Final Project Submittal
Chris Armour
University of Advancing Technology
NTS310: Social Engineering
Professor Aaron Jones
In the field of social engineering there are thousands of techniques that can be utilized, from in-person social engineering to over-the-phone vishing and email phishing campaigns. All of these techniques can be very effective depending on your target. For the scope of the final, I decided to stick with a simple and believable email phish.
From the start I knew that I wanted to go the extra step of trying to spoof a real email address to ensure a higher probability of success. There are some drawbacks to this approach. I have known that it is possible to spoof an email by setting up your own email server or by utilizing an open SMTP relay. However, the main obstacle to overcome is the email firewall blocking unwanted IP addresses.
When you set up your own email server you can utilize PHP and other languages to create a script that will send an email to any email address and make it look like it came from whatever email address you want. However, ISPs have been disabling port 25 on most home networks, which makes this difficult. You could still achieve this approach by using an online server. This leads to the same outcome as an open SMTP relay: with either service you can still send an email to any target from any email address. However, if the target was clever, they could check the email's header information and see which website and server it was sent from. If these do not match the claimed sender, that would end up being a dead giveaway.
Enter the Direct Send feature of Microsoft 365 subscriptions. This feature is set up mainly for devices such as printers to send emails from inside an enterprise. With this method there is no authentication, and mail can be sent from outside of the enterprise. This means that you are able to send an email to the SMTP server as long as the recipient is in that company's network. The sending address can be either inside or outside of the network.
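Because Direct Send accepts a submission without any authentication, everything the receiving side can know about the real origin is in the headers: the envelope sender, the SPF/DKIM/DMARC verdicts stamped into Authentication-Results by the inbound endpoint, and the first-hop Received line. The following Python script is an added example written for this write-up, not code from the report; it runs the header checks a defender would apply when triaging a suspected spoof, over two constructed messages (one mimicking an unauthenticated external submission claiming to be from github.com, one legitimately authenticated). The addresses, hosts and IPs are documentation values constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the From header claims a github.com sender, but the
# first hop is a bare external IP handed straight to the tenant's inbound
# endpoint, and every Authentication-Results verdict is negative.
# All hosts, IPs and addresses are example/documentation values.
SPOOFED_MESSAGE = """\
Received: from 203.0.113.10 (203.0.113.10) by
 example-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;
 Thu, 15 Dec 2022 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=github.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=github.com
Return-Path: <noreply@github.com>
From: GitHub Education <noreply@github.com>
To: someone@example.com
Subject: Renew your GitHub Education benefits
Content-Type: text/html; charset="utf-8"

<html><body>Renew now</body></html>
"""

# Constructed sample of a properly authenticated message, for comparison.
CLEAN_MESSAGE = """\
Received: from out.mail.example.net (out.mail.example.net [198.51.100.5]) by
 example-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;
 Thu, 15 Dec 2022 10:05:00 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.5)
 smtp.mailfrom=example.net; dkim=pass header.d=example.net;
 dmarc=pass action=none header.from=example.net
Return-Path: <bounce@example.net>
From: Newsletter <news@example.net>
To: someone@example.com
Subject: Weekly digest

Hello
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_verdicts(msg):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for name, result in AUTH_RESULT_RE.findall(header):
            verdicts.setdefault(name.lower(), result.lower())
    return verdicts


def domain_of(address_header):
    """Lower-cased domain part of an address header value, or '' if absent."""
    addr = parseaddr(address_header or "")[1]
    return addr.rpartition("@")[2].lower()


def first_hop(msg):
    """Host or IP named in the earliest Received header (the last one listed)."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[-1], re.IGNORECASE)
    return m.group(1) if m else ""


def triage(raw_message):
    """Flag header combinations that indicate an unauthenticated, spoofed sender."""
    msg = email.message_from_string(raw_message)
    verdicts = auth_verdicts(msg)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    hop = first_hop(msg)
    findings = []
    if verdicts.get("spf") != "pass":
        findings.append(f"SPF did not pass for {envelope_domain or '(no envelope sender)'}")
    if verdicts.get("dkim") != "pass":
        findings.append("no valid DKIM signature")
    if verdicts.get("dmarc") == "fail":
        findings.append(f"DMARC failed for header From domain {from_domain}")
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append("header From domain differs from envelope sender domain")
    # A submission straight from a bare IP, with no named mail host, is typical
    # of an unauthenticated relay rather than a real mail provider.
    if re.fullmatch(r"\[?\d{1,3}(\.\d{1,3}){3}\]?", hop):
        findings.append(f"first hop is a bare IP literal ({hop}) rather than a named mail host")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "verdicts": verdicts,
        "first_hop": hop,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

The "identity of this sender has not been verified" banner described later in this report is the user-facing version of exactly these verdicts; `triage` just makes the same evidence explicit so it can be logged or alerted on by a mail-flow rule.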
To get the information that I needed for this social engineering attack I found an article that helped me better understand Direct Send. From there I started to gather the information that I needed. After a quick nslookup I was able to find the correct MX record that I was going to need for my attack. Once I found information that matched what the article described, I knew I was on the right track.
Name: Aaron Jones
Company: University of Advancing Technology
Job Title: Program Champion
Email: ajones@uat.edu
Phone: (210) 993-6515
Website: https://retro64.xyz
Twitter: Retro64XYZ
Mastodon: Retro64XYZ
Keybase: Retro64XYZ
GitHub: Retro64XYZ
To successfully launch a social engineering phishing attack there were a couple of steps that needed to be completed. First, I needed to settle on what the email campaign would be. From research I concluded that Aaron Jones is a program developer and takes advantage of free education resources such as Shodan.io Academic. From those two ideas I decided that I was going to try and spoof the GitHub Education pack. This resource gives students and educators access to many resources.
To perform the attack, I knew that I was going to need a convincing email. Assuming that Aaron had already signed up for GitHub Education, I decided to use a renewal email as the point of attack. To mimic this, I used the official email that GitHub sends out for renewals. I ended up making a couple of tweaks to make sure that it was targeted towards Aaron.
Now that I had my email set up, I needed a payload that looked convincing enough for him to click on. After a short period of time, I came up with the idea of using GitHub Pages web hosting for my payload. I quickly made a temporary Gmail account, then signed up for GitHub with the username education-pack. Next, I created a repository and set up the GitHub page. In the end the link ended up being https://education-pack.github.io/educator/benefits/, which I believe is a rather convincing URL. On that page I scraped the official GitHub renewal page. After a couple of modifications, such as putting his email on the page, it was finally ready. Since this was not going to be a real payload, I changed the footer to include a "For Educational Purposes" notice and added some JavaScript that would redirect him to Rick Astley's Never Gonna Give You Up YouTube video. This way, if he got that far, he would know that it was part of the social engineering assignment.
The last step was to send the actual email. For this I created a simple PowerShell script that would send the HTML email to the UAT SMTP server. There were a couple of obstacles to overcome. To start, I sent many test emails to make sure the basic idea was going to work. I hit my first hurdle with my VPN service: while using my current VPN, the emails could not be sent through. Once I figured that part out, I was able to send an email from my home network.
After a couple of tweaks the email was looking good; even the logo from GitHub was showing up next to each email. The only problem I found was a prompt that says "The identity of this sender has not been verified"; however, the email was still being delivered to the inbox. After making a couple of last-minute tweaks I sent the email off through PowerShell and hoped for the best from there.
During the meeting on 12/15/2022 Professor Aaron Jones reviewed the phishing email that I had sent. At first the email could not be found, as it had been caught by the email spam filter. Once the email was located, we spent a good majority of the class reviewing the technique.
Professor Jones was quite surprised that, while spoofing the GitHub email address, I was able to get the message into his mailbox. Since Microsoft has such strong email filtering services, that is a difficult obstacle to overcome. From there we talked about how I used the official email and code for the campaign, which he noted was the better way of creating phishing emails.
Next, we went into the code review. He was surprised by the technique that I was utilizing for my social engineering attack. Direct Send takes very little programming and can be heavily exploited if other servers are set up the same way as UAT's. Professor Jones even attempted to modify my code to conduct an experiment against another server. This ended up failing, but only because of an added level of security on that server.
Overall, Professor Jones was quite happy with my attempt at social engineering. He gave me a couple of pointers, such as trying to pass SPF verification to make the attack more viable. He also suggested that the attack should be written up and displayed on my portfolio.
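The SPF pointer above is, from the other side of the table, the check a defender runs on their own domains: does the published record list every legitimate source, and does it end in a hard fail so that an unlisted source is rejected rather than merely soft-failed? The evaluator below is an added example written for this write-up, not code from the report or from any cited source. It applies an SPF record to a sending IP the way a receiving mail server does (ip4, ip6, include and all mechanisms with their qualifiers), but resolves include: through a constructed in-memory table instead of live DNS so that it runs offline; the domains and addresses are documentation values, and mechanisms that need DNS (a, mx, ptr, exists, redirect=) are reported as unsupported rather than guessed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example.com delegates part of its policy to _spf.example.net and only
# soft-fails unlisted senders (~all); the included record hard-fails (-all).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the domain's SPF record text, or None if there is none."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's record.

    Returns one of pass, fail, softfail, neutral, none or permerror,
    following the first-match semantics of RFC 7208 for the supported terms.
    """
    if depth > 10:  # simplified stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # membership is False when the IP and network versions differ
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only if the included record yields pass
            matched = evaluate_spf(arg, sender_ip, records, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; unsupported here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no explicit 'all'


def audit_spf(domain, records=SPF_RECORDS):
    """Defender-side summary: is a record published, and does it end in -all?"""
    record = lookup_spf(domain, records)
    if record is None:
        return {"present": False, "all_qualifier": None, "hard_fail": False}
    terms = record.split()[1:]
    last = terms[-1] if terms else ""
    qualifier = last[0] if last and last[0] in QUALIFIERS else "+"
    is_all = last.lstrip("+-~?").lower() == "all"
    return {
        "present": True,
        "all_qualifier": QUALIFIERS[qualifier] if is_all else None,
        "hard_fail": is_all and qualifier == "-",
    }


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.5", "2001:db8::1", "203.0.113.10"):
        print(f"example.com from {ip}: {evaluate_spf('example.com', ip)}")
    for domain in SPF_RECORDS:
        print(domain, audit_spf(domain))
```

Run as written, the unlisted documentation address 203.0.113.10 only soft-fails for example.com, which is the kind of policy a receiver will accept with a warning; the same address hard-fails against _spf.example.net. Swapping SPF_RECORDS for a real TXT lookup is the only change needed to audit a live domain.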
Overall, I am happy with how my social engineering attack turned out. From the get-go I had the overall goal of spoofing a real email address instead of creating a fake one. This added extra steps and research. I believe I was able to successfully perform a viable phishing attack. There are a couple of items that could be changed to ensure the email does not get caught by the email spam filter. However, I believe that at my level of skill I was able to complete a competent social engineering attack.
BHIS. (2022, November 27). Spoofing Microsoft 365 like it’s 1995. Black Hills Information Security. https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995/
NSLookup. (n.d.). DNS records for uat.edu. Online nslookup — Find DNS records. https://www.nslookup.io/domains/uat.edu/dns-records/