Alright, Truman Kain, social engineering. Yeah, another clap please. Blake did have too much to say about me, so he figured there wasn't enough time. Okay, so who here is from the abstract? Who here read the abstract and that's why they wanted to come? Raise your hand. Yeah? Dragnet, one hell of a catch. One hell of a catch.
Okay, so I'm Truman Kain, I'm a security associate from Tevora. We do cyber security, pentesting, that type of thing, and I decided to make a social engineering framework called Dragnet, and that's what we're going to talk about today. So, if you didn't read the abstract, basically your conversions on phishing emails, phishing calls, physical engagements, those conversions are all going to increase when you use this framework. What do I mean by conversions? Basically things like credentials being entered, people giving you information they're not supposed to be giving you, that type of thing. So that's what I'm considering a conversion for these purposes.
First, I'm going to get into the current states of OSINT, analytics, social engineering engagements and then we'll talk about the tool. But I also want to let you guys know that these are my insights. You guys might not feel the same way about everything that I say. Hey, I recognize you. And so this is just what I've observed.
Okay, so when I think about OSINT, I think that I want high quality, reliable data that I'm collecting on my target. And the collection process usually ends up being manual, because when you see a successful spear phishing attack, there's almost always manual OSINT going on. It can be for a few reasons, a couple. It might be that you want to verify that the information that you're getting is accurate. Also, so that you can tailor your attack to your target as you learn more about them. But all of it is so that you have a higher chance of conversion when you execute the attack. So aside from some minor variations, this process is extremely repetitive.
Once you've gone through the OSINT phase on a couple of targets, you kind of have down your process. Maybe you have a couple of targets from each industry. You kind of, you know, you get down what you're going to be doing. So you think, okay, why can't this be automated? And sometimes you can automate things. But once the automation starts turning into the heavy lifting, a lot of the times you'll see big sites start to change their templating. They just coincidentally roll out an update that just destroys the most popular, you know, scraping tool. So that would be why when we see automation work, it's fleeting. It doesn't last very long.
So here's the current state of analytics. Sorry, I had something else I wanted to say about the last slide. So why do these sites care so much about protecting their publicly available data? It's because analytics. As a side note, I'm going to use big data and analytics interchangeably for the purposes of this talk. So regardless of what the company does or what they say they do, if you look at the companies with the biggest online presence, Amazon, Google, Facebook, that type of thing, if you were to take away their analytics, in my opinion, they would not last very long. You might not all agree, but I believe that when you're a company that big, you can't act on intuition alone. So not only is every major decision driven by analytics, even the smallest decisions are driven by data as well. An example would be the way that Facebook is split testing thousands of different versions of their website at any one time and pushing only the highest performing features to the public version of the site.
But not only do these big companies live off analytics, sometimes it's the way the companies are born. This is a quote by Jeff Bezos in 1997. I'm not going to read it in the Jeff Bezos voice from the video if you've seen it. He says, "Three years ago, I was working in a quantitative hedge fund when I came across a startling statistic."
So that statistic stated just how rapidly consumers were moving online. It's also what caused Jeff to leave the company he was at to start Amazon. And it's now why we're impatient when we can't get things delivered the same day. So you're sold, right? You're going to go out, you're going to study the data and start the next Amazon, right? Well, as I look around the room, I'm not so convinced. Because fortunately, for those of you who take Jeff's quote to heart, the data is already out there and it can be used for things other than starting or growing businesses, like destroying them. No, like social engineering. So I'm a fan of Amazon. By the way, I don't need my account shut down. This is all educational purposes of this tool.
So for those of you who conduct social engineering engagements legally, you may resonate with this chart. The client doesn't even get to choose two, they get to choose one. Effective, quick, or inexpensive. In this current state, I'm generalizing a little bit, but the companies with big budgets are the only ones getting social engineering pen testing. And I believe that needs to change. Let me grab some water.
So Fortune 5000 companies are already being targeted en masse. I believe that smaller businesses in certain industries are going to quickly become the next big focus for social engineering attacks based on the data that they hold and the lack of security awareness training. I needed to include Zuck somewhere in here. So I think I've depressed everyone enough with that last part. So what can we do about this?
So Dragnet is this social engineering framework that I'm going to get into now. We'll watch a demo in a little bit. But I believe that Dragnet is going to be a popular solution for pen testers. I'm committed to continually improving on it as long as the demand is there. And what I said about OSINT automation being fleeting, for every star on the GitHub, that's going to be an hour of me going back and re-improving.
So free labor, basically. I mean, it's cheap labor for you guys. I would recommend starring this project if you like it, and maybe the OSINT stops working, star the project, and that's an hour. I'm just going to be sitting in mom's basement. So where was I here? So I'm going to quickly cover the framework's OSINT automation and machine learning capabilities, and then we're going to check out a quick demo. And I'm also happy to say that Dragnet is and will continue to be open source.
So I believe that this target template correlation machine learning thing. So the whole correlation, thank you, we're starting that, very nice. The whole recommendation system thing, you know, AI is being implemented into everything. The data is already out there. I think pretty much every phishing tool is going to start implementing this. That's why I'm really excited to try to be on the cutting edge. I think this is a cool thing, and it's becoming a lot easier for guys like me to implement this in the projects.
So this is essentially the stack: TensorFlow for machine learning, Firebase Firestore as a NoSQL database backend, and Vue.js for the front end. Things like Asterisk and Flask are also used, and there's a bunch of different integrations as well.
So here's how Dragnet OSINT works. You're going to start a new engagement, you're going to drag and drop in a CSV with your targets' names and emails or phone numbers, and then OSINT begins. If a particular target already exists within the company that the engagement is for, then the OSINT is going to restart, changes are going to be tracked, and a new recommendation is going to be made. This is almost entirely automated. Hence, keep your hands near the wheel. This is using lead enrichment integrations and also manual scraping at times. So the reason for the hands near the wheel is because sometimes you're going to get people with the same name from the same company. And so you need to decide who is your actual target.
Because if you choose wrong, you could skew the model for, you could skew the entire model so that the recommendations for someone completely different, that you think there's no correlation between, gets a different suggestion, one that's not accurate because you chose the wrong person and because the data points about them weren't correct.
So this is the older, still start like dancing like Ashlee Simpson. So this is the model, essentially. I really don't know how any of this works. I kind of just like watched a bunch of videos and was just like trying to get it to work. It barely makes sense to me, but essentially how it works is you are going to tag the templates that you're using. So you're going to say, say for example, unusual login detected. So you're going to say urgency might get a tag. And it's from LinkedIn. So you're going to give it a LinkedIn tag. Maybe you're doing an Amazon wish list phishing template, and you're going to use tags like Amazon, shopping. Maybe it's a Facebook poke email and you use things like lust, you know, for example, things like that.
Then the OSINT automation is going to create data points, which essentially we're calling target features, things like someone's age, their name, maybe their gender, maybe previous work experience, that type of thing. Labels are going to be what are taken from your previous engagements, the data on whether a target clicked, filled out a form they weren't supposed to, executed a payload, that type of thing. It's going to give them a rating. All to end up with a probability of pwn. So that's what we're left with. So put simply, you're going to tag your templates, you're going to import the prior conversion data, and then you're going to say your prayers.
All right, so we're going to watch a demo. So here we are in the dashboard engagement section. You can see that we have an upcoming, in progress and completed filter. We have some clients that we've worked with recently.
But we're going to start a new pen test for Pied Piper. They're a client we decided to take on. So we're going to choose from the existing companies. We're going to choose the type of test that we're running. This one's phishing, and we're going to choose a start and end date. Okay, so these three contacts are essentially targets that we've already uploaded for Pied Piper. They've already run an engagement against them. But I'm going to drag in a new file with some new targets. The target list is populated. And now I can choose who I want to include. And also choose which type of test they're going to be involved in. So Gilfoyle is only going to be doing phishing. We're going to get rid of Jared. So we're going to get rid of him completely. He's just too easy. Big Head. So we're going to get rid of him. And then we're going to run just the phishing on a couple of other of the targets here. And I think, yeah, there we go. Some UI bug.
So now we're going to save and OSINT begins. So as you can see on the right, this says attack ready. That's how fast. I don't think I can go back. That's how fast essentially that the OSINT is being done. And because the model is already trained and will be retrained each time someone converts or we get one of those labels that you saw from the equation slide, the model is going to be retrained. Once that happens, to create the prediction is going to be extremely quick. So we can see we have things like starting ML prediction. This last update column on the right is going to show what the last thing to happen was.
But we also see that we have an action required in addition to the attack ready. The action required is on Jian-Yang. Interesting. This is pre-recorded. They started. They wanted us to pre-record these, so which is probably a good thing. So which of these is Jian-Yang? This is what I was talking about where hands near the wheel. I have to pick which one is my target. I just happen to know that this is a male.
Maybe I've seen the target. Maybe I know roughly what age he is. I can call the client. Maybe try to get that data. So choose that he's the target. It started OSINT. It completed OSINT because I have an integration like Clearbit or FullContact. And that's why the OSINT is going to be faster.
Okay, so now I just launched. You can see some people say email scheduled. Some people say sending email. This is based on the, oh, what's this? So I want to explain a little bit more. But it looks like we have a notification that Jian-Yang already opened our email. Would we like to vish him now? So this is because it's a linked template that wants you to call and follow up as soon as the target opens the email. Not all of these templates need to be linked.
On the right you can see a mini dossier area. This is going to be, that check mark indicates that it's confirmed, the data is confirmed. The fingerprint indicates that this was using OSINT that we found this. Things like education history, background info, work history. And so we see an attack log that shows the email was sent and opened and at what time. We have our script right here that we're going to be using with his name included. And we can place the call whenever we're ready. That should be hopefully sound to this. Then calling Jian-Yang from the masked number. Knew that this was not a legit call. So did we get the goods? No. He's not voling. And the recording, if the client allows, is going to be uploaded to our servers and we would be able to play that here. So we see the attack log on the bottom right has updated.
Back and we see now there are some other updates on last updated. We see call unsuccessful from Jian-Yang. And call scheduled. And we see creds captured for Monica. Okay, so we're going to click on the phishing template. And we see the email that was sent to her. Gavin Belson wants to connect. We see the credentials captured there right on the top right or in the middle. We have her mini dossier area.
And we can see the credentials entered on the attack log as well. So if we click, we can see that this, I think I'm going to click on this email here, basically we're going to be able to see the landing page that she was sent to is not LinkedIn, it is line kadin. So this is the landing page and where she fell for the credentials captured attack. So we can click on her little avatar there and see the full dossier. It's essentially just a more spread out version of the mini dossier that you saw. And also, one cool thing is that this in the target history section is not just about the attack. It's all attacks. And it's also things like when she was added to a certain company, when OSINT started, was completed, when templates were suggested, that type of thing. So I believe that is it. Yep.
Okay, so that's the demo. What's next? Things like ringless voicemail drops. You know, once we get inbound calling set up, you'll be able to do things like this earlier in the morning. Maybe when someone is not going to be around their phone and try to get them to call you back. Things like really focusing on individual targeting so that you don't have to do things through a company, again for educational purposes. Distributed vishing, so you might be able to have a team set up and be able to get them set up with multiple attack phones, that type of thing. Native mobile, I think would be really cool to be able to have an app to manage this and to be able to do all the calls through an app. I think that would be really cool. And your request here is the bottom one.
So I really am committed to working on this. I'm not going to be the guy that's like, ah, submit a pull request. Like I'll do the work. You guys, if there are enough people that want something, they can plus one it. If someone else suggests it, suggests it on GitHub. So I would really appreciate it if you guys give your ideas there. I'm going to have to do that. Thank you.
So Dragnet's going to be released on GitHub in the next few days. The repo is live. You can get it through the Tevora Threat link. But I'd like you to watch the repo so that you're notified as soon as the framework is released, which will be in a few days. Also, thank you to Kevin, Steven, Clayton, and Ray from Tevora. This framework wouldn't exist without them. Thanks again, guys. Thanks.