HackCon - Phishing- Going from Recon to Creds - Adam Compton...SPF -Sending Emails Can simulate...

Phishing:GoingfromRecontoCredsHackcon2016EditionAdamCompton

Agenda

●TalkaLittleAboutMyself●WhatisPhishing?●AStandardPhishingProcess● SpeedPhishingDemo

https://github.com/tatanus/SPF

AdamCompton

Father- 5yrsHusband-16yrsSecurityResearcher- 16yrsProgrammer- 34yrsHillbilly- 39yrs

@tatanushttps://github.com/tatanushttp://blog.seedsofepiphany.com/

adam.compton@gmail.comadam_compton@rapid7.com

WhatisPhishing?

"theattempttoacquiresensitiveinformation...bymasqueradingasatrustworthyentityinanelectroniccommunication."- Wikipedia(Phishing)

WhyPhish?

PotentialhighreturnoninvestmentMaybeeasiestwayonanetworkItworks!Peoplewanttobehelpful.

GoingBacktothe90s

“AOHell includesa''fisher''thatallowsausertoposeasanAOLofficialandasknewmembersforpasswordsorcredit-cardnumbers.”- SanJoseMercury1995

Whatkindofsensitiveinfo?

CredentialsCreditCardsIdentity- PIIHealthInformationBitcoinWalletsSteamAccounts

TypesofPhishingAttacks

Attack Magnitude Targeting

Phishing Many General

SpearPhishing 10s- 100s Group,Company

Whaling One Executive

StandardPhishingProcess

Thelistoftargetsandanyotherinfothatwillhelp

Findthroughcompanysite,googlesearches,andevensocialmedia

Listmaybeprovidedbycustomer

ReconTools

Settingupweb,dns and/ormailservers

Createaconvincingscenario,writetheemail

Testtheentireprocess!

Thismaybeyouronlychancetofixissues

CredentialHarvesting =>LoginInformation

ExploitingClient =>MetasploitSessions

Thisstepisbasedonscopeofwork

AttackTools- SetuptoPostCompromise

Everyone’sFavoritePart!AtMinimum:•DescribetheAttackScenario•Targets•CollectedCredentialsorCompromisedSystemsIncludeStatistics

Iamlazy- Canwemakethiseveneasier?

Yes...Automation!

ProgramAPIs•BeEF RESTFul API•Recon-cli•SET- seautomateParseCommandlineToolOutputPython,Perl,&Bash

SpeedPhishingFramework- SPF

Automatescommontasksneededtoperformaphishingexercise

WritteninPython

Minimalexternaldependencies

CurrentFeatures

HarvestsEmailAddressSetups&HostsWebsitesSendsphishingemailstotargetsRecordsCreds andKeystrokesCreatesVERYSimpleReport

SPF- UsageStatement/Options

SPF- ConfigFile

SPF- StandardPhishingProcess

SPF- Reconnaissance

Searchesonlinesearchengineslike:◦Google,Bing,andDuckDuckGo

CanuseexternaltoolssuchastheHarvester

SPF- IdentifyingPotentialTargets

SPF- SetupandDeploy

Built-inwebserverbasedonTwistedpythonlibrary

Templated samplewebsiteswithaccompanyingemailtemplates

Abilitytodynamicallycloneadditionalloginportalsasneeded

SPF- LoadingWebSites

SPF- WebSites

SPF- SendingEmails

Cansimulatesendingofemails

Sendsemailsinaroundrobinstylealternatingacrossallphishingsites

Sendsemailsvia3rdpartySMTPserverorbyconnectingdirectlytothetarget'smailserver

SPF- SendingEmails

SPF- CollectResponses&PostExploitation

LogsallaccesstothewebsitesLogsallformsubmissionsLogsallkeystrokes

Hasabilitytopillageemailaccounts

SPF- CollectingResults

Reports

SavesalldataandactivitylogstoassessmentspecificdirectorystructureGeneratessimpleHTMLreport

SPF- SimpleReport

Advanced/ExperimentalFeatures

CompanyProfiler◦ Identifywhichifanytemplatesshouldbeused◦ Dynamicallygeneratenew"target-specific"phishing sitesPillage◦ Verifycredentials◦ Downloadattachments◦ Searchfor"SSN,password, login,etc…)

SPFDemo

Weshallallnowpraytothedemogods

FutureWork/Features

MoreexternaltoolsBetterProfiling/PillagingFancyReportsIncorporateSSL(possiblyviahttps://letsencrypt.org/).

Suggestions?

AHUGEThankYouto:

Recon-ng- TimTomes(lanmaster53)BeEF - WadeAlcorntheHarvester - ChristianMartorellaSocialEngineeringToolkit- DaveKennedyMorningCatch- RaphaelMudge

Defense

Preparation◦UserAwareness&PeriodicTesting

Detection&Analysis◦Alerts,MailProxies

Containment,EradicationandRecovery◦Haveaplanthatisreadyandtested

Defense

Preparation◦UserAwareness&PeriodicTesting

Detection&Analysis◦Alerts,MailProxies

Containment,EradicationandRecovery◦Haveaplanthatisreadyandtested

ThankYou!

AdamCompton@tatanushttps://github.com/tatanushttp://blog.seedsofepiphany.com/adam.compton@gmail.comadam_compton@rapid7.com

HackCon - Phishing- Going from Recon to Creds - Adam Compton...SPF -Sending Emails Can simulate...

Documents

Transcript of HackCon - Phishing- Going from Recon to Creds - Adam Compton...SPF -Sending Emails Can simulate...

Sending Emails and SAP Mail

Consulte alguns dos exemplos de emails de phishing identificados

SPAM, MALWARE, Phishing et emails Commerciaux · «Predictive Email Defense» contre les spam, malware, phishing et emails commerciaux : retour d’expérience de la ville d’Asnières

Fact Sheet: Sending Elected Officials Emails, Letters, and ......Fact Sheet: Sending Elected Officials Emails, Letters, and Faxes Emails You can also contact your elected officials

How To Spot Fake Phishing Emails and Report Them

6 EMAILS EVERY REAL ESTATE AGENT SHOULD BE SENDING

1 in 414 Emails are a phishing attack

Phishing Email Attacks - AVAREN ITfor spear phishing attacks. Spear phishing is nearly identical to standard email . phishing – except it is more targeted. Rather than sending the

Phishing Test Templates · 2020. 12. 9. · Phishing Test Templates Our most eﬀective phishing emails, and why they work. Here are our Top 10 Phishing Email templates. Use them

Attackers are taking advantage of the COVID-19 pandemic by ... · Security Awareness Training Attackers are taking advantage of the COVID-19 pandemic by sending phishing emails that

Computer crime, ethics and security...Phishing – setting up fake websites or sending emails that looks like true website and asking personal information from you. It may instruct

Deploying Discreet Infrastructure For Targeted Phishing ... · What is Phishing? Phishing can be explained as an activity, which involves sending emails from seemingly reputable sources

PHISHING PREVENTION TRAINING White Papers...phishing. Phishing emails are used by attackers to deliver viruses, steal passwords, install ransomware and impersonate corporate officers

Santa’s Emails By Alexander Britton. Sending an email.

Sending Emails in College

DETECTION OF PHISHING AND SPAM EMAILS …trap.ncirl.ie/4148/1/michaeloluwasegunakinrele.pdf1 Detection of Phishing and Spam Emails Using Ensemble Technique MICHAEL OLUWASEGUN AKINRELE

Detecting Deceptive Patterns in Phishing Emails · 2014. 7. 31. · Detecting Deceptive Patterns in Phishing Emails Matthew Barba-Rodriguez Advisers: Lauren M. Stuart, Drs. Julia

So, you think you’re good at spotting phishing emails

PHISHING SAMPLE EMAILS------------------- · -----PHISHING SAMPLE EMAILS----- Standard Bank does not send *.htm or *.html attachments that direct you to what appears to be a login

COVID-19 (Coronavirus) Phishing Scams · sending phishing emails that look like legitimate awareness training or refunds for event cancellations. Falling for one of these malicious

PHISHING SAMPLE EMAILS------------------- · -----PHISHING SAMPLE EMAILS----- Standard Bank does not send .htm or .html attachments that direct you to what appears to be a login