Solution: Email Spoof - Phishing Websites (Podesta)

Tools Used:

The big picture:

  1. We'll expose our local machine's port 80 to the internet via Ngrok.
  2. We'll host our cloned site locally and serve it with Apache.
  3. We will use the Social-Engineer Toolkit to clone our target site and setup a form that will capture login credentials.
  4. We'll setup a Sendgrid SMTP relay, and then use that to send our email via the sendEmail command line email client.

Expose our machine's port 80 to internet with Ngrok

This part's pretty easy. Go to https://ngrok.com/download and click download. Once downloaded, unzip it (and if necessary run `chmod +x ./ngrok`). Then execute it with:
  ./ngrok http 80
That gives you a terminal looking like this:



Pull out the ngrok url from there (in my example, bdce5154.ngrok.io) and save it, as we'll be needing that soon.

Serving our cloned site with Apache

In a minute, we're going to setup our cloned site with Social-Engineer Toolkit. Before we do though, we have to do a tweak to avoid some bugs that the Toolkit has. In the future if you're reading this it might not be necessary as they might fix them - but it still won't hurt.

In Kali Linux, open up "/etc/setoolkit/set.config" and find the line that says "APACHE_SERVER=OFF". Change it to "APACHE_SERVER=ON".

If you do not do this, the Social-Engineer Toolkit has trouble rewriting the cloned site's form action url to one that will actually capture the username/password. If you're a programmer, the code at fault is this section, feel free to correct it and submit a PR.

Social-Engineer Toolkit: Clone site, setup credential harvester

In Kali Linux, go to Applications / 13 - Social Engineering Tools / social engineering toolkit. Clicking this will open a terminal with SET open to a menu. Select "Social-Engineering Attacks" (option 1), followed by "Website Attack Vectors" (option 2), followed by "Credential Harvester Attack Method" (option 3), followed by "Site Cloner" (option 2).

It will now ask you for the IP address for the POST back in Harvester. Use the ngrok url we saved from above, in my example it was bdce5154.ngrok.io (leave off the http/https prefixes).

For the URL to clone, we put in the target site: http://php1.hackthe.company/challenge12/login.php

We should be in a state that looks like this:



Upon hitting the return key, we should be told that the Credential Harvester is now listening below. Anything it catches will print to this terminal.

Setting up an SMTP relay

First we need to get access to an SMTP relay that will let us send an email FROM our target account. The easiest way I've found to do this is with Sendgrid. You may be able to sign up directly with their free account, but what I did is use my Heroku account. In Heroku, create a new application, add Sendgrid's free tier as a resource.

You'll then need to open Sendgrid, and go to Settings / Tracking. Turn "Click Tracking" off, otherwise Sendgrid will replace all urls in your email with theirs, and that may break things.

Now back in Heroku, if you go to the Settings tab on your application and view the Config Vars, you'll have your SENDGRID_USERNAME and SENDGRID_PASSWORD. We'll need those in a second.

Sending the email

In Kali Linux, open a terminal. We're going to be using the command below, but replacing some things.
sendEmail -u "Someone has your password" -t PODESTA_EMAIL_GOES_HERE -f CHARLES_EMAIL_GOES_HERE -s smtp.sendgrid.net:587 -xu SENDGRID_USERNAME_GOES_HERE -xp SENDGRID_PASSWORD_GOES_HERE -m "<a href='http://NGROK_URL_GOES_HERE '>Change your password here</a>" -o message-content-type=html
In the above, replace PODESTA_EMAIL_GOES_HERE and CHARLES_EMAIL_GOES_HERE with the appropriate email addresses from the challenge scope. Replace SENDGRID_USERNAME_GOES_HERE and SENDGRID_PASSWORD_GOES_HERE with the values you obtained from Sendgrid. Finally, replace NGROK_URL_GOES_HERE with the ngrok url you setup earlier (which is pointed to the Credential Harvester cloned site). Then... just hit enter and send that email. You should see a success message that Sendgrid's SMTP server accepted and sent the email.

Within about 30 seconds, you'll see on the ngrok terminal window that a user opened your website. A few seconds later, you'll see on the SET / Credential Harvester tab that they attempted to login, and you'll see their username and password. Go to the real site and login with that username and password to obtain the flag.