After the great article by my colleague Rafael Ortiz showing how to use Python and Nmap to discover the network, today we bring you this freshly cooked and improvised article, explained below. I fully recommend the “saga”, which will keep growing: “Discovering the network with Python and Nmap – Part 1” and “Discovering the network with Python and Nmap – Part 2”.
A few hours ago, specifically at 05:22 in the morning, a very sensible hour, when the streets are empty and the Internet is out, an email reached my colleague Miguel Árrengo, who later forwarded it to my account so I could take a look.
Actually, I still haven’t received this type of phishing in any of my mail accounts, but I was curious about how it works and why it does damage. Although really, with phishing you can get very far.
Dismantling the plot.
First an email arrives in your mail account from firstname.lastname@example.org, and here we should simply have deleted it, but as “clueless” users we didn’t catch this detail: yes, it mentions emails and “something” about Courier, a transport company.
A fine gesture from my colleague, who sends me malware instead of a ham, hehe.
Today’s article, “uncovering the post: Phishing … in the early morning”, will try to break down and/or identify the origin of the mail and whether it is malicious or not, as well as extract information from it.
The Web interface
Ignorant as we are, we have taken the bait and clicked on the link “Download information about your shipment”, because whether we like it or not, human beings are curious by nature. I bet that if it said “please do not click here” it would have far more effect than any other text.
The interface is definitely well done, although the captcha is always the same; if you type something else it will not let you continue. How picky, hey!
We noticed that it has a text box to “search”, and casually we dropped our heads on the keyboard, typing the famous alert to see if there is any XSS. No success, but it did reveal more info.
Not that it is especially relevant, but now we know it runs on Apache 2.2.22, with some CVEs that could be leveraged. But we don’t do that ;).
The website has nothing else: you enter the captcha and you download a ZIP which contains your registered letter, but … as an EXE. What class! Mail sending certified letters as .EXE! Obviously we are not going to open it; we delete it, because this one won’t get blocked for us. We can analyze it with malwr.com, for example, or with our antivirus, to see how dangerous it is.
The first thing we will do is look for information about the domain “sdacourier.net” to find out where the URL comes from. We enter the domain in urlquery.net (remember, it’s our friend XD) but we get nothing; it even says it is an invalid URL.
Let’s check whether it has any other subdomains of the “webmail”, “mail” type, etcetera … At first we tried manually, but having “friends” that can make this much easier, why not use them? For this we will launch fierce, an application included in Kali Linux, to locate DNS resources.
We obtain the following results:
Bad sign: the DNS points to “.ru” domains, another hint that something isn’t right. If we try, for example, the subdomain mail.sdacourier.net we see this screen.
We can deduce that it is simply a mail server, with mail, SMTP and POP configured, but nothing else. Another sign that joins the clues found before.
What if we analyze the subdomains in urlquery.net?
Let’s try mail.sdacourier.net.
Location: Ukraine. More bad news. We could stop the analysis here and conclude that no, this is not really a courier, emails or whatever, but we set out to gather the maximum evidence in a few minutes. Let’s keep going.
Let’s now try a DNS zone transfer to reveal more information about the attacker. This time we will use Windows, which has a utility called nslookup that will help us with this. What we have to type, in sequence, is the following.
This also points to Ukraine; we continue with the bad news XD.
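As an added example that is not part of the original post (and not a transcript of the author’s nslookup session), here is what the zone-transfer step does on the wire, written with the Python standard library only. The zone, nameserver and addresses in it are placeholders I made up: `zone_transfer()` talks to a live server, while `sample_axfr_response()` builds a constructed answer so the parser can be exercised offline. A properly configured server answers REFUSED (rcode 5) instead of handing over the zone, and that refusal is itself the normal result today.

```python
"""Minimal DNS zone-transfer (AXFR) client using only the Python standard library.

Added example, not a tool from the original post. It does on the wire what nslookup does
when asked for a zone transfer: one TCP query with QTYPE=AXFR (252), then length-prefixed
DNS messages carrying the zone. A locked-down server answers REFUSED (rcode 5) instead.
"""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}

def encode_name(name):
    """'mail.example.net' -> b'\\x04mail\\x07example\\x03net\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """TCP-framed AXFR query: 2-byte length prefix, DNS header, one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0 = plain query
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_message(msg):
    """Return (rcode, [(owner, type, value), ...]) for one DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):                           # skip the echoed question
        offset = read_name(msg, offset)[1] + 4
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        start, offset = offset + 10, offset + 10 + rdlen
        if rtype == 1:                            # A: four raw bytes
            value = ".".join(str(b) for b in msg[start:offset])
        elif rtype in (2, 5):                     # NS / CNAME: one name
            value = read_name(msg, start)[0]
        elif rtype == 15:                         # MX: 16-bit preference, then a name
            value = f"{struct.unpack('!H', msg[start:start + 2])[0]} {read_name(msg, start + 2)[0]}"
        elif rtype == 6:                          # SOA: primary NS, then contact mailbox
            mname, p = read_name(msg, start)
            value = f"{mname} {read_name(msg, p)[0]}"
        else:
            value = msg[start:offset].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
    return flags & 0xF, records

def zone_transfer(zone, nameserver, port=53, timeout=5.0):
    """Ask `nameserver` for the whole zone over TCP; returns (rcode, records)."""
    collected, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        stream = sock.makefile("rb")              # .read(n) returns n bytes, or fewer at EOF
        while soa_seen < 2:                       # the AXFR stream ends at the second SOA
            prefix = stream.read(2)
            if len(prefix) < 2:
                raise ConnectionError("nameserver closed the connection early")
            rcode, records = parse_message(stream.read(struct.unpack("!H", prefix)[0]))
            if rcode != 0:
                return rcode, collected           # 5 = REFUSED: transfers are locked down
            collected.extend(records)
            soa_seen += sum(1 for r in records if r[1] == "SOA")
    return 0, collected

def sample_axfr_response(zone="zone.example", txid=0x1234):
    """Constructed answer, as a server that allows transfers would send it (no network)."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    ptr = b"\xC0\x0C"                             # compression pointer to the zone name at offset 12
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    answers = [rr(ptr, 6, soa_rdata),
               rr(b"\x04mail" + ptr, 1, bytes([192, 0, 2, 10])),
               rr(ptr, 15, struct.pack("!H", 10) + b"\x04mail" + ptr),
               rr(ptr, 6, soa_rdata)]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)   # QR|AA, rcode 0
    return header + question + b"".join(answers)

if __name__ == "__main__":
    for owner, rtype, value in parse_message(sample_axfr_response())[1]:
        print(f"{owner:<20} {rtype:<5} {value}")
```

Run as a script it prints the records of the constructed zone; against a live server you would call `zone_transfer("zone.example", "ns1.zone.example")` with the real zone and one of its NS hosts, and inspect the `records` list for the MX, NS and A entries that the post reads off the nslookup screen. Note that the parser stops trusting the message as soon as a non-zero rcode appears, so a REFUSED reply yields an empty list rather than garbage.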
As you can see, in a matter of minutes (no more than 10) we have picked apart the origin of the mail that arrived so early and discovered details that should make us very suspicious.
We can follow these steps with any mail we consider suspicious. Obviously the process doesn’t come with a sign saying “This is unreliable”; it has to be deduced after analyzing the clues, whether one agrees or not. The fastest way would be to analyze the .exe with the antivirus or upload it to virustotal.com to get a verdict, but to do that you have to “click” the link, and perhaps the exploit that infects you is in the browser. Hence going step by step, analyzing the domain, subdomains, etcetera …
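As an added example (not the author’s code), here is a small script that applies the checks from this post offline, before anyone clicks anything: it reads a suspicious .eml, pulls the sender domain and every link domain from the body, flags links that do not match the sender, and lists what a ZIP attachment contains without extracting or opening it. The message produced by `build_sample_eml()`, and every address and domain in it, are constructed placeholders, not indicators from the real mail.

```python
"""Offline first-pass triage of a suspicious e-mail, following the checks in this post.

Added example, not code from the original article. Nothing is opened or executed:
the sender domain and every link domain are pulled from the message, mismatches are
flagged, and ZIP attachments are listed (not extracted) to spot wrapped executables.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def sender_domain(msg):
    """Domain part of the From: address (the header the phisher chose to show)."""
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_domains(msg):
    """Sorted hostnames of every http(s) URL found in the text parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return sorted(hosts)


def zip_members(data):
    """Member names of a ZIP, read from its central directory only (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage(raw):
    """Parse a raw RFC 5322 message and return the evidence collected plus findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender, links, findings, attachments = sender_domain(msg), link_domains(msg), [], []
    for host in links:
        if host != sender and not host.endswith("." + sender):
            findings.append(f"link to {host} does not match sender domain {sender}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        members = []
        if name.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            try:
                members = zip_members(part.get_payload(decode=True) or b"")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} claims to be a ZIP but is not one")
        for member in members:
            if member.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"attachment {name} wraps an executable: {member}")
        attachments.append({"name": name, "members": members})
    return {"sender_domain": sender, "link_domains": links,
            "attachments": attachments, "findings": findings}


def build_sample_eml():
    """Constructed lure in the style of this post: courier theme, off-domain link,
    ZIP-wrapped EXE. Every address and domain here is a placeholder, not a real indicator."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("registered_letter.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "Courier Notifications <notify@courier-sender.example>"
    msg["To"] = "victim@recipient.example"
    msg["Subject"] = "Your registered letter is waiting"
    msg.set_content("A registered letter is waiting for you. See the attached notice.")
    msg.add_alternative('<p><a href="http://tracking.lure-domain.example/dl?id=1">'
                        "Download information about your shipment</a></p>", subtype="html")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="letter.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_eml())["findings"]:
        print("FINDING:", line)
```

To use it on a real message, save the mail as .eml from your client and pass its bytes to `triage()`; the domains in `link_domains` are then what you feed to urlquery.net, fierce or nslookup, as the post does, and the `members` list tells you an attachment is an .exe without ever extracting the ZIP.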
I hope this has been useful to you, at least to practice a little.