A Night of Phishing @ IUPUI Cyber Security Club
Phishing
IUPUI Cyber Security Club
Curtis Brazzell
Principal Security Consultant, Pondurance
THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
CONTENTS
Introduction
Phishing vs Spear-phishing
Reconnaissance
Statistics
Campaign Creation
Techniques
Demo?
Q & A
01 | INTRODUCTION
INTRO: PHISHING
» Purpose
• Security Awareness
• NOT for Humiliation
» Phishing vs Spear-Phishing
• KnowBe4, etc
» Lateral
» Under the Umbrella of Social Engineering
02 | PHISHING VS SPEAR-PHISHING
PHISHING vs SPEAR-PHISHING
» Phishing
• Casts a Wide Net
• Not as Effective
  - lack of personalization / too generic
  - spam filters
  - poor grammar
  - 1% of 1,000 is still 10
• Scams and Spams
• Scripted and Automated
» Spear-phishing
• Targeted Attacks
• Mission / Objective Based
• Highly Effective
• Takes Time / Not Easily Automated
03 | RECONNAISSANCE
RECONNAISSANCE: OSINT
» What is OSINT?
» Doing Our Homework (sorry)
» Targets
• Organizations
• Individuals
RECON - OSINT: ORGANIZATIONS
» Subdomains / Attack Surface
• Mail Server
• Remote Access (MFA?)
  - Citrix / TeamViewer / LogMeIn / VMware Horizon, etc
• VPN
• Careers Portal
• Contact Us
• Wappalyzer
• OS Fingerprinting
» Information Disclosure
• Google Dorking (Files, Dir Listing, Exposed Portals)
• Configuration Mistakes
» Vulnerabilities (Legitimate URLs)
• Cross-Site Scripting (XSS)
• Content Modification (iframes)
• Redirects
• Formjacking
• Session Hijacking
• Clickjacking
• Open Redirects
• Unrestricted File Uploads
» URL Encoding Techniques / Obfuscation
RECON - OSINT: ORGANIZATIONS (continued)
» Tools
• Passive vs Active Enumeration
• Active
  - MailSniper
  - Application Vuln Scanners (Burp Suite, ZAP, etc)
  - Network Vuln Scanners (Nessus, Nexpose, Qualys, OpenVAS, etc)
• Passive
  - Shodan
  - Discover
  - Dnstwist
  - Amass
  - Dnsdumpster
  - Prowl
RECON - OSINT: INDIVIDUALS
» Breach Lists
• HIBP / Paste sites
• Shared Creds
  - SSO
» About Us
» Google
» LinkedIn
» Tools (Limited List)
• LinkedINT
• Recon-ng
• theHarvester
• Maltego
RECON - OSINT: INDIVIDUALS (screenshot slides 12-17)
» Spear-phishing (Targeted) - Information Gathering sources
• Company’s “About Us” Page
• Social Media (LinkedIn, etc)
• Recon-ng
• Breach Lists
• Maltego
» Non-Targeted - Information Gathering
• theHarvester
04 | STATISTICS
STATISTICS: TRACKING
» Ties Back to Purpose - Reporting
» Opened Emails
• 1x1 Pixel Image
  <IMG SRC="https://DOMAIN.com/campaigns?target=EMAIL@RECIPIENT.COM&campaignname=ITCAMPAIGN" height="1" width="1">
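Added example, not from the deck: a defender-side check that parses an HTML message body, picks out remote 1x1 images like the tag above, and lists the identifiers their query strings would hand to the sender when a mail client fetches remote images. The message body is constructed; only the Python standard library is used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body (not real mail): a normal logo, a remote 1x1 beacon of
# the kind shown on the slide, and an inline (cid:) 1x1 that cannot phone home.
SAMPLE_HTML = """
<html><body>
<p>Hi team, please review the attached policy update.</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<IMG SRC="https://DOMAIN.com/campaigns?target=EMAIL@RECIPIENT.COM&campaignname=ITCAMPAIGN" height="1" width="1">
<img src="cid:inline-part-1" style="width:1px;height:1px">
</body></html>
"""

_STYLE_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag (HTMLParser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def _is_tiny(attrs):
    """True when both declared dimensions (attributes or inline style) are <= 1px."""
    dims = {}
    for key in ("width", "height"):
        raw = attrs.get(key, "").strip().lower().removesuffix("px").strip()
        if raw.isdigit():
            dims[key] = int(raw)
    for key, px in _STYLE_DIM.findall(attrs.get("style", "")):
        dims.setdefault(key.lower(), int(px))
    return len(dims) == 2 and all(px <= 1 for px in dims.values())


def find_tracking_pixels(html):
    """Return one finding per remote tiny image: host, path and the query
    parameters it carries (the recipient/campaign identifiers that a mail
    client fetching remote images would hand to the sender)."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        url = urlparse(attrs.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and make no request
        if not _is_tiny(attrs):
            continue
        findings.append({
            "host": url.hostname,
            "path": url.path,
            "params": {k: v[0] for k, v in parse_qs(url.query).items()},
        })
    return findings


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(f"beacon -> {hit['host']}{hit['path']} leaks {hit['params']}")
```

Blocking remote image loads in the mail client defeats the beacon entirely; the finding list is what an analyst reviews when a suspicious message is reported.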
STATISTICS: TRACKING (continued)
» Link Clicks
• Landing Page Requests
• BeEF Hooking
• Google Analytics, etc
STATISTICS: TRACKING (continued)
» Captured Credentials
• Password Strength
• Password Uniqueness
  - HIBP
  - Internal
» Compromised Hosts
05 | CAMPAIGN CREATION
CAMPAIGN CREATION: BELIEVABILITY
» How to create a convincing email?
• Choose a scenario
  - Work from Home
  - Employee Gift Card Raffle
  - Management Request
  - IT Department
• PhishAPI has a re-usable repository
  - Will be community driven soon
CAMPAIGN CREATION: BELIEVABILITY (continued)
» Customized
• TO field instead of BCC
• Match formatting of body and writing style
• Grab an email signature
  - Sales Reps
  - Customer Support
  - Job Application
  - Create your own w/ Logo
CAMPAIGN CREATION: BELIEVABILITY (continued)
» Exploit Relationships Between Employees
• HR
• IT
• Hierarchy of Seniority
» Social Tactics
• Scare
• Urgent
• Context
  - Calendar Events
  - Ticketing Portals / Help Desk
CAMPAIGN CREATION: BELIEVABILITY (screenshot slides 26-29)
• Spoof the Sender
• If spoofing isn’t an option, create a similar domain
CAMPAIGN CREATION: OBJECTIVES
» Credentials
• Fake Landing Pages (New Citrix Login, Finance Page, etc)
• Existing Cloned Pages w/ Company Logo
• OWA / VPN / Remote Admin Portals
» Malicious Documents (maldocs)
• Hashes
• Macros
• Credentials
» Malware
• Trojans, Keyloggers, Ransomware, etc
CAMPAIGN CREATION: CREDENTIALS
» Components
• Keep Independent
• Front-end
  - Static Web Page (GitHub Pages, Google Sites, EC2)
  - Submits Critical Info (Project, Target, etc)
• Back-end
  - Receives Requests
  - Processes Results
  - Alert Capability: necessary for MFA tokens; time is critical for account takeover, especially when suspicious
» Cloning Tools
• Social Engineering Toolkit (SET)
• PhishAPI
• Manual
  - Browser Tools
  - Backend
CAMPAIGN CREATION: CREDENTIALS (continued)
» Exploit User’s Misunderstanding of Security
• Subdomains
  - secure-iupui.edu VS secure.iupui.edu
• HTTPS
  - LetsEncrypt
• Mention “Security” in the body
• Disable “Protected View”
• Double security banners (lol)
• Hash Stealing in email (“But I didn’t open it!”)
• BeEF Hooking (“But I didn’t enter my credentials!”)
• Failure to Properly Terminate Sessions / Persistence
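Added example, not from the deck: a sender-domain classifier for mail-gateway or SOC triage that tells a true subdomain of the organisation (secure.iupui.edu) apart from the lookalikes this slide and the "create similar domain" slide describe (secure-iupui.edu, a different TLD, the org name buried inside another registered domain, one-character typos). iupui.edu is assumed as the organisation domain, and registered_domain() uses a two-label simplification that does not handle suffixes such as co.uk.

```python
ORG_DOMAIN = "iupui.edu"  # assumed organisation domain, taken from the slide's example


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos such as iupul.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels (iupui.edu, login-portal.com). Simplification: does not
    understand multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender_domain(host, org=ORG_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a sender or link host.
    The substring test is noisy for very short org labels; tune per tenant."""
    host = host.lower().strip(".")
    org = org.lower()
    org_label = org.split(".")[0]
    if host == org or host.endswith("." + org):
        return "internal"          # secure.iupui.edu really is ours
    if org in host:
        return "lookalike"         # secure-iupui.edu, iupui.edu.login-portal.com
    reg_label = registered_domain(host).split(".")[0]
    if org_label in reg_label:
        return "lookalike"         # iupui.com, myiupui.net
    if _edit_distance(reg_label, org_label) <= 1:
        return "lookalike"         # iupul.edu, iupuii.edu
    return "external"


def triage(hosts, org=ORG_DOMAIN):
    """Group a batch of observed hosts by verdict, for a quick gateway report."""
    out = {"internal": [], "lookalike": [], "external": []}
    for h in hosts:
        out[classify_sender_domain(h, org)].append(h)
    return out


if __name__ == "__main__":
    # Constructed observations, not real traffic
    sample = ["secure.iupui.edu", "secure-iupui.edu", "iupui.com",
              "iupui.edu.login-portal.com", "iupul.edu", "mail.example.org"]
    for verdict, hosts in triage(sample).items():
        print(f"{verdict:9s} {hosts}")
```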
CAMPAIGN CREATION: CREDENTIALS (continued)
» Tools for Capturing Credentials (Limited List)
• Phishery
  - Plaintext Creds via Basic Auth
• Evilginx
  - Session Tokens via Transparent Proxy
• Modlishka
  - Session Tokens via Transparent Proxy
• PhishAPI
  - Plaintext Creds with Real-time Alerting (+ Basic Auth and Hashes)
• Old School (netcat, verbose python simple web server, etc)
» Once Captured
• Use Domain / SSO Creds to Log Into External Services (Email, VPN)
• Reset Passwords for Third Party Sites (MFA Services, etc)
• Search keywords in inboxes (“password”, “vault”, etc)
• Check Cloud Storage for Goodies (OneDrive if O365 / Google Drive, etc)
• Phish Laterally
• Inbox Rules
  - Delete Replies, Password Reset Emails / Sent Messages
  - Alert on keywords
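Added example, not from the deck: the defender's counterpart to the "Inbox Rules" bullet, an audit that flags rules matching the post-compromise patterns listed above (deleting or hiding password-reset and reply traffic, forwarding to external addresses, meaningless names). The rule records and their field names are a constructed, simplified schema, not the real Exchange or Graph inbox-rule object; iupui.edu is the assumed organisation domain.

```python
import re

ORG_DOMAIN = "iupui.edu"  # assumed organisation domain

# Subject keywords attackers filter on to hide the evidence of an account takeover
SUSPICIOUS_KEYWORDS = ("password", "reset", "sign-in", "security", "suspicious",
                       "invoice", "wire", "helpdesk", "phish", "hacked")
# Folders users rarely look at; moving mail there is as good as deleting it
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items")

# Constructed rules in an assumed simplified schema (not the real Exchange/Graph
# inbox-rule object): one benign rule and two typical post-phish rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to": "Reading", "delete": False, "mark_read": False, "forward_to": []},
    {"name": ".", "subject_contains": ["password", "reset", "suspicious sign-in", "RE:"],
     "move_to": "RSS Subscriptions", "delete": True, "mark_read": True, "forward_to": []},
    {"name": "Backup", "subject_contains": [],
     "move_to": None, "delete": False, "mark_read": False,
     "forward_to": ["archive@external-example.net"]},
]


def audit_inbox_rule(rule, org_domain=ORG_DOMAIN):
    """Return (severity, reasons) for one rule: 'high', 'low' or 'none'."""
    high, low = [], []
    name = rule.get("name", "").strip()
    if not re.search(r"[a-z]{2,}", name, re.I):
        low.append(f"non-descriptive name {name!r}")
    keywords = [k.lower() for k in rule.get("subject_contains", [])]
    hits = sorted({k for k in keywords if any(s in k for s in SUSPICIOUS_KEYWORDS)})
    hides = bool(rule.get("delete") or rule.get("mark_read")
                 or (rule.get("move_to") or "").lower() in HIDING_FOLDERS)
    if hits and hides:
        high.append("hides messages matching " + ", ".join(hits))
    elif hides:
        low.append("deletes or hides messages without a security keyword")
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + org_domain)]
    if external:
        high.append("forwards to external address " + ", ".join(external))
    if high:
        return "high", high + low
    if low:
        return "low", low
    return "none", []


def audit_inbox_rules(rules, org_domain=ORG_DOMAIN):
    """Audit a mailbox's rules and return only those worth an analyst's attention."""
    findings = []
    for rule in rules:
        severity, reasons = audit_inbox_rule(rule, org_domain)
        if severity != "none":
            findings.append({"name": rule.get("name", ""),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['name']!r}: {'; '.join(f['reasons'])}")
```

Run the same audit on rule-creation audit events, not just a point-in-time export, so that a rule added and removed within one session is still seen.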
CAMPAIGN CREATION: MALDOCS
» Examples
• PDF Adobe Reader Zero Day
• Weaponized MS Office Documents
  - Macros
  - Basic Auth Requests (captured plaintext credentials)
  - SMB / UNC Requests (hash disclosure)
  - Other Techniques: DDE, Protected View Bypass, HTTP Calls (Information Disclosure)
CAMPAIGN CREATION: MALWARE
» Traditional Malware
» Compromise of Internal Environment
» Leverage Cloud Storage
• OneDrive Sharing
• Google Drive Sharing
» More Easily Detected
» File Type Blocking
06 | TECHNIQUES
TECHNIQUES
» Phish early or late in the day
» Calendar invites
» MFA bypass
» SIM swapping
» Hashes in email body
» Check Out of Office in O365
» Establish persistence
• Log in with multiple sessions
• Try credentials on other services
» Use valid creds to export GAL or phish laterally
» Look for patterns
• Password length / requirements
• Repeated default passwords
• Season + Year
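Added example, not from the deck: the reporting step behind "Captured Credentials" on the statistics slide and "Look for patterns" here, computing password strength, reuse and Season+Year counts for an awareness report from a constructed list of landing-page submissions. ORG_WORDS and the sample submissions are assumptions; a real back-end should hash or discard the plaintext as soon as these numbers are produced.

```python
import re
from collections import Counter

ORG_WORDS = ("iupui", "jaguars")  # assumed organisation-specific words to look for

# Season + year, with optional separator and trailing punctuation: Spring2019!, Fall_24
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[-_.]*(20\d{2}|\d{2})[!@#$%^&*.]*$", re.I)
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

# Constructed submissions (not real captures) in the shape a landing-page
# back-end would record: (username, password)
SAMPLE_CAPTURES = [
    ("alice", "Spring2019!"),
    ("bob", "Welcome1"),
    ("carol", "Welcome1"),
    ("dave", "Iupui#Jaguars24"),
    ("erin", "Correct-horse-battery-staple"),
]


def password_patterns(pw, org_words=ORG_WORDS):
    """Weak patterns one password exhibits; an empty list means nothing obvious."""
    tags = []
    if SEASON_YEAR.match(pw):
        tags.append("season+year")
    if any(w in pw.lower() for w in org_words):
        tags.append("contains-org-word")
    if len(pw) < 12:
        tags.append("short")
    if sum(bool(re.search(c, pw)) for c in CHAR_CLASSES) < 3:
        tags.append("low-complexity")
    return tags


def campaign_password_report(captures, org_words=ORG_WORDS):
    """Aggregate stats for the awareness report: how many submissions, how many
    distinct passwords, which were reused across accounts (repeated defaults),
    per-pattern counts, and how many looked clean. Hash or discard the
    plaintext once these numbers are produced."""
    counts = Counter(pw for _, pw in captures)
    patterns = Counter(tag for _, pw in captures
                       for tag in password_patterns(pw, org_words))
    reused = {pw: n for pw, n in counts.items() if n > 1}
    return {
        "submissions": len(captures),
        "distinct": len(counts),
        "reused": reused,
        "patterns": dict(patterns),
        "clean": sum(1 for _, pw in captures if not password_patterns(pw, org_words)),
    }


if __name__ == "__main__":
    print(campaign_password_report(SAMPLE_CAPTURES))
```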
07 | DEMO?
QUESTIONS?
THANK YOU!