file is opened.
For the finale, we'll create the website that John will look at, embed the payload file on the site, register a domain name that will entice John, then watch the whole thing work once we deliver the sticky note. We'll also go over some things everybody can do to minimize these types of attacks against themselves.
Reconnaissance is very important to the success of this hack. There are many social engineering angles we can take to trick someone into visiting our evil website. For example, targeting our neighbor in the apartment next door would be easy. In some apartment buildings and condominiums, we could identify our neighbor's name by checking the resident listed on the lobby intercom or their mailbox.
We can also learn their name by making small talk with them or with other people who live or work in the building, who might unwittingly divulge personal information about our target. People who live in rural areas may have better luck using whitepages to identify the names of residents in the house next door. In certain parts of the United States, property history may be easily obtainable. A Google search for "parcel," "county auditor," or "property assessment" together with the target's county may produce a searchable database of current and past residents for the target's home address.
In extreme cases, we might also learn our target's name by rummaging through their trash bins and finding a letter, package, or receipts containing personal information we can use in later stages of this attack. In a big city, rummaging through trash bins might not even get a second glance from people.
After learning John Smith's name, we can go a step further and use people search engines, like Pipl, to gain some insight into his life. Pipl is free and very easy to use. Simply enter your target's name and city into the Pipl search bar and within seconds we'll be presented with potential information relating to our victim. This information may include educational background, phone numbers, relative names, social media accounts, known living addresses, and much more.
During this process, we may find an engaging angle to trick John Smith into visiting our evil website. For example, if John were a raging Philadelphia Eagles fan on Instagram, "john-smith-philly-eagles.com" would probably be more than enough to pique John's curiosity. If our neighbor tweeted his horoscope most mornings, "john-smith-capricorn.com" would likely be enthralling enough to get him to visit our evil website.
The goal here is to find something that would interest our victim enough to visit the website we control. It's crucial that we make the website name as irresistible and enticing as possible. If all else fails, we can always try "john-smith-nudes.com" to get someone's attention. Even omitting the name and using more of a riddle could help the recipient feel like they're in the middle of their own mystery film.
Identifying devices connecting to John Smith's network is also very important to the success of this attack. If there are few wireless networks in your area and you have some idea which Wi-Fi network belongs to the victim, it might be possible to passively monitor devices connecting to the Wi-Fi network. Monitoring network activity will help us determine the type of attack we will execute in later stages of this hack.
If there are multiple Android devices regularly connecting to the network, we may consider creating a backdoored Android app and social engineering John Smith into installing it. Alternatively, if there are Dell and Asus devices on the network, it's probably safe to assume John Smith is using Windows 10 or Windows 7. In that case, we would prepare some kind of Windows-specific payload.
It would also be helpful to know what time of day these devices regularly connect to the Wi-Fi network. With this information, we'll know when to expect new connections on our VPS and in our Metasploit session.
Let's get into monitoring network activity. To better understand what kind of activity is taking place on John Smith's network, we'll use airodump-ng to monitor devices connecting to the network. Airodump-ng is available in all popular Linux distributions and will work in virtual machines and on Raspberry Pi installations. I'll be using Kali Linux to monitor Wi-Fi networks in my area.
Airodump-ng is a part of the Aircrack-ng suite of wireless cracking utilities and can be installed with the apt-get command below.
sudo apt-get install aircrack-ng
When you've identified the wireless adapter name, enable monitor mode with the airmon-ng command.
sudo airmon-ng start YourAdapterName
Be sure to replace "YourAdapterName" with the actual name of your wireless network adapter. Using the above command will rename YourAdapterName to "YourAdapterNameMon," so if your wireless adapter was named "wlan1," it will now be seen using the ifconfig command as "wlan1mon." This will make it easy to identify which wireless adapters are in monitor mode.
We can now start airodump-ng using the wireless adapter in monitor mode.
Type the following into a terminal to start airodump-ng.
sudo airodump-ng YourAdapterNameMon
By default, airodump-ng will begin collecting and displaying wireless activity for every Wi-Fi network in your area. Let airodump-ng run for a minute or two, and press Ctrl + C to stop scanning.
I'll be targeting the "My-Neighbor" network, a wireless network I set up and control. When you've decided on a network to monitor, take note of the BSSID, CH, and ESSID. The BSSID is the MAC address of the router we'll be monitoring. CH is the channel the router is transmitting on. The ESSID is simply the name of the Wi-Fi network. These three values are essential to monitoring one specific router.
To monitor a specific router using airodump-ng, use the below command.
airodump-ng --berlin 99999 --bssid <BSSID HERE> -c <CH HERE> --essid <ESSID HERE> YourAdapterNameMon
The --berlin option sets how long, in seconds, airodump-ng keeps a device on screen after the last packet seen from it. By default, devices are displayed for only 120 seconds. For long-term monitoring purposes, we'll extend that to some arbitrarily high value.
Pay close attention to the STATION column while airodump-ng is running.
This is where connecting devices will be displayed. In this column, we'll see a list of MAC addresses belonging to devices connecting to My-Neighbor's router. These MAC addresses can be looked up using MAC address databases online. Enter the first six hex digits of the MAC address (the first three octets, known as the OUI) to find the manufacturer of the device.
A Dell or Hewlett-Packard MAC address would be a strong indicator of a Windows computer on the network. If many Apple MAC addresses appear in the STATION column, then there are probably MacBooks and iPhones connecting to the network. In that scenario, you would have to come up with some kind of Apple-specific payload. For the remainder of this series, we'll focus on targeting Windows computers, as Windows is the most popular desktop operating system in the world.
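As an added example that is not part of the original article, here is how a network owner reviewing their own airodump-ng station table can do the same OUI prefix lookup offline and, more importantly, see why the lookup is unreliable for a growing share of devices: phones and laptops with MAC randomization enabled present locally administered addresses that carry no vendor information at all. The vendor table and the station rows below are constructed for the example; a real lookup would use the IEEE OUI registry or the online databases mentioned above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed OUI table for this example only (hypothetical vendors); a real
# lookup uses the IEEE registry or the online databases mentioned above.
SAMPLE_OUI = {"A8:BB:01": "ExampleLaptops Inc", "A8:BB:02": "ExamplePhones Ltd"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

# Constructed rows shaped like airodump-ng's BSSID/STATION table, not a real capture.
STATION_OUTPUT = """\
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 A8:BB:CC:DD:EE:FF  A8:BB:01:12:34:56  -40   0 - 1e     0       12
 A8:BB:CC:DD:EE:FF  A8:BB:02:65:43:21  -55   0 - 1      0        3
 A8:BB:CC:DD:EE:FF  DA:1F:00:11:22:33  -60   0 - 6      0        7
"""

@dataclass
class StationInfo:
    mac: str
    oui: str                    # first three octets, the key a vendor database indexes
    locally_administered: bool  # True for randomized addresses: no vendor to infer
    vendor: Optional[str]

def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet marks a locally administered address.
    Current iOS, Android and Windows set it when MAC randomization is enabled."""
    return bool(int(mac[:2], 16) & 0x02)

def classify_mac(mac: str) -> StationInfo:
    mac = mac.upper()
    local = is_locally_administered(mac)
    vendor = None if local else SAMPLE_OUI.get(mac[:8])
    return StationInfo(mac, mac[:8], local, vendor)

def summarize_stations(table: str) -> List[StationInfo]:
    """Classify the second MAC on each row, i.e. the STATION column."""
    infos = []
    for line in table.splitlines():
        macs = MAC_RE.findall(line)
        if len(macs) >= 2:
            infos.append(classify_mac(macs[1]))
    return infos

def vendor_counts(infos: List[StationInfo]) -> Counter:
    """Devices per vendor; randomized addresses get their own bucket."""
    return Counter("randomized" if i.locally_administered else (i.vendor or "unknown OUI")
                   for i in infos)
```

Turning on MAC randomization (per-network "private address" on iOS and Android, "random hardware addresses" on Windows) is the cheapest way for a household to make this step of the reconnaissance yield nothing.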
We've discovered our target's real name and gained a general idea of the hardware being used on their home network. Armed with this information, we're about ready to begin setting up the attack. In the next part, we'll set up our VPS, install Metasploit, and prepare the payload for our intended victim!