Hi everybody. My name is Eric Gershman and this is Adam Compton. We're going to be talking about phishing, going from recon to creds. Hopefully this is the talk you've been looking for. If not, there are tons of parties going on right now. I want to give thanks to Dave for opening up for us. That talk was awesome.

All right, so here's our agenda. We're going to go over who we are and give a little bit of background on why you should listen to us. Then we're going to go over what phishing is, go over the standard phishing process, and then we're going to release a new tool. Everyone likes new tools, right?

All right. My name is Adam Compton. You can read that as much as I can. I am a father. I love them very much, but when I get a chance to come to Vegas and leave them at home, I do. I've been in information security for most of my life. Primarily I'm a programmer that does pen testing, but I enjoy it all. And yes, I am a hillbilly. I was born and raised in Eastern Kentucky. Love it. I'm proud of it.

Hi, I'm Eric. For most of my career I've worked as a systems administrator. I've worked on help desks. A few years ago I made the switch to information security full time. Lately I've been working in high performance computing. The reason I've been wanting to do this talk is that I've done a few presentations for our local DC group, and I've done demos on phishing and they've gone great.

So why are we presenting on phishing? The main reason is that phishing is cool. I've done a number of phishing demos and it's just fun. Adam's done a lot of actual engagements, and he's probably been doing it for decades now. We also really wanted to give back to the community that has helped us for so many years. And we're going to be releasing a tool today. This proved to be a good venue for it.
And we wanted to release it open source to make sure that people could help us improve it.

So what is phishing? At its most basic, phishing is attempting to gain sensitive information through electronic communications. Phishing actually goes back to the early '90s. This is kind of the earliest evidence we could find from Googling. It goes back to when script kiddies were running Visual Basic scripts against AOL to pose as AOL administrators in order to steal credentials and also credit card information. It hasn't become a lot more complicated since then. In a lot of cases it's become a lot easier. So here we have AOL. Can anyone tell me what operating system this is? Yeah, it predates Windows 95. Here we have it phishing for passwords. That's kind of showing the current status of it. It has a list of targets, the phishing message it's sending through instant messenger, and then the responses, the passwords that are coming in.

So what kind of sensitive information is usually stolen with phishing? It could be credentials in order to log into a system, credit cards, personally identifiable information. A lot of times these can be used to open up a line of credit or perform identity theft. Recently health information has been used a lot to do insurance fraud, Medicare fraud. It all comes down to money in these cases. One interesting example I found is that people are starting to steal Steam games. A lot of Steam users have hundreds to thousands of dollars invested in their Steam catalog, and this can be really valuable on the black market.

So what are the primary types of phishing attacks? Most regular phishing attacks are blanket email attacks. Usually they require little advance research. You probably see these attacks all the time, and they'll pretty much get flagged as spam a lot.
Spear phishing is when you're typically targeting a group of people with a shared commonality, such as employees of a company. This usually requires some research, and you need to make sure you make the phish believable. That's where the research is really important. Whaling is when you want a really high value target like the CEO of a company, or a president, or someone else who's working as an executive. This requires a lot of prep work, and you only have one chance to get it right.

So why phish? The biggest reason is because it's easy. Humans are hard to patch. Phishing also has a very high return on investment. The effort you put in could be targeting one person or a thousand people. And spear phishing can be highly effective when you're trying to target a company that has a really low internet presence.

Everyone has their own methodology for phishing. The process we're presenting here is what we've seen most commonly from others and the one we use ourselves. It all starts with recon. At the very least you need to get a list of the target email addresses. This can be provided by the customer itself, or it can be scraped from social media or through Google searches and other reconnaissance. You're also going to be looking through social media sites like Facebook, LinkedIn and maybe even company forums. Tools like theHarvester and Recon-ng are really useful for extracting emails.

The next steps are the setup, the deployment and actually sending the emails. The setup usually includes web, DNS and mail servers. Once you have your target list and you have everything configured, you're going to be sending the emails. You should really send a few sample emails to yourself to make sure everything looks right. If something is amiss, this is your only chance to correct it. Adam, what should you do if things don't go exactly as planned?
Right. So I've done a number of phishing engagements over the years, very complex ones, very trivial ones, what have you, and over time you will make mistakes. One time it was going to be a fairly simple phishing engagement. I sent out a number of emails to the targets and was watching the results come in. The rate of success was a lot lower than what I'd come to expect in the past. I couldn't really figure out what was going on right off hand. I'd already sent the emails, couldn't bring them back, couldn't redo it, things of that nature. So I went back and looked at the emails I'd sent. There was a nice little copy and paste error in the email I'd sent out to the customer's employees: instead of "to all company X employees," I'd said "to all company Y employees." So the rate of return was considerably less than what I was expecting, but trying to turn lemons into lemonade here, I took it, rolled with it, and ended up reporting to the customer that, at minimum, even on such obviously fraudulent emails, X percentage of your employees still clicked on it, still fell victim to the phishing engagement. I did go on and perform other exercises against them as well, but that particular one is a good example of what can happen if you don't verify your emails, your websites, things like that, before you start the engagement. They might just go horribly wrong.

Next you're going to be collecting the responses. For credential harvesting attacks, this might just be collecting the usernames and passwords and then performing some post-compromise work like checking that they're correct. For other attacks, if you're actually exploiting the clients, you'll be receiving Metasploit sessions, collecting those, and then acting from there.
This step is pretty interesting because, like Dave alluded to earlier, you may get email addresses for people who are much more trustworthy than what you started the attack out with. So you might be using those to perform further attacks. The client may also request you to do a full-on pen test once you're done with the phishing process.

Yeah, just to make a call out: if you're doing this as a contractual engagement with a customer, the post-exploitation phase is something that should be discussed up front, because they might just want you to do phishing and an external assessment, things of that nature. Where's that boundary? Because this can easily turn into, as he was referring to, an internal engagement, with internal assets being targeted. Many times the customer is okay with that, but sometimes they're not. This needs to be decided up front before you start testing at that level.

So finally comes everyone's favorite part. Free bacon. No, I'll take you to Denny's later. After you collect all the credentials, after you've done all these steps, it's time for the report writing. You're going to take your notes, describe the attack scenario, list the targets, and list any results you collected from the credentials or compromised systems.

All right, so we went through a little bit of the background, a little bit of the process of phishing. Now we're getting into a little more of the tool-based approach to it, as well as the release of the new tool. We can start out by just addressing some of the tools that have been made available out there already. There are different kinds of tools: there are the actual phishing tools, and there are the recon tools. Right here is just a sampling of some of the recon tools. There are lots of them out there. They can do everything from just collecting potential target email addresses to collecting sensitive information from the target's website, stuff like that.
There are a number of things you can do in an automated fashion that will help speed you along your path so you don't have to do as much manual work. On the same side you have the actual phishing attack tools, things like SET, the Social-Engineer Toolkit. Great tool, love it, use it all the time. You also have things like Phishing Frenzy, a similar concept. It is a web-based interface as opposed to the command line. It differs in some key ways, but it's the same basic concept. BeEF, the Browser Exploitation Framework, isn't necessarily a phishing tool, but it does provide a nice hook that you can embed in pretty much any web page, which then, when somebody browses to it, will help exploit their web browser, and you can go from there. As such, it works very well along with phishing attacks. If that's one of the attack vectors I want to go down, whenever I deploy the websites that I want to send the victims to, I'll embed that link in there, and then that's another attack vector that can happen.

All right, so those are some great tools. They help us out. They automate a lot of things for us already, but I'm lazy. I try to find the easy way through things. I'm a programmer. If I can find ways to script things up to reduce the repetition, at least for the simple tasks, I'll do so. And yes, there is a way to do it with a lot of these. Most of the larger frameworks, the larger tools, do have APIs available for them. BeEF has an API, SET has it, SET's SE automate. Many other tools are command line: they'll run, you can get the command line output of them, use your favorite scripting language of choice, parse it, get it. So with a little bit of creative programming, a little bit of creative scripting, you can automate a lot of the standard process.
And that's the genesis of the ideas behind the Speed Phishing Framework. Let me preface this: the acronym is SPF. The acronym came first, and then I picked words that match it, because SPF typically refers to Sender Policy Framework, and I just thought it would be funny. Honestly.

But what is the Speed Phishing Framework? It is a script, a series of Python scripts at that, that will help you automate the standard phishing process for simple engagements. It can be used for larger, more complex ones as well, but it's targeting a fairly narrow set of engagement types. It has minimal external dependencies, and that's for a reason. Many times I see people release tools here at Black Hat or online or wherever, and they're all designed to work just on Kali Linux or something like that. I wanted to write a tool that I could run on any Linux distro. You have to have Python and two external Python libraries, and then this will run. If you have other tools, it can take advantage of some of those, but it doesn't require them. It will do its full processing with just a basic install. And yes, I do use it from just a basic install many times. The link is up there where you can go to the GitHub and check it out. It will be posted on other slides later on as we go.

So what does it currently do? Currently SPF can go out and do some basic recon for you. If you're familiar with the tool theHarvester, it does a similar process to theHarvester. You provide it a target domain, and it will go out and try to find various email targets to go after, filter them, uniq them, so you have a potential target list to go after. Then, inside of Python, it will fire up a web server hosting one to many potential phishing websites to send people toward. Those can be either the pre-built templated ones that I have provided, or you can provide your own if you wish.
Or there's a capability for it to go out and dynamically determine new phishing websites, automatically clone them, turn them into templates and deploy those as well. Then it will iterate through the phishing targets, sending the phishing email to redirect people to one of the phishing websites, iterating across and dividing the load across them. Once it's done with that, it will collect the results back and do some post-processing with them. There are some additional features that I'm working on and enabling, which I will demo in a while, where you can do sort of a post-exploitation portion with it. And finally, it creates a simple report. A very simple report. But it does provide all the raw data in a directory structure that you can go and view later, access and grep and search through to your heart's content.

We'll go through a few of these a little fast so we can get to the demo, which is why you're all here. It does have a standard usage statement, lots of options as with all tools. It also has a config file. If you edit the config file and use command line options for the same option, command line options take precedence over config file entries. It does all the standard phishing process. You can do the recon as I mentioned earlier by going out and scraping across the internet, or take an input file if you provide it. I'll show you this in the demo in a moment. Let's just go ahead and skip through these a little bit. The setup and deploy: it does set up the website as I mentioned earlier, deploying one or more templates. It will send the emails as well. The templates I provide are some of the more common ones, such as OWA, Office 365, VPN logins, things like that that a lot of companies will have. I do that just because those were the most common ones I encounter out there for companies. By all means you can provide your own templates, and it will determine new ones as well.
Sending the emails: it can simulate sending the emails so you can take that test mentality and see what it would have done before you actually send them. Then it can go ahead and send them as well. It will send either through a third-party SMTP server such as Gmail or smtp.com or something like that, or you can have your own mail server, or it can connect directly to the target's SMTP server on port 25 and just send them that way. There are a few caveats there. It will work best if you register a domain and publish the proper SPF record, things of that nature. Here's an example of sending the emails.

Once it starts getting results, it logs everything in real time. All keystrokes are logged. Form submissions are logged as well. One of the post-exploit features I've been working on is, whenever it receives a set of valid credentials, you can enable it to do a pillage feature. That means it will actually try to validate that set of credentials against the target's mail server of choice, and if it can validate it, it goes in and starts looking for sensitive, for interesting files, downloading local copies of them, things of that nature. I'm expanding that as I go along, as I work through the development process on that.

All right, and yes, it does generate a very basic report as I said. It's in there just as a placeholder. I'll probably work on that a little more later on, or all the raw data is in a directory structure so you can go and grab it yourself.

I already mentioned this a little bit, the advanced features. There is the company profiler and the pillage feature. The company profiler is the one where it will actually go out to the target domain, search through all their websites that it can identify, find other login pages that look like usable sites, clone those and then auto-deploy those as a new phishing site.
The pillager is the one I was talking about, where it will validate any captured credentials and try to search their mail and find interesting files.

Let's go ahead and jump over to the demo and see if I can get this to work. Let me change my display. Is it coming up? Yeah, you can see it well enough, I think. All right, so let's go ahead and take a quick look at this. As I said before, it does have your standard command line options, various levels of them. There are some meta ones in there that group them together and whatnot. Feel free to go look at it on the GitHub, check it out, use it. I'm going to go through a few select ones in here that are more pertinent to the demo. Let me verify something real quick. Because I do not have internet access at the moment, I have to use a local VM to go against, and that'll be easy enough here. I'm sorry we don't have awesome ASCII art yet. If anybody wants to help us with that, you can do a pull request and we would really appreciate it.

All right, so let's go ahead and get started here. We'll specify the target domain. In this example I'm just going to use example.com. I know. I'm going to just use example.com. There's an option for verbosity, so I'm just going to go ahead and enable that. And then gathering email addresses from the internet is just dash G. I'll go ahead and hit that. As you can see, well, actually you can't because it's faded out, but on the right it's all in red; it says it cannot access each of those sites. That's because I'm not on the internet, can't do it. I've actually encountered this many times when I'm trying to do a phishing engagement internal to a network, where I can't get out, I don't have the proper proxy settings, so I would encounter this.
So what you would actually do is provide it an external target file that contains the email addresses you want to go after, and it just reads it in. That's a fallback condition if you need to provide that. Many times I'll also go after phishing engagements on the smaller end of the scale where the customer will be like, yes, I know you can do all that, but just target these hundred people or something of that nature, so they'll provide the list and I'll just incorporate that.

So let's go ahead and go through a little more full-featured process. We have some target email addresses. Let's go ahead and fire up a web server with -w. Let's go ahead and simulate the sending of the emails; --simulate is to simulate the sending of the emails. Let's go ahead and run this and go through the standard process that you would use without the advanced features. Okay, let's start the web server. I forgot to clean up; there's old data in there. All right, let's do that again. It fires up the web server and pulls in the default templates I have pre-packaged: an OWA, two different versions of an Office 365 login, Juniper and Cisco logins. It will deploy those out by default onto whatever your internet-facing IP is, along with a colon and some port. You just provide the range in the config file; it defaults to 8000. If you actually have registered a phishing domain, a DNS record out there somewhere, and pointed it toward this as a wildcard record, you can provide that in here and then it will set up and do virtual hosting, so you don't have to rely on ports and all that. It'll do all that internally and base it off of something like owa.example.net or something of that nature. So let's go ahead and load the templates for the emails. Let's go ahead and send the emails. It's a little hard to see with the way it wraps, but you can see that
it is sending an email to john smith at devil.com. It would have sent it with the subject "new login portal," but this was just a test. If you hadn't specified -s, it would have actually sent this email off to them. At this point, at the very bottom, you can see it says it's monitoring the phishing website activity. Let me go ahead and load up some of the websites that you're going to see. I didn't have this prepped beforehand, I apologize. So you have your OWA, you have Juniper, all your standard ones. They look fairly realistic, your standard ones you see out on the internet. How many did it deploy? Five, I think. I'll have to pull it up after we close it, and I'll show you the email. They're text files at the moment. You can go and edit it. It is a text-based email; you can replace it with an HTML-based one if you wish, that's fine.

As we're accessing the site, you can start typing in, I don't know, just log in as bob and a password, hit enter. No, I don't want to save that, go away. This is a standard error page. If you do not specify what page to go to after you hit submit, it'll show this one by default. You can configure each different template to go to a different place; it's just in the template file itself. But let's go back and look at the output that's being logged in real time. As you're typing, it logs all keystrokes, and it logs the credentials that are entered. The reason I do both is that I like the credentials line best, but the keylogging is there because I've encountered customers who will start typing it in without thinking, and then all of a sudden it clicks for them: oh wait, this isn't the right URL, so they close it out without submitting. So at least I can try to reconstitute what their username and password would have been.
So let's go ahead and close out of this right now and I'll show you some of the files that it creates. You go into the output directory. It creates a directory based on two domain names: the first one is going to be the phishing domain, if you specified one, and the second one will be your target domain. If you did not specify a phishing domain, it uses the target domain for both. It's just an easy way for it to separate things out across multiple engagements. Let's take a quick look in here. There are lots of files in here; let me clear that and bring it up a little bit. There are logs of everything it does. Which one was I doing up here? That was Juniper. All right, so let's look at the Juniper one. It's all the activity for the Juniper site. Everything is logged, everything's timestamped, so you can go back and look at it. It's all raw files. There are JPEGs, or PNG files, in here as well; it screenshots every website at that point, so if you want to come back and put those into the report at some later time, that's fine.

Let's look at the emails. Let's look at the email template for the OWA one real quick here. It's very simple. This is just the one that comes pre-packaged with it; I highly advise you to go in and edit it to your heart's content and make it look how you want. The email it would have sent would have been: to, from, subject of a new OWA server, and the IP address that's showing up here. If you didn't specify a virtual host to be enabled, the link would have been left with the IP; if you are doing virtual hosts, it would have replaced it with the virtual host name. This template isn't very complex, but you can use it as a basis to build and create your own. They're actually stored in a different directory along with the web templates.

The next thing I was going to do is show you the two more advanced features. So let's go ahead and clear this out and go back and run SPF. Target is example.com,
let's do the web server, go ahead and load that up. Let's do --dns. You have to enable the DNS recon as well if you're doing the advanced features; if you look at the usage statement it will tell you that. Then let's go ahead and enable profiling, or profile, and pillage, then just do the verbose. All right, let's go ahead and let that run. For the DNS lookups, it tries to do zone transfers, and it goes out and does dictionary lookups just trying to find targets. For any that it finds, it does a simple, let me scroll up here to where it is, there it is, it does a simple port scan against them, looking for standard web ports and standard mail server ports, just so we can use that to determine what it wants to go after in the future. Once it does that, then for every website it identifies, it goes in and tries to identify login portals, things that might be useful for phishing, and for any that it finds, it goes ahead and dynamically clones those and then deploys them. So let's go ahead and say yes. For any that it found, it goes ahead and deploys them. Let's go ahead and look. Nope, close that out, that's not the way. All right, go back over here. So let's go ahead and just look at one of these that it would have loaded up. In this particular example all it found was a phpMyAdmin login, but it could have been SquirrelMail, some remote login, anything that looks like a sort of login it would do. You can test it, then go in and remove the ones you don't want. But let's go ahead and assume that this was a very juicy one that somebody would want to log into. Let's provide a set of credentials that I happen to know about, so we can test the pillage, and then go ahead and hit submit. Same thing as before: when it does the dynamic cloning of new sites, it automatically makes any necessary modifications to do the keylogging, to do the logging and the capturing of the credentials, all of that. And if we look at the output now, it's a little bit of a mess because it is still in
development this portion of it but you will see that it captured my credential i entered in adam.com.com and password and so forth then you'll see that it says that username with that password was valid for that i'm out as login server it logs in and it starts searching through the message bodies message headers file attachments looking for string matches we can do regex matches as well for testing i'm doing standard strings it's a little faster and for any that it finds it downloads downloading messages downloading attachments and so forth then it will go through and search through all of your all of the inbox looking for to and from addresses if it finds any it pulls them out make sure that they match the proper domain name and then add them to the list if there's any new ones i'm trying to get it so in my development not out on github yet it will be later tonight or tomorrow it will go ahead and kick off the phishing engagement and additional round of it for the new email addresses all right let's go ahead and look at those well example there we go now in here you will see there's a few additional files the there's a bunch of directories in here those are the new dynamically combed sites you can go in and delete them modify them as you wish which you'll see adam.com then add example.com with it those are the emails that uh it's downloaded let's go ahead and look at those they're very straightforward they're just straight email dumps of that you can go in and look at them and search for them later currently the rationale behind the pillage isn't to replace human post exploitation the goal behind it is to just be a safety net of sorts let's say you kick it off and then you're called into a meeting or something like that and when you're in that meeting you get a set of credentials in the person fairly quickly is made aware of the fact that he might have been phished so he goes and changes his credentials you come back from your meeting you see the credentials you 
can't do anything with them anymore. What this does is, at least as soon as it gets those credentials, it will try at least a few things, and that gives you at least that little bit of sanity, saying at least I tried something. I could have logged in, and so forth, given that short window; I could have exploited that particular user's account. So that is the basic run-through of the tool. We'll be around after the talk to talk about that. Did I miss something? No, you got everything. All right, let me jump back over to the slides now and finish that up.

Go ahead and talk while I'm fixing this. I apologize; for some reason my laptop overheated today and ever since I've been having a lot of technical issues with it. So it's already available on GitHub. All right, let me jump back to where we were. The demo. All right, so these are the kinds of things I want to add in the future. One thing I will preface this with is that I'm a developer; I develop now small things in my spare time. I'm not professionally developing large software, I do it just as a hobby now, but I'm also a pen tester, so all the development that's gone into it is from a pen tester's point of view. As such, if it's not providing some actionable information back, I haven't really been delving much into it, such as unique IDs to track specific emails. If it doesn't give me a shell, if it doesn't give me credentials, something like that to act on, I haven't added that in. But it is something I know a lot of people want, so I am going to be adding that in as time goes on. Additionally I want to improve upon the profiling and the pillaging feature, to add additional features
into that, make it a little more smooth, a little more full featured, possibly make it produce an actually usable report. I do provide all the raw data in there if you want to go through it, look at it and build your report; your report format will be different from mine, so I'm not that concerned about it. And ultimately I'd like to incorporate SSL into the web pages, but due to the dynamic feature, where I don't know what all the websites are going to be beforehand, that makes it a little hard. Things like letsencrypt.org might be able to be used for that in the future. If you have other suggestions on things that might help, or directions to look down, please let me know. Also any suggestions you all have for improvements, critiques, criticisms, just throw them at me, whatever, I'm open, please let me know. If you're a developer and you want to check it out, modify it and put a pull request in, please do that. I'm happy to accept them all, I'll look at them all, and we'll go from there. It can be downloaded currently from GitHub; just my link there.

Information on me and Eric. I'll leave this page up in a moment, but two last slides: a big thank you to all the developers out there that helped me out over the years, that have got me wanting to write tools and release them open source. I love these tools, I love all the people who are doing this, I wish everybody would keep it up. And then to all of you that happened to be sitting in here at 8:30 or 9 o'clock at night on a Saturday, thank you. Thanks for sitting around; you made it a wonderful thing. We'll go ahead and leave the 411 up there so you can see the link. So thank you. Anybody have questions? Feel free.

Right, so the question is what kind of safety precautions, what are the things that are taken into account when performing phishing engagements, when an ISP or the target organization starts noticing it, things of that nature. Honestly, there's not a lot. The best thing to do is a little bit of
pre-work to make sure that, if you are, it works best if you're coming from literally an actual DNS name from the human perspective as opposed to an IP. Second, when you're sending the emails, if they're coming from a domain that has an SPF record that says, yeah, anybody can send on my behalf, the wide-open SPF record, then most web servers, web proxies that receive the email aren't going to flag it as spam or a bad one. And in the worst case scenario, if the customer is determined to block you and they're going to shut down your IP, that's one reason I like to use internet service providers like DigitalOcean or something like that, where you can fire up a VPS real quick. I'll fire up a new one. This is simple, it's self-contained: download it, start it off again, and within under five minutes of starting the new VPS instance, on something like DigitalOcean it's really quick, you can get a new one up and going. It's going to be on a different IP; you just go to your DNS record and point it to where your web server is, and it's good to go. That's one of the easiest ways around it. I don't try to block that as much on these smaller engagements that I would probably be using this for; it's just, all right, fine, you're blocking that IP, I'll just move to another one and continue on.

So yes, and the question is what is the history of how I've been using this, am I using it for penetration testing or more for an educational purpose. It works both roads. It's simple, it's something I can do quickly on-site at a customer's engagement location to show them how easy it would be to do something like this. But at the same time, during my development and testing of this I have used it on over a dozen, two dozen phishing engagements just to try to work out some of the bugs in it, and it's worked out fairly well on those. I won't say it works on par with full knuckle-dusting, getting in there, working through all the recon, getting perfect websites and
all that, but it does work with enough of a success rate that in almost every case we've used it, we have actually been able to get internal access onto their networks.

Any other questions? Oh, sorry, to load this into a payload? Currently no, not in the GitHub edition of it. In the version that's in my development I am working to incorporate stuff like BeEF hooks in there, to incorporate malicious attachments and so forth. So that's something I will be looking into adding as we go along, but if you have requests or suggestions, please let me know. That's it, thank you. And if you have additional questions, we'll be around. Thank you.
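Editor's added example, not part of the talk and not SPF's own code: the pillage step described in the demo does two things once it has a valid mailbox login, it searches headers, bodies and attachments for interesting strings, and it harvests To/From addresses in the target's domain as new phishing targets. The illustration below does that post-processing offline over three constructed RFC 5322 messages (the IMAP login is deliberately left out so it runs without a server). The message samples, the function names and the domain example.com are this example's assumptions.

```python
"""Offline post-processing in the spirit of the pillage step described in the talk.

Given mail messages already pulled from a mailbox, find the ones that match a
list of interesting strings and harvest additional target addresses belonging
to the engagement's domain. The mailbox login itself (IMAP) is deliberately
left out so this runs offline; the sample messages below are constructed for
this illustration and are not real mail. Function names are this example's
own, not SPF's.
"""
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed RFC 5322 samples. The second one is multipart with an attachment.
SAMPLE_MESSAGES = [
    """From: Jane Doe <jane.doe@example.com>
To: John Smith <john.smith@example.com>, external@partner.test
Subject: VPN password reset
Content-Type: text/plain

Hi John, your temporary VPN password is in the attached doc. Please change it.
""",
    """From: it-helpdesk@example.com
To: bob.jones@example.com
Cc: Alice <ALICE.WONG@Example.com>
Subject: New OWA server
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please log in to the new portal and confirm your credentials.
--sep
Content-Type: application/octet-stream; name="passwords.xlsx"
Content-Disposition: attachment; filename="passwords.xlsx"
Content-Transfer-Encoding: base64

aGVsbG8=
--sep--
""",
    """From: ceo@example.com
To: john.smith@example.com
Subject: Quarterly numbers
Content-Type: text/plain

See you at lunch.
""",
]


def parse_messages(raw_messages):
    """Parse raw message text into EmailMessage objects (modern email policy)."""
    return [email.message_from_string(raw, policy=policy.default) for raw in raw_messages]


def harvest_addresses(messages, target_domain, known=()):
    """Collect From/To/Cc addresses at target_domain that are not already known.

    Matching is case-insensitive and exact on the domain part, so addresses at
    sub-domains (user@mail.example.com) or look-alike domains are not included.
    """
    suffix = "@" + target_domain.lower()
    seen = {k.lower() for k in known}
    found = set()
    for msg in messages:
        headers = [str(msg.get(h, "")) for h in ("From", "To", "Cc")]
        for _display_name, addr in getaddresses(headers):
            addr = addr.lower()
            if addr.endswith(suffix) and addr not in seen:
                found.add(addr)
    return sorted(found)


def find_interesting(messages, needles):
    """Return (message_index, location, needle) hits for case-insensitive string matches.

    Locations checked: the Subject header, text/plain bodies, and attachment
    file names (attachment contents are not decoded here).
    """
    patterns = [(n, re.compile(re.escape(n), re.IGNORECASE)) for n in needles]
    hits = []
    for idx, msg in enumerate(messages):
        places = [("subject", str(msg.get("Subject", "")))]
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            filename = part.get_filename()
            if filename:
                places.append(("attachment", filename))
            elif part.get_content_type() == "text/plain":
                places.append(("body", part.get_content()))
        for location, text in places:
            for needle, pattern in patterns:
                if pattern.search(text):
                    hits.append((idx, location, needle))
    return hits


if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_MESSAGES)
    print("new targets:", harvest_addresses(msgs, "example.com", known=["john.smith@example.com"]))
    for hit in find_interesting(msgs, ["password", "credentials"]):
        print("hit:", hit)
```

Two points worth noticing when adapting this to real engagement data: the domain check is an exact match on the part after the "@", so a customer who wants only a specific domain in scope does not get sub-domain or look-alike addresses pulled in, and the string search touches the Subject, plain-text bodies and attachment file names only, which is a cheap first pass; decoding attachment contents is the kind of extra work that belongs in the "pillage" follow-up the speaker says he is still expanding.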