Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control. Everyone knows in theory what phishing is, what phishing emails looks like, they even may even theoretically know how it all works. What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network. We will go through: Choosing and setting up a Phishing Framework Cloning a site Testing delivery and bypassing Spam filters with a payload (Click Once) Testing different user interactions for executing payloads Learning different payloads for command and control

1. @haydnjohnson
Phishing
For the shell

2. @haydnjohnson
Please note
❏This talk goes better with the audio and can be found at
(thank you to Adrian for the recording)
❏http://www.irongeek.com/i.php?page=videos/nolacon201
7/nolacon-2017-gbd07-phishing-for-shellz-setting-up-a-
phishing-campaign-haydn-johnson

3. @haydnjohnson
WhoAMI
❏Security Consultant
❏KPMG LLP (Canada)
❏Talks: BsidesTO, Circle City Con, HackFest, SecTor
❏OSCP, Offsec, Purple Team, Gym??
❏http://www.slideshare.net/HaydnJohnson
Views are my own :)
@haydnjohnson

4. @haydnjohnson
Outline
❏What is phishing: Phishing Attacks | Real world
❏Different ‘Phishing’: Clicks | Creds | Shells
❏ Email Minefield
❏To learn phishing - What does that involve | require
❏How I learned to phish - frameworks, Payload, VM

5. @haydnjohnson
Real attacks - stats
* Why should you care about phishing *
Phishing is now the #1 delivery vehicle
for ransomware and other malware.
https://blog.barkly.com/phishing-statistics-2016

6. @haydnjohnson
Top 10 Internet Scams
1.Phishing emails and Phony Web pages
2.The Nigerian scam, also known as 419
3.Lottery scams
4.Advanced fees paid for a guaranteed loan or credit card
5.Items for sale overpayment scam
6.Employment search overpayment scam

7. @haydnjohnson
Phishing Examples
Email
https://www.incapsula.com/web-application-security/phishing-attack-scam.html

8. @haydnjohnson
Phishing Examples - @johnLaTwc
Excel

9. @haydnjohnson
Phishing Examples - @johnLaTwc
AV

10. @haydnjohnson
Phishing Examples
URLs
https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/

11. @haydnjohnson
Phishing Engagement
Types
Counting Clicks
Gathering Credentials
Gaining Command & Control

12. @haydnjohnson
Counting Clicks

13. @haydnjohnson
Counting Clicks
“Click Through Rate”
http://www.dummies.com/web-design-development/site-development/calculating-click-
through-rates-for-e-mail-campaigns/

14. @haydnjohnson
Counting Clicks
Page Visitors
http://www.counter12.com/

15. @haydnjohnson
Counting Clicks
PHP code
<?php
if (file_exists('count_file.txt'))
{
$fil = fopen('count_file.txt', r);
$dat = fread($fil, filesize('count_file.txt'));
echo $dat+1;
fclose($fil);
$fil = fopen('count_file.txt', w);
fwrite($fil, $dat+1);
}
else
{
$fil = fopen('count_file.txt', w);
fwrite($fil, 1);
echo '1';
fclose($fil);
}
?>

16. @haydnjohnson
Gathering Credentials
Intranet
https://twitter.com/dawnstarau/status/
851921378517295104/photo/1

17. @haydnjohnson
Gathering
Credentials

18. @haydnjohnson
Getting Credentials
VPN

19. @haydnjohnson
Getting Credentials
ISSUES:
❏Have to reset passwords
❏Exposing passwords

20. @haydnjohnson
Command and Control

21. @haydnjohnson
Command & Control
TYPES OF SHELLS
Synchronous (Reverse, Bind)
Asynchronous (Beacon, Empire Agent)

22. @haydnjohnson
Command & Control

23. @haydnjohnson
Command & Control
ISSUES:
❏Hijacking control
❏Unencrypted communications
❏Data out of the network

24. @haydnjohnson
Command & Control

25. @haydnjohnson
Command & Control

26. @haydnjohnson
Email Minefield

27. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

28. @haydnjohnson
NOT SPAM
DNS records | DKIM - email spoof protection
No-deliver notice for recon
https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/Bounce_message
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
Sender Policy
Framework

29. @haydnjohnson
Mail Anti-Virus
Sandbox
Attachment Scanning
Sender
Policy
Framework
Mail Anti-
Virus
https://www.sandboxie.com/index.php?DownloadSandboxie
https://www.mail.com/mail/antivirus/
https://www.jvfconsulting.com/blog/trick-gmail-antivirus-scanner-send-any-
file-type-with-gmail-exe-dll-com-bat/
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-
corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0

30. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail Anti-
Virus
https://support.google.com/mail/answer/25760?hl=en

31. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail Anti-
Virus
https://github.com/carnal0wnage/malicious_file_maker
Test with different files:
❏Exe
❏Javascript etc

32. @haydnjohnson
Mail Delivered!
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED

33. @haydnjohnson
Mail Delivered….
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED

34. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

35. @haydnjohnson
McAfee
Trend
Avast
AVG
Host Anti Virus
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Norton
Avira
Bullguard
ABC
DEF
GEH
ETC
ETC
All the brands!

36. @haydnjohnson
Host Anti Virus
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
http://www.blackhillsinfosec.com/?p=5570
http://www.blackhillsinfosec.com/?p=5555
https://null-byte.wonderhowto.com/how-to/bypass-antivirus-using-powershell-and-
metasploit-kali-tutorial-0167601/
https://blog.netspi.com/10-evil-user-tricks-for-bypassing-anti-virus/
Run in memory
PowerShell
DLL
Remove ‘mimikatz’

37. @haydnjohnson
Code Execution
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution

38. @haydnjohnson
Even more!
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution

39. @haydnjohnson
Pentest part
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
❏First Landing
❏AV bypassed
❏Whitelisting
❏Constrained Language mode
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

40. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

41. @haydnjohnson
Intrusion Detection System
& Prevention
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS
❏NIDS
❏HIDS
❏Signature
❏Anomaly
❏Passive
❏Active
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

42. @haydnjohnson
Intrusion Detection System
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS
❏Not easy to bypass
❏Bypass Intranet Proxy | Supply creds
❏Obfuscation
❏False negatives
https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-evasion-
attackers-burglar-alarm-1284
“%2e%2e%2f%2e%2e%2fc:winntsystem32netstat.exe”
Instead of
“../../c:winntsystem32netstat.exe”

43. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS Firewall

44. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS Firewall
❏Bastion Host
❏DMZ
❏Deep Packet inspection
❏Reassemble packets
❏“NEXTGEN”
https://blog.fortinet.com/2014/10/09/a-few-words-about-evasion-
techniques

45. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS Firewall
❏Fragmentation
❏Tunnel ICMP | HTTP
❏Encryption
❏Firewalk
http://stephenperciballi.blogspot.ca/
https://www.cybrary.it/video/ids-firewalls-honeypots-whiteboard/

46. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS Firewall C2

47. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail Anti-
Virus
DELIVERED
Host Anti-
virus
Code
Execution
IDS Firewall

48. @haydnjohnson
Phishing mechanics

49. @haydnjohnson
Phishing - what we need to do
❏Domain
❏Send Email
❏Deliver Email

50. @haydnjohnson
Phishing - what we need to do
❏Social Engineer
❏Click Link

51. @haydnjohnson
Phishing - what we need to do
❏Interact
❏Download
❏Execute

52. @haydnjohnson
Phishing - what we need to do
❏Send Email
❏Deliver Email
❏Social Engineer interaction
❏Receive shell

53. @haydnjohnson
Considerations - what do I need to learn
❏Build a convincing email | pretext
❏Build a website that is convincing (framework / manual)
❏Bypass email minefield
❏Understand payloads and user interaction

54. @haydnjohnson
How I learned

55. @haydnjohnson
What I DID!

56. @haydnjohnson
What I DID!
https://www.trustedsec.com/social-engineer-toolkit/
https://getgophish.com/
https://github.com/Raikia/FiercePhish

57. @haydnjohnson
What I did
Installed
Played around
Decide on preferred tool

58. @haydnjohnson
Domain Tool
catphish
❏Phishing urls (DoubleExtensions, dashOmission,
Punycode, etc) and check if they are available.
❏Suggested by @mkr_ultra
https://github.com/ring0lab/catphish

59. @haydnjohnson
Frameworks

60. @haydnjohnson
Framework
Criteria

61. @haydnjohnson
Framework Criteria
❏Send email
❏Track email opening
❏Clone a website & save credentials
❏Ability to edit cloned site (for c2)
❏Graphs / Result recording

62. @haydnjohnson
Installation

63. @haydnjohnson
Gophish
Download binary
Chmod
RUN
literally….
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

64. @haydnjohnson
Gophish

65. @haydnjohnson
Gophish

66. @haydnjohnson

67. @haydnjohnson
FiercePhish

68. @haydnjohnson
FiercePhish

69. @haydnjohnson
FiercePhish
Ubuntu 16

70. @haydnjohnson
FiercePhish
Configuration script

71. @haydnjohnson
FiercePhish

72. @haydnjohnson
Careful

73. @haydnjohnson

74. @haydnjohnson
Social Engineer ToolKit (SET)

75. @haydnjohnson
SET
Installed in Kali by default!

76. @haydnjohnson
SET
Installed in Kali by default!

77. @haydnjohnson
SET
Options!

78. @haydnjohnson
SET
More Options!

79. @haydnjohnson
Requirements - Phishing framework
❏Send email
❏Track email opening
❏Clone website & save credentials
❏Graphs / Results

80. @haydnjohnson
Requirements - Phishing framework
Send Email
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike YES

81. @haydnjohnson
GoPhish

82. @haydnjohnson
FiercePhish

83. @haydnjohnson
Cobalt Strike

84. @haydnjohnson
Requirements - Phishing framework
Track Opening email
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike ????

85. @haydnjohnson
GoPhish

86. @haydnjohnson
Fierce Phish

87. @haydnjohnson
Requirements - Phishing framework
Clone a website & save credentials
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike YES

88. @haydnjohnson
GoPhish

89. @haydnjohnson
SET

90. @haydnjohnson
Cobalt Strike

91. @haydnjohnson
Requirements - Phishing framework
Graphs / Result recording
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike Probs

92. @haydnjohnson
Practice

93. @haydnjohnson
Morning Catch
VM
Practice Phishing
No DNS
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

94. @haydnjohnson
Morning Catch
Login Page
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

95. @haydnjohnson
Morning Catch
Email
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

96. @haydnjohnson
Morning Catch
Warning:

97. @haydnjohnson
Webpages

98. @haydnjohnson
HTML
Not perfect

99. @haydnjohnson
HTML
Does the job

100. @haydnjohnson
Cloud – Digital Ocean
http://withr.me/add-domain-name-for-your-
server-on-digitalocean/

101. @haydnjohnson
Domain

102. @haydnjohnson
Domain

103. @haydnjohnson
All the payloads

104. @haydnjohnson
Different Payloads

105. @haydnjohnson
Payloads
❏HTA
❏Click Once
❏DLL

106. @haydnjohnson
Payloads
HTA (executable)
HTML Applications
https://enigma0x3.net/2016/03/15/phishing-with-empire/
https://en.wikipedia.org/wiki/HTML_Application
https://blog.malwarebytes.com/cybercrime/2016/09/surfacing-hta-infections/

107. @haydnjohnson
HTA
Empire
https://enigma0x3.net/2016/03/15/phishing-with-empire/

108. @haydnjohnson
HTA

109. @haydnjohnson
HTA
Testing

110. @haydnjohnson
HTA
User Interaction 1

111. @haydnjohnson
HTA
User Interaction 2

112. @haydnjohnson
HTA
User Interaction 3

113. @haydnjohnson
HTA
Receive Shell

114. @haydnjohnson
DLL
Empire
https://sensepost.com/blog/2016/intercepting-passwords-with-empire-and-winning/

115. @haydnjohnson
DLL
Creating DLL

116. @haydnjohnson
DLL
Serving DLL

117. @haydnjohnson
DLL
Serving DLL

118. @haydnjohnson
DLL
Rundll32.exe

119. @haydnjohnson
DLL
MSF Wouldn’t work
https://www.sixdub.net/?p=627
http://www.powershellempire.com/?page_id=135

120. @haydnjohnson
Click Once

121. @haydnjohnson
Click Once
Works up to Win 7
Requires Internet Explorer
Win 8 == Smart Screen Filter (Signed Cert)
https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/
https://msdn.microsoft.com/en-us/library/t71a733d.aspx
https://msdn.microsoft.com/en-us/library/748fh114.aspx

122. @haydnjohnson
Click once
Placed in COA/Application Files/

123. @haydnjohnson

124. @haydnjohnson
Click Once
Using JavaScript
❏window.open()

125. @haydnjohnson
Click Once
Using JavaScript
❏IE blocks popup

126. @haydnjohnson
Click Once
Using JavaScript
❏2nd popup

127. @haydnjohnson
Click Once
“Click Once”
❏3rd popup

128. @haydnjohnson
Click Once
JavaScript
❏Too many things to click
❏User will become suscpicious

129. @haydnjohnson
Click Once - PHP

130. @haydnjohnson
Click Once
Submit Button
❏action=

131. @haydnjohnson
PHP page
Click Once

132. @haydnjohnson
Click Once
PHP to COA folder
❏header()

133. @haydnjohnson
Click Once
User Interaction #1

134. @haydnjohnson
Click Once
Calc.exe

135. @haydnjohnson
Key Take aways

136. @haydnjohnson
Lessons learned
❏ Consider the user intereaction
❏ Consider the technology to bypass

137. @haydnjohnson
Lessons learned
❏Things gonna not work
❏Try and test
❏Think outside the square

138. @haydnjohnson
Questions and
Comments
Thank you
@haydnjohnson

139. @haydnjohnson
Extra Links added since Talk
❏https://www.blackhat.com/docs/us-16/materials/us-16-Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-Automated-E2E-
Spear-Phishing-On-Twitter.pdf
❏https://phishme.com/
❏https://www.trustedsec.com/september-2013/introducing-spearphisher-simple-phishing-email-generation-tool/
❏https://library.educause.edu/~/media/files/library/2016/4/phishingprograms.pdf
❏http://www.media-division.com/the-right-way-to-handle-file-downloads-in-php/
❏https://www.fireeye.com/blog/threat-research/2017/01/credit_card_dataand.html
❏https://github.com/securestate/king-phisher
❏https://developer.mozilla.org/en-US/docs/Web/API/Window/open
❏https://www.tripwire.com/state-of-security/featured/evolution-phishing/