2. @haydnjohnson
WhoAMI
❏ Security Analyst | Manager | Purple Teamer
❏ Points (points.com)
❏ Talks: BsidesTO, Circle City Con, HackFest, SecTor
❏ OSCP, Offsec, Purple Team, Gym??
❏ http://www.slideshare.net/HaydnJohnson
Views are my own :)
3. @haydnjohnson
Outline
❏ What is phishing: Phishing Attacks | Real world
❏ Different ‘Phishing’: Clicks | Creds | Shells
❏ Email Minefield
❏ To learn phishing - What does that involve | require
❏ How I learned to phish - frameworks, Payload, VM
4. @haydnjohnson
Real attacks - stats
* Why should you care about phishing *
Phishing is now the #1 delivery vehicle
for ransomware and other malware.
https://blog.barkly.com/phishing-statistics-2016
5. @haydnjohnson
Top 10 Internet Scams
1. Phishing emails and Phony Web pages
2. The Nigerian scam, also known as 419
3. Lottery scams
4. Advanced fees paid for a guaranteed loan or credit card
5. Items for sale overpayment scam
6. Employment search overpayment scam
7. Disaster relief scams
8. Travel scams
10. @haydnjohnson
Spam Campaign
❏ Many emails
❏ High volume of emails hoping for a high number of victims
❏ “Spray and pray”
❏ Not specific to one person or company
58. @haydnjohnson
Phishing - what we need to do
❏ Send Email
❏ Deliver Email
❏ Social Engineer interaction
❏ Receive shell
59. @haydnjohnson
Considerations - what do I need to learn
❏ Build a convincing email | pretext
❏ Build a website that is convincing (framework / manual)
❏ Bypass email minefield
❏ Understand payloads and user interaction
References:
https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/2/
https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-2-arming-your-server-with-postfix-dovecot/
https://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/
60. @haydnjohnson
Sending an Email
❏ MTA (Mail Transfer Agent) – sending and receiving e-mail
❏ MDA (Mail Delivery Agent) – POP / IMAP, email into inbox
❏ MUA (Mail User Agent) – email client
[Diagram: MUA, MTA, MDA]
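Added example (not from the original slides): the MUA / MTA / MDA chain as a defender sees it, rebuilt from a message's Received headers when triaging a reported email. The sample message, host names, the `trace` and `role` helpers and the role mapping are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: reserved example domains and documentation IP ranges.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby store.example.net with LMTP id c3; Mon, 06 Mar 2017 10:00:03 -0500
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS id b2; Mon, 06 Mar 2017 10:00:02 -0500
Received: from laptop.local (unknown [198.51.100.7])
\tby mail.example.org with ESMTPSA id a1; Mon, 06 Mar 2017 10:00:01 -0500
From: alice@example.org
To: bob@example.net
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)
TLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords

def role(proto):
    """Heuristic mapping from the 'with' keyword to the slide's agent roles."""
    if proto.startswith("LMTP"):
        return "MTA->MDA delivery"
    if proto in ("ESMTPA", "ESMTPSA"):      # authenticated: a client logged in
        return "MUA->MTA submission"
    if proto in ("SMTP", "ESMTP", "ESMTPS"):
        return "MTA->MTA relay"
    return "unknown"

def trace(raw, own_domain):
    """Return hops oldest-first; 'trusted' marks headers our own hosts wrote."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            hops.append({"role": "unparsed", "trusted": False})
            continue
        sender, by, proto = m.group(1), m.group(2).lower(), m.group(3).upper()
        hops.append({
            "from": sender, "by": by, "with": proto,
            "tls": proto in TLS, "role": role(proto),
            # Headers stamped by hosts outside our domain are sender-supplied
            # claims and can be forged; only trust what our own servers added.
            "trusted": by == own_domain or by.endswith("." + own_domain),
        })
    return hops

if __name__ == "__main__":
    for hop in trace(RAW, "example.net"):
        print(hop)
```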
61. @haydnjohnson
Sending an Email
❏ Must have a valid SSL/TLS certificate for your mail server – not self-signed
❏ /etc/ssl/private
❏ Virtual or Real accounts
I trust ya
62. @haydnjohnson
Sending an Email - Fighting Spam
❏ Probably not an issue
❏ Others can validate we are real
❏ Spam filtering
137. @haydnjohnson
Click Once
Works up to Win 7
Requires Internet Explorer
Win 8 == Smart Screen Filter (Signed Cert)
https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/
https://msdn.microsoft.com/en-us/library/t71a733d.aspx
https://msdn.microsoft.com/en-us/library/748fh114.aspx