Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control.
Everyone knows in theory what phishing is and what phishing emails look like; they may even theoretically know how it all works.
What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish.
This is not just about sending an email and a link; it is about bypassing the email minefield to get the email to the target and having the payload call back out of the network.
We will go through:
Choosing and setting up a Phishing Framework
Cloning a site
Testing delivery and bypassing Spam filters with a payload (Click Once)
Testing different user interactions for executing payloads
Learning different payloads for command and control
2. @haydnjohnson
Please note
❏This talk goes better with the audio and can be found at
(thank you to Adrian for the recording)
❏http://www.irongeek.com/i.php?page=videos/nolacon2017/nolacon-2017-gbd07-phishing-for-shellz-setting-up-a-phishing-campaign-haydn-johnson
3. @haydnjohnson
WhoAMI
❏Security Consultant
❏KPMG LLP (Canada)
❏Talks: BsidesTO, Circle City Con, HackFest, SecTor
❏OSCP, Offsec, Purple Team, Gym??
❏http://www.slideshare.net/HaydnJohnson
Views are my own :)
4. @haydnjohnson
Outline
❏What is phishing: Phishing Attacks | Real world
❏Different ‘Phishing’: Clicks | Creds | Shells
❏ Email Minefield
❏To learn phishing - What does that involve | require
❏How I learned to phish - frameworks, Payload, VM
5. @haydnjohnson
Real attacks - stats
* Why should you care about phishing *
Phishing is now the #1 delivery vehicle
for ransomware and other malware.
https://blog.barkly.com/phishing-statistics-2016
6. @haydnjohnson
Top 10 Internet Scams
1. Phishing emails and Phony Web pages
2. The Nigerian scam, also known as 419
3. Lottery scams
4. Advanced fees paid for a guaranteed loan or credit card
5. Items for sale overpayment scam
6. Employment search overpayment scam
53. @haydnjohnson
Considerations - what do I need to learn
❏Build a convincing email | pretext
❏Build a website that is convincing (framework / manual)
❏Bypass email minefield
❏Understand payloads and user interaction
121. @haydnjohnson
Click Once
Works up to Win 7
Requires Internet Explorer
Win 8 == Smart Screen Filter (Signed Cert)
https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/
https://msdn.microsoft.com/en-us/library/t71a733d.aspx
https://msdn.microsoft.com/en-us/library/748fh114.aspx