The document provides a comprehensive overview of phishing, including definitions, types of phishing attacks, and statistics. It discusses techniques for phishing, the importance of social engineering, and the tools used to execute phishing attacks. Additionally, it notes the significance of understanding email security and the potential risks associated with phishing campaigns.

1. @haydnjohnson
Phishing
For the shell
DC618 -> Thank you for having me

2. @haydnjohnson
WhoAMI
❏ Security Analyst | Manager | Purple Teamer
❏ Points (points.com)
❏ Talks: BsidesTO, Circle City Con, HackFest, SecTor
❏ OSCP, Offsec, Purple Team, Gym??
❏ http://www.slideshare.net/HaydnJohnson
Views are my own :)
@haydnjohnson

3. @haydnjohnson
Outline
❏ What is phishing: Phishing Attacks | Real world
❏ Different ‘Phishing’: Clicks | Creds | Shells
❏ Email Minefield
❏ To learn phishing - What does that involve | require
❏ How I learned to phish - frameworks, Payload, VM

4. @haydnjohnson
Real attacks - stats
* Why should you care about phishing *
Phishing is now the #1 delivery vehicle
for ransomware and other malware.
https://blog.barkly.com/phishing-statistics-2016

5. @haydnjohnson
Top 10 Internet Scams
1. Phishing emails and Phony Web pages
2. The Nigerian scam, also known as 419
3. Lottery scams
4. Advanced fees paid for a guaranteed loan or credit card
5. Items for sale overpayment scam
6. Employment search overpayment scam
7. Disaster relief scams
8. Travel scams

6. @haydnjohnson
Phishing Examples
Email
https://www.incapsula.com/web-application-security/phishing-attack-scam.html

7. @haydnjohnson
Phishing Examples - @johnLaTwc
Excel

8. @haydnjohnson
Phishing Examples - @johnLaTwc
AV

9. @haydnjohnson
Phishing Campaigns
Spam
Spear

10. @haydnjohnson
❏ Many emails
❏ High amount of emails hoping for high amount of victims
❏ “Spray and pray”
❏ Not specific to one person or company
Spam Campaign

11. @haydnjohnson
Spam Campaign

12. @haydnjohnson
❏ Few emails
❏ Research
❏ High value target
❏ Like marketing, entices you to open
Spear Phishing Campaign

13. @haydnjohnson
Spear Phishing Campaign

14. @haydnjohnson
Phishing Types
Counting Clicks
Gathering Credentials
Gaining Command & Control

15. @haydnjohnson
Counting Clicks

16. @haydnjohnson
Counting Clicks
“Click Through Rate”
http://www.dummies.com/web-design-development/site-development/calculating-click-through
-rates-for-e-mail-campaigns/

17. @haydnjohnson
Counting Clicks
Page Visitors
http://www.counter12.com/

18. @haydnjohnson
Counting Clicks
PHP code
<?php
if (file_exists('count_file.txt'))
{
$fil = fopen('count_file.txt', r);
$dat = fread($fil, filesize('count_file.txt'));
echo $dat+1;
fclose($fil);
$fil = fopen('count_file.txt', w);
fwrite($fil, $dat+1);
}
else
{
$fil = fopen('count_file.txt', w);
fwrite($fil, 1);
echo '1';
fclose($fil);

19. @haydnjohnson
Gathering Credentials
Intranet
https://twitter.com/dawnstarau/status/
851921378517295104/photo/1

20. @haydnjohnson
Counting Clicks
Click Link Count ClicksReceive Mail Open Mail

21. @haydnjohnson
Gathering
Credentials

22. @haydnjohnson
Getting Credentials
VPN

23. @haydnjohnson
Getting Credentials
Click Link Enter CredentialsReceive Mail Open Mail
Attacker receives credentials Credentials sent to attacker

24. @haydnjohnson
Getting Credentials
ISSUES:
❏ Have to reset passwords
❏ Exposing passwords

25. @haydnjohnson
Command and
Control

26. @haydnjohnson
Command & Control
TYPES OF SHELLS
Synchronous (Reverse, Bind)
Asynchronous (Beacon, Empire Agent)

27. @haydnjohnson
Command & Control
Click Link Download / executeReceive Mail Open Mail

28. @haydnjohnson
Command & Control

29. @haydnjohnson
Command & Control
ISSUES:
❏ Hijacking control
❏ Unencrypted communications
❏ Data out of the network

30. @haydnjohnson
Command & Control

31. @haydnjohnson
Command & Control

32. @haydnjohnson
Email Minefield

33. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

34. @haydnjohnson
NOT SPAM
DNS records | DKIM - email spoof protection
No-deliver notice for recon
https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/Bounce_message
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
Sender Policy
Framework

35. @haydnjohnson
Mail Anti-Virus
Sandbox
Attachment Scanning
Sender
Policy
Framework
Mail
Anti-Virus
https://www.sandboxie.com/index.php?DownloadSandboxie
https://www.mail.com/mail/antivirus/
https://www.jvfconsulting.com/blog/trick-gmail-antivirus-scanner-send-any-fi
le-type-with-gmail-exe-dll-com-bat/
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-cor
porate-security-control-with-a-point-n-click-gui-37f4cbc107d0

36. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail
Anti-Virus
https://support.google.com/mail/answer/25760?hl=en

37. @haydnjohnson
Mail Anti-Virus
Sender
Policy
Framework
Mail
Anti-Virus
https://github.com/carnal0wnage/malicious_file_maker
Test with different files:
❏ Exe
❏ Javascript etc

38. @haydnjohnson
Mail Delivered!
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED

39. @haydnjohnson
Mail Delivered….
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED

40. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

41. @haydnjohnson
McAfee
Trend
Avast
AVG
Host Anti Virus
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Norton
Avira
Bullguard
ABC
DEF
GEH
ETC
ETC
All the brands!

42. @haydnjohnson
Host Anti Virus
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
http://www.blackhillsinfosec.com/?p=5570
http://www.blackhillsinfosec.com/?p=5555
https://null-byte.wonderhowto.com/how-to/bypass-antivirus-using-powershell-and-metas
ploit-kali-tutorial-0167601/
https://blog.netspi.com/10-evil-user-tricks-for-bypassing-anti-virus/
Run in memory
PowerShell
DLL
Remove ‘mimikatz’

43. @haydnjohnson
Code Execution
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution

44. @haydnjohnson
Even more!
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution

45. @haydnjohnson
Pentest part
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
❏ First Landing
❏ AV bypassed
❏ Whitelisting
❏ Constrained Language mode
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

46. @haydnjohnsonhttps://blog.cobaltstrike.com/2012/12/05/offense-in-depth/

47. @haydnjohnson
Intrusion Detection System
& Prevention
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS
❏ NIDS
❏ HIDS
❏ Signature
❏ Anomaly
❏ Passive
❏ Active
https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

48. @haydnjohnson
Intrusion Detection System
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS
❏ Not easy to bypass
❏ Bypass Intranet Proxy | Supply creds
❏ Obfuscation
❏ False negatives
https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-evasion-attackers-burglar-alarm-1284
“%2e%2e%2f%2e%2e%2fc:winntsystem32netstat.exe”
Instead of
“../../c:winntsystem32netstat.exe”

49. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall

50. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall
❏ Bastion Host
❏ DMZ
❏ Deep Packet inspection
❏ Reassemble packets
❏ “NEXTGEN”
https://blog.fortinet.com/2014/10/09/a-few-words-about-evasion-techniq
ues

51. @haydnjohnson
Firewall
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall
❏ Fragmentation
❏ Tunnel ICMP | HTTP
❏ Encryption
❏ Firewalk
http://stephenperciballi.blogspot.ca/
https://www.cybrary.it/video/ids-firewalls-honeypots-whiteboard/

52. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall C2

53. @haydnjohnson
Positive C2
Sender
Policy
Framework
Mail
Anti-Virus
DELIVERED
Host
Anti-virus
Code
Execution
IDS Firewall

54. @haydnjohnson
Phishing mechanics

55. @haydnjohnson
Phishing - what we need to do
❏ Domain
❏ Send Email
❏ Deliver Email

56. @haydnjohnson
Phishing - what we need to do
❏ Social Engineer
❏ Click Link

57. @haydnjohnson
Phishing - what we need to do
❏ Interact
❏ Download
❏ Execute

58. @haydnjohnson
Phishing - what we need to do
❏ Send Email
❏ Deliver Email
❏ Social Engineer interaction
❏ Receive shell

59. @haydnjohnson
Considerations - what do I need to learn
❏ Build a convincing email | pretext
❏ Build a website that is convincing (framework / manual)
❏ Bypass email minefield
❏ Understand payloads and user interaction
References:
https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-yourown-domain-part-1/2/
https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-2-arming-your-serverwith-postfix-dovecot/
https://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-againstspammers/

60. @haydnjohnson
Sending an Email
❏ MTA (Mail Transfer Agent), sending
and receiving e-mail
MDA
MUA
❏ MDA (Mail Delivery Agent) POP / IMAP
email into inbox
MTA
❏ MUA Mail User Agent – email client

61. @haydnjohnson
Sending an Email
❏ Must have a valid SSL/TLS certificate for your mail
server – not self signed
❏ /etc/ssl/private
❏ Virtual or Real accounts
I trust ya

62. @haydnjohnson
Sending an Email - Fighting Spam
❏ Probably not an issue
❏ Others can validate we are real
❏ Spam filtering

63. @haydnjohnson
How I learned

64. @haydnjohnson
What I DID!

65. @haydnjohnson
What I DID!
https://www.trustedsec.com/social-engineer-toolkit/
https://getgophish.com/
https://github.com/Raikia/FiercePhish

66. @haydnjohnson
What I DID!
https://www.cobaltstrike.com/
Free-Trial

67. @haydnjohnson
What I did
❏ Installed
❏ Played around
❏ Decide on preferred tool

68. @haydnjohnson
Frameworks

69. @haydnjohnson
Framework
Criteria

70. @haydnjohnson
Framework Criteria
❏ Send email
❏ Track email opening
❏ Clone a website & save credentials
❏ Ability to edit cloned site (for c2)
❏ Graphs / Result recording

71. @haydnjohnson
Installation

72. @haydnjohnson
Gophish
❏ Download binary
❏ Chmod
❏ RUN
❏ literally….
https://getgophish.com/

73. @haydnjohnson
Gophish

74. @haydnjohnson
Gophish

75. @haydnjohnson

76. @haydnjohnson
FiercePhish

77. @haydnjohnson
FiercePhish
Not compatible with Kali

78. @haydnjohnson
FiercePhish
Ubuntu 16

79. @haydnjohnson
FiercePhish
Configuration script

80. @haydnjohnson
FiercePhish

81. @haydnjohnson
Careful

82. @haydnjohnson

83. @haydnjohnson
Social Engineer ToolKit (SET)

84. @haydnjohnson
SET
Installed in Kali by default!

85. @haydnjohnson
SET
Installed in Kali by default!

86. @haydnjohnson
SET
Options!

87. @haydnjohnson
SET
More Options!

88. @haydnjohnson
Requirements - Phishing framework
❏ Send email
❏ Track email opening
❏ Clone website & save credentials
❏ Graphs / Results

89. @haydnjohnson
Requirements - Phishing framework
Send Email
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike YES

90. @haydnjohnson
GoPhish |

91. @haydnjohnson
| FiercePhish

92. @haydnjohnson
Cobalt Strike

93. @haydnjohnson
Requirements - Phishing framework
Track Opening email
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike YES

94. @haydnjohnson
GoPhish

95. @haydnjohnson
Fierce Phish

96. @haydnjohnson
Requirements - Phishing framework
Clone a website & save credentials
FiercePhish NO
GoPhish YES
SET YES
Cobalt Strike YES

97. @haydnjohnson
GoPhish

98. @haydnjohnson
SET

99. @haydnjohnson
Cobalt Strike

100. @haydnjohnson
Requirements - Phishing framework
Graphs / Result recording
FiercePhish YES
GoPhish YES
SET YES
Cobalt Strike YES & YES

101. @haydnjohnson
Practice

102. @haydnjohnson
Morning Catch
VM
Practice Phishing
No DNS
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

103. @haydnjohnson
Morning Catch
Login Page
https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

104. @haydnjohnson
Morning Catch
Email

105. @haydnjohnson
Morning Catch
Warning:

106. @haydnjohnson
Webpages

107. @haydnjohnson
Cloud - DropBox
http://withr.me/add-domain-name-for-your-ser
ver-on-digitalocean/

108. @haydnjohnson
Domain

109. @haydnjohnson
Domain

110. @haydnjohnson
HTML
Not perfect

111. @haydnjohnson
HTML
Does the job

112. @haydnjohnson
All the payloads

113. @haydnjohnson
Website - SSL
❏ It's just too easy
❏ Seems more legit
Sources:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-onubuntu-14-04
http://www.irongeek.com/i.php?page=videos/bsidesphilly2016/cj00-attackers-perspective-a-technicaldemonstrat
ion-of-an-email-phishing-attack-zac-davist

114. @haydnjohnson
Website - SSL
❏ Create demo user
❏ Download letsencrypt + install (python)
❏ Run – add domain + allow 443
❏ SSL encrypted
Sources:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

115. @haydnjohnson
Website - SSL
❏ Started with no SSL

116. @haydnjohnson
Website - SSL
❏ sudo add-apt-repository ppa:certbot/certbot
❏ sudo apt-get install python-certbot-apache
❏ sudo certbot --apache -d example.com

117. @haydnjohnson
Website - SSL
❏ allow port 443 through firewall!

118. @haydnjohnson
Website - SSL
❏ It is secure!

119. @haydnjohnson
Different Payloads

120. @haydnjohnson
Payloads
❏ HTA
❏ Click Once
❏ DLL

121. @haydnjohnson
Payloads
HTA (executable)
HTML Applications
https://enigma0x3.net/2016/03/15/phishing-with-empire/
https://en.wikipedia.org/wiki/HTML_Application
https://blog.malwarebytes.com/cybercrime/2016/09/surfacing-hta-infections/

122. @haydnjohnson
HTA
Empire
https://enigma0x3.net/2016/03/15/phishing-with-empire/

123. @haydnjohnson
HTA

124. @haydnjohnson
HTA
Testing

125. @haydnjohnson
HTA
User Interaction 1

126. @haydnjohnson
HTA
User Interaction 2

127. @haydnjohnson
HTA
User Interaction 3

128. @haydnjohnson
HTA
Receive Shell

129. @haydnjohnson
DLL
Empire
https://sensepost.com/blog/2016/intercepting-passwords-with-empire-and-winning/

130. @haydnjohnson
DLL
Creating DLL

131. @haydnjohnson
DLL
Serving DLL

132. @haydnjohnson
DLL
Serving DLL

133. @haydnjohnson
DLL
Rundll32.exe

134. @haydnjohnson
DLL
MSF
Wouldn’t work
https://www.sixdub.net/?p=627
http://www.powershellempire.com/?page_id=135

135. @haydnjohnson
Click Once

136. @haydnjohnson
Click Once
Idea from:
http://www.irongeek.com/i.php?page=videos/bsidesphilly2
016/cj00-attackers-perspective-a-technical-demonstration-o
f-an-email-phishing-attack-zac-davis
Great amazing video - phishing & post-exploitation

137. @haydnjohnson
Click Once
Works up to Win 7
Requires Internet Explorer
Win 8 == Smart Screen Filter (Signed Cert)
https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/
https://msdn.microsoft.com/en-us/library/t71a733d.aspx
https://msdn.microsoft.com/en-us/library/748fh114.aspx

138. @haydnjohnson
Click once
Placed in COA/Application Files/

139. @haydnjohnson

140. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()
❏ IE blocks popup

141. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()

142. @haydnjohnson
Click Once
Using JavaScript
❏ window.open()
❏ IE blocks popup

143. @haydnjohnson
Click Once
Using JavaScript
❏ 2nd popup

144. @haydnjohnson
Click Once
“Click Once”
❏ 3rd popup

145. @haydnjohnson
Click Once
Submit Button
❏ action=

146. @haydnjohnson
To PHP page
Click Once

147. @haydnjohnson
Click Once
PHP to COA folder
❏ header()

148. @haydnjohnson
Click Once
User Interaction

149. @haydnjohnson
Click Once
Calc.exe

150. @haydnjohnson
Key Take aways

151. @haydnjohnson
Lesson Learned
❏ Consider the user interaction
❏ Consider the technology to bypass

152. @haydnjohnson
Lesson Learned
❏ Things gonna not work
❏ Try and test
❏ Think outside the square

153. @haydnjohnson
Questions and
Comments
Thank you