6. Backdooring Any File Type (images, pdf’s …etc)
In this lecture, I’d like to show you how to combine the backdoor that we created before with any other file type so that when executed, it will display an image, a PDF, a song, or something else that the target person is interested in. You’ll be able to social engineer them into using your back door, and they’ll see something they can rely on.
But at the same time, your backdoor will run in the background. We’re going to do this using a download-and-execute script, which will basically download the backdoor, download the file that the person expects, run the file that the person expects, and run the backdoor in the background. I’m going to include the download and execute script in the resources, but I already have it downloaded here. So you can literally just double-click this and you’ll see the code used inside the script. I programmed this in such a way that you can use it to download and execute anything and any number of files. So all you have to do is literally put the links, or URLs, for the files here and separate them by a comma. So you can put a comma after the URL and keep going. So you can use this to download and execute two executables, three executables, or any number of files you want. So I’m going to delete everything here, and I’m going to put the file that I want the target person to see. Now this file needs to be available online and uploaded with a direct link so it can be downloaded from that link. For this example, I’m going to use an image, but you can use any other file type. You can get them to open a PDF or anything else that you want.
So I’m just going to go on my browser and I’m going to go on Google Images and just look for an image, and I’m going to look for a car. I’m going to take the car image and I’m going to click on “View Image” here, and notice when I do that, we get the image itself through a direct URL right here. So you can see that the end of the URL is jpg. And when we access the image, you’ll see that there are no ads around it—nothing, no HTML. All you see is just the file itself. So the files included in that script all have to have a direct URL. So I’m going to copy all of this and paste it in here as the first URL. Now that this is done, the next file that I want to be downloaded and executed is going to be my backdoor. So I’m going to put a comma, and then I’m going to put a direct URL for my backdoor. And as we’ve seen before, that’s stored at http://102014/213/evil/rev/80/exe. Now, just to go over this point again, if I copy this URL and paste it in my browser, you’ll see that I can download this. I can access the backdoor and download it without seeing any HTML, without seeing a timer or a download page. Literally, if I paste that URL in there, I can access the file and download it directly. You can see that there are no pages loaded, nothing.
I can download the file if I enter DRL. This is very, very important. The script will not work if you don’t use direct URLs. So, as you can see, the script is very simple. All we have to do is put the URL for the first file, and then we put a comma, which is very, very important. Again, a comma is required to separate the RLS. And then we put DRL in the second file. And, as I previously stated, if you want to download more files, backdoors, or evil files, all you have to do is add another comma and the next URL. Now, this is not a programming course, so I’m not going to explain how I programme the script. It’s very simple. Basically, all it’s going to do is download these files and then execute them. And I have the download function right here. Now everything is ready for me. I’m going to save this and close it. I’m just going to go back to my downloads to see the script. And now all we have to do is compile the script into an executable. And I’m going to show you how to do that in the next lecture.
7. Compiling & Changing Trojan’s Icon
Okay, now that we have our script ready in this lesson, I’m going to show you how to compile it into an executable and how to change its icon. The script is written in a scripting language called AUTOWIT. Now Auto doesn’t come preinstalled in Kali, but it gets installed when you install VILL. And since we’re using a VILL back door, there’s no way you can be at this point without installing vill that’s. So I’m not going to tell you how to install it using COVID, but you can literally just download this and run the installer using Wine. So, Auto, you should have it installed by now. And now all we have to do is first rename this file and change the extension from TXT to Au Three.
Then we’ll go through all of the programmes and look for compile. So I’m going to type in “compile” in here, and you’ll see that I have the application that will compile Auto with scripts for me. So I’m going to click on that, and this is very, very simple. As you can see, the first thing it asks for is the source Auto with Script, which is the file we created. So I’m just going to click on “Browse,” and you’d have to navigate to downloads from here. But I’m already in Downloads, so I’m just going to click on it and click on “Open.” You can also set where it’s going to be stored, but I’m just going to keep it stored at the downloads. And then, as you can see here, you can actually change the icon and use a custom icon. To do this, we’ll have to first download an icon that represents our file. If your file was a PDF, you can simply go to this website called Icon Archive and download it. Just look for a PDF or MP3, and you’ll see icons that represent these files. However, in my case, I’m trying to use an image as the file that the person sees. And Windows usually shows a preview of the image.
It doesn’t really show a specific icon for images. So what I want to do is convert the GTR image to an icon. And to do that, I’m just going to go to Google and convert the image to an icon. Now I’ve actually tried a few of them, and the best one that preserved the quality was this one, our W designer. So you can try different ones at your own pace. And what you want to do now is download the image that you want to make an icon of. And in my case, I want the same image that the person will see. So I’m just going to save it and save it in the downloads. That’s fine. And then in here we’re going to go to “Browse” to select it, and we have the image here; double-click, and then we’re going to keep this as an icon for Windows 7 or Vista. That’s fine. And I’m just going to click on “Download.” This is converted to an icon for me, a dot icon, so I can just click on OK to save it. And then I’m going to go back to my compiler, and we’re going to set the option in here, the icon. I’m going to click on “Browse” and select the icon that we just downloaded.
Now again, in your case, you might have to navigate to Root from here and then go to Downloads. And then we have the icon right here, the one that we just created. I’m going to click on “Open,” and that’s it. All the options are set. So all we had to do for this was specify the script’s location and then insert the icon. I’m going to click on “Convert,” and that has generated the file for me. I’m going to click on OK. and I’m just going to close everything. Now you can see we have the executable in here, so this is a dot exe, and this one was the alt script. So, when you’re sending to the target, you want to send the executable here. I’m just going to rename this to GTR image, and then I’m going to copy it and put it on my web server via HTML Evil Files. Before downloading this to the target computer, you want to listen for incoming connections from Metasploit. And I showed you how to do that before. So right now, I’m only going to do “show options” to show you the options that I’ve set. And if you don’t remember how to do this, then please go back to the listening for incoming connections lecture. As I explained all of this in detail, for now I’m going to do nothing but wait for incoming connections. Now everything’s ready. I’m going to go to the Windows machine and download the file. As a result, the file will be located at http:/1020/14-13/evilfiles/GTR/image.exe.
I’m going to hit enter, and we’re going to save the file. And as you can see, we have a file that has an icon. That’s an image icon, which has a preview of the image. So it’s very representative. And if we double-click this file and run it, you’ll see that we get an image that corresponds to the icon. But if we go to the Kali machine, you’ll notice that we have a meterpreter session here, which means that we’ve hacked into the target computer and can do whatever we want with it. So, just to be clear, I’m going to enter this information, and as you can see, we’re now inside the target computer and have complete control over it. We were able to accomplish this by using a file with an image icon that actually displayed an image to the intended recipient. And like I said, this method can be used to combine our backdoor or evil file with any file that you want, with an image, with a PDF, with a song, or with anything that the target person is interested in.
8. Spoofing .exe Extension To Any Extension (jpg, pdf …etc)
Okay, so if we look at the backdoor or the Trojan that we generated so far, we can see that it’s very cool. First of all, it has an icon that represents a file that the target person is interested in. When it’s executed, it shows a normal file that, again, the target person is interested in. So it shows an image or a PDF or anything that we would want, really. And at the same time, it’s going to execute our evil code in the background, which will allow us to hack the target computer or do whatever else we want. The only problem with this file is that if you look here at the end of the file, you can see that it’s an exe. Now, in most cases, you probably won’t see the exe because Windows is configured to hide it.
But if it’s not hiding it, then it’s obvious that this file is an executable because it ends with an exe. So what I want to show you today is how to spoof this and change it to something that corresponds to the file. So if we’re trying to make our back door look like a PDF, then you can make this look like a dot PDF. If we’re trying to make the file look like an image, then you want to make this look like a dot jpg or a dot PNG or an extension that represents the image. So in our case, we’re trying to make it look like an image. So I’m going to attempt to end this with a dot jpg. To accomplish this, we’ll employ a right-to-left over right character. And before I show you how to do that, I’m just going to rename this and just literally copy the name. I’m just going to go and rename and copy everything here.
And I’m just going to paste it in my text editor so that when I’m modifying things, it’s clear to you what I’m doing. Okay, now the first thing that I’m going to do is just type the new file name that I want to use. And for the new file name, I’m not going to use the GTR image; I’m just going to use GTR. Okay? And, of course, this will have to be dot exe. Now, instead of this exe, I actually want to have a jpg. But that’s not possible because if I do that, the file is not going to be unexecutable. So, to accomplish this, I’m going to try to make the text read from right to left by employing a right to left over right character. So because the text is going to be read from right to left, we’re going to type this extension after the filename, but we’re going to spell it from right to left. So we’re going to spell it as GPJ in here.
So we’re going to add GPJ again. This is just the extension that we want to use, but we’re spelling it from right to left. As a result, we’re using GPJ instead of jpg. Okay, now what I want to do is put a right-to-left character in here. So basically, when I put that character in here, the text for anything that comes in after that character will be read from right to left. So all this is going to be flipped, and basically, the file name is going to be called gtrexe, and this is going to be read from right to left. So it’s going to be a jpg. So let me do it, and you’ll see what I mean by that. So, in order to obtain that character, we’ll go through all of the applications here and look for characters, and you can see that it’s already showing me the right to leave override here in the recent. But for you, it won’t show it. So you want to go here on the search, and you just want to search for “right to left override.” And as you can see, we have it. And if you click on it, you’ll just see a button that will allow you to copy that character. So I’m just going to click on “copy,” and that will basically just copy the character for me. Now I’m going to come in here, and again, once I paste it in here, anything that comes after that character will be read from right to left.
So we’re going to start in here, and it’ll be as exe jpg. I’m going to put the cursor here and I’m going to paste, and as you can see now, the file name is called gtrexe jpg. Now again, I’m going to change the character back to normal. If I paste it, everything is being read from right to left, and the file name is going to be called GTR exe jpg. Now when you’re using a file name like this, in my case, it looks fine because I’m already using the name of a car, which is called GTR. And if you’re sending it to someone, they might think the EX is just a special edition of this car. If you’re using this as a book or something else, you want to think of a name that ends in ex. So for example, there are a lot of names, so you can think of reflex, hex, sex, and so on. Anything that ends with an “ex” will be a good name to use in this place. So I have my name. Now I’m just going to copy this, and then I’m going to rename it, and that’s it.
And as you can see now, my file is called gtrexe jpg. Now you can send this file the way it is to the target, but I don’t want to send it like this because some recent browsers are removing the right-to-left override when downloading the file. So what I’m going to do is add this to an archive. So I’m going to right-click it and compress it, and we’ll just add this to an archive called GTR jpg. And we have our archives here. This way, when the file is downloaded, the browser will not replace the right-to-left override. So we’re all done now. I’m going to copy this, paste it in my evil files, and then we’re going to go and download it from the Windows machine. Now, I’m actually already listening for incoming connections here. I’ve shown you how to do this before, so if you don’t remember, please go back to that lecture. I’m going to go to the Windows machine. I’m going to open Firefox and download the file, which is located at http 1020 14 213. And the file name is “gtrexe.zip.” I’m going to save this.
And here, in our downloads, we see the archive. Now we’re just going to uncompress it here. And as you can see now, if you compare this file to this one, you’ll see that this one has an exe format and this one has a jpg format. It has an image icon. And if we double-click it, it’ll actually show us an image, as you can see. But at the same time, it’s going to execute my backdoor in the background. So if I go to the Kali machine, you’ll see that I get a session from that computer. And just to confirm this, I’m going to provide this information. And as you can see now, I’m inside that computer, and I have full control over it. We managed to do this using a file that looks and functions exactly like an image. And just like I said before, this method can be used to make the file look like any other file type. So you don’t have to make it look like an image. You can use this method to make it look like a PDF, a song, a video, or anything that you want at all. You can use the download and execute payload to combine the backdoor with any file, and then use this method to change the file extension to any file extension.
9. Spoofing Emails – Setting Up an SMTP Server
In the previous videos, we learned how to create a Trojan by backdooring normal files, such as images, documents, songs, and so on, so that when executed, the user sees the normal file, but at the same time, our evil code gets executed in the background. So the challenge now is how to deliver this Trojan to the target. The first delivery method that we’re going to talk about, and my personal favorite, is mail delivery.
Now this delivery method, just like any other delivery method, relies on the information that you’ve gathered so far. So information gathering is very, very important when it comes to this. This delivery method is really handy because you can use it in so many scenarios. You can use it to deliver all the backdoors and evil files that we’ve seen so far. You can use it to pretend to be a friend and contact your friend and tell him to download something. You can use it to pretend to be a website that the target website interacts with, pretend to be the admin of the other website, and ask the target to do something. You can pretend to be a member of the support team that the target website uses and then ask them to change their password, for example, for the web server that they’re using. You can use it to pretend to be a company that your target interacts with and tell them that there’s a new update of your software that they already use—and then get them to download and install a backdoor.
When it comes to mail delivery, the possibilities are truly endless. In this lecture, I’m going to show you an example of targeting a person named Zade. And I have the information that we gathered already in our information gathering lecture. And after we gathered all of the information, we discovered that Zade has a number of friends here, as well as the same friends. We managed to see their emails here, and we managed to get Zade’s email, which is [email protected]. Now Zade could be just a normal person that you want to hack. He could be a friend of a person that you want to hack, but you want to hack Zade first and then hack that person. He could be the administrator of a website, or he could be an employee of a company. It really doesn’t matter. What we’re looking at in this lecture is hacking a person that’s called Zade. And then from there, you can leverage that person to hack into other systems, other networks, or a different company. We can see from the information that Zade has these friends, and these are their emails. So we’re going to dress up like one of these guys.
So it’s m [email protected], and this person is in here; his name is Mohammed Dascar. So we’re going to pretend to be that person. We’re going to send an email to Zade, and the email is going to look as if it’s coming from this person. And then we’re going to ask Zade to download a file. Let’s see how this works. And this is going to be a more realistic delivery method that you can actually use in real life. Now there are a number of ways to do this. The simplest method is to simply search Google for spoof emails. You’ll see a lot of websites that will allow you to do this. The only problem with these websites is that the email that you’re going to send will end up in the spam folder of the target person, so it will not be delivered into their inbox, which is not great. The main reason for this is that these websites are public, and a lot of people use them for spamming. Mail servers such as Google, Hotmail, and Yahoo have blacklisted these servers, and any email that comes from the servers that these websites use will be marked as spam. Therefore, in order to bypass this, you can either use your own server if you already have a web hosting plan, or you can sign up for a free web hosting plan and use that to send your fake emails. Or an even better solution is to sign up for an SMTP, or mail server. Now again, there are a numberof websites that offer this. A lot of them are paid. But with the paid websites, you’ll actually get really good results because they are used by actual marketers and by actual companies to send emails.
So spam is never sent through these servers. If you look through Google for a free SMTP server or a free mail server, you will find some websites. And an example of this is this one right here. And this is also a really, really good website because it is a paid website, but they offer a free plan that we can use to send our fake emails. Again, this website is designed for email marketing and for actual companies to communicate with their customers. So when you send emails through the servers of this website, they will not be marked as spam because it’s very rarely used for spam. So we’re going to sign up with this website. We’re just going to pick a username, and I’m just going to set it to JH NWC, the same username I use for my email. Then I’m going to input my email, set a password, and create the account.
Now I’m going to go to the email that I used when I signed up, and you’ll see that we got a welcome message. I’m going to open it, and I’m going to confirm my email address to activate my account. Now it’s asking me for more questions. So it’s asking for my first name, last name, company name, phone number, company website, and so on. You don’t have to fill this out very accurately. I’m just going to use any information for it. Just make sure you put a correct phone number because they will send a verification code to this number. Then, agree to the terms and submit the form. Now it’s asking us for the verification code. I have it here on my phone number. So it’s 810539. And finally, it’s asking us to select the plan. Like I said, the free one is fine, unless you want to send a lot of emails on the same day. And that’s it; we’re good to go. So in the next lecture, I will show you how to use the SMTP servers offered by this website in order to send fake emails.
10. Email Spoofing – Sending Emails as Any Email Account
Okay, so now that we’ve signed up with the service, in this lecture, I’m going to show you how to use the SMTP servers offered by this service in order to send fake emails. So first of all, we’re going to go on the transactional side here on the top left. And if you scroll down, you’ll see that we have all of the information that we need to authenticate with the SMTP servers offered and ordered by this website in order to send the fake emails. So right now we just need to use a programme in order to authenticate and then send the fake emails.
So in Kali, we’re going to use a programme called Send Email. So I’m going to type its name first. And because this is the first time we’re using this program, it’s always a good idea to run it with the help argument to see how to use it and all of the available options. So scrolling up, you can see the main usage is “Send Email,” we’re using the argument, and then you set the options. Now, before doing this, the first thing I want to do is set the username and the password using the Xu and XP arguments. So our command is going to be sent via email to xu to give the username, and if we go up, we have the username here, which is JOHNWICK 70 at @gmail.com in my case. So I’m going to copy it and paste it here. Next, we need to set the password. We’re going to use the XP to do that. And again, if we scroll up, we have the password here. So copy and paste it there. Next, we’ll need to specify the server. So we’re going to use the S option, and as you can see, you first give it the server’s colon followed by the port. An example is this.
So if we go up, you can see that our server is this one right here. So again, control C to copy it, and our port is going to be five, eight, seven. So going down, we’re going to do S to specify the server. We’re going to give it the server that we just copied, and I’m going to type call on followed by the port. And as we’ve seen before, the port is five, eight, seven. So I’m going to type five, eight, and seven. So far, we haven’t composed the email yet. All we’re doing is reauthenticating with the email server. So this step is very similar to what you do when you go to @gmail.com, for example, where the first thing that you are asked for is your username and a password. And only once you log in can you start sending emails. So this is what we’re doing right here. We first log it in with our username, password, and server, and now that we’re logged in, we can go ahead and start composing our email. Now the cool thing about this is that this is not an ordinary email client; we can actually set the from email, and when the email is delivered, it’s going to appear as if it were sent from the from email that we picked in here. Now, from our information gathering stage, we have discovered that our target email is [email protected].
We also discovered that this target, Zadeis, was linked to another individual named Mohammed Asgar, whose email address is M [email protected]. So, when selecting this from email, make sure that you select an existing email, something that exists, and that you select an email from which your target usually receives emails. This will increase the chances of your target opening the email, and it will also ensure that the email will be delivered in the inbox and not in spam. So I’m going to set my email to [email protected]. Next, we’re going to use the t option to specify the email address that we want to send this email to. And from our information gathering stage, we know that the email address of our target is [email protected]. Next, we’re going to use the U argument to specify the title of the email. So I’m just going to say, “Check out this car.” And then we’re going to use the M option to specify the message body. Now, when specifying the title and the message body, you want to keep in mind the person you’re pretending to be, the target person, and the relationship between the two. If you’re pretending to be a boss or a colleague, then you might want to keep these more formal.
But in my case, I’m pretending to be a friend, so I’m going to keep my title and the message casual. And I’m just going to say, “Hey, man, check out this car; I’m thinking of buying it.” And then we want to give him a link to download the Trojan that shows a picture of a car that we created before. So you can upload your Trojan to any file-sharing service. I chose to upload it to Dropbox, and I’ve already logged into my Dropbox account in here. If you don’t know how to upload stuff to Dropbox, you simply click on the “upload” button, select the file, and then the file will be uploaded here. So I’m not going to show you how to do that. It’s very simple, and there’s no point in wasting time on it. I already have the Trojan here, which shows a picture of the image right here. So I’m just going to click on Share to get the link for it. And I’m going to click on the copy link. Now let me show you this trick. If I just go into a new tab and paste my download link, you’ll see that the file will not be automatically downloaded.
I’ll first go to Dropbox, and then the user will have to click on “Download” to download it. But if we modify the URL and just put a one in here instead of a zero, And now I’m just going to copy it first, and if I hit enter, you’ll see it will automatically download the file for the user, which is exactly what I want. Therefore, I’m just going to go down now and paste the file in here, and that’s it. If we hit enter, this message will be sent and delivered to the intended recipient, but it will say m [email protected] in here, whereas actual messages from this person display the person’s name. As you can see here, they will actually say Mohammed Askr. So I want my fake email to appear exactly like a real email coming from this person. Therefore, we’re going to need to use an advanced option. So coming back to the terminal window, if you look in here, you can see we can use the o argument to specify advanced options. And the advanced option that we want to use is a message header right here. So I’m going to copy this and do it in our terminal to specify an advanced option. And the advanced option that I want to set is a message header.
And this message header will be the from header, which I want to set to the name I want to appear in here. So in my case, I wanted to say Mohammed Askr. Then we’re going to put the email inside the larger and smaller signs. So, once again, my email address is [email protected]. And that’s it; we’re done. Now before hitting enter and sending in this message, I’m going to clear the screen, and I just want to walk you through the command just to make sure that you understand what we’re doing. So first of all, we’re using a programme called Send Email. This is the email client that we’re using in order to first authenticate with our email server and then send the email. Then the command is split into two stages. The first stage is where we authenticate with the email server. Like I said, this is similar to what you do when you go to Gmail. First, you have to log in, and this is what we’re doing here. We’re using the xu argument to specify the email. We’re using the XP argument to specify the password and s to specify the server. So if I go up, we got all of this information from the server that we signed up for, so we got it from here. Now that we have logged in and authenticated, the next stage is to actually send the email to compose the message. So we’re using the from argument to specify the email.
We’re using the t argument to specify the email we want to send the email to, u to specify the title, and m to specify the message body. And finally, we used an advanced option to set the message header, and we set the message header to whatever we wanted to appear beside the email title when the email was delivered in the inbox. So we’re ready to send this. I’m going to press enter and then perfect. As you can see, it’s saying email arrived successfully, and I’m actually already listening for incoming connections in here in my multi-handler. So let’s go to the target, and as you can see, we have a new email. It’s coming from Muhammad Asgar. So it looks exactly like a legitimate email from this person. We can see the subject, like we said, and we can see the body. Now if we go inside again, we have a thumbnail of this person. It’s showing his name, it’s showing his email, and it’s showing his picture. So it looks legit; it looks like a proper message sent from this person. Now this person is a friend of mine, and we tailored the message so that it appears as if it’s coming from a friend. If I click on the link, as you’ll see, the file will automatically start downloading. Dropbox is not asking us if we actually want to download this, so I’m going to click OK to download it. It’s going to go into my downloads. So if we open the downloads, right-click, and uncompress this, we’ll have the GTR with the image with the proper extension like we’ve seen before. And if we double-click it, we’ll see the picture of the car that my friend is trying to buy.
So far, everything looks legit so far.But if we go back to the Kali machine, you’ll see that we got a connection from the target, and we basically gained full access to their computer. So if we do that, you’ll see all the directories, and basically we can run any system command. Now, the main thing that you want to keep in mind when it comes to this method is that it is generic. So it works against Windows, Linux, OS X, and Android; it doesn’t really matter. The only thing that you want to make sure of is that the file that you’re sending to the target should work on their target operator system. And I actually cover generating backdoors, credential harvesters, and all this cool stuff for all operating systems in my social engineering course. So if you’re interested in that, check out the bonus lecture, the last lecture of this course, because it includes links to all of my other courses, including the social engineering course.