5.1 Phishing


At the beginning of the project, we undertook a phishing attack. This consisted of getting a list of email addresses for people in the class. Then, we sent out a series of emails.

The first email we sent asked about “checking out your host hardening in a little more detail”. This email was sent to everyone in our list individually. Eleven people responded, but most of the replies did not contain the passwords we were looking for. We did get a few realistic-looking emails, but the groups assumed we would log in using the console, so we weren’t able to SSH into their machines.

Our second attempt was executed similarly, but this time it was sent to the class as a group and with a spoofed From address to look like it was coming from [email protected], with a Reply-To address specified as a Gmail account we made. The idea behind this email was to make it seem like it was coming from Steve and give it authenticity by using his email, sending to the class in bulk, and warning about phishing attempts. This was unsuccessful, since very quickly a member of the class replied-all to the email saying it was phishing.

Our third attempt built on the successes and failures of the first two by being more of a spear-phishing attack. One member of each group was chosen to receive the email based upon how “realistic” their response seemed from the first attack. This email was modified to include each target’s name and group name specifically to add credibility, and was also sent from [email protected] with a Reply-To of our Gmail account. This campaign focused on getting the SSH credentials that the first one lacked. This campaign was moderately successful because, although we only got one group to reply, group 3, we had SSH privileges and full root access to their box. It appears that their SSH and/or network are set up improperly, so we were not able to SSH into their login server, but rather were able to SSH into their database server with the credentials given. We then had full root access, where we added our own account with root and SSH privileges to make it easier for us to log on in the future. From here we should have been able to pivot to their other machines, since we had both SSH and root credentials for all of their machines; however, it appears that either their own SSH and/or network are set up improperly, so we were stuck only on their database server. Since we were instructed to not do anything destructive, we did not do much except add a couple of files to the machine and add an SSH banner. Since we had full root access we could have gained access to their MySQL database as well, but since this would have been destructive we did not do anything with it.
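The second and third emails above relied on a spoofed From address at the class domain paired with a Reply-To pointing at a separate Gmail account, which is the detail a recipient or a mail filter can check for. The following is an added example, not code from the project report: it parses raw message headers with Python's standard `email` module and flags any message whose Reply-To domain differs from its From domain. The addresses and domains in the sample messages are constructed placeholders, not the ones used in the campaign.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, modelled on the campaign described above:
# a From at the class domain and a Reply-To redirecting replies to free mail.
SPOOFED = """From: Steve <instructor@example.edu>
Reply-To: Steve <class-helpdesk@gmail.com>
To: class-list@example.edu
Subject: Warning about phishing attempts

Please verify your SSH credentials by replying to this message.
"""

LEGIT = """From: Steve <instructor@example.edu>
To: class-list@example.edu
Subject: Lab 3 due date

Lab 3 is due Friday.
"""


def header_domain(msg, header):
    """Return the lower-cased domain of the address in `header`, or None if absent."""
    raw = msg.get(header)
    if not raw:
        return None
    _, addr = parseaddr(raw)          # strips the display name, keeps user@host
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """Flag a message whose Reply-To domain differs from its From domain.

    Returns (flagged, from_domain, reply_to_domain). A missing Reply-To is not
    flagged: replies then go back to the From address, so nothing is redirected.
    """
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    flagged = reply_dom is not None and reply_dom != from_dom
    return flagged, from_dom, reply_dom


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, reply_to_mismatch(raw))
```

A mismatch on its own is not proof of phishing (mailing-list software sets Reply-To legitimately), but combined with a request for credentials it is exactly the pattern the class member who replied-all spotted.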
