Phishing for the shell. A little customization for DC618, last minute invite. Links updated. Learn some phishing frameworks and payload interactions.

1. @haydnjohnson
Phishing
For the shell
DC618 -> Thank you for having me

2. @haydnjohnson
WhoAMI
❏ Security Analyst | Manager | Purple Teamer
❏ Points (points.com)
❏ Talks: BsidesTO, Circle City Con, HackFest, SecTor
❏ OSCP, Offsec, Purple Team, Gym??
❏ http://www.slideshare.net/HaydnJohnson
Views are my own :)
@haydnjohnson

3. @haydnjohnson
Outline
❏ What is phishing: Phishing Attacks | Real world
❏ Different ‘Phishing’: Clicks | Creds | Shells
❏ Email Minefield
❏ To learn phishing - What does that involve | require
❏ How I learned to phish - frameworks, Payload, VM

4. @haydnjohnson
Real attacks - stats
* Why should you care about phishing *
Phishing is now the #1 delivery vehicle
for ransomware and other malware.
https://blog.barkly.com/phishing-statistics-2016

5. @haydnjohnson
Top 10 Internet Scams
1. Phishing emails and Phony Web pages
2. The Nigerian scam, also known as 419
3. Lottery scams
4. Advanced fees paid for a guaranteed loan or credit card
5. Items for sale overpayment scam
6. Employment search overpayment scam
7. Disaster relief scams
8. Travel scams

6. @haydnjohnson
Phishing Examples
Email
https://www.incapsula.com/web-application-security/phishing-attack-scam.html

7. @haydnjohnson
Phishing Examples - @johnLaTwc
Excel

8. @haydnjohnson
Phishing Examples - @johnLaTwc
AV

9. @haydnjohnson
Phishing Campaigns
Spam
Spear

10. @haydnjohnson
❏ Many emails
❏ High amount of emails hoping for high amount of victims
❏ “Spray and pray”
❏ Not specific to one person or company
Spam Campaign

11. @haydnjohnson
Spam Campaign

12. @haydnjohnson
❏ Few emails
❏ Research
❏ High value target
❏ Like marketing, entices you to open
Spear Phishing Campaign

13. @haydnjohnson
Spear Phishing Campaign

14. @haydnjohnson
Phishing Types
Counting Clicks
Gathering Credentials
Gaining Command & Control

15. @haydnjohnson
Counting Clicks

16. @haydnjohnson
Counting Clicks
“Click Through Rate”
http://www.dummies.com/web-design-development/site-development/calculating-click-through
-rates-for-e-mail-campaigns/

17. @haydnjohnson
Counting Clicks
Page Visitors
http://www.counter12.com/

18. @haydnjohnson
Counting Clicks
PHP code
<?php
if (file_exists('count_file.txt'))
{
$fil = fopen('count_file.txt', r);
$dat = fread($fil, filesize('count_file.txt'));
echo $dat+1;
fclose($fil);
$fil = fopen('count_file.txt', w);
fwrite($fil, $dat+1);
}
else
{
$fil = fopen('count_file.txt', w);
fwrite($fil, 1);
echo '1';
fclose($fil);

19. @haydnjohnson
Gathering Credentials
Intranet
https://twitter.com/dawnstarau/status/
851921378517295104/photo/1

20. @haydnjohnson
Counting Clicks
Click Link Count ClicksReceive Mail Open Mail

21. @haydnjohnson
Gathering
Credentials

22. @haydnjohnson
Getting Credentials
VPN

23. @haydnjohnson
Getting Credentials
Click Link Enter CredentialsReceive Mail Open Mail
Attacker receives credentials Credentials sent to attacker

24. @haydnjohnson
Getting Credentials
ISSUES:
❏ Have to reset passwords
❏ Exposing passwords

25. @haydnjohnson
Command and
Control

26. @haydnjohnson
Command & Control
TYPES OF SHELLS
Synchronous (Reverse, Bind)
Asynchronous (Beacon, Empire Agent)

27. @haydnjohnson
Command & Control
Click Link Download / executeReceive Mail Open Mail

28. @haydnjohnson
Command & Control

29. @haydnjohnson
Command & Control
ISSUES:
❏ Hijacking control
❏ Unencrypted communications
❏ Data out of the network

30. @haydnjohnson
Command & Control

31. @haydnjohnson
Command & Control

32. @haydnjohnson
Email Minefield

33. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

34. @haydnjohnson
NOT SPAM
DNS records | DKIM - email spoof protection
No-deliver notice for recon
https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/Bounce_message
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
Sender Policy
Framework

35. @haydnjohnson
Mail Anti-Virus
Sandbox
Attachment Scanning
Sender
Policy
Framework
Mail
Anti-Virus
https://www.sandboxie.com/index.php?DownloadSandboxie
https://www.mail.com/mail/antivirus/
https://www.jvfconsulting.com/blog/trick-gmail-antivirus-scanner-send-any-fi
le-type-with-gmail-exe-dll-com-bat/
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-cor
porate-security-control-with-a-point-n-click-gui-37f4cbc107d0

36. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail
Anti-Virus
https://support.google.com/mail/answer/25760?hl=en

37. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail
Anti-Virus
https://github.com/carnal0wnage/malicious_file_maker
Test with different files:
❏ Exe
❏ Javascript etc

38. @haydnjohnson
Mail Delivered!
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED

39. @haydnjohnson
Mail Delivered….
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED

40. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

41. @haydnjohnson
McAfee
Trend
Avast
AVG
Host Anti Virus
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Norton
Avira
Bullguard
ABC
DEF
GEH
ETC
ETC
All the brands!

42. @haydnjohnson
Host Anti Virus
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
http://www.blackhillsinfosec.com/?p=5570
http://www.blackhillsinfosec.com/?p=5555
https://null-byte.wonderhowto.com/how-to/bypass-antivirus-using-powershell-and-metas
ploit-kali-tutorial-0167601/
https://blog.netspi.com/10-evil-user-tricks-for-bypassing-anti-virus/
Run in memory
PowerShell
DLL
Remove ‘mimikatz’

43. @haydnjohnson
Code Execution
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution

44. @haydnjohnson
Even more!
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution

45. @haydnjohnson
Pentest part
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
❏ First Landing
❏ AV bypassed
❏ Whitelisting
❏ Constrained Language mode
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

46. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

47. @haydnjohnson
Intrusion Detection System
& Prevention
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS
❏ NIDS
❏ HIDS
❏ Signature
❏ Anomaly
❏ Passive
❏ Active
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

48. @haydnjohnson
Intrusion Detection System
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS
❏ Not easy to bypass
❏ Bypass Intranet Proxy | Supply creds
❏ Obfuscation
❏ False negatives
https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-evasion-attackers-burglar-alarm-1284
“%2e%2e%2f%2e%2e%2fc:winntsystem32netstat.exe”
Instead of
“../../c:winntsystem32netstat.exe”

49. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall

50. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall
❏ Bastion Host
❏ DMZ
❏ Deep Packet inspection
❏ Reassemble packets
❏ “NEXTGEN”
https://blog.fortinet.com/2014/10/09/a-few-words-about-evasion-techniq
ues

51. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall
❏ Fragmentation
❏ Tunnel ICMP | HTTP
❏ Encryption
❏ Firewalk
http://stephenperciballi.blogspot.ca/
https://www.cybrary.it/video/ids-firewalls-honeypots-whiteboard/

52. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall C2

53. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall

54. @haydnjohnson
Phishing mechanics

55. @haydnjohnson
Phishing - what we need to do
❏ Domain
❏ Send Email
❏ Deliver Email

56. @haydnjohnson
Phishing - what we need to do
❏ Social Engineer
❏ Click Link

57. @haydnjohnson
Phishing - what we need to do
❏ Interact
❏ Download
❏ Execute

58. @haydnjohnson
Phishing - what we need to do
❏ Send Email
❏ Deliver Email
❏ Social Engineer interaction
❏ Receive shell

59. @haydnjohnson
Considerations - what do I need to learn
❏ Build a convincing email | pretext
❏ Build a website that is convincing (framework / manual)
❏ Bypass email minefield
❏ Understand payloads and user interaction
References:
https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-yourown-domain-part-1/2/
https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-2-arming-your-serverwith-postfix-dovecot/
https://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-againstspammers/

60. @haydnjohnson
Sending an Email
❏ MTA (Mail Transfer Agent), sending
and receiving e-mail
MDA
MUA
❏ MDA (Mail Delivery Agent) POP / IMAP
email into inbox
MTA
❏ MUA Mail User Agent – email client

61. @haydnjohnson
Sending an Email
❏ Must have a valid SSL/TLS certificate for your mail
server – not self signed
❏ /etc/ssl/private
❏ Virtual or Real accounts
I trust ya

62. @haydnjohnson
Sending an Email - Fighting Spam
❏ Probably not an issue
❏ Others can validate we are real
❏ Spam filtering

63. @haydnjohnson
How I learned

64. @haydnjohnson
What I DID!

65. @haydnjohnson
What I DID!
https://www.trustedsec.com/social-engineer-toolkit/
https://getgophish.com/
https://github.com/Raikia/FiercePhish

66. @haydnjohnson
What I DID!
https://www.cobaltstrike.com/
Free-Trial

67. @haydnjohnson
What I did
❏ Installed
❏ Played around
❏ Decide on preferred tool

68. @haydnjohnson
Frameworks

69. @haydnjohnson
Framework
Criteria

70. @haydnjohnson
Framework Criteria
❏ Send email
❏ Track email opening
❏ Clone a website & save credentials
❏ Ability to edit cloned site (for c2)
❏ Graphs / Result recording

71. @haydnjohnson
Installation

72. @haydnjohnson
Gophish
❏ Download binary
❏ Chmod
❏ RUN
❏ literally….
https://getgophish.com/

73. @haydnjohnson
Gophish

74. @haydnjohnson
Gophish

75. @haydnjohnson

76. @haydnjohnson
FiercePhish

77. @haydnjohnson
FiercePhish
Not compatible with Kali

78. @haydnjohnson
FiercePhish
Ubuntu 16

79. @haydnjohnson
FiercePhish
Configuration script

80. @haydnjohnson
FiercePhish

81. @haydnjohnson
Careful

82. @haydnjohnson

83. @haydnjohnson
Social Engineer ToolKit (SET)

84. @haydnjohnson
SET
Installed in Kali by default!

85. @haydnjohnson
SET
Installed in Kali by default!

86. @haydnjohnson
SET
Options!

87. @haydnjohnson
SET
More Options!

88. @haydnjohnson
Requirements - Phishing framework
❏ Send email
❏ Track email opening
❏ Clone website & save credentials
❏ Graphs / Results

89. @haydnjohnson
Requirements - Phishing framework
Send Email
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike YES

90. @haydnjohnson
GoPhish |

91. @haydnjohnson
| FiercePhish

92. @haydnjohnson
Cobalt Strike

93. @haydnjohnson
Requirements - Phishing framework
Track Opening email
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike YES

94. @haydnjohnson
GoPhish

95. @haydnjohnson
Fierce Phish

96. @haydnjohnson
Requirements - Phishing framework
Clone a website & save credentials
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike YES

97. @haydnjohnson
GoPhish

98. @haydnjohnson
SET

99. @haydnjohnson
Cobalt Strike

100. @haydnjohnson
Requirements - Phishing framework
Graphs / Result recording
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike YES & YES

101. @haydnjohnson
Practice

102. @haydnjohnson
Morning Catch
VM
Practice Phishing
No DNS
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

103. @haydnjohnson
Morning Catch
Login Page
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

104. @haydnjohnson
Morning Catch
Email

105. @haydnjohnson
Morning Catch
Warning:

106. @haydnjohnson
Webpages

107. @haydnjohnson
Cloud - DropBox
http://withr.me/add-domain-name-for-your-ser
ver-on-digitalocean/

108. @haydnjohnson
Domain

109. @haydnjohnson
Domain

110. @haydnjohnson
HTML
Not perfect

111. @haydnjohnson
HTML
Does the job

112. @haydnjohnson
All the payloads

113. @haydnjohnson
Website - SSL
❏ It's just too easy
❏ Seems more legit
Sources:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-onubuntu-14-04
http://www.irongeek.com/i.php?page=videos/bsidesphilly2016/cj00-attackers-perspective-a-technicaldemonstrat
ion-of-an-email-phishing-attack-zac-davist

114. @haydnjohnson
Website - SSL
❏ Create demo user
❏ Download letsencrypt + install (python)
❏ Run – add domain + allow 443
❏ SSL encrypted
Sources:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

115. @haydnjohnson
Website - SSL
❏ Started with no SSL

116. @haydnjohnson
Website - SSL
❏ sudo add-apt-repository ppa:certbot/certbot
❏ sudo apt-get install python-certbot-apache
❏ sudo certbot --apache -d example.com

117. @haydnjohnson
Website - SSL
❏ allow port 443 through firewall!

118. @haydnjohnson
Website - SSL
❏ It is secure!

119. @haydnjohnson
Different Payloads

120. @haydnjohnson
Payloads
❏ HTA
❏ Click Once
❏ DLL

121. @haydnjohnson
Payloads
HTA (executable)
HTML Applications
https://enigma0x3.net/2016/03/15/phishing-with-empire/
https://en.wikipedia.org/wiki/HTML_Application
https://blog.malwarebytes.com/cybercrime/2016/09/surfacing-hta-infections/

122. @haydnjohnson
HTA
Empire
https://enigma0x3.net/2016/03/15/phishing-with-empire/

123. @haydnjohnson
HTA

124. @haydnjohnson
HTA
Testing

125. @haydnjohnson
HTA
User Interaction 1

126. @haydnjohnson
HTA
User Interaction 2

127. @haydnjohnson
HTA
User Interaction 3

128. @haydnjohnson
HTA
Receive Shell

129. @haydnjohnson
DLL
Empire
https://sensepost.com/blog/2016/intercepting-passwords-with-empire-and-winning/

130. @haydnjohnson
DLL
Creating DLL

131. @haydnjohnson
DLL
Serving DLL

132. @haydnjohnson
DLL
Serving DLL

133. @haydnjohnson
DLL
Rundll32.exe

134. @haydnjohnson
DLL
MSF
Wouldn’t work
https://www.sixdub.net/?p=627
http://www.powershellempire.com/?page_id=135

135. @haydnjohnson
Click Once

136. @haydnjohnson
Click Once
Idea from:
http://www.irongeek.com/i.php?page=videos/bsidesphilly2
016/cj00-attackers-perspective-a-technical-demonstration-o
f-an-email-phishing-attack-zac-davis
Great amazing video - phishing & post-exploitation

137. @haydnjohnson
Click Once
Works up to Win 7
Requires Internet Explorer
Win 8 == Smart Screen Filter (Signed Cert)
https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/
https://msdn.microsoft.com/en-us/library/t71a733d.aspx
https://msdn.microsoft.com/en-us/library/748fh114.aspx

138. @haydnjohnson
Click once
Placed in COA/Application Files/

139. @haydnjohnson

140. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()
❏ IE blocks popup

141. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()

142. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()
❏ IE blocks popup

143. @haydnjohnson
Click Once
Using JavaScript
❏ 2nd popup

144. @haydnjohnson
Click Once
“Click Once”
❏ 3rd popup

145. @haydnjohnson
Click Once
Submit Button
❏ action=

146. @haydnjohnson
To PHP page
Click Once

147. @haydnjohnson
Click Once
PHP to COA folder
❏ header()

148. @haydnjohnson
Click Once
User Interaction

149. @haydnjohnson
Click Once
Calc.exe

150. @haydnjohnson
Key Take aways

151. @haydnjohnson
Lesson Learned
❏ Consider the user interaction
❏ Consider the technology to bypass

152. @haydnjohnson
Lesson Learned
❏ Things gonna not work
❏ Try and test
❏ Think outside the square

153. @haydnjohnson
Questions and
Comments
Thank you