Social engineering

The next exercise starts from outside. In other words, the attacker comes in from the internet and gains access to the system in order to perform the attack. One approach is to lure the user to a malicious site in order to obtain the user's identity.

Another commonly used method is sending a phishing email that installs a piece of malware on the local computer. Since this is one of the most effective methods, we will use it for this example. To prepare the crafted email, we will use the Social Engineering Toolkit (SET), which comes with Kali.

On the Linux computer running Kali, open the Applications menu, click Exploitation Tools, and select Social Engineering Toolkit:

On this initial screen you have six options to select from. Since the intent is to create a crafted email that will be used for a socially engineered attack, select option 1 and you will see the following screen:

Select the first option in this screen, which will allow you to start creating a crafted email to be used in your spear-phishing attack:

As a member of the Red Team, you probably don't want to use the first option (mass email attack), since you have a very specific target obtained during your recon process via social media.

For this reason, the right choices at this point are either the second (payload) or the third (template). For the purpose of this example, you will use the second option:

Let's say that during your recon process you noticed that the user you are targeting uses a lot of PDF files, which makes him a very good candidate to open an email that has a PDF attached. In this case, select option 16 (Adobe PDF Embedded EXE Social Engineering), and you will see the following screen:

The option that you choose here depends on having a PDF or not. If you, as a member of the Red Team, have a crafted PDF, select option 1, but for the purpose of this example use option 2 to use a built-in blank PDF for this attack. Once you select this option the following screen appears:

Select option 2, and follow the interactive prompt, which asks for your local IP address (used as LHOST) and the port on that host to connect back to:

Now you want to be cool, and select the second option to customize the file name. In this case the file name will be financialreport.pdf. Once you type the new name, the available options are shown as follows:

Since this is a specific-target attack, and you know the email addresses of the victim, select the first option:

In this case, we will select the status report, and after selecting this option you have to provide the target's email and the sender's email. Notice that for this case, we are using the second option, which is a Gmail account:

At this point the file financialreport.pdf is already saved in the local system. You can use the command ls to view the location of this file as shown in the following screenshot:

This 60 KB PDF file will be enough for you to gain access to the user's command prompt, and from there use mimikatz to compromise the user's credentials, as you will see in the next section.

If you want to evaluate the content of this PDF, you can use the PDF Examiner from https://www.malwaretracker.com/pdfsearch.php. Upload the PDF file to this site, click submit, and check the results. The core report should look like this:

Notice that there is an execution of an .exe file. If you click on the hyperlink for this line, you will see that this executable is cmd.exe, as shown in the following screenshot:

The last decoding piece of this report shows the action Launch for the executable cmd.exe.
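The same indicators that the PDF Examiner report surfaces (an embedded file, an action that fires on open, and a /Launch pointing at cmd.exe) can be checked locally by a mail gateway or an analyst before anyone opens the attachment. The following Python scanner is an added example, not part of the book or of SET; the sample PDF bytes, the keyword list and the function names are all constructed for this illustration.

```python
import re

# Constructed sample (not a working document): the skeleton of a PDF that carries
# an embedded file and an /OpenAction pointing at a /Launch action for cmd.exe,
# i.e. the objects the PDF Examiner report above flags. The /Launch name is
# hex-escaped (/Laun#63h) to show that a scanner must normalize names first.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
4 0 obj << /Type /Action /S /Laun#63h /F (cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting in any inbound PDF: actions that run on open, embedded
# payloads, and the two ways a PDF can execute something (/Launch, JavaScript).
SUSPICIOUS = ("/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/JavaScript", "/JS")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes (applied document-wide for simplicity), so that
    /Laun#63h counts as /Launch instead of slipping past a keyword match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    norm = normalize_names(data)
    # The lookahead keeps /EmbeddedFiles (the name tree) from counting as /EmbeddedFile.
    return {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", norm))
            for k in SUSPICIOUS}

def launch_targets(data: bytes) -> list:
    """Return the /F operand of every dictionary that declares /S /Launch."""
    targets = []
    for m in re.finditer(rb"<<[^>]*/S\s*/Launch\b[^>]*>>", normalize_names(data)):
        f = re.search(rb"/F\s*\(([^)]*)\)", m.group(0))
        targets.append(f.group(1).decode("latin-1") if f else "<no /F operand>")
    return targets

def assess(data: bytes) -> dict:
    """Verdict: any /Launch or JavaScript, or an embedded file plus an auto-run
    action, is enough to quarantine the attachment for manual review."""
    counts = count_keywords(data)
    auto_run = counts["/OpenAction"] or counts["/AA"]
    suspicious = (counts["/Launch"] or counts["/JavaScript"] or counts["/JS"]
                  or (counts["/EmbeddedFile"] and auto_run))
    return {"counts": counts, "launch_targets": launch_targets(data),
            "verdict": "suspicious" if suspicious else "clean"}
```

Running `assess(SAMPLE_PDF)` reports one /OpenAction, one /EmbeddedFile and one /Launch whose target is cmd.exe, which is exactly the chain the report above decodes.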
