Ebug

What is an ebug/email beacon?
An ebug is a way for an attacker to send a malicious email to a victim in order to steal information about them (such as IP address, operating system, browser information and more). This is done by hiding server-side code behind a hidden image reference in the email body. Once the victim opens the message, it sends information back to the attacker without needing any interaction, and the victim is completely unaware of this process.

Scenario:
John Doe is having an argument with Mr Genius over the phone. Mr Genius decides he wants to hack John and cause as much mayhem as he possibly can, but he has no point of reference. He sends an ebug to John Doe via email, gets his WAN IP address, breaks into his machine and deletes all his data. John is gutted.

OK, how to create/setup an Ebug?

 * Install XAMPP
 * Set up Apache to run on your port of choice and start it
 * Open that port within the firewall on the machine the server is running on
 * Port forward to that on your router
 * Check that the outside world can access it across the WAN; Can You See Me is good for this
 * Go to your root web directory once the server is up and running on its default page; on Linux this will likely be /opt/lampp/htdocs (tip: you'll need to set read/write permissions!)
 * Then get rid of the default stuff and create 4 files:

1 image.jpg

This is what the victim may see if you choose to show them an image. Regardless, you'll want this as a reference point: your exploit URL is going to be http(s)://example.com:port/image.jpg

2 .htaccess file

Here you're going to want mod_rewrite. The simple example I've provided below rewrites requests for test.jpg to evil.php:

    RewriteEngine on
    RewriteRule ^/?test.jpg$ evil.php [L]

Tip: This will likely be created as a hidden file, so make sure you enable the viewing of hidden files!

3 a log file

NOTE: my next example (the PHP file) creates a log file for you.

4 evil.php

This is where all your PHP code goes, so whatever you want to do to the victim goes here. Below is an example of getting the visited page, WAN IP and user agent of the victim which creates/updates a log file for you:

See HERE for my php script

OK, I'm set up, how do I test it?
Now that you're set up, the first and easiest way to test that it's working is to visit the image across the WAN, i.e. http(s)://example.com:port/image.jpg. If this works, you should get a log file each time you visit this site. If not, retrace your steps and perform some troubleshooting.

How do I email it to my victim?
This can be as simple or complex as you want, but the basic principle is that you embed the inline image as a 1x1 pixel reference (simply put, a hidden image), which loads/renders when the target opens the email. Something like:



An easier way when using a web-based email platform like Gmail or OWA: you can insert an "approved" inline image and then modify the image reference source. A quick way to do that in Firefox is to right-click the image, choose Inspect Element (Q), and change the image URL to your own, as demonstrated in the video.

OK that about wraps things up, thanks for reading -Craig Fox