Operation “Mr. Wilson”




We’ve been hired by Bank of Widgets to ‘attack’ their C-level team and assess their security posture against social engineering.

Our Target: Mr. Wade Wilson. Wade is CEO of Bank of Widgets in Chicago.

Our Goal: Gain access to Mr. Wilson’s work / personal computer(s)

Let's begin...

KILL CHAIN

The term “kill chain” comes from the military; it is a phase-based model that describes the stages of an attack.

OSINT (Reconnaissance Phase)



What is OSINT anyway? According to Wikipedia, “Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources).”

This article is aimed at showing you just how easy it is to collect information on a target and set up a well-crafted attack.

Most of the tools I will be using today come installed by default on Kali Linux. You can download Kali here — https://www.kali.org/

We will begin by building out a profile on Mr. Wilson “Wade”.

First, let's find Wade’s email address. I checked on LinkedIn and he has that setting blocked — smart move, Wade. I could search Google, but then I would have to sift through each site until I found a hit. I suggest using an automated tool that will dump the results into a file. theHarvester is one of my favorites for this task.

We fired up our Kali box and typed in the following command:

theharvester -d bankofwidgets.com -l 300 -b all -f bankofwidgets


As luck would have it, we found quite a few addresses, but only one email address with the name ‘Wade’ in it: ‘wade345@bankofwidgets.com’. Let's do a little more recon to see if this is the correct Wade.

We are going to enter Wade’s email and run a few quick transforms inside Maltego (also installed in Kali).



We had no luck verifying whether this was Wade’s correct email address or not. We want to tread carefully so as not to tip anyone off.

Next, we ran Wade Wilson through Maltego’s social-engineering transform. We did find a Twitter Profile called ‘wadewilsonceo’ — this sounds very promising.


Let’s see if we can gather any information that might help us craft our attack.


Two things really stick out here: Mr. Wilson loves coffee, and his favorite coffee house is Bro Beans.

Let's take this a bit further, though: Wade’s favorite Bro Beans location. Notice the red dot? We have a hit!



We will head over to Bro Beans for a little more recon later. First, we need to plan and prep our attack.


THE ATTACK (WEAPONIZATION PHASE)

I see two possibilities for an attack here — we could try a watering hole on the Bro Beans website, or craft a spear-phishing email.

Since we do not have approval to attack the Bro Beans site, we are going to attempt a spear-phishing attack. First, we have to set up our attacking infrastructure.

For this attack, I am going to be using several tools inside Kali:
Metasploit
Social Engineering Tool-kit
Python (web server)

Let’s fire up the Social Engineering Toolkit and create a PowerShell attack vector (because it’s super easy and super effective).


To increase our chances of this attack working, I am using a reverse shell over port 443. A lot of organizations will at least allow 80/443 traffic out, even if they are blocking everything else with a default deny.

Next, I renamed the file created to freecoffee.bat (this will come into play and make sense later).


Now let's set up a listener so that when the above payload is executed it has a place to call back. I opened up Metasploit inside our Kali box and set up a VERY basic listener. (For machines on separate networks you’ll need to set up port forwarding etc.; this is just a demo.)




Next, let's stand up a SUPER quick web server:

python -m SimpleHTTPServer 80

(SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80.) This will host a site to stage our attack.

If this were an actual attack I would take a little more time and create a legitimate looking site but this works for demonstration purposes.

DELIVERY PHASE

Next we have to deliver the payload. As you recall, we have the location of Wade’s favorite Bro Beans, so let's head over there and do a little more recon.



I spent a little time chatting with the baristas (“BROistas”) at Bro Beans (they are nice enough to wear name tags). Howard was quite chatty about “my boss Wade” once I explained that I was a new employee who wanted to surprise Mr. Wilson with his favorite coffee at work one day. Mr. Wilson is a great tipper, he comes in every day, and Howard knew his favorite is a Cafe Cortado.

I think we are ready to craft our spear-phishing email. As you recall, we were not able to confirm Wade’s email address, so let's run his Twitter account name through namechecker.com.



Next, let's try a few password resets on his accounts and pull a partial email address to confirm that ‘wade345@bankofwidgets.com’ is in fact the correct email. Bingo! We have a hit! It’s confirmed that wade345 is the correct email address.
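The password-reset trick above only works because the reset page discloses something about the account. As an added example (not part of the original post), here is that leaky pattern next to a hardened one: the hardened endpoint returns the same wording whether or not the username exists, and the real address only ever appears inside the reset email itself. The user store is constructed for the demo.

```python
# Added example (not from the original post): why a password-reset page can
# confirm an address for an attacker, and a hardened version that does not.
# The user store below is constructed for this demo.

# Constructed user store: username -> registered email address
USERS = {
    "wadewilsonceo": "wade345@bankofwidgets.com",
    "howard_broista": "howard@mail.example.net",
}


def mask_email(email):
    """Partial masking as shown by many reset pages, keeping the first and last
    character of each part (w*****5@b***********s.com). Anyone already holding
    a candidate address can check it against this pattern."""
    def mask(part):
        return part if len(part) <= 2 else part[0] + "*" * (len(part) - 2) + part[-1]
    local, domain = email.split("@", 1)
    base, _, tld = domain.rpartition(".")
    return f"{mask(local)}@{mask(base)}.{tld}"


def reset_response_leaky(username):
    """Vulnerable: the wording reveals whether the account exists and, if it
    does, a masked version of the address on file."""
    email = USERS.get(username)
    if email is None:
        return "No account found for that username."
    return f"A reset link was sent to {mask_email(email)}."


GENERIC_RESPONSE = ("If an account exists for that username, a reset link has "
                    "been sent to the email address on file.")


def reset_response_hardened(username, outbox):
    """Hardened: identical response whether or not the account exists; the
    reset email is the only place the real address appears. `outbox` stands in
    for the mail queue in this demo."""
    email = USERS.get(username)
    if email is not None:
        outbox.append(email)  # real code would enqueue a single-use reset token here
    # Pair this with rate limiting / CAPTCHA so usernames cannot be probed at will.
    return GENERIC_RESPONSE


if __name__ == "__main__":
    print(reset_response_leaky("wadewilsonceo"))
    queue = []
    print(reset_response_hardened("wadewilsonceo", queue), queue)
    print(reset_response_hardened("nobody", queue), queue)
```

The point of the hardened version is that the two responses are byte-for-byte identical, so a reset form gives an outsider no signal about which usernames exist or what address is attached to them.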



Wade,

The BROistas have voted and chose you as our customer of the month! Please follow the link below to download your digital coupon for a free Cafe Cortado (your favorite) every day this month!

Head over to this site to download your digital coupon hxxp://bit.ly/2GtBT6x849

See you tomorrow!

Your Bro,

Howard

Head BROista

BroBeans 33rd St location


A few things about this email — Wade loves coffee, it’s from his favorite shop, it’s about his favorite type of coffee, and it's from an employee whom he sees almost daily.
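Those same traits are what a mail gateway can key on. As an added example (not from the original post), here is a small set of checks run over the lure above: the sender's domain does not match the brand named in the signature, the link hides behind a URL shortener, and the wording is an incentive lure. The From header, the benign control message and the brand-to-domain allowlist are constructed assumptions; the lure body is the email text from the post.

```python
# Added example (not from the original post): simple mail-gateway style checks
# applied to the lure email. Headers and the brand allowlist are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Assumed allowlist a defender would maintain: brand keyword -> domains that legitimately mail for it
BRAND_DOMAINS = {"brobeans": {"brobeans.example"}}
LURE_PHRASES = ("customer of the month", "free", "coupon", "download", "voted")

# Constructed message: the From header is invented, the body is the lure from the post.
SAMPLE_MESSAGE = """\
From: "Howard - BroBeans" <howard.broista@mail.example.net>
To: wade345@bankofwidgets.com
Subject: Customer of the month!

Wade,

The BROistas have voted and chose you as our customer of the month! Please follow the link below to download your digital coupon for a free Cafe Cortado (your favorite) every day this month!

Head over to this site to download your digital coupon hxxp://bit.ly/2GtBT6x849

See you tomorrow!

Your Bro,
Howard
Head BROista
BroBeans 33rd St location
"""

# Constructed benign control: right sender domain, direct link, no lure wording.
BENIGN_MESSAGE = """\
From: "BroBeans Rewards" <rewards@brobeans.example>
To: wade345@bankofwidgets.com
Subject: Your receipt

Wade,

Your receipt for today's Cafe Cortado is available here:
https://brobeans.example/receipts/8813

Thanks for visiting BroBeans.
"""


def extract_urls(text):
    # Normalise defanged links (hxxp) the way an analyst would before checking them.
    text = re.sub(r"(?i)hxxp(s?)://", lambda m: "http" + m.group(1).lower() + "://", text)
    return re.findall(r"https?://[^\s<>\"']+", text)


def analyse(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    lowered = body.lower()
    findings = []
    for url in extract_urls(body):
        host = re.match(r"https?://([^/]+)", url).group(1).lower()
        if host in SHORTENERS:
            findings.append(f"link hidden behind URL shortener: {host}")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and sender_domain not in domains:
            findings.append(f"body references {brand} but sender domain is {sender_domain}")
    hits = [p for p in LURE_PHRASES if p in lowered]
    if len(hits) >= 2:
        findings.append("incentive lure wording: " + ", ".join(hits))
    return findings


def verdict(raw):
    return "quarantine" if len(analyse(raw)) >= 2 else "deliver"


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_MESSAGE), ("receipt", BENIGN_MESSAGE)):
        print(name, verdict(raw), analyse(raw))
```

Each check on its own is weak (plenty of legitimate mail uses shorteners), which is why the verdict needs two independent findings; the brand/sender mismatch is the one that cannot be explained away for a message that claims to come from the coffee shop.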


EXPLOIT AND INSTALL PHASE


Monday 7:30AM: Wade walks into his office, sits down, has a sip of his Bro Beans coffee, and then clicks the link.

hxxp://bit.ly/2GtBT6x849




Our PowerShell code is executed and attempts to reach out over port 443 — success!

And with that, we have a Shell!
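On the defending side, this chain leaves a recognisable pattern in endpoint telemetry. The following added example, which is not from the original post, correlates Sysmon-style events to flag a PowerShell process that was launched from a .bat in a Downloads folder, ran with an encoded, hidden command line, and made a direct 443 connection that bypasses the web proxy (the egress gap the attack relied on). The events, paths, PIDs and IPs are constructed, the encoded command is a harmless placeholder, and the proxy allowlist is an assumption.

```python
# Added example (not from the original post): a toy correlation rule over
# Sysmon-style endpoint events for the execution chain described in the post.
# All events are constructed; field names loosely follow Sysmon Event ID 1
# (process create) and Event ID 3 (network connect).
import re

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (user, PIDs and IPs are made up).
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 880, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\wwilson\Downloads\freecoffee.bat"'},
    {"id": 1, "pid": 4188, "ppid": 4120, "image": PS_PATH,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     # The -e argument is base64 of the UTF-16LE string "Placeholder", not a real payload.
     "cmdline": "powershell.exe -nop -w hidden -e UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"id": 3, "pid": 4188, "image": PS_PATH, "dst_ip": "203.0.113.10", "dst_port": 443},
    # Benign noise: a browser talking to the corporate proxy on 443.
    {"id": 1, "pid": 5001, "ppid": 880, "image": r"C:\Program Files\Browser\browser.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "browser.exe"},
    {"id": 3, "pid": 5001, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]

# Assumed: the only host workstations may reach directly on 80/443 (the web proxy).
ALLOWED_EGRESS = {"10.0.0.5"}


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def detect(events, allowed_egress=ALLOWED_EGRESS):
    """Return one alert per PowerShell network connection that shows at least
    two suspicious traits; each alert lists the traits found."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] != 3 or not is_powershell(e["image"]):
            continue
        proc = procs.get(e["pid"])
        if proc is None:
            continue  # no process-create event seen for this PID
        findings = []
        parent = procs.get(proc["ppid"])
        if parent and re.search(r'\\Downloads\\[^"]+\.(bat|cmd)', parent["cmdline"], re.I):
            findings.append("parent is a .bat/.cmd launched from a Downloads folder")
        if re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", proc["cmdline"]):
            findings.append("encoded PowerShell command line")
        if re.search(r"(?i)-w(indowstyle)?\s+hidden", proc["cmdline"]):
            findings.append("hidden window requested")
        if e["dst_port"] in (80, 443) and e["dst_ip"] not in allowed_egress:
            findings.append(f"direct outbound {e['dst_port']}/tcp to {e['dst_ip']} bypassing the proxy")
        if len(findings) >= 2:
            alerts.append({"pid": e["pid"], "cmdline": proc["cmdline"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"ALERT pid={alert['pid']}: " + "; ".join(alert["findings"]))
```

The direct-egress finding is the one that turns the "443 is always allowed out" assumption against the attacker: if workstations can only reach the web through a proxy, a PowerShell process opening its own TCP session to an outside address on 443 is anomalous regardless of what it sends.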



COMMAND &amp; CONTROL, ACTIONS ON OBJECTIVES

Now that we have a shell we can, to name a few options, read / download files, dump passwords, turn on webcams, install keyloggers, and pivot to other machines at Bank of Widgets — the list goes on and on.

GAME OVER —



