Remote Shell: Embedding Client-Side Code into a Package
Social engineering is still the easiest way to take advantage of users to gain access to remote systems. In this lab, you will execute a social engineering attack that uses a vulnerable Python package with an embedded remote shell command, sent to the victim as an attachment. The victim installs the package and runs the Python script, which launches the remote shell attack.
outcomes:
In this lab, you will learn to:
- Insert remote shellcode into a package
- Execute a social engineering attack using a vulnerable email attachment
videos:
Before you start this lab, review these videos.
Overview
The development of this document is funded by the Boston Area Advanced Technological Education Connections (BATEC) Grant No. NSF-0703097 through Bunker Hill Community College.
Hashing can be used to verify the integrity of data. That is why many sites publish a hash with each download, so that users can verify the package has not been tampered with. Packages should never be installed unless they come from a trusted source and their integrity has been verified. This lab demonstrates embedding a Bash command into a package and using social engineering tactics to entice a user, Alice, into installing it. It also demonstrates the consequences of this action: the attacker gains access to the system through a remote shell.
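The integrity check described above can be scripted so that a package is rejected unless its digest matches the published one. The following is an added example, not part of the original lab; the file name `example-pkg-1.0.tar.gz`, the function names and the sample contents are constructed for illustration, and the checksum text is assumed to be in `sha256sum` format.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) == 64 and name:  # skips blank lines, comments, other formats
            entries[name] = digest.lower()
    return entries


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large packages are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, checksums_text):
    """True only if a digest is published for this file name and it matches.
    A file with no published digest is treated as untrusted."""
    expected = parse_checksums(checksums_text).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample: a package, its published digest, then a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "example-pkg-1.0.tar.gz")
        with open(pkg, "wb") as f:
            f.write(b"original package contents")
        published = f"{sha256_file(pkg)}  example-pkg-1.0.tar.gz\n"
        clean = verify_package(pkg, published)
        with open(pkg, "ab") as f:
            f.write(b"\n# extra line added after publication")
        tampered = verify_package(pkg, published)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the digest came from: a checksum delivered in the same email as the attachment proves nothing, so obtain it from the publisher's own site.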

Embedding Client-Side Code into a Package