2

I'm working on some options for a social engineering assessment for a client. One of the things I'd like to do is email a bunch of people a pdf attachment (or put the pdf on removable media) and then track how many people actually opened the pdf. What's a good method for doing this?

I'm looking for something that has the best chance to make it through any email filters and/or AV so I'm not wanting to make powershell connections back to their computer or anything like that. Simply track whether the pdf was opened on their computer or not. I'm thinking maybe an image in the pdf that has some code embedded that will call to a URL which could be tracked or something but I'm not sure if this is the best way or even a good way to do it. And if it is a good way to do it, is there a sample online somewhere? I've seen some services offered online that will track pdf stuff but I'd like to do this myself manually (or with a tool like SET or Metasploit or something if it's built in).

Bonus would be if I could also track whether the email itself was viewed using a similar method (not sure how likely this is).

Just a Sec User
  • 21
  • 1
  • 2
  • 1
    Could it be a option to only provide a link to the pdf? Much simpler to get expected result... – Serge Ballesta Apr 19 '17 at 21:17
  • You're right, that would be much simpler and I've already got a system in place to do that. That's one useful data point (whether their employees will click on a link in an email) but whether their employee will actually download an attachment and open it (pdf in this case) is a completely different data point we want to track. Kind of a step further than just clicking a link. – Just a Sec User Apr 19 '17 at 21:24
  • You could place an image on a webserver, put that in the pdf and look how many people requested the image in the logs. – Trevi Awater Apr 19 '17 at 22:09
  • Yes, this is what I was thinking too. However, when I started looking into actually doing it, it wasn't as straight forward as I had hoped. Have you done this before? Any tutorials or articles you'd suggest? – Just a Sec User Apr 19 '17 at 22:26
  • You can send a folder that contain actual pdf file hidden and your program whose icon is same as pdf,make the program like when it run it start the actual pdf file then send you an email. – TAHA SULTAN TEMURI Apr 20 '17 at 07:44
  • Check out canary tokens for PDFs...there are a quite a few posts floating around about it (a full post about canary tokens and their use is here http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html) – Arlix Apr 20 '17 at 08:59

3 Answers3

2

You really need an exploit in a PDF viewer (Adobe Reader being the most common) to have a reliable way to track an action on a PDF file.

Because in normal operation, a PDF reader should never try to open a network connection or execute code on the local machine. The most that is allowed is to open a browser (or another PDF file) when the user clicks on a link.

So if you want to be immune to antivirus, mail filters and other anti malware, you must do what actual malware do: find a flaw in an application and exploit it.

The good news here is that Adobe Reader has not a very high security reputation, the bad news is that it is not enough to make it simple to find any exploitable vulnerability.

pri
  • 4,438
  • 24
  • 31
Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
0

A method I could imagine to work is:

You write a program that recognizes when a PDF file with a specific name/size/hash value/... gets opened by the user and sends e.g. an email to you in background. The program then needs to get distributed by the companys it department to all users you wanna "test". After that you can send a mail with the specific name/hash/etc. that triggers your program. You should probably check some legal facts before, as this could be illegal in your country.

licklake
  • 1,032
  • 1
  • 9
  • 22
-1

From Wikipedia:

"PDF is a file format used to present documents in a manner independent of application software, hardware, and operating systems"

I think that no matter how you share or send the PDF there are several ways in which a user can open the file, so there is no way you can know if the document has been opened by a user.

I can only think if you send a link and show the amount of downloads but that won't tell if the user even opened the file.

jquijano
  • 1
  • 1