4. What is Phishing?
"the attempt to acquire
sensitive information...by
masquerading as a trustworthy
entity in an electronic
communication." - Wikipedia
(Phishing)
https://github.com/tatanus/SPF
5. Why Phish?
Potential high return on investment
May be easiest way on a network
It works! People want to be helpful.
6. Going Back to the 90s
“AOHell includes a ''fisher'' that allows a user to pose as
an AOL official and ask new members for passwords or
credit-card numbers.” - San Jose Mercury 1995
7.
8. What kind of sensitive info?
Credentials
Credit Cards
Identity - PII
Health Information
Bitcoin Wallets
Steam Accounts
9. Types of Phishing Attacks
Attack           Magnitude    Targeting
Phishing         Many         General
Spear Phishing   10s - 100s   Group, Company
Whaling          One          Executive
11. The list of targets and any other info that will help
Find through company site, google searches, and even
social media
List may be provided by customer
13. Setting up web, dns and/or mail servers
Create a convincing scenario, write the email
Test the entire process!
This may be your only chance to fix issues
14. Credential Harvesting => Login Information
Exploiting Client => Metasploit Sessions
This step is based on scope of work
15. Attack Tools - Setup to Post Compromise
16. Everyone’s Favorite Part!
At Minimum:
• Describe the Attack Scenario
• Targets
• Collected Credentials or Compromised Systems
Include Statistics
17. I am lazy - Can we make this even easier?
Yes...Automation!
Program APIs
• BeEF RESTful API
• Recon-cli
• SET - seautomate
Parse Commandline Tool Output
Python, Perl, & Bash
18. SpeedPhishing Framework - SPF
Automates common tasks needed to perform a phishing
exercise
Written in Python
Minimal external dependencies
19. Current Features
Harvests Email Addresses
Sets up & Hosts Websites
Sends phishing emails to targets
Records Creds and Keystrokes
Creates VERY Simple Report
22. SPF - Standard Phishing Process
23. SPF - Reconnaissance
Searches online search engines like:
◦ Google, Bing, and DuckDuckGo
Can use external tools such as theHarvester
25. SPF - Setup and Deploy
Built-in web server based on the Twisted Python library
Templated sample web sites with accompanying email
templates
Ability to dynamically clone additional login portals as
needed
26. SPF - Loading Web Sites
27. SPF - Web Sites
28. SPF - Sending Emails
Can simulate sending of emails
Sends emails in a round robin style alternating across all
phishing sites
Sends emails via 3rd party SMTP server or by connecting
directly to the target's mail server
30. SPF - Collect Responses & Post Exploitation
Logs all access to the web sites
Logs all form submissions
Logs all key strokes
Has ability to pillage email accounts
34. Advanced/Experimental Features
Company Profiler
◦ Identify which if any templates should be used
◦ Dynamically generate new "target-specific" phishing sites
Pillage
◦ Verify credentials
◦ Download attachments
◦ Search for "SSN, password, login, etc."
35. SPF Demo
We shall all now pray to the demo gods
36. Future Work/Features
More external tools
Better Profiling/Pillaging
Fancy Reports
Incorporate SSL (possibly via https://letsencrypt.org/).
Suggestions?
37. A HUGE Thank You to:
Recon-ng - Tim Tomes (lanmaster53)
BeEF - Wade Alcorn
theHarvester - Christian Martorella
Social Engineering Toolkit - Dave Kennedy
Morning Catch - Raphael Mudge
38. Defense
Preparation
◦ User Awareness & Periodic Testing
Detection & Analysis
◦ Alerts, Mail Proxies
Containment, Eradication and Recovery
◦ Have a plan that is ready and tested
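An added example for the "Alerts, Mail Proxies" item, not code from the talk or from SPF: a detector run over constructed mail-proxy log lines that flags the traffic shape a round-robin campaign across several phishing sites leaves behind, one sender steering several recipients to unfamiliar link hosts inside a short window. The log format, the allowlist and the thresholds are assumptions.

```python
"""Flag a burst of inbound mail from one sender that points several
recipients at unfamiliar link hosts within a short window: the shape a
round-robin credential-harvesting campaign leaves in a mail proxy log.
Log format, allowlist and thresholds are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-proxy log lines, not real traffic. Fields:
# timestamp, envelope sender, recipient, host of the first URL in the body.
SAMPLE_LOG = """\
2015-06-01T09:00:01 it-support@example-corp.test alice@example-corp.test portal-example-corp.test
2015-06-01T09:00:02 it-support@example-corp.test bob@example-corp.test webmail-login.test
2015-06-01T09:00:03 it-support@example-corp.test carol@example-corp.test portal-example-corp.test
2015-06-01T09:00:04 it-support@example-corp.test dave@example-corp.test webmail-login.test
2015-06-01T10:15:00 newsletter@vendor.test alice@example-corp.test vendor.test
2015-06-01T10:16:00 newsletter@vendor.test bob@example-corp.test vendor.test
2015-06-02T09:00:00 hr@example-corp.test alice@example-corp.test intranet.example-corp.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
KNOWN_HOSTS = {"intranet.example-corp.test", "vendor.test"}  # assumed allowlist
WINDOW = timedelta(minutes=10)
MIN_RECIPIENTS = 3

def parse(log_text):
    """Parse log lines into (timestamp, sender, recipient, host) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sender, rcpt, host = m.groups()
            events.append((datetime.fromisoformat(ts), sender, rcpt, host))
    return events

def find_campaigns(events, window=WINDOW, min_recipients=MIN_RECIPIENTS):
    """Return {sender: {"recipients": [...], "hosts": [...]}} for senders that
    steered at least min_recipients distinct users to non-allowlisted hosts
    inside one window. Keyed by sender, not by host, because a campaign
    spread round-robin over several sites stays under a per-host threshold."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, host in events:
        if host not in KNOWN_HOSTS:
            by_sender[sender].append((ts, rcpt, host))
    hits = {}
    for sender, items in by_sender.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            burst = [(r, h) for t, r, h in items[i:] if t - start <= window]
            rcpts = {r for r, _ in burst}
            if len(rcpts) >= min_recipients:
                hits[sender] = {"recipients": sorted(rcpts),
                                "hosts": sorted({h for _, h in burst})}
                break
    return hits
```

Counting per host instead would show only two recipients per phishing site in the sample and miss the campaign, which is why the grouping key matters more than the threshold.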
Good afternoon
I’m Adam Compton and today we are going to be talking about phishing.
First of all, let’s go over the obligatory agenda slide.
The talk today will start with a brief overview of email phishing and end with the presentation of a new phishing tool I started developing last year.
My name is Adam Compton.
I have been doing information security research and professional services for most of my professional life.
I am married with children. While I love them all, I do enjoy getting away from them once in a while.
Yes, I am a hillbilly from the Appalachian Mountains of the eastern United States and proud of it.
So, why am I here? Because I believe in trying to give back to the community. While not everyone may find this talk or the associated tool as interesting as I do, hopefully enough will to make this worth it.
So, what is phishing?
At its most basic, phishing is attempting to gain sensitive information by manipulating someone through electronic communication.
This may take the form of email, messages, in game communications, and so on.
Yes, phishing is just one attack vector that malicious adversaries can leverage to gain access to sensitive systems and data.
So why would someone phish when there are these other possible attack vectors? What makes it so interesting, so successful?
Because phishing has a high return on investment; targeting 10 people or 1000 typically takes the same amount of effort for an attacker.
Many times it may be the easiest way to get on a network that has a low external attack surface.
Finally, it just works. Phishing exploits some of our basic human needs. People want to be helpful.
Another reason is that phishing is time tested. It has worked for over 20 years, going back to the mid-90s with America Online.
Some of the earliest evidence of phishing attacks I could find was script kiddies using visual basic or C++ programs on AOL. One of the most popular was AOHell.
The San Jose Mercury, all the way back in 95, reported that AOHell includes a ''fisher'' that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.
Here is an example of AOHell Running.
Here it has “Phishing for PWs”, a list of targets, the message and the IM responses.
It really hasn’t gotten much more complicated since then and in many cases, phishing may be even easier and more effective today.
What kind of sensitive information are attackers after?
Most are after either access to systems or they are trying to make money.
This could be through stealing credit cards or PII (Personally Identifiable Information) that could be used to open a line of credit or, recently, health information.
The health care information is usually used to aid in healthcare insurance fraud.
Recently there have been attacks against bitcoin brokers and even Steam or other online game accounts.
What are the primary types of phishing attacks?
Regular blanket email attacks: usually these are very simple (requiring little to no advance research). You probably get these types of attacks all of the time, and they are just flagged as SPAM.
Spear Phishing - typically used when targeting a group of people with a shared commonality, such as the employees of a specific company (this usually requires some advance research to make the phish believable, such as, at a minimum, the company logo and so on).
Whaling - when all you want is the CEO, president, or similar high-level target (this requires a lot of prep work to get right, as you likely only get one chance to get it correct).
Most professional consulting engagements will involve either spear phishing or, in some instances, whaling; you won’t be going after the entire Internet.
Now we are going to step through a standard phishing process. Everyone has their own methodology, but this seems to be the most common we could find.
It all starts with Recon.
This is where you are collecting the list of targets and any other information that may help. You can use sources such as the company's own website (there may be an employee listing page), Google searches (people love to post to forums and blogs using their company email addresses), and social media sites (such as Facebook and LinkedIn).
There are a lot of tools out there.
Recon-NG and, to a more limited degree, theHarvester can aid in the identification of potential targets for a phishing exercise.
Foca and MetaGoofil are document metadata analyzers that can be used to find machine names, usernames, software versions and much more.
Maltego and Netglub are great tools for mass research of a company or person and chaining that information together.
Next is the setup and deployment. This usually includes setting up servers such as web, DNS and mail. Once everything is running and you’ve created a convincing scenario using the recon from earlier, it’s time to send the emails. You really should send a few test emails to yourself and then step through the entire process from start to finish. This may be the only chance you have to fix things.
STORY: I will admit that on at least one occasion, I failed to do the proper testing. The % of people clicking on the link was much lower than I had expected. When I went back to figure out what could have happened, I realized I had put the wrong company name in the email and the website had a broken image for the logo. However this screw up on my part still ended up being somewhat useful as it demonstrated that at least some % of the company's employees would click on anything and were willing to just give their creds away to any old site regardless of how ugly it was.
Next, you need to collect the responses. For a credential harvesting attack this could be usernames and passwords; if you were exploiting the client, it would be Metasploit sessions. Either way, you need to decide what you want to do now. Do you just document the credentials or the compromised systems and go on your way? Or do you use those to continue the assessment and turn the phishing attack into a potential internal penetration test? A lot of this decision is based on the agreement with the customer.
There are several attack tools that will take you through the process from setup and deployment, all the way to post compromise.
The Social Engineering Toolkit is a great general-purpose tool to aid a pentester in performing client-side attacks; it has one of the largest feature sets.
Phishing Frenzy, while not as robust as SET, does have a web-based UI and is very user friendly for people just getting started in phishing.
Browser Exploitation Framework is more of an attack platform than a phishing tool, but I find it works very well when partnered with other tools.
GoPhish is a newcomer to the phishing landscape. It is another open-source tool which provides a GUI and much of the same functionality as the others. I have not had time to fully test this solution yet.
Now we get to everyone’s favorite part, the reporting! This is where you review all of your notes and produce a report for the customer. At a minimum, you will need to describe the attack scenario, list the targets, and any results such as collected credentials or compromised systems. Really good reports will include statistics and show the business impact of the attack.
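An added example, not code from the talk or from SPF, of the statistics a report should carry: it computes per-template and overall click and credential-submission rates, plus the median time from send to first visit, from three constructed activity logs of the kind a phishing tool keeps (emails sent, site visits, form submissions). The CSV layouts, template names and addresses are assumptions.

```python
"""Headline statistics for a credential-harvesting exercise report, built
from three activity logs of the kind a phishing tool keeps: emails sent,
site visits and form submissions. The CSV layouts are assumptions."""
import csv
from datetime import datetime
from statistics import median

# Constructed logs for a fictional exercise, not real data.
SENT = """\
time,target,site
2015-06-01T09:00:01,alice@example-corp.test,webmail
2015-06-01T09:00:02,bob@example-corp.test,portal
2015-06-01T09:00:03,carol@example-corp.test,webmail
2015-06-01T09:00:04,dave@example-corp.test,portal
2015-06-01T09:00:05,erin@example-corp.test,webmail
"""
VISITS = """\
time,target,site
2015-06-01T09:03:01,alice@example-corp.test,webmail
2015-06-01T09:03:40,alice@example-corp.test,webmail
2015-06-01T09:12:04,dave@example-corp.test,portal
2015-06-01T09:30:03,carol@example-corp.test,webmail
"""
SUBMISSIONS = """\
time,target,site
2015-06-01T09:04:02,alice@example-corp.test,webmail
2015-06-01T09:12:30,dave@example-corp.test,portal
"""

def rows(text):
    return list(csv.DictReader(text.splitlines()))

def campaign_stats(sent, visits, submissions):
    """Per-site and overall counts, rates and median minutes from send to
    first visit. A target who reloads or resubmits is counted once."""
    sent_at = {r["target"]: datetime.fromisoformat(r["time"]) for r in sent}
    site_of = {r["target"]: r["site"] for r in sent}
    first_visit = {}
    for r in sorted(visits, key=lambda r: r["time"]):
        first_visit.setdefault(r["target"], datetime.fromisoformat(r["time"]))
    submitted = {r["target"] for r in submissions}
    stats = {}
    for site in sorted(set(site_of.values())) + ["all"]:
        targets = [t for t, s in site_of.items() if site in (s, "all")]
        visited = [t for t in targets if t in first_visit]
        creds = [t for t in targets if t in submitted]
        delays = [(first_visit[t] - sent_at[t]).total_seconds() / 60 for t in visited]
        stats[site] = {
            "sent": len(targets), "visited": len(visited), "submitted": len(creds),
            "click_rate": round(len(visited) / len(targets), 2),
            "submit_rate": round(len(creds) / len(targets), 2),
            "median_minutes_to_click": median(delays) if delays else None,
        }
    return stats
```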
Okay, I am not lazy, but as a programmer I do like to find ways to automate repetitive processes when possible.
Many of the common tools (such as SET, Recon-ng, and BeEF) already have APIs available for us to use or they are command line tools (such as theHarvester) whose output can be easily parsed.
Let me introduce SPF "The SpeedPhishing Framework" (yes it is a play on the name "Sender Policy Framework").
SPF is my attempt to automate common tasks needed for a standard phishing exercise. Currently it focuses on credential harvesting attacks, but I plan on expanding it into other attacks in the future.
It is written in Python. I chose Python for no real reason other than I just felt this would be a fun Python project.
I did not and still do not intend SPF to be a replacement or competitor for something like the Social Engineering Toolkit. I feel both occupy different roles and both can co-exist nicely.
Currently SPF can harvest potential emails from the Internet by using many popular search engines such as Google, Bing, and DuckDuckGo.
Through the use of templates, it can deploy one or more web sites designed to capture credentials.
It can send emails to the previously identified targets instructing them to go to one of the deployed phishing websites.
It collects all credentials and keystrokes entered into the web sites.
It keeps a full log of all activities.
It can even generate a simple HTML-based report when finished.
SPF is a command line tool. And like all good command line tools, it has a nice lengthy usage statement.
This is just a small snippet of it here. You will see the full one when we get to the demo in a bit.
In addition to the commandline arguments, SPF also makes use of a config file. The config file is used for some of the settings that are not changed that often and are common across multiple assessments.
Over the next few slides we will be revisiting the standard phishing process steps I listed previously.
Depending on the commandline arguments provided, SPF can use both built-in and external tools to perform some Internet recon on the target company.
SPF can attempt to identify target email addresses, as well as web and mail servers the company may have on the Internet.
Here are a few shots of SPF gathering target email addresses.
SPF has a built-in webserver and comes with multiple (currently I think there are 5) website templates that can be used.
SPF also has an available "advanced" feature that allows it to quickly search any websites the target company hosts and then determine if they contain a login portal; if so, SPF will clone the site and use it as another available phishing template. I will talk more about this after a while.
Again, just a shot of SPF loading a few web templates.
Here is just a sampling of what some of the phishing website templates look like.
As you may (or may not) be able to tell, they are fairly common websites, which many companies may already use.
SPF performs a round-robin style of sending emails. It loops over the web sites that have been deployed, pops an email address off the list, and sends an email to that address instructing the recipient to go to the web site. Then it goes to the next and so on. This is done in an effort to ensure an equal distribution of recipients being directed to each phishing site.
In order to send the emails, SPF can make use of a 3rd party email server (such as Gmail) or it will attempt to connect directly to the target company's SMTP server and send them that way.
Here you can see SPF simulating the sending of the emails.
As mentioned before, currently SPF is focused on credential harvesting. As such, it is designed to key log all activity on the hosted phishing web sites as well as storing any form data the visitor may finally submit.
And as another advanced/experimental feature, SPF has the ability to automatically attempt to pillage any email accounts it can find. Again, this will be discussed more in a bit.
Just a sampling of SPF collecting keylogs and form submissions.
And yes, SPF does generate a simple HTML-based report. It is nothing special, but it is functional.
I would like to mention that all of the activity logs, collected data, and so on will be saved in a directory so that you can view/parse/manipulate it to your heart’s content if you wish.
Like I said, it is nothing special.
Two of the more experimental features are the Company Profiler and the Pillage modules.
I touched on these earlier, but now, let’s get into the details a bit more.
The Company Profiler serves multiple purposes. First, by scanning the Internet-facing websites of the target company, it can determine which of the built-in web templates would work best. Secondly, it can identify and clone any other login portals it identifies. These newly cloned sites will also be used during the phishing exercise.
The Pillage module is a post-exploit module designed to attempt to validate any collected credentials, log in to the target's mail account and download any emails or attachments which match predetermined strings or regular expressions. Currently this only works if the target has either an IMAP or POP3 mail server.
Demo Time…
Hopefully we can do a live demo; if not, we have a few slides that can hopefully provide you an idea of how it works.
As with all new tools and projects, there are so many things that could be included. I had to pick and choose what I felt should be in the initial release. As a result, here is a list of a few of the items I have not added, but plan on potentially adding later.
By popular demand, the ability to track individual emails. Personally I do not find this adds much, but others swear by it.
Add more external tool utilization.
Enhance the Company Profiling and the email pillaging modules.
Improve upon the report SPF generates.
Add SSL to the websites. As I do not know all of the web sites and domain names beforehand, this can be a bit tricky. Possibly using something like the "letsencrypt" project could help.
Any other suggestions?
Anyone want to help, contribute?
I just want to take a moment to say thank you to all of the developers of the other phishing tools I have been using for years.
One of the most important is user awareness and testing.
We can do this by performing phishing exercises with tools such as those described earlier in the presentation.
And a big thank you to all of you for sitting through this.