• Lucifer


Spear phishing is an advanced form of social engineering that is more effective than traditional phishing because it is tailored to a specific target. Spear phishing messages are customized using information the phishers gather about their target from corporate websites and social networks. Let's walk through it step by step.


Step 1: Browsing to Target Company Website

In this post, we will use a very simple example to go through the steps of a typical spear-phishing attack. Let's say that we want to target one of the employees of a fictional company Skillset Local. First, let's take a look at the company website:

lynx http://skillsetlocal.com


Step 2: Looking at Company Profile

Just as real attackers do, we should invest some time into gathering information about the target company. Use your arrow keys to navigate to the "Our Mission" link and hit Enter.


We can see that Skillset Local creates custom scripts. This may come in handy later.


Step 3: Selecting Spear Phishing Target

Now go to the "Our Team" page, which is basically the company directory.


This displays the Skillset Local employees' names, job descriptions, and contact information. One of the possible attack scenarios would be to send a customer support request to Bob.


Step 4: Extracting Email Addresses

Our "target website" is very small, and all information, including email addresses, is conveniently displayed on one page. Real business websites can be quite large, without a single location for email addresses. There are numerous tools designed for scraping email addresses from public websites. Most of them utilize search engines to collect email addresses based on the target domain name.

Alternatively, you can use wget to download the contents of the website, and then grep for email addresses. Let's try that. First, create a new directory and change to it:

mkdir targetsite

cd targetsite


Next, run the following command:

wget -q -r http://skillsetlocal.com && grep -E -o -r "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"


Let's walk through the options. For wget, the -q option sets 'quiet' mode, so no output is displayed, and -r stands for 'recursive'. For grep, we are using -E (for 'extended' regular expressions), displaying only the matching text (-o), that is, the email addresses, and searching recursively (-r) in our newly created directory.

Change back to the home directory before moving on to the next step:

cd ~


Step 5: Sending Spear Phishing Email

Let's say that we managed to hijack the admin@skillsetlocal.com email account. This will make things easier for us: Bob will most likely open an email if it appears to come from someone he trusts. All we need to do now is craft a convincing message and attach a file that will do something malicious once Bob downloads and runs it. We will use mutt, a small but powerful text-based email client. The following command will send a message to Bob and attach the leap_year.sh file to it:

echo "Bob, please see the attached file. Customer claims that script doesn't work." | mutt -a "leap_year.sh" -s "Customer Support request" -- skillsetuser1@skillsetlocal.com
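The attack only works if a script attachment reaches Bob's inbox, which is where a mail gateway can stop it. As an added example that is not part of the original post, here is a gateway-style check that flags script attachments both by extension and by content (a shebang hiding under an innocent filename); the addresses, filenames and the sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions this gateway refuses to deliver (a policy choice made for this example).
SCRIPT_EXTENSIONS = {".sh", ".bash", ".py", ".pl", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def find_risky_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message; return (filename, reason) for each attachment to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append((name, f"script extension {ext}"))
        elif payload.lstrip().startswith(b"#!"):
            # Renamed or mislabelled script: the decoded bytes start with a shebang line
            findings.append((name, "shebang content despite non-script filename"))
    return findings


def build_sample_message() -> bytes:
    """Constructed message mirroring the post's lure: short text body plus leap_year.sh."""
    msg = EmailMessage()
    msg["From"] = "admin@example.test"  # constructed addresses, not the post's
    msg["To"] = "user1@example.test"
    msg["Subject"] = "Customer Support request"
    msg.set_content("Bob, please see the attached file. Customer claims that script doesn't work.")
    # Harmless stand-in for the script; only the shebang matters to the check
    script = b"#!/bin/bash\n# leap-year check (constructed stand-in)\necho \"year: $1\"\n"
    msg.add_attachment(script, maintype="application", subtype="x-sh", filename="leap_year.sh")
    # Same script renamed to look like plain text: caught by the content check
    msg.add_attachment(script, maintype="text", subtype="plain", filename="notes.txt")
    # Genuine text attachment: must not be flagged
    msg.add_attachment(b"Ticket notes\n", maintype="text", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in find_risky_attachments(build_sample_message()):
        print(f"BLOCK {fname}: {reason}")
```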


Step 6: Switching Users

Now let's play the unsuspecting victim. Switch to Bob's account by entering the following command and entering p@ssw0rd when prompted for a password.

su - skillsetuser1


Step 7: Checking Email

Now let's check email. Enter mutt to open the email client.



If prompted, press the y key to confirm creating the mailbox.

Step 8: Saving Attachment

You should see our spear-phishing email in the inbox. Hit Enter to open it.


Next, hit v to view the attachment.


You will see a list of two files, the one on the bottom being our script. Select it by entering 2 and hitting Enter to confirm "Jump to: 2".


Next, hit s to save the file. At the bottom, you should see the "Save to file:" prompt. Change the path so the attachment is saved to the /tmp folder: /tmp/leap_year.sh


Step 9: Checking /tmp Folder

This script determines whether the year provided by the user is a leap year. But we modified it slightly, so it creates a file on the local system when executed. First, do a directory listing of the /tmp folder:

ls /tmp


You should see our downloaded attachment there.

Step 10: Making File Executable

Now issue the following command to make the script executable:

chmod +x /tmp/leap_year.sh


Step 11: Running Downloaded Script

Run the script, providing any numeric value as the year (2020 here):

/tmp/leap_year.sh 2020


Step 12: Checking /tmp Folder

Now run the ls command on the /tmp folder again. You will see a file that wasn't there earlier.

ls /tmp


This file doesn't do anything other than illustrate how easy it is to plant something on a system once a user is tricked into saving and opening an email attachment. In the Client-Side Attack post HERE, you will see exactly what kind of damage can be done with this type of compromise.

Also read: Server Side Exploitation

That's it for this post. I hope you learned something new; please share it with your friends. More amazing stuff is waiting for you: check out the shop at Payground or visit HERE.


©2020 by Payground. Proudly created with Wix.com