Monday, 29 June 2015

Incremental Hacking

No hacking attempt is guaranteed. There is a lot that can go wrong when you attempt to remotely and secretly install spy software.

Things that can go wrong:

  • The target can choose not to open the payload. Even after some good social engineering, there will be a lot of targets who know better than to open the attachment.
  • The target can open the payload on a device (Operating System) that does not support the specific payload.
  • The target computer can have a two-way firewall (not the standard Windows Firewall) that can block the data from being sent.
  • The target computer can have very strict Anti-Virus that will block any program that is not known and trusted.

Ways to improve your chances of success:

The first thing you can do is use a targeted attack against a specific target. You find out as much as you can (Facebook, Google, etc.) about the target. You can use information that might look very insignificant to others to improve your social engineering con (I will explain in more detail with the example in this article). This type of attack is called spear phishing and will greatly improve your chances of success compared to phishing, where you simply 'attack' a list of targets and hope for the best.

Another way to improve your chances of success is to use incremental hacking.

With incremental hacking you first do a type of attack that has a higher success rate and usually lower reward before moving to the next phase with a lower success rate but greater reward. That way, if the target gets suspicious during the last phase and the attempt fails, then at least you have some information about the target.

This multi-phase attack also has the advantage that you can prepare (through social engineering) the target for the final payload so that he is willing and ready to run it.

Example of Incremental Hacking

You did your homework and from Facebook you learned that the target is a big Miley Cyrus fan.

The Con

You create a profile (Facebook, Google+ or simply an email address at Yahoo, Gmail, etc.) and give the impression that you are also a Miley fan (the things we sometimes need to do …). You could alternatively create an email that will make it look like some sort of special fan group.

You will then email the target a link to a Miley video where you will only get the target's username and password using a phishing website – high success rate – Phase 1.

After you have successfully retrieved the target's username and password, you can then email the target another 'naughty' video of Miley that is not freely available on the internet. Once the target tries to run this video, you will have full monitoring of the target computer – lower success rate but higher reward – Phase 2.

Let's see how this can be done:

Phase 1: Phishing Website

After our first phase, we don't want the target to become suspicious. We want the target to trust us even more. So the first phase of the con is very important. We search the web (YouTube or any other video service) for an actual video of Miley that will give the target the impression that there was a reason why the video was somewhat restricted (maybe a real sexy/naughty video).

We use that link to create our phishing website with redpill Hacker.

redpill Hacker will create the phishing site for us (see the redpill Hacker Phishing Website Video for more detail on how the website is created by redpill Hacker).

We then make a couple of changes to one of the many social engineering templates in redpill Hacker to fit in with our con. We let redpill Hacker email the target.

The target will get an email with a link to the video. When the target wants to view the video, he will be prompted to sign in using his social media account (Gmail, Yahoo, Facebook, Twitter) – as is the case with many sites and content on the internet. After he has signed in, he will be able to watch the video and will not suspect anything.

We, however, will have received his username and password!

This type of attack has a very high success rate as nothing needs to be installed on the target computer. It works on any device and operating system and there are no warning messages.

Phase 2: Emailing the Payload

The second phase of the attack has a lower success rate as we want to remotely install a spy program on the target computer. If this fails, however, then at least we already have the target's login details for one of his accounts, which will give us a lot of information about the target (remember, some users will use the same password for all their accounts).

We have also now established contact with the target, and the target will have a sense of familiarity that will help us with the next attack.

Using the 'video' social engineering template in redpill Hacker, we create a video payload and email it to the target. We tell the target that this video is not freely available on the internet as it has some shocking content of Miley.

When the target wants to run the video player we attached, he might get the standard UAC message from Windows or a warning from his Anti-Virus that it is not a known and trusted application. We did, however, explain in the email that we are using a new video encryption program to attach the video, so the target will be expecting the message and allow it to run.

If the target allows the payload to run, we will start to receive data (IP Address, keylogs, screenshots) from the target.

Not only will an incremental attack increase your chances of success during the final phase, it will also reduce exposure to your payloads (see why this is important) and also leave you with at least access to the target's social media account if the final attempt is not successful.
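
Seen from the defender's side, the two-phase sequence described above leaves a recognisable trail in mail logs: an external sender first delivers a link, then some days later delivers an executable attachment to the same recipient. The following detection sketch is an added example, not part of the original post and not code from redpill Hacker; the log field names, the 14-day window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Extensions that run code on Windows when opened (not media files).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk"}
WINDOW = timedelta(days=14)  # assumed look-back between phase 1 and phase 2

# Constructed mail-gateway records; the field names are assumptions.
SAMPLE_LOG = [
    {"ts": "2015-06-20T09:12:00", "sender": "fanclub@example.net", "rcpt": "alice@example.org",
     "urls": ["http://videos.example.net/watch"], "attachments": []},
    {"ts": "2015-06-23T18:40:00", "sender": "fanclub@example.net", "rcpt": "alice@example.org",
     "urls": [], "attachments": ["exclusive_video_player.exe"]},
    {"ts": "2015-06-24T08:00:00", "sender": "hr@example.org", "rcpt": "alice@example.org",
     "urls": [], "attachments": ["policy.pdf"]},
    {"ts": "2015-06-25T10:00:00", "sender": "vendor@example.com", "rcpt": "bob@example.org",
     "urls": [], "attachments": ["setup.exe"]},
]

def is_executable(name):
    """True if the last extension of an attachment name is an executable type."""
    name = name.lower().strip()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXECUTABLE_EXT

def find_two_phase(log, internal_domain="example.org"):
    """Flag (sender, rcpt) pairs where an external sender first mailed a link
    and, within WINDOW, mailed an executable attachment to the same recipient."""
    first_link = {}  # (sender, rcpt) -> time of earliest message carrying a URL
    alerts = []
    for rec in sorted(log, key=lambda r: r["ts"]):
        if rec["sender"].endswith("@" + internal_domain):
            continue  # only external senders are of interest here
        key = (rec["sender"], rec["rcpt"])
        ts = datetime.fromisoformat(rec["ts"])
        if rec["urls"] and key not in first_link:
            first_link[key] = ts
        bad = [a for a in rec["attachments"] if is_executable(a)]
        if bad and key in first_link and timedelta(0) < ts - first_link[key] <= WINDOW:
            alerts.append({"sender": key[0], "rcpt": key[1], "attachments": bad,
                           "gap_days": (ts - first_link[key]).days})
    return alerts

if __name__ == "__main__":
    for alert in find_two_phase(SAMPLE_LOG):
        print(alert)
```

Because the first phase yields a working password even when the second phase is blocked, an alert like this should also trigger a credential reset and a check for reuse of that password on the recipient's other accounts.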

For more information about redpill Hacker, visit

Friday, 26 June 2015

Setting up an FTP Server for redpill Hacker

redpill Hacker is a hacking tool (penetration testing tool) that allows you to do different types of 'attacks' on targets (the computers or persons you want to monitor/investigate). Some attacks, like the Phishing Website Attack or a payload that is sent with a link, require a website (or at least a file hosting site for the link option).

You do not need an actual website as redpill Hacker will create the website for you (in the case of the phishing site) or you only need a place to host the file (in the case of the link attack). So all you need to get, is a website hosting option from a hosting company like Sites like godaddy offer cheap hosting options that also include a domain name.

With your hosting option, you will also get an FTP Server. The FTP Server is used to upload files to your website. In redpill Hacker, you can easily add the FTP Server. Open redpill Hacker and go to Resources > FTP Servers.

Your hosting company will give you the server name. It will either be something like or an IP address. The username and password will also be provided by your hosting company or you will be able to create a FTP user in your website control panel.

The directory (or folder) is where the files should be uploaded. With some hosting companies this will be in the root FTP folder. In that case just add a forward slash as in the screenshot above (/). Other sites will be something like /httpdocs/ or /www/ (you should add the forward slash in the beginning and end of the directory name).

If you are not sure what the directory is where you should upload your website files, you can contact your hosting company for support and ask them. You could also use your File Explorer in the hosting control panel to see where the website files are (there will be a Default or Index file with a htm, html, aspx or asp extension).

Once you have added the FTP server, it can easily be selected from other parts of the program for things like a link payload or a phishing website. redpill Hacker will then create the website for you or upload the file for you.

A couple of things to remember:
  • When you want to send a payload with a link, you can use any website hosting option. If you want to use your site for a phishing site as well, you will need to make sure it is a Windows Server with ASP.NET 4.0 enabled.
  • Both options must be a website hosting option and not a ready-built website (like website builder from godaddy), as these sites do not allow you to upload any file you want (like payloads).
  • The link that you will specify in your link payload or the phishing website attack should be a link to your domain name and not to your FTP server.
  • You can use the same website (and FTP server) for different types of attacks. You could for example use the same site for a phishing website and for multiple payload links.

Please note, we recommend godaddy as they set up the sites correctly and their domains are quickly available. Some other companies fail to create some standard and needed folders with the correct permissions.

Please contact redpill support if you have any questions.

Thursday, 25 June 2015

redpill Hacker 3.22 Released

redpill Hacker 3.22 has been released with the following enhancements:
  • The payloads have been improved to make them harder to detect. The changes include changes to avoid detection by the target (user) and anti-virus.
    Note: One of the changes will cause a delay in the initial 'success message' and a delay before receiving the initial data. After the initial delay, data will be received in real time.
  • The payloads will now also give the IP address of the target computer that can be used to look up the target location.
  • A 'Delete All' was added to the target screen. This is useful if you want to import targets (email addresses) from a file and attack targets in batches.
For more information about redpill Hacker, visit

Thursday, 4 June 2015

redpill Hacker now with website phishing

redpill Hacker now with new website phishing feature. Training video shows how to get usernames and passwords from any device and any operating system.

For more information about redpill Hacker or more training videos visit: