Download to read offline
![How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/howbigbrandsaretakingyourtrafficinalbertadatainside-260123180142-42d276f3-thumbnail.jpg?width=640&height=640&fit=bounds)
HackCon - SPF
- 1. Phishing: Going from Recon toCreds Hackcon 2016 Edition Adam Compton
- 2. Agenda â—ŹTalk a LittleAbout Myself â—ŹWhat is Phishing? â—ŹA Standard Phishing Process â—ŹSpeed Phishing Demo https://github.com/tatanus/SPF
- 3. Adam Compton Father -5 yrs Husband -16 yrs Security Researcher - 16 yrs Programmer - 34 yrs Hillbilly - 39 yrs @tatanus https://github.com/tatanus http://blog.seedsofepiphany.com/ adam.compton@gmail.com adam_compton@rapid7.com https://github.com/tatanus/SPF
- 4. What is Phishing? "theattempt to acquire sensitive information...by masquerading as a trustworthy entity in an electronic communication." - Wikipedia (Phishing) https://github.com/tatanus/SPF
- 5. Why Phish? Potential highreturn on investment May be easiest way on a network It works! People want to be helpful. https://github.com/tatanus/SPF
- 6. Going Back tothe 90s “AOHell includes a ''fisher'' that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.” - San Jose Mercury 1995 https://github.com/tatanus/SPF
- 8. What kind ofsensitive info? Credentials Credit Cards Identity - PII Health Information Bitcoin Wallets Steam Accounts https://github.com/tatanus/SPF
- 9. Types of PhishingAttacks Attack Magnitude Targeting Phishing Many General Spear Phishing 10s - 100s Group, Company Whaling One Executive https://github.com/tatanus/SPF
- 10.
- 11. The list oftargets and any other info that will help Find through company site, google searches, and even social media List may be provided by customer https://github.com/tatanus/SPF
- 12.
- 13. Setting up web,dns and/or mail servers Create a convincing scenario, write the email Test the entire process! This may be your only chance to fix issues https://github.com/tatanus/SPF
- 14. Credential Harvesting =>Login Information Exploiting Client => Metasploit Sessions This step is based on scope of work https://github.com/tatanus/SPF
- 15. Attack Tools -Setup to Post Compromise https://github.com/tatanus/SPF
- 16. Everyone’s Favorite Part! AtMinimum: •Describe the Attack Scenario •Targets •Collected Credentials or Compromised Systems Include Statistics https://github.com/tatanus/SPF
- 17. I am lazy- Can we make this even easier? Yes...Automation! Program APIs •BeEF RESTFul API •Recon-cli •SET - seautomate Parse Commandline Tool Output Python, Perl, & Bash https://github.com/tatanus/SPF
- 18. SpeedPhishing Framework -SPF Automates common tasks needed to perform a phishing exercise Written in Python Minimal external dependencies https://github.com/tatanus/SPF
- 19. Current Features Harvests EmailAddress Setups & Hosts Websites Sends phishing emails to targets Records Creds and Keystrokes Creates VERY Simple Report https://github.com/tatanus/SPF
- 20. SPF - UsageStatement / Options https://github.com/tatanus/SPF
- 21. SPF - ConfigFile https://github.com/tatanus/SPF
- 22. SPF - StandardPhishing Process https://github.com/tatanus/SPF
- 23. SPF - Reconnaissance Searchesonline search engines like: â—¦Google, Bing, and DuckDuckGo Can use external tools such as theHarvester https://github.com/tatanus/SPF
- 24. SPF - IdentifyingPotential Targets https://github.com/tatanus/SPF
- 25. SPF - Setupand Deploy Built-in web server based on Twisted python library Templated sample web sites with accompanying email templates Ability to dynamically clone additional login portals as needed https://github.com/tatanus/SPF
- 26. SPF - LoadingWeb Sites https://github.com/tatanus/SPF
- 27. SPF - WebSites https://github.com/tatanus/SPF
- 28. SPF - SendingEmails Can simulate sending of emails Sends emails in a round robin style alternating across all phishing sites Sends emails via 3rd party SMTP server or by connecting directly to the target's mail server https://github.com/tatanus/SPF
- 29. SPF - SendingEmails
- 30. SPF - CollectResponses & Post Exploitation Logs all access to the web sites Logs all form submissions Logs all key strokes Has ability to pillage email accounts https://github.com/tatanus/SPF
- 31. SPF - CollectingResults https://github.com/tatanus/SPF
- 32. Reports Saves all dataand activity logs to assessment specific directory structure Generates simple HTML report https://github.com/tatanus/SPF
- 33. SPF - SimpleReport
- 34. Advanced/Experimental Features Company Profiler ◦Identify which if any templates should be used ◦ Dynamically generate new "target-specific" phishing sites Pillage ◦ Verify credentials ◦ Download attachments ◦ Search for "SSN, password, login, etc…) https://github.com/tatanus/SPF
- 35. SPF Demo We shallall now pray to the demo gods https://github.com/tatanus/SPF
- 36. Future Work/Features More externaltools Better Profiling/Pillaging Fancy Reports Incorporate SSL (possibly via https://letsencrypt.org/). Suggestions? https://github.com/tatanus/SPF
- 37. A HUGE ThankYou to: Recon-ng - Tim Tomes (lanmaster53) BeEF - Wade Alcorn theHarvester - Christian Martorella Social Engineering Toolkit - Dave Kennedy Morning Catch - Raphael Mudge https://github.com/tatanus/SPF
- 38. Defense Preparation â—¦User Awareness &Periodic Testing Detection & Analysis â—¦Alerts, Mail Proxies Containment, Eradication and Recovery â—¦Have a plan that is ready and tested https://github.com/tatanus/SPF
- 39. Defense Preparation â—¦User Awareness &Periodic Testing Detection & Analysis â—¦Alerts, Mail Proxies Containment, Eradication and Recovery â—¦Have a plan that is ready and tested https://github.com/tatanus/SPF
- 40.
- 41.
Editor's Notes
- #2 Good afternoon I’m Adam Compton and today we are going be talking about phishing
- #3Â First of all, lets go over the obligatory agenda slide. The talk today will start with a brief overview of email phishing and end with the presentation of a new phishing tool I started developing last year.
- #4Â My name is Adam Compton. I have been doing information security research and professional services for most of my professional life. I am married with children. While I love them all, I do enjoy getting away from them once in a while. Yes I am a hillbilly from the Appalachian Mountains of the eastern Untied States and proud of it. So, why am I here? Because I believe in trying to give back to the community. While not everyone may find this talk or the associated tool as interesting as I do, hopefully enough will to make this worth it.
- #5Â So, what is phishing? At its most basic, phishing is attempting to gain sensitive information by manipulating someone through electronic communication. This may take the form of email, messages, in game communications, and so on.
- #6Â Yes phishing is just one attack vector that malicious advisories can leverage to gain access to sensitive systems and data. So why would someone phish when there are these other possible attack vectors? What makes it so interesting, so successive? Because phishing has a high return on investment; targeting 10 people or 1000 typically takes the same amount of effort for an attacker. Many times it may be the easiest way to get on a network that has a low external attack surface. Finally, it just works. Phishing exploits some our basic human needs. People want to be helpful.
- #7Â Another reason is that phishing is time tested. It has worked for over 20 years, going back to the mid-90s with America Online. Some of the earliest evidence of phishing attacks I could find was script kiddies using visual basic or C++ programs on AOL. One of the most popular was AOHell. The San Jose Mercury, all the way back in 95, reported that AOHell includes a ''fisher'' that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.
- #8 Here is an example of AOHell Running. Here it has “Phishing for PWs”, a list of targets, the message and the IM responses. It really hasn’t gotten much more complicated since then and in many cases, phishing may be even easier and more effective today.
- #9Â What kind of sensitive information are attackers after? Most are after either access to systems or they are trying to make money. This could be through stealing credit cards or PII (personally Identifiable Information) that could be used to open a line of credit or recently health information. The health care information is usually used to aid in heathcare insurance fraud. Recently there have been attacks against bitcoin brokers and even steam or other online game accounts
- #10 What are the primary types of phishing attacks? Regular Blanket email attacks, usually they are very simple (requiring little to no advance research) You probably get these types of attacks all of the time, and they are just flagged as SPAM Spear Phishing - typically used when targeting a group of people with a shared commonality such as the employees of a specific company (this usually requires some advanced research to make the phish believable, such as at a minimal the company logo and so on) Whaling - When all you want is the CEO, president, or similar high level target (this requires a lot of prep work to get right as you likely only get one chance to get it correct) Most professional consulting engagements will involve either spear fishing or in some instances whaling, you won’t be going after the entire internet.
- #11Â Now we are going to step through a standard phishing process, everyone has their own methodology but this seems to be the most common we could find.
- #12Â It all starts with Recon. This is where you are collecting the list of targets and any other information that may help. You can use sources such as the company's own website (there may be a employee listing page), google searches (people love to post to forums and blogs using their company email addresses), and social media sites (such as facebook and linkedin)
- #13Â There are a lot of tools out there Recon-NG and, to a more limited degree, theHarvester can aid in the identification of potential targets for a phishing exercise. Foca and MetaGoofil are document metadata analyzers that can be used to find machine names, usernames, software versions and much more. Maltego and Netglub are great tools for mass research of a company or person and chaining that information together.
- #14 Next is the setup and deployment, this usually includes setting up servers such as web, dns and mail. Once everything is running and you’ve created a convincing scenario using the recon from earlier it’s time to send the emails. You really should send a few test emails to yourself and then step through the entire process from start to finish. This may be the only chance you have to fix things. STORY: I will admit that on at least one occasion, I failed to do the proper testing. The % of people clicking on the link was much lower than I had expected. When I went back to figure out what could have happened, I realized I had put the wrong company name in the email and the website had a broken image for the logo. However this screw up on my part still ended up being somewhat useful as it demonstrated that at least some % of the company's employees would click on anything and were willing to just give their creds away to any old site regardless of how ugly it was.
- #15Â Next, you need to collect the responses, for a credential harvesting attack this could be usernames and passwords, if you were exploiting the client, it would be metasploit sessions. Either way, you need to decide what you want to do now. Do you just document the credentials or the compromised systems and go on your way? Or do you use those to continue the assessment and turn the phishing attack into a potential internal penetration test? A lot of this decision is based on the agreement with the customer
- #16Â There are several attack tools that will tak you through the process from setup and deployment, all the way to post compromise The Social Engineering Toolkit is great general purpose tool to aid a pentester in performing client side attacks, it has one of the largest feature sets. Phishing Frenzy while not as robust as SET, does have a web based UI and is very user friendly for people just getting started in phishing. Browser Exploitation Framework is more of an attack platform than a phishing tool. But I find it works very well when partnered with other tools. GoPhish is a new comer to the phishing landscape. It is another opensource tool with provides a gui and much of the same functionality as the others. I have not had time to fully test this solution yet.
- #17 Now we get to everyone’s favorite part, the reporting! This is where you review all of your notes and produce a report for the customer. At a minimum, you will need to describe the attack scenario, list the targets, and any results such as collected credentials or compromised systems. Really good reports will include statistics and show the business impact of the attack.
- #18Â Okay, I am not lazy but as a programmer I do like to find ways to automate repetative processes when possible. Many of the common tools (such as SET, Recon-ng, and BeEF) already have APIs available for us to use or they are command line tools (such as theHarvester) whose output can be easily parsed.
- #19Â Let me introduce SPF "The SpeedPhishing Framework" (yes it is a play on the name "Sender Policy Framework"). SPF is is my attempt to automate common tasks needed for a standard phishing exercise. Currently it focuses on credential harvesting attacks, but I plan on expanding it into other attacks in the future. It is written in Python. I chose python for no real reason other than I just felt this would be a fun python project. I did not and still do not intend SPF to be a replacement or competitor for something like the Social Engineering Toolkit. I feel both occupy different roles and both can co-exist nicely.
- #20Â Currently SPF can harvest potential emails from the internet by using many popular search engines such as google, bing, and duckduckgo. Through the use of templates, it can deploy 1 or more web sites designed to capture credentials It can send emails to the previously identified targets instructing them to go to one of the deployed phishing websites. It collects all credentials and keystrokes entered into the web sites. It keeps a full log of all activities. It can even generate a simple html based report when finished.
- #21Â SPF is a command line tool. And like all good command line tools, it has a nice lengthy usage statement. This is just a small snippet of it here. You will see the full one when we get to the demo in a bit.
- #22Â In addition to the commandline arguments, SPF also makes use of a config file. The config file is used for some of the setting that are not changed that often and are common across multiple assessments.
- #23Â Over the next few slides we will be revisiting the standard phishing process steps I listed previously.
- #24Â Depending on the commandline arguments provided, SPF can use both built-in and external tools to perform some Internet recon on the target company. SPF can attempt to identify to identify target email addresses, as well as web and mail servers the company may have on the Internet.
- #25Â Here is a few shots of SPF gathering target email addresses.
- #26Â SPF has a built in webserver and comes with multiple (currently I think there are 5) website templates that can be used. SPF also has an available "advanced" feature that allows it to quickly search any websites the target company hosts and then determine if they contain a login portal, and if so, SPF will clone the site and use it as another available phishing template. I will talk more about this after while.
- #27Â Again, just a shot of SPF loading a few web templates.
- #28Â Here is just a sampling of what some of the phishing website templates look like. As you may (or may not) be able to tell, they are fairly common websites, which many companies may already use.
- #29Â SPF performs a round-robin style of sending emails. It loops of any web sites that have been deployed, pops an email address of the list, and send an email to that address instructing the recipient to go to the web site. then it would go to the next and so on. This is done in an effort to ensure an equal distribution of recipients being directed to each phishing site. In order to send the emails, SPF can make use of a 3rd party email server (such as gmail) or it will attempt to connect directly to the target company's smtp server and send them that way.
- #30Â Here you can see SPF simulating the sending of the emails.
- #31Â As mentioned before currently SPF is focused on credential harvesting. As such, it is designed to key log all actavity on the hosted phishing web sites as well as storing any form data the visitor may finally submit. And as another advanced/experimental feature, SPF has the ability to automatically attempt to pillage any email accounts it can find. Again, this will be discussed more in a bit.
- #32Â Just a sampling of SPF collecting keylogs and form submissions.
- #33Â And yes, SPF does generate a simple html based report. It is nothing special, but it is functional. I would like to mention that all of the activity logs, collected data, and so on will be saved in a directory so that you can view/parse/manipulate it to your hearts content if you wish.
- #34Â Like I said, it is nothing special.
- #35Â Two of the more experimental features are the Company Profiler and the Pillage modules. I touched on these earlier, but now, lets get into the details a bit more. The Company Profiler servers multiple purposes. First, by scanning the internet facing websites of the target company, it can determine which of the built in web templates would work best. Secondly, it can identify and clone any other login portals it identifies. These newly cloned sites will also be used during the phishing exercise. The Pillage module is a most exploit module designed to attempt to validate any collected credentials, login to the target's mail account and download any emails or attachment which match predetermine strings or regular expressions. Currently this only works if the arget has either an IMAP or POP3 mail server.
- #36 Demo Time… Hopefully we can do a live demo, if not we have a few slides that can hopefully provide you an idea of how it works
- #37Â As with all new tools and projects, there are so many things that could be included. I had to pick and choose what I felt should be in the initial release. As a result, here is a list of a few of the items I have not added, but plan on potentially adding later. By popular demand, the ability to track individual emails. Personally I do not find this adds much, but others swear by it. Add more external tool utilization. Enhance the Company Profiling and the email pillaging modules. Improve upon the report SPF generates. Add SSL to the websites. As I do not know all of the web sites and domain names before hand, this can be a bit tricky. Possibly by using something like the "letsencrypt" project could help. Any other suggestions? Anyone want to help, contribute?
- #38Â I just want to take a moment to say thank you to all of the developers of the other phishing tools I have been using for years.
- #40Â One of the most important is User Awareness and testing We can do this by performing phishing exercises with tools such as those described earlier in the presentation.
- #41Â And a big thank you to all of you for sitting through this.
- #42Â Questions?