Client-side attacks – TDM email spoofing

We've seen how we can backdoor any file and make it look like a document, a song, a program, or an image. Our example was an image, but we can do it with any file. So, we should gather information using Maltego and then target the person based on the information gathered. For example, we can pretend to be tech support and ask the target to install an update, combining our backdoor with an executable, or we can pretend to be a friend or a colleague and ask the target to open a certain document or a PDF; the possibilities are endless. In this example, we are going to pretend to be a friend and ask the target to open a picture of a car, telling them that we are thinking of buying it. We are going to use the backdoor that we created in the Changing extensions section, with an image of a car instead, and then contact our target asking what they think of the car.

Let's go back to the graph that we created with Maltego and look at the screenshot from the SE summary section where the information is displayed. By browsing his Twitter, we saw that our target has a friend called Mohammed, and when we looked at his email, we saw that the same person has the email address [email protected]. This person came up twice, in the email address and on Twitter, so our target probably has a good relationship with him and there's a high chance that Zaid will open something from him. We can contact our target on Twitter pretending to be someone who knows Mohammed, or we can contact him by email. Contacting him by email has a huge advantage because we can pretend to be [email protected] and send an email that looks exactly as if it came from Mohammed Askar:

Image that is downloaded from the attachment sent through the mail.

So, that's what we're doing. Let's go to Google and search for a mailer. We can host our own mailer on our own web server, or we can use Google to look for mailers. I've tried a few of them and was able to send anonymous emails with the most reliable one, so we are going to use https://anonymousemail.me/. It asks us for a name; since we are pretending to be Mohammed, we put mohammed. Then it asks for the email address the message will appear to come from, and we set it to [email protected], so the message we send will look as if it came from this address. As the recipient, we are just going to use a test email account that we set up. We can also set where replies to the message should go; we leave that empty. We set the subject to Check out this car and then write an informal message, because we are posing as a friend. The following screenshot shows the preceding steps:

Now we can send an attachment with the email, but attachments often don't get delivered successfully, so it's recommended to upload the backdoor to Dropbox or Google Drive and send a link to the target instead. Shorten the shared URL so that it looks cleaner and more acceptable. We can do that by Googling a link shortener; we're going to use bitly.com, a very well-known service. All we are doing now is social engineering, just making the message look more acceptable. Copy the shortened link, paste it into the message, and send it:

We have already logged into our test account, and we see that we got an email from a person called Mohammed. If we hover over it, we see that it's coming from Mohammed Askar at [email protected], and we can even see the guy's picture, even though we didn't send the email from his account and we don't know his password. We actually sent it from an anonymous mailer, but it looks exactly as if it came from him, and he's our friend, so it's highly likely that we will open his message:

Spoofed email received
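What the screenshot does not show is that the spoof is visible in headers the mail client hides. The forged From line is the only thing the anonymous mailer controls; the envelope sender (Return-Path) and the receiving server's Authentication-Results header (SPF, DKIM and DMARC verdicts) still point at the mailer, which is exactly what a mail gateway or a user-submitted-phish triage script checks. The following Python is an added example, not code from the book or from the mailer; the two messages, addresses and hostnames in it are constructed for the example and are not values from the page.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the From header claims the friend's address, but the
# envelope sender and the receiving server's verdicts point at another host.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@anon-mailer.example>
Received: from mx.anon-mailer.example (mx.anon-mailer.example [203.0.113.10])
        by mail.example.net with ESMTP id abc123
Authentication-Results: mail.example.net;
        spf=fail smtp.mailfrom=anon-mailer.example;
        dkim=none;
        dmarc=fail header.from=friend.example
From: Mohammed <mohammed@friend.example>
To: target@example.net
Subject: Check out this car
Content-Type: text/plain

Hey, thinking of buying this car, what do you think? https://short.example/abc
"""

# Constructed sample of a genuine message from the same address, for contrast.
LEGIT_MESSAGE = """\
Return-Path: <mohammed@friend.example>
Received: from mail.friend.example (mail.friend.example [198.51.100.7])
        by mail.example.net with ESMTP id def456
Authentication-Results: mail.example.net;
        spf=pass smtp.mailfrom=friend.example;
        dkim=pass header.d=friend.example;
        dmarc=pass header.from=friend.example
From: Mohammed <mohammed@friend.example>
To: target@example.net
Subject: Lunch tomorrow?
Content-Type: text/plain

Same place as last week?
"""


def authentication_verdicts(msg):
    """Parse Authentication-Results headers into {'spf': 'fail', 'dkim': 'none', ...}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # The first clause is the authserv-id; each following clause is
        # "method=result extra=properties", so only the first token matters.
        for clause in str(header).split(";")[1:]:
            parts = clause.strip().split()
            if parts and "=" in parts[0]:
                method, result = parts[0].split("=", 1)
                verdicts[method.lower()] = result.lower()
    return verdicts


def spoofing_indicators(raw):
    """Return a list of reasons the message's visible sender should not be trusted."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    # Visible sender versus envelope sender: a spoofing mailer can forge the
    # From header but normally bounces go back to its own domain.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    if return_path and from_domain != rp_domain:
        indicators.append(f"return-path domain {rp_domain} != from domain {from_domain}")

    # Anything short of a pass on SPF, DKIM and DMARC is worth surfacing.
    verdicts = authentication_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "none") != "pass":
            indicators.append(f"{method}={verdicts.get(method, 'missing')}")
    return indicators


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

The checks are deliberately conservative: a mismatched Return-Path alone is common on mailing lists and forwarders, so the signal that actually convicts the message above is the failed SPF and DMARC verdict for the domain shown in From. Note that a DMARC policy of `p=reject` or `p=quarantine` on the impersonated domain is what lets the receiving server act on that verdict instead of merely recording it.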

The message just tells us that he is going to buy a car and asks us to have a look and say what we think of it, so we will probably click on the link. Now the picture has been downloaded, and if we look at the file, called gtrexe.jpg, it actually has the icon of the car and its extension still looks like an image extension:

Backdoor with a .jpg extension
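The screenshot shows the two things a user relies on, the icon and the visible extension, both lying. The file's real extension and its leading bytes do not lie, which is what an endpoint download scanner or a mail-gateway attachment rule inspects. The Python below is an added example and not code from the book; the exact way the Changing extensions section built the gtrexe.jpg name is not reproduced on this page, so the function checks the disguises that commonly produce such a name (a trailing executable extension after an image extension, and Unicode bidirectional control characters that reorder how the name is displayed), plus a mismatch between the claimed image type and the file's magic bytes. The file names and byte strings in the block are constructed for the example.

```python
# Unicode bidirectional controls that change how a name is displayed without
# changing the extension the operating system actually uses to open it.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}

# Extensions Windows will execute directly; shortened for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs"}

# Leading bytes a genuine file of each image type must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def disguise_indicators(filename, head):
    """Return reasons a download with this name and leading bytes looks like a disguised executable."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("bidi control character in name")

    # Judge the name as the filesystem stores it, not as a renderer shows it.
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    parts = clean.lower().rsplit(".", 2)
    real_ext = "." + parts[-1] if len(parts) > 1 else ""

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension is {real_ext}")
        # "car.jpg.exe": the image extension is there to fool a reader who
        # does not see the final one.
        if len(parts) == 3 and "." + parts[-2] in IMAGE_MAGIC:
            reasons.append("double extension imitating an image")

    # A genuine image extension with executable content behind it.
    expected = IMAGE_MAGIC.get(real_ext)
    if expected and not head.startswith(expected):
        if head.startswith(b"MZ"):
            reasons.append("PE header behind image extension")
        else:
            reasons.append("content does not match image extension")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a name carrying a right-to-left override so that
    # "gtr<RLO>gpj.exe" is displayed as "gtrexe.jpg", a plain double extension,
    # and an honest JPEG.
    samples = [
        ("gtr\u202egpj.exe", b"MZ\x90\x00"),
        ("car.jpg.exe", b"MZ\x90\x00"),
        ("car.jpg", b"MZ\x90\x00"),
        ("car.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, head in samples:
        print(repr(name), disguise_indicators(name, head) or ["no indicators"])
```

Windows Explorer hides known extensions by default, which is why the icon carries so much weight for the user; the checks above work from the stored name and the content instead, so they apply to the file regardless of how it is rendered. In practice the magic-byte check belongs wherever the file is first written to disk, because by the time the user double-clicks the icon the only remaining control is the endpoint's execution policy.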

If the target runs the file, we will have a Windows command shell where we can do anything we want on the target's system.
