SlideShare a Scribd company logo
1 of 41
Phishing:
Going from Recon
to Creds
Hackcon 2016 Edition
Adam Compton
Agenda
●Talk a Little About Myself
●What is Phishing?
●A Standard Phishing Process
●Speed Phishing Demo
https://github.com/tatanus/SPF
Adam Compton
Father - 5 yrs
Husband -16 yrs
Security Researcher - 16 yrs
Programmer - 34 yrs
Hillbilly - 39 yrs
@tatanus
https://github.com/tatanus
http://blog.seedsofepiphany.com/
adam.compton@gmail.com
adam_compton@rapid7.com
https://github.com/tatanus/SPF
What is Phishing?
"the attempt to acquire
sensitive information...by
masquerading as a trustworthy
entity in an electronic
communication." - Wikipedia
(Phishing)
https://github.com/tatanus/SPF
Why Phish?
Potential high return on investment
May be easiest way on a network
It works! People want to be helpful.
https://github.com/tatanus/SPF
Going Back to the 90s
“AOHell includes a ''fisher'' that allows a user to pose as
an AOL official and ask new members for passwords or
credit-card numbers.” - San Jose Mercury 1995
https://github.com/tatanus/SPF
What kind of sensitive info?
Credentials
Credit Cards
Identity - PII
Health Information
Bitcoin Wallets
Steam Accounts
https://github.com/tatanus/SPF
Types of Phishing Attacks
Attack Magnitude Targeting
Phishing Many General
Spear Phishing 10s - 100s Group, Company
Whaling One Executive
https://github.com/tatanus/SPF
Standard Phishing Process
https://github.com/tatanus/SPF
The list of targets and any other info that will help
Find through company site, google searches, and even
social media
List may be provided by customer
https://github.com/tatanus/SPF
Recon Tools
https://github.com/tatanus/SPF
Setting up web, dns and/or mail servers
Create a convincing scenario, write the email
Test the entire process!
This may be your only chance to fix issues
https://github.com/tatanus/SPF
Credential Harvesting => Login Information
Exploiting Client => Metasploit Sessions
This step is based on scope of work
https://github.com/tatanus/SPF
Attack Tools - Setup to Post Compromise
https://github.com/tatanus/SPF
Everyone’s Favorite Part!
At Minimum:
•Describe the Attack Scenario
•Targets
•Collected Credentials or Compromised Systems
Include Statistics
https://github.com/tatanus/SPF
I am lazy - Can we make this even easier?
Yes...Automation!
Program APIs
•BeEF RESTFul API
•Recon-cli
•SET - seautomate
Parse Commandline Tool Output
Python, Perl, & Bash
https://github.com/tatanus/SPF
SpeedPhishing Framework - SPF
Automates common tasks needed to perform a phishing
exercise
Written in Python
Minimal external dependencies
https://github.com/tatanus/SPF
Current Features
Harvests Email Address
Setups & Hosts Websites
Sends phishing emails to targets
Records Creds and Keystrokes
Creates VERY Simple Report
https://github.com/tatanus/SPF
SPF - Usage Statement / Options
https://github.com/tatanus/SPF
SPF - Config File
https://github.com/tatanus/SPF
SPF - Standard Phishing Process
https://github.com/tatanus/SPF
SPF - Reconnaissance
Searches online search engines like:
◦Google, Bing, and DuckDuckGo
Can use external tools such as theHarvester
https://github.com/tatanus/SPF
SPF - Identifying Potential Targets
https://github.com/tatanus/SPF
SPF - Setup and Deploy
Built-in web server based on Twisted python library
Templated sample web sites with accompanying email
templates
Ability to dynamically clone additional login portals as
needed
https://github.com/tatanus/SPF
SPF - Loading Web Sites
https://github.com/tatanus/SPF
SPF - Web Sites
https://github.com/tatanus/SPF
SPF - Sending Emails
Can simulate sending of emails
Sends emails in a round robin style alternating across all
phishing sites
Sends emails via 3rd party SMTP server or by connecting
directly to the target's mail server
https://github.com/tatanus/SPF
SPF - Sending Emails
SPF - Collect Responses & Post Exploitation
Logs all access to the web sites
Logs all form submissions
Logs all key strokes
Has ability to pillage email accounts
https://github.com/tatanus/SPF
SPF - Collecting Results
https://github.com/tatanus/SPF
Reports
Saves all data and activity logs to
assessment specific directory
structure
Generates simple HTML report
https://github.com/tatanus/SPF
SPF - Simple Report
Advanced/Experimental Features
Company Profiler
◦ Identify which if any templates should be used
◦ Dynamically generate new "target-specific" phishing sites
Pillage
◦ Verify credentials
◦ Download attachments
◦ Search for "SSN, password, login, etc…)
https://github.com/tatanus/SPF
SPF Demo
We shall all now pray to the demo gods
https://github.com/tatanus/SPF
Future Work/Features
More external tools
Better Profiling/Pillaging
Fancy Reports
Incorporate SSL (possibly via https://letsencrypt.org/).
Suggestions?
https://github.com/tatanus/SPF
A HUGE Thank You to:
Recon-ng - Tim Tomes (lanmaster53)
BeEF - Wade Alcorn
theHarvester - Christian Martorella
Social Engineering Toolkit - Dave Kennedy
Morning Catch - Raphael Mudge
https://github.com/tatanus/SPF
Defense
Preparation
◦User Awareness & Periodic Testing
Detection & Analysis
◦Alerts, Mail Proxies
Containment, Eradication and Recovery
◦Have a plan that is ready and tested
https://github.com/tatanus/SPF
Defense
Preparation
◦User Awareness & Periodic Testing
Detection & Analysis
◦Alerts, Mail Proxies
Containment, Eradication and Recovery
◦Have a plan that is ready and tested
https://github.com/tatanus/SPF
Thank You!
411
Adam Compton
@tatanus
https://github.com/tatanus
http://blog.seedsofepiphany.com/
adam.compton@gmail.com
adam_compton@rapid7.com
https://github.com/tatanus/SPF

More Related Content

Similar to HackCon - SPF

Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateSteffen Gebert
 
Wireless Network Pentestration
Wireless Network PentestrationWireless Network Pentestration
Wireless Network PentestrationKHNOG
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer vilss
 
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Codemotion
 
BigDataFest Building Modern Data Streaming Apps
BigDataFest  Building Modern Data Streaming AppsBigDataFest  Building Modern Data Streaming Apps
BigDataFest Building Modern Data Streaming Appsssuser73434e
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
 
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Casey Ellis
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secureIMMUNIO
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Frédéric Harper
 
Tracing python applications
Tracing python applicationsTracing python applications
Tracing python applicationsNikolay Stoitsev
 

Similar to HackCon - SPF (20)

Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
 
Wireless Network Pentestration
Wireless Network PentestrationWireless Network Pentestration
Wireless Network Pentestration
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
Encode polkadot club
Encode polkadot club  Encode polkadot club
Encode polkadot club
 
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
Why I've to waste my time on cryptography? - Andrea Pompili - Codemotion Rome...
 
BigDataFest Building Modern Data Streaming Apps
BigDataFest  Building Modern Data Streaming AppsBigDataFest  Building Modern Data Streaming Apps
BigDataFest Building Modern Data Streaming Apps
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
Null 1
Null 1Null 1
Null 1
 
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07
 
Designing & Building Secure Web APIs
Designing & Building Secure Web APIsDesigning & Building Secure Web APIs
Designing & Building Secure Web APIs
 
Tracing python applications
Tracing python applicationsTracing python applications
Tracing python applications
 

More from Adam Compton

Becoming a Pentester
Becoming a PentesterBecoming a Pentester
Becoming a PentesterAdam Compton
 
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVA HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVAdam Compton
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatAdam Compton
 
2018 DerbyCon - Hillbilly Storytime - Pentest Fails
2018 DerbyCon - Hillbilly Storytime - Pentest Fails2018 DerbyCon - Hillbilly Storytime - Pentest Fails
2018 DerbyCon - Hillbilly Storytime - Pentest FailsAdam Compton
 
2018 HackerHalted - Hillbilly Storytime - Pentest Fails
2018 HackerHalted - Hillbilly Storytime - Pentest Fails2018 HackerHalted - Hillbilly Storytime - Pentest Fails
2018 HackerHalted - Hillbilly Storytime - Pentest FailsAdam Compton
 
Bsides LV - Hillbilly Storytime - Pentest Fails
Bsides LV - Hillbilly Storytime - Pentest FailsBsides LV - Hillbilly Storytime - Pentest Fails
Bsides LV - Hillbilly Storytime - Pentest FailsAdam Compton
 
SecureWV - PentestFails
SecureWV - PentestFailsSecureWV - PentestFails
SecureWV - PentestFailsAdam Compton
 
Infosec Europe 17 - PentestFails
Infosec Europe 17 - PentestFailsInfosec Europe 17 - PentestFails
Infosec Europe 17 - PentestFailsAdam Compton
 
Bsides Nashville - PentestFails
Bsides Nashville - PentestFailsBsides Nashville - PentestFails
Bsides Nashville - PentestFailsAdam Compton
 
Bsides Knoxville - OSINT
Bsides Knoxville - OSINTBsides Knoxville - OSINT
Bsides Knoxville - OSINTAdam Compton
 
Bsides Knoxville - PentestFails
Bsides Knoxville - PentestFailsBsides Knoxville - PentestFails
Bsides Knoxville - PentestFailsAdam Compton
 
Bsides Knoxville - APT2
Bsides Knoxville - APT2Bsides Knoxville - APT2
Bsides Knoxville - APT2Adam Compton
 

More from Adam Compton (15)

Becoming a Pentester
Becoming a PentesterBecoming a Pentester
Becoming a Pentester
 
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWVA HillyBilly's Guide to Staying Anonymous Online - SecureWV
A HillyBilly's Guide to Staying Anonymous Online - SecureWV
 
BSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White MeatBSidesKnoxville 2019 - Unix: The Other White Meat
BSidesKnoxville 2019 - Unix: The Other White Meat
 
2018 DerbyCon - Hillbilly Storytime - Pentest Fails
2018 DerbyCon - Hillbilly Storytime - Pentest Fails2018 DerbyCon - Hillbilly Storytime - Pentest Fails
2018 DerbyCon - Hillbilly Storytime - Pentest Fails
 
2018 HackerHalted - Hillbilly Storytime - Pentest Fails
2018 HackerHalted - Hillbilly Storytime - Pentest Fails2018 HackerHalted - Hillbilly Storytime - Pentest Fails
2018 HackerHalted - Hillbilly Storytime - Pentest Fails
 
Bsides LV - Hillbilly Storytime - Pentest Fails
Bsides LV - Hillbilly Storytime - Pentest FailsBsides LV - Hillbilly Storytime - Pentest Fails
Bsides LV - Hillbilly Storytime - Pentest Fails
 
SecureWV - PentestFails
SecureWV - PentestFailsSecureWV - PentestFails
SecureWV - PentestFails
 
SecureWV - APT2
SecureWV - APT2SecureWV - APT2
SecureWV - APT2
 
Infosec Europe 17 - PentestFails
Infosec Europe 17 - PentestFailsInfosec Europe 17 - PentestFails
Infosec Europe 17 - PentestFails
 
DerbyCon - Legion
DerbyCon - LegionDerbyCon - Legion
DerbyCon - Legion
 
DerbyCon - APT2
DerbyCon - APT2DerbyCon - APT2
DerbyCon - APT2
 
Bsides Nashville - PentestFails
Bsides Nashville - PentestFailsBsides Nashville - PentestFails
Bsides Nashville - PentestFails
 
Bsides Knoxville - OSINT
Bsides Knoxville - OSINTBsides Knoxville - OSINT
Bsides Knoxville - OSINT
 
Bsides Knoxville - PentestFails
Bsides Knoxville - PentestFailsBsides Knoxville - PentestFails
Bsides Knoxville - PentestFails
 
Bsides Knoxville - APT2
Bsides Knoxville - APT2Bsides Knoxville - APT2
Bsides Knoxville - APT2
 

Recently uploaded

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 

Recently uploaded (11)

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 

HackCon - SPF

  • 1. Phishing: Going from Recon to Creds Hackcon 2016 Edition Adam Compton
  • 2. Agenda ●Talk a Little About Myself ●What is Phishing? ●A Standard Phishing Process ●Speed Phishing Demo https://github.com/tatanus/SPF
  • 3. Adam Compton Father - 5 yrs Husband -16 yrs Security Researcher - 16 yrs Programmer - 34 yrs Hillbilly - 39 yrs @tatanus https://github.com/tatanus http://blog.seedsofepiphany.com/ adam.compton@gmail.com adam_compton@rapid7.com https://github.com/tatanus/SPF
  • 4. What is Phishing? "the attempt to acquire sensitive information...by masquerading as a trustworthy entity in an electronic communication." - Wikipedia (Phishing) https://github.com/tatanus/SPF
  • 5. Why Phish? Potential high return on investment May be easiest way on a network It works! People want to be helpful. https://github.com/tatanus/SPF
  • 6. Going Back to the 90s “AOHell includes a ''fisher'' that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.” - San Jose Mercury 1995 https://github.com/tatanus/SPF
  • 7.
  • 8. What kind of sensitive info? Credentials Credit Cards Identity - PII Health Information Bitcoin Wallets Steam Accounts https://github.com/tatanus/SPF
  • 9. Types of Phishing Attacks Attack Magnitude Targeting Phishing Many General Spear Phishing 10s - 100s Group, Company Whaling One Executive https://github.com/tatanus/SPF
  • 11. The list of targets and any other info that will help Find through company site, google searches, and even social media List may be provided by customer https://github.com/tatanus/SPF
  • 13. Setting up web, dns and/or mail servers Create a convincing scenario, write the email Test the entire process! This may be your only chance to fix issues https://github.com/tatanus/SPF
  • 14. Credential Harvesting => Login Information Exploiting Client => Metasploit Sessions This step is based on scope of work https://github.com/tatanus/SPF
  • 15. Attack Tools - Setup to Post Compromise https://github.com/tatanus/SPF
  • 16. Everyone’s Favorite Part! At Minimum: •Describe the Attack Scenario •Targets •Collected Credentials or Compromised Systems Include Statistics https://github.com/tatanus/SPF
  • 17. I am lazy - Can we make this even easier? Yes...Automation! Program APIs •BeEF RESTFul API •Recon-cli •SET - seautomate Parse Commandline Tool Output Python, Perl, & Bash https://github.com/tatanus/SPF
  • 18. SpeedPhishing Framework - SPF Automates common tasks needed to perform a phishing exercise Written in Python Minimal external dependencies https://github.com/tatanus/SPF
  • 19. Current Features Harvests Email Address Setups & Hosts Websites Sends phishing emails to targets Records Creds and Keystrokes Creates VERY Simple Report https://github.com/tatanus/SPF
  • 20. SPF - Usage Statement / Options https://github.com/tatanus/SPF
  • 21. SPF - Config File https://github.com/tatanus/SPF
  • 22. SPF - Standard Phishing Process https://github.com/tatanus/SPF
  • 23. SPF - Reconnaissance Searches online search engines like: ◦Google, Bing, and DuckDuckGo Can use external tools such as theHarvester https://github.com/tatanus/SPF
  • 24. SPF - Identifying Potential Targets https://github.com/tatanus/SPF
  • 25. SPF - Setup and Deploy Built-in web server based on Twisted python library Templated sample web sites with accompanying email templates Ability to dynamically clone additional login portals as needed https://github.com/tatanus/SPF
  • 26. SPF - Loading Web Sites https://github.com/tatanus/SPF
  • 27. SPF - Web Sites https://github.com/tatanus/SPF
  • 28. SPF - Sending Emails Can simulate sending of emails Sends emails in a round robin style alternating across all phishing sites Sends emails via 3rd party SMTP server or by connecting directly to the target's mail server https://github.com/tatanus/SPF
  • 29. SPF - Sending Emails
  • 30. SPF - Collect Responses & Post Exploitation Logs all access to the web sites Logs all form submissions Logs all key strokes Has ability to pillage email accounts https://github.com/tatanus/SPF
  • 31. SPF - Collecting Results https://github.com/tatanus/SPF
  • 32. Reports Saves all data and activity logs to assessment specific directory structure Generates simple HTML report https://github.com/tatanus/SPF
  • 33. SPF - Simple Report
  • 34. Advanced/Experimental Features Company Profiler ◦ Identify which if any templates should be used ◦ Dynamically generate new "target-specific" phishing sites Pillage ◦ Verify credentials ◦ Download attachments ◦ Search for "SSN, password, login, etc…) https://github.com/tatanus/SPF
  • 35. SPF Demo We shall all now pray to the demo gods https://github.com/tatanus/SPF
  • 36. Future Work/Features More external tools Better Profiling/Pillaging Fancy Reports Incorporate SSL (possibly via https://letsencrypt.org/). Suggestions? https://github.com/tatanus/SPF
  • 37. A HUGE Thank You to: Recon-ng - Tim Tomes (lanmaster53) BeEF - Wade Alcorn theHarvester - Christian Martorella Social Engineering Toolkit - Dave Kennedy Morning Catch - Raphael Mudge https://github.com/tatanus/SPF
  • 38. Defense Preparation ◦User Awareness & Periodic Testing Detection & Analysis ◦Alerts, Mail Proxies Containment, Eradication and Recovery ◦Have a plan that is ready and tested https://github.com/tatanus/SPF
  • 39. Defense Preparation ◦User Awareness & Periodic Testing Detection & Analysis ◦Alerts, Mail Proxies Containment, Eradication and Recovery ◦Have a plan that is ready and tested https://github.com/tatanus/SPF

Editor's Notes

  1. Good afternoon I’m Adam Compton and today we are going be talking about phishing
  2. First of all, lets go over the obligatory agenda slide. The talk today will start with a brief overview of email phishing and end with the presentation of a new phishing tool I started developing last year.
  3. My name is Adam Compton. I have been doing information security research and professional services for most of my professional life. I am married with children. While I love them all, I do enjoy getting away from them once in a while. Yes I am a hillbilly from the Appalachian Mountains of the eastern Untied States and proud of it. So, why am I here? Because I believe in trying to give back to the community. While not everyone may find this talk or the associated tool as interesting as I do, hopefully enough will to make this worth it.
  4. So, what is phishing? At its most basic, phishing is attempting to gain sensitive information by manipulating someone through electronic communication. This may take the form of email, messages, in game communications, and so on.
  5. Yes phishing is just one attack vector that malicious advisories can leverage to gain access to sensitive systems and data. So why would someone phish when there are these other possible attack vectors? What makes it so interesting, so successive? Because phishing has a high return on investment; targeting 10 people or 1000 typically takes the same amount of effort for an attacker. Many times it may be the easiest way to get on a network that has a low external attack surface. Finally, it just works. Phishing exploits some our basic human needs. People want to be helpful.
  6. Another reason is that phishing is time tested. It has worked for over 20 years, going back to the mid-90s with America Online. Some of the earliest evidence of phishing attacks I could find was script kiddies using visual basic or C++ programs on AOL. One of the most popular was AOHell. The San Jose Mercury, all the way back in 95, reported that AOHell includes a ''fisher'' that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.
  7. Here is an example of AOHell Running. Here it has “Phishing for PWs”, a list of targets, the message and the IM responses. It really hasn’t gotten much more complicated since then and in many cases, phishing may be even easier and more effective today.
  8. What kind of sensitive information are attackers after? Most are after either access to systems or they are trying to make money. This could be through stealing credit cards or PII (personally Identifiable Information) that could be used to open a line of credit or recently health information. The health care information is usually used to aid in heathcare insurance fraud. Recently there have been attacks against bitcoin brokers and even steam or other online game accounts
  9. What are the primary types of phishing attacks? Regular Blanket email attacks, usually they are very simple (requiring little to no advance research) You probably get these types of attacks all of the time, and they are just flagged as SPAM Spear Phishing - typically used when targeting a group of people with a shared commonality such as the employees of a specific company (this usually requires some advanced research to make the phish believable, such as at a minimal the company logo and so on) Whaling - When all you want is the CEO, president, or similar high level target (this requires a lot of prep work to get right as you likely only get one chance to get it correct) Most professional consulting engagements will involve either spear fishing or in some instances whaling, you won’t be going after the entire internet.
  10. Now we are going to step through a standard phishing process, everyone has their own methodology but this seems to be the most common we could find.
  11. It all starts with Recon. This is where you are collecting the list of targets and any other information that may help. You can use sources such as the company's own website (there may be a employee listing page), google searches (people love to post to forums and blogs using their company email addresses), and social media sites (such as facebook and linkedin)
  12. There are a lot of tools out there Recon-NG and, to a more limited degree, theHarvester can aid in the identification of potential targets for a phishing exercise. Foca and MetaGoofil are document metadata analyzers that can be used to find machine names, usernames, software versions and much more. Maltego and Netglub are great tools for mass research of a company or person and chaining that information together.
  13. Next is the setup and deployment, this usually includes setting up servers such as web, dns and mail. Once everything is running and you’ve created a convincing scenario using the recon from earlier it’s time to send the emails. You really should send a few test emails to yourself and then step through the entire process from start to finish. This may be the only chance you have to fix things. STORY: I will admit that on at least one occasion, I failed to do the proper testing. The % of people clicking on the link was much lower than I had expected. When I went back to figure out what could have happened, I realized I had put the wrong company name in the email and the website had a broken image for the logo. However this screw up on my part still ended up being somewhat useful as it demonstrated that at least some % of the company's employees would click on anything and were willing to just give their creds away to any old site regardless of how ugly it was.
  14. Next, you need to collect the responses, for a credential harvesting attack this could be usernames and passwords, if you were exploiting the client, it would be metasploit sessions. Either way, you need to decide what you want to do now. Do you just document the credentials or the compromised systems and go on your way? Or do you use those to continue the assessment and turn the phishing attack into a potential internal penetration test? A lot of this decision is based on the agreement with the customer
  15. There are several attack tools that will tak you through the process from setup and deployment, all the way to post compromise The Social Engineering Toolkit is great general purpose tool to aid a pentester in performing client side attacks, it has one of the largest feature sets. Phishing Frenzy while not as robust as SET, does have a web based UI and is very user friendly for people just getting started in phishing. Browser Exploitation Framework is more of an attack platform than a phishing tool. But I find it works very well when partnered with other tools. GoPhish is a new comer to the phishing landscape. It is another opensource tool with provides a gui and much of the same functionality as the others. I have not had time to fully test this solution yet.
  16. Now we get to everyone’s favorite part, the reporting! This is where you review all of your notes and produce a report for the customer. At a minimum, you will need to describe the attack scenario, list the targets, and any results such as collected credentials or compromised systems. Really good reports will include statistics and show the business impact of the attack.
  17. Okay, I am not lazy but as a programmer I do like to find ways to automate repetative processes when possible. Many of the common tools (such as SET, Recon-ng, and BeEF) already have APIs available for us to use or they are command line tools (such as theHarvester) whose output can be easily parsed.
  18. Let me introduce SPF "The SpeedPhishing Framework" (yes it is a play on the name "Sender Policy Framework"). SPF is is my attempt to automate common tasks needed for a standard phishing exercise. Currently it focuses on credential harvesting attacks, but I plan on expanding it into other attacks in the future. It is written in Python. I chose python for no real reason other than I just felt this would be a fun python project. I did not and still do not intend SPF to be a replacement or competitor for something like the Social Engineering Toolkit. I feel both occupy different roles and both can co-exist nicely.
  19. Currently SPF can harvest potential emails from the internet by using many popular search engines such as google, bing, and duckduckgo. Through the use of templates, it can deploy 1 or more web sites designed to capture credentials It can send emails to the previously identified targets instructing them to go to one of the deployed phishing websites. It collects all credentials and keystrokes entered into the web sites. It keeps a full log of all activities. It can even generate a simple html based report when finished.
  20. SPF is a command line tool. And like all good command line tools, it has a nice lengthy usage statement. This is just a small snippet of it here. You will see the full one when we get to the demo in a bit.
  21. In addition to the commandline arguments, SPF also makes use of a config file. The config file is used for some of the setting that are not changed that often and are common across multiple assessments.
  22. Over the next few slides we will be revisiting the standard phishing process steps I listed previously.
  23. Depending on the commandline arguments provided, SPF can use both built-in and external tools to perform some Internet recon on the target company. SPF can attempt to identify to identify target email addresses, as well as web and mail servers the company may have on the Internet.
  24. Here is a few shots of SPF gathering target email addresses.
  25. SPF has a built in webserver and comes with multiple (currently I think there are 5) website templates that can be used. SPF also has an available "advanced" feature that allows it to quickly search any websites the target company hosts and then determine if they contain a login portal, and if so, SPF will clone the site and use it as another available phishing template. I will talk more about this after while.
  26. Again, just a shot of SPF loading a few web templates.
  27. Here is just a sampling of what some of the phishing website templates look like. As you may (or may not) be able to tell, they are fairly common websites, which many companies may already use.
  28. SPF performs a round-robin style of sending emails. It loops of any web sites that have been deployed, pops an email address of the list, and send an email to that address instructing the recipient to go to the web site. then it would go to the next and so on. This is done in an effort to ensure an equal distribution of recipients being directed to each phishing site. In order to send the emails, SPF can make use of a 3rd party email server (such as gmail) or it will attempt to connect directly to the target company's smtp server and send them that way.
  29. Here you can see SPF simulating the sending of the emails.
  30. As mentioned before currently SPF is focused on credential harvesting. As such, it is designed to key log all actavity on the hosted phishing web sites as well as storing any form data the visitor may finally submit. And as another advanced/experimental feature, SPF has the ability to automatically attempt to pillage any email accounts it can find. Again, this will be discussed more in a bit.
  31. Just a sampling of SPF collecting keylogs and form submissions.
  32. And yes, SPF does generate a simple html based report. It is nothing special, but it is functional. I would like to mention that all of the activity logs, collected data, and so on will be saved in a directory so that you can view/parse/manipulate it to your hearts content if you wish.
  33. Like I said, it is nothing special.
  34. Two of the more experimental features are the Company Profiler and the Pillage modules. I touched on these earlier, but now, lets get into the details a bit more. The Company Profiler servers multiple purposes. First, by scanning the internet facing websites of the target company, it can determine which of the built in web templates would work best. Secondly, it can identify and clone any other login portals it identifies. These newly cloned sites will also be used during the phishing exercise. The Pillage module is a most exploit module designed to attempt to validate any collected credentials, login to the target's mail account and download any emails or attachment which match predetermine strings or regular expressions. Currently this only works if the arget has either an IMAP or POP3 mail server.
  35. Demo Time… Hopefully we can do a live demo, if not we have a few slides that can hopefully provide you an idea of how it works
  36. As with all new tools and projects, there are so many things that could be included. I had to pick and choose what I felt should be in the initial release. As a result, here is a list of a few of the items I have not added, but plan on potentially adding later. By popular demand, the ability to track individual emails. Personally I do not find this adds much, but others swear by it. Add more external tool utilization. Enhance the Company Profiling and the email pillaging modules. Improve upon the report SPF generates. Add SSL to the websites. As I do not know all of the web sites and domain names before hand, this can be a bit tricky. Possibly by using something like the "letsencrypt" project could help. Any other suggestions? Anyone want to help, contribute?
  37. I just want to take a moment to say thank you to all of the developers of the other phishing tools I have been using for years.
  38. One of the most important is User Awareness and testing We can do this by performing phishing exercises with tools such as those described earlier in the presentation.
  39. And a big thank you to all of you for sitting through this.
  40. Questions?