DeepSea phishing gear aims to help RTOs and pentesters with the delivery of opsec-tight, flexible email phishing campaigns carried out on the outside as well as on the inside of a perimeter.
Code: https://github.com/dsnezhkov/deepsea/
Goals
• Operate with a minimal footprint deep inside enterprises (internal phish delivery).
• Seamlessly operate with external and internal mail providers (e.g. O365, Gmail, on-prem mail servers).
• Quickly re-target connectivity parameters.
• Flexibly add headers, targets, attachments.
• Correctly format and inline email templates, images and multipart messages.
• Use content templates for personalization.
• Account for various secure email communication parameters.
• Clearly separate artifacts, mark databases and content delivery for multiple (parallel or sequential) phishing campaigns.
• Help create content with minimal dependencies. Embedded tools to support Markdown->HTML->TXT workflow.
3. Deep Sea Phishing Gear
9/25/2020 3
“Aims to help red team operators and pentesters with the delivery of portable, OpSec-tight, flexible email phishing campaigns carried out on the outside and on the inside of a perimeter.”
Ok, I have like 10 phishing tools already …
4. Why another tool?
• Increased Portability
• Operational Security
• Extensibility and Flexibility
• Minimized Dependency footprint
• Adaptability to harsh environments
• Quick campaign retooling
• Ability to mimic and augment existing email templates
• Burning desire to keep a mark on the hook for longer :)
5. Anatomy of a phish
✓ Flexibly add headers, targets, attachments.
✓ Correctly format and inline email templates, images and multipart messages.
✓ Use content templates for personalization.
✓ Clearly separate artifacts, mark databases and content delivery for multiple (parallel or sequential) phishing campaigns.
6. Anatomy of a phish
✓ Help create content with minimal dependencies.
✓ Embedded tools to support Markdown->HTML->TXT workflow.
✓ Attribution Linking
✓ Concise configuration.
9. Anatomy of a phish
✓ Operate with a minimal footprint deep inside enterprises
✓ Seamlessly operate with external and internal mail providers (e.g. O365, Gmail, on-premise mail servers)
✓ Quickly re-target connectivity parameters.
✓ Account for various email communication parameters.
12. Deep Sea Operation
1. Use Deep Sea
2. How to construct and process content?
3. How to leverage existing email templates?
4. How to embed resources in the email?
5. How to inline content?
6. How to multipart content?
7. How to connect to an external service provider or relay?
8. How to connect to an internal service provider or relay?
9. How to attach payloads?
10. How to send email?
11. How to use dynamic content?
12. How to construct attributable links?
13. How to capture and maintain threaded conversations?
14. How to run multiple campaigns?
Ok, you get it...
27. Deep Sea Operation: Markdown
✓ Convert from MD to HTML Template
✓ Inject dynamic template variables
✓ Inline email (Style merge)
✓ Multipart Email
✓ Send email
28. Deep Sea Operation: Markdown
Email in the Inbox:
Less HTML headache,
more !
36. Deep Sea Operation: MX Rebinding
Phase I
1. Internal DeepSea deploys phish
2. Internal mark intends to respond
3. Internal mark’s infra looks up external adversarial domain MX/SPF record
Phase II
1. MX rebinds SMTP server communication to an address of phisher on corporate network
2. Internal mail client sends email to DeepSea server
3. DeepSea accepts SMTP and carries on the thread
38. Deep Sea Operation: MX Rebinding. Mail
[Diagram labels: LAN IP; MX lookup to LAN IP; SPF send from LAN IP]
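A defender-side check for the MX rebinding flow above, as an added example that is not part of the original slides or the DeepSea code base: it scans resolver log records for outside domains whose MX host resolves into LAN address space or whose SPF record authorises LAN addresses. The log format, SAMPLE_LOG, INTERNAL_ZONES and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver-log sample ("qname qtype rdata"); names and addresses are made up.
SAMPLE_LOG = """\
partner.example MX 10 mail.partner.example
mail.partner.example A 203.0.113.25
partner.example TXT "v=spf1 ip4:203.0.113.0/24 -all"
invoices-portal.example MX 5 mx.invoices-portal.example
mx.invoices-portal.example A 10.20.30.40
invoices-portal.example TXT "v=spf1 ip4:10.20.30.40 -all"
corp.internal MX 10 exch01.corp.internal
exch01.corp.internal A 10.1.1.5
"""
INTERNAL_ZONES = ("corp.internal",)  # assumption: zones the organisation itself owns
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def is_internal(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)

def in_lan(value):  # value: a single address or a CIDR range
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return any(net.version == lan.version and net.overlaps(lan) for lan in LAN_NETS)

def find_rebinding_candidates(log_text):
    mx, addrs, spf = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        qname, qtype, rdata = parts[0].rstrip(".").lower(), parts[1].upper(), parts[2].strip()
        if qtype == "MX":
            mx[qname].append(rdata.split()[-1].rstrip(".").lower())
        elif qtype in ("A", "AAAA"):
            addrs[qname].append(rdata)
        elif qtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            for term in rdata.strip('"').split()[1:]:
                mech = term.lstrip("+-~?")
                if mech.lower().startswith(("ip4:", "ip6:")):
                    spf[qname].append(mech[4:])
    findings = set()
    for domain in (d for d in set(mx) | set(spf) if not is_internal(d)):
        # MX exchange of an outside domain resolving into LAN space, or SPF authorising it
        findings.update((domain, "MX", ip) for ex in mx[domain] for ip in addrs[ex] if in_lan(ip))
        findings.update((domain, "SPF", r) for r in spf[domain] if in_lan(r))
    return sorted(findings)
```

Each finding is a (domain, record type, address) tuple; the organisation's own zones are skipped because their mail hosts legitimately resolve to LAN addresses.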
39. Summary
• Operate with a minimal footprint deep inside enterprises (Internal phish delivery).
• Seamlessly operate with external and internal mail providers (e.g. O365, Gmail, on-premise mail servers)
• Quickly re-target connectivity parameters.
• Flexibly add headers, targets, attachments.
• Correctly format and inline email templates, images and multipart messages.
• Use content templates for personalization.
• Account for various secure email communication parameters.
• Clearly separate artifacts, mark databases and content delivery for multiple (parallel or sequential) phishing campaigns.
• Help create content with minimal dependencies.
• Embedded tools to support Markdown->HTML->TXT workflow.
• Concise configuration.