How To Hack Your Neighbor with a Post-It Note, Part 1 (Performing Recon)


Using just a small sticky note, we can trigger a chain of events that ultimately results in complete access to someone's entire digital and personal life.

Imagine arriving home one night after work and there's a Post-it note on your apartment door with the website "your-name-here.com" written on it.

Someone cautious may not immediately visit the website, but eventually, curiosity might get the best of them.

Let's have some fun exploiting human curiosity and get remote access to our neighbor's computer in the process.

For this hack, we'll be using a seemingly harmless Post-it note to entice a target user into visiting a website that we control. 

When the target user visits the website, they'll be tricked into opening a malicious file which will allow us to perform a variety of attacks on the compromised computer.

Such an attack may allow hackers to target:

Coworkers or company executives. Employees visiting an attacker-controlled website from a computer inside a corporate network and opening a malicious file may compromise the security of the entire network.

Small businesses. Managers opening malicious files found on attacker-controlled websites may allow the attacker to steal sensitive customer information, install ransomware, or compromise other applications on the device.

Average everyday people. By gaining remote access to someone's computer, attackers could steal personal information to perform identity theft or blackmail the victim into paying a large ransom for stolen data.

Understanding Our Sticky Note Attack 


There are many steps to this attack, so I'll first provide a brief overview of the scenario before showing how to put it all together.

The hypothetical victim of this hack will be "my neighbor in the apartment next door," whose name is "John Smith."

The goal is to social engineer John Smith into visiting a website that we control by exploiting the inherent trust we allot to our everyday neighbors.

Ultimately, we will gain access to a computer in John's apartment by tricking him into opening a malicious file.

Since there's a lot going on in this attack, I will be breaking this guide up into three parts.

This first part will cover reconnaissance.

We'll need to gather as much information as possible about John Smith's social and digital life to create a website named after him that will really entice him ("john-smith.com").

As an optional step, we'll also gather hardware information about devices connecting to John's Wi-Fi network. 

This will help us understand what kinds of devices are in his home.

In the second part of this guide, we'll create a payload to run on a Virtual Private Server (VPS) so that it can be downloaded from any computer in the world. 

We'll also need to install Metasploit on the VPS, which will be used to interface with and control the compromised machine after our malicious file is opened.

Step 1 

Know Your Target 

Reconnaissance is very important to the success of this hack. 

There are many social engineering angles we can take to trick someone into visiting our evil website. 

For example, targeting our neighbor in the apartment next door would be easy. 

In some apartment buildings and condominiums, we could identify our neighbor's name by checking the resident listed on the lobby intercom or their mailbox.

We can also learn their name by making small talk with them or with other people who live or work in the building, who might unwittingly divulge personal information about our target.

People who live in rural areas may have better luck using whitepages to identify names of residents in the house next door.

In certain parts of the United States, property history may be easily obtainable. 

A parcel, county auditor, or property assessment Google inquiry with the target's corresponding county may produce a searchable database of current and past residents for the target's home address.

The goal here is to find something that would interest our victim into visiting the website we control. 

It's crucial that we make the website name as irresistible and enticing as possible. 

If all else fails, we can always try "john-smith-nudes.com" to get someone's attention. 

Even omitting the name and using more of a riddle could help the recipient feel like they're in the middle of their own mystery film.

In extreme cases, we might also learn our target's name by rummaging through their trash bins and finding a letter, package, or receipts containing personal information we can use in later stages of this attack.

In a big city, rummaging through trash bins might not even get a second glance from people.

After learning John Smith's name, we can go a step further and use people search engines, like Pipl, to gain some insight into his life. 

Pipl is free and very easy to use. Simply enter the target's name and city into the Pipl search bar, and within seconds we'll be presented with potential information relating to our victim.

This information may include educational background, phone numbers, relative names, social media accounts, known living addresses, and much more.

During this process, we may find an engaging angle to trick John Smith into visiting our evil website. 

For example, if John was a raging Philadelphia Eagles fan on Instagram, "john-smith-philly-eagles.com" would probably be more than enough to pique John's curiosity.

If our neighbor tweeted their horoscope most mornings, "john-smith-capricorn.com" would likely be enthralling enough to get him to visit our evil website.

Step 2

Know Your Target's Hardware (Optional)

Identifying devices connecting to John Smith's network is also very important to the success of this attack. 

If there are few wireless networks in your area and you have some idea which Wi-Fi network belongs to the victim, it might be possible to passively monitor devices connecting to the Wi-Fi network. 

Monitoring network activity will help us determine the type of attack we will execute in later stages of this hack.

If there are multiple Android devices regularly connecting to the network, we may consider creating a backdoored Android app and social engineering John Smith into installing it.

Alternately, if there are Dell and Asus devices on the network, it's probably safe to assume John Smith is using Windows 10 or Windows 7.

In that case, we would prepare some kind of Windows-specific payload.

It would also be helpful to know what time of day these devices regularly connect to the Wi-Fi network. 

With this information, we'll know when to expect new connections on our VPS and Metasploit session.
