
Here with us, my name is Ramírez and Pao Sarr. Later on, we'll have our presentation. I'll share a bit about the agenda. We'll go over it briefly; we don't want to waste too much time on agenda details and such, so we can focus more on other types of protection. But they're selling credentials. The hacker has already paid for their phishing and profited from selling company credentials.

Okay, now I'm going to explain a little more so you have context on how phishing works in the real world. It's not just cloning a page and having someone like it, click on it, or accept the message, however you want to put it. In this case, it works like this. The intention isn't for you to see absolutely everything, but to have a general idea of how it works. This is you: a regular employee of a company who will receive an email. Behind this email is the attacker. You'll only see a simple email, probably just text with a link or an attachment, but behind it there's a lot of research into evading the controls and filters that many companies use today; these days they practically have them implemented by default. And finally, what you're going to see is a classic Office 365 screen, which is what 90% of companies use today. So you're going to see the Microsoft Office 365 screen as if you were logging into your company's Office. Obviously, it's going to be one that the attacker has prepared with a lot of effort and time for this type of attack.

Now, things to keep in mind when running a phishing campaign in general: basic things that we highly recommend considering in terms of tools. There are many on the market; we've mainly worked with three these days: Evilginx, Modlishka, and Muraena. These are three tools dedicated to intercepting traffic. It's like a man-in-the-middle attack; I don't know if you're familiar with it, but you can search for the term. Another tool I definitely recommend using is a terminal multiplexer. It's basically so your terminal session can keep running in the background, so to speak. It's one of the standard features that a URL shortener has today. These days, even for marketing, an exposed internet server is probably necessary. Or you can use your own computer and check if... well, you can have a service that checks whether your email is going to land in spam.

Now, tips to consider when your boss asks you, or when you decide yourself, to do a phishing campaign. You have to have a lot of patience. You have to pay close attention to detail, because if you miss one detail, everything can go wrong. You have to have a lot of love for learning, because this field is constantly being researched; you're constantly discovering new things and trying new things. You have to be creative, to combine things, to experiment in general. Even just being curious to see whether something can work or not can greatly impact the result. And perseverance, because many times you won't have the time, it won't work the first time, it won't work the second time, it might work the 20th time, but it will work. That's what you have to keep in mind.

The other thing is something that some recommend and some don't; it depends on your objective. They recommend buying domains similar to your target's. This isn't certain. Is it buying authorization if you're going to buy from someone who's going to attack you? Well, obviously you have to authorize it, right?
Don't use a domain, no. Sorry: emails only with images, no; use text. And lastly, please use password managers, because you're going to create a lot of accounts, 10, 20, 30, every time you want to send something to test things, and you're going to forget them. So please use one to avoid wasting time. We're not going to skip the experiences part; that will come a little later, so as not to waste too much time on each slide.

Okay, now for some very important parts. Like everything, there's a relationship between the time you invest, the amount of money you invest, and the quality of your phishing campaign. Of course, everyone wants the phishing campaign to be up and running tomorrow and cost nothing, and it's very well exemplified: I'm not God, it's not going to happen. There's no way. We've already tried it; we've sold last-minute campaigns where we suffered a lot, and it was difficult to get them off the ground. The more time you invest and the more money you invest, obviously, the easier it is to achieve a higher-quality phishing campaign. Research: the more development time, the more detail you can include, the better the results you can achieve and the higher the quality of the campaign. The discussion isn't only about how much money you want to invest, but also how much time. So, the budgets we're going to present are low budget, medium budget, and high budget. How much money do you want to invest, and how much time, to see what quality of campaign you want to achieve? This will greatly influence the results you can obtain.

Now, let's start with low-cost campaigns. The tools will be similar, but we're going to present tips on what we use to save on costs, to save on performance, among other things. We have, for example, low-cost providers like Freenom; sometimes it works, sometimes it doesn't. You have to consider the time factor. IONOS, and others; there are many. You can get a domain for a year for 8 or 77, and they add up. You need something that allows you to expose a service. In this case, since you don't have a large budget and don't want to invest a lot of money, you can use OCL.com. Sorry, these are open-source tools that allow you to expose a service from your computer to the internet. It's simple. To shorten a URL, the most well-known are TinyURL and short.io. We mainly recommend Link HQ, because you'll see later all the features it has. You can use a free provider, in this case Gmail. You can automate it, and this goes to the point of saving time and waiting: you won't have to be tinkering with the code, Python, or whatever you want to use. For storage, you can use free storage like Google Drive, the AWS Free Tier, or Azure. If you have your own, you can use that. And lastly, tools to test whether your domain will go straight to spam or not. These can be tools like MailGenius or MailReach, where it will tell you, "Okay, is this email legitimate? We believe there's a 9% probability that your email will reach the person's inbox."

Now, please, I know that not everyone here is a developer. I don't consider myself a developer; I'm not someone who dabbles much in web development code in general. So, if you're going to develop a template and want to use your HTML from university or institute or whatever, please refrain, so that it comes out with better quality. Use email marketing builders, which are literally made for reaching inboxes and making it look nice. Automate everything you can, because if you do it all manually, the hours we've shown you can multiply by three, four, or five. And finally, enable the "s" in everything, especially in the tool we mentioned, because it's wonderful.

Some points from our experiences: make sure to activate public storage for the different storage providers, because we've sent campaigns where users start replying, "Hey, I can't get there, I can't access what I should be able to access," and there we are running around adapting these kinds of things. From there, you should generate links for each document, that is, personalize it, so that you have traceability for each user, whether they got there or not. So invest a little time; it helps a lot. It increases efficiency, because once you make the document personalized, you have a name, you have different details that you can add that give more credibility to the campaign.

Now, we also have tools that will be similar. Regarding domain shorteners, in this case we're including three that have a Premium version. Why? Because Premium gives you more customizable options; it lets you block certain types of users. So, in this case, we highly recommend it because it's the one that has worked best for us. Now, if you're going to
use a generic Gmail or Outlook domain to send emails, you could use email marketing platforms like Maap. It has the best delivery rate. Maap, Amazon SES, and Maet are also good options, but we're not recommending them in that order; that's just how they've worked for us. And finally, you can choose whether or not to use email marketing. If you don't want to use email marketing to send emails, you can use platforms that offer free trials. For example, nowadays only Office 365 lets you use a 15-day free trial, and you have to enter your card details.

One very important point that comes up is budget attacks: cancel subscriptions. They cost a lot of money. Set an alert or some kind of reminder that works for you. We've paid for servers for months, not knowing why this charge appeared, and only then do we start checking. Your charges are like, "No, I didn't cancel it, oh well." The other thing to keep in mind is that if you use free trials, they have conditions; they have their own ways of giving you a trial. So don't expect that just because you use the free trial and because it's 365 (because a customer will receive an email from 365, that is, from the same company), it's okay. It's not. In fact, it's faster for a phishing attempt to be caught, or easier to detect, because it comes from trial domains. So keep this in mind, because it can greatly influence your results.

Now, tips: please never forget to configure the DNS records for the domain you want to use. The SPF record, the DMARC record, and the DKIM record are the three records that you absolutely must have for a vendor to say, "Okay, this looks legitimate, we'll accept it." If you're missing any of these three, your email will definitely go to spam; they'll probably even block it. So yes, you have to have the records, and nowadays setting them up as a super-wow protection measure for a customer is practically useless; anyone can use them. If you want to use a marketing platform, you can use GitHub Pages to create a fake website and simulate that you are a company that wants to use marketing, because they are going to ask you about this, and this control...

Please, this is a tip that you have to use a lot: never send 1000 or 2000 emails with a single click. Put a delay on them: send five every minute, 10 every minute, 20 every minute. Set a range of intervals in which you are going to send the emails, because any company today, in fact Microsoft by default, if you send 1000 emails and all the emails come from the same domain, will automatically flag the domain. So you have to give it a chance to say, "Okay," it's just a communication tool, I don't see it as that strange. You have to get Microsoft to help you too. And lastly, always check that you don't put things like "Hello, how are you? We want a meeting with you. This is urgent." Never use keywords that are already categorized as phishing words, because they will also send you to spam. So you always have to check the way you write.

And lastly, the issue of high budget. Here we already assume that there is a large budget; we already assume that you can afford certain luxuries when spending. We mainly recommend using G Suite, because it comes very well configured by default, and because many companies that use 365 have a Gmail whitelist, so you're already whitelisted by default. Sometimes companies use a tool called GMass, which is a plugin that works with G Suite. This allows you to send emails in bulk to many targets, and it does so automatically, without time intervals. This also gives us statistics on who opened the emails, how many opened them, whether they clicked, whether they downloaded the document, whether they opened it. It allows us to provide much greater traceability, and when preparing the report for the client, we have all the information in a single table.

Another tip that is very useful but not many people want to use is custom SSL certificates. Don't generate certificates for just one name. For example, if my attacker domain is going to be login.fakecompany.com, don't make a certificate only for that domain; create the famous wildcards. I don't know if you know what a domain wildcard is, but basically, when you create the certificate, instead of the full name appearing, only the main domain, fakecompany.com, appears, and before it they add an asterisk indicating that it's a certificate valid for all the subdomains. This is also a way to evade controls, and that's why we're mentioning it. The real thing is that if you have a budget, you should preferably buy domains from Google itself, like Google's Squarespace offering, or buy domains from Amazon, buy domains from
Microsoft itself, but ideally you should buy them from well-known vendors. Paying for the brand is worthwhile in this case, because if someone sees that your domain was bought directly from Google, it seems relatively unreliable, and we're going to let that happen. A recent experience we had is that Google has already outsourced its domain sales to Squarespace, just so you have some context. And finally, if you're going to contract a VPS, check the annual subscriptions to save some money. And lastly, it's not necessary, but your public IP address can get compromised; you can end up on internet blacklists. We always recommend buying a second public IP address, or rotating it if you're using AWS.

So, this is a tip that will save you a lot of money, and it's a great tip: don't buy more than one license, just rotate it. It's very easy. We've used one license for many attacks we developed over time, but it just so happened that in a month or two we were launching two or three attacks. You can use the same license and rotate it; that's a tip that will save you some money, because it's a bit expensive, like two per month. So, the only thing you do is transfer it from one account to another, and the other account can use it freely. So you save a little money, like 30 or 50, depending on the campaigns you're going to run. These are just general recommendations. If you want to automate it with Office 365, you have to enable SMTP AUTH, because Microsoft disables it by default. That was a problem we had in a campaign, and it took us about an hour to figure out, because it wasn't the first thing that came to mind. But if you already have it here, it's something you could use. Look for it firsthand, right?

Now we're going to talk about visual experiences, so you can see that everything we're talking about actually has results. This is the part of the presentation where we share our experiences. This was one we found online to start finding and discovering the different patterns we were talking about: flagged words, flagged phrases. It's like, automatically, it goes to spam or has a much higher probability of being marked as spam. It takes time, doesn't it? The text you want to send... Many times you have to paraphrase things and you can't find the right words. Using ChatGPT helps a lot too, but it's not trivial either. You have to dedicate time to it.

This image is a screenshot of a tool called Mail Tester. It's actually the most recommended tool for a phishing campaign. Why? Because if you get a score like 9.5 to 10 in the tester, you can be sure that your email will reach the inbox. I can assure you: Mail Tester, unlike others that have different types of evaluations and aren't always reliable, is the real deal. This is the one that will work for you, and, as I said, from 9.5 and up. If you want to test whether the email arrives or not, if you want to test the text, if you want to test what you're implementing, that's fine: send the email to the address that the tester gives you, and with this you're not going into production, so to speak.

Now, next, why we recommend it so much. First, it lets you direct traffic by country location. In our case, we've had significant phishing campaigns; it literally went all over the world, in all hemispheres, sorry, and it was almost a couple of countries per continent. So, to prevent the phishing from being open to everyone and to prevent everyone from finding us, what we did was filter it by region, to the United States. We sent it to a server with a specific flag. The other thing is that it allows you to forward parameters. For example, if you want a parameter to locate a certain person, to locate a certain company, whatever you're doing in parallel, you can forward parameters in the URL. And something that's really good and helps us a lot is that it automatically blocks bots. I mean, it's not a big deal, but it filters out many of them, and it's a help. At the end of the day, it's not how you're going to prevent the domain from getting taken down; it's very complicated to avoid that. But perhaps one of the keys, or one of the most important points where we invest the most time in each phishing campaign, is to do as much as possible, every little thing you can do, to make it take longer to take down or detect. It's all worth it. It's a bit like what I was telling you.

Here we can see the different statistics: who opened it, how many clicks there were, who replied to the email. Well, there are different parameters there. This can be presented much more easily; it gives you all the parameters to put together a presentation, to tell the client, "Look, this is how your people, your employees, behaved." And it's
super important; these kinds of statistics help a lot to give variety to your phishing. On the other hand, we can see a screenshot of our phishing after capturing credentials. Here we have a couple of curious anecdotes. Let me start by saying that there are many interesting things you can find online that suggest a phishing campaign isn't always necessary, because the first steps in a red team exercise are password spraying. I don't know if anyone has context for that, but it's very common, and we verified it, because the passwords we found were very easy to find in dictionaries, and by mixing dictionaries as well. So, topic one, topic two: at some point, several of those passwords, as a curious anecdote, when we did some external information gathering, some of the passwords had been published for years and the users still hadn't changed them; the passwords were the same. Yes, very important.

Another thing is that in the case of Evilginx, it shows you when it captures a token. What Evilginx does in general, so you have an understanding of how it works, is simulate Microsoft. In this case, it asks for the user's credentials and replicates all the user's behavior to obtain the session. In this case, if the account has MFA enabled, Microsoft will also show it to Evilginx, Evilginx will show it to the user, and when the user enters, for example, their Microsoft password, their OTP and everything else, Microsoft will think it's the same user, therefore it will let them log in, and they will obtain some tokens, which is what is shown in the third and fourth token columns. All those that say "captured" are because in this case they were captured.

And a very important tip: these Microsoft tokens generally expire in one hour, some expire in six, some expire in eight. If your client, or whoever you're doing this to, is on the other side of the world, you're going to have to stay up all night checking who's there, who's registering, who's logging in, who I'm hacking. And at this moment, the issue of automation, which we're going to get into now, has a big influence. So be very aware that if you're launching a campaign, you have to be attentive. We captured one a long time ago, but because we had three separate processes running in parallel, one of these tokens was from the UK, where they were 8 hours ahead, and when we wanted to test it, it was 6 in the morning, and we said, "Oh, a user dropped out, they weren't there anymore, they're not valid." Why? Because about 6 or 7 hours had passed, and the token that was captured was no longer valid and had to be refreshed. Also, as anyone who does red team activities will know, the team isn't doing just one thing; you're constantly testing a number of things, and it's very easy that suddenly, between the different screens, scans, and other things you're opening to see what to do, you lose time, it suddenly gets away from you, you're very stuck on another topic. It's very easy to lose it, so it's very important to pay attention to that part.

Well, now, results: what results have we obtained so far? Nothing out of the ordinary, we would think, because it's somewhat common, but perhaps not for you. In this case, the question is: if the attacker only has access to the email and, for example, only passwords, what can they do if they haven't breached my server? Here's the result: you have SAP passwords, SAP users, you have VPN installers; if you have a VPN, you're practically inside the company. You have passwords from an agency, different travel-related topics, where certain employees are located and on what dates; we found logs, we found confidential information, different passwords from different users in Word documents, generic users of different systems, not just systems but logistics systems, many other things. So, with different systems, practically the entire company, which we shouldn't go through, because it was perceived that this is specific to the case we had in the United Kingdom. They were able to detect in the United Kingdom that we connected from Mexico City at 2 in the morning. Isn't this a little suspicious? This is something that should be of great importance and value to companies, and nowadays they neglect it. It's not like it's nothing, the activity log. Because suddenly a user travels and then they're gone, but who travels on a Wednesday at 2 in the morning and is in Mexico City, on the other side of the world, and didn't notify you? So it's something they have to take into account, and also how an attacker can take advantage of this: if they realize that at 2 in the morning nobody is watching, what they're going to do is, okay, they're going to disconnect, but then they're going to try to always attack you in the early morning. It's not the typical way of saying, "He sleeps at night," the typical thing; that happens, right?

And now, something like this has happened to us more than once, and these experiences have saved us. Perhaps the first one was very valuable. We were working with a very demanding client, and we made a couple of mistakes. The issues I mentioned earlier about how to prevent them from detecting the flag on your domain: emails started arriving with the warning that it wasn't a good idea to open the email. The flag was even placed on the document itself, indicating that the site wasn't secure. Pablo told me, "You know what? Well, it's not going to happen anymore." I mean, it's over. I said, "No, no, no, don't let it go. There will always be someone who puts in enough effort to make this work." And there was.
We captured like two or three credentials and ended up being domain administrators. It's a red team exercise. Thanks to those credentials. No, no, no, no, don't lose faith. There will always be someone who can break it. The mistake we made was relatively serious. The clean campaign lasted two hours, and after those two hours, the little red screen appeared saying, "Beware of this domain, do not enter." The users did their best to help us, and they entered. Then we had a couple of campaigns... We also had some difficulties uploading the images as we initially planned, and they didn't arrive. This was the phishing email they received. It had its problems. We made some mistakes. It wasn't our campaign's fault, obviously. Whoever falls for it, the truth is that with massive campaigns that I dedicate enough time to, there's always a good chance someone will fall for it.

Another very serious mistake we made was that we forgot to add a slash to the Google link we put in the document. We created a Python script which helps us generate all the documents with the corresponding personalized link, so they arrive in different buckets with each person's specific document. We forgot to add a slash to the Google link we used to replace the URL, and it didn't work. Google sent all the documents, and when the users were following the links to Google, we started getting emails saying, "Hey, it's not working, Google is sending me messages, what do I do?" We responded around 3 in the morning, "Yeah, we're going to send you another email right now," just to click send on the campaign. Obviously, we were super burned out. They still fell for it despite everything, but it's a very interesting topic. The whole topic in social engineering is not to lose faith; keep trying.

And lastly, please, this is what you have to do. Sometimes it's repetitive, sometimes you're going to want to take it easy because you already know them and you say, "It's not a recurring client, nothing will happen," you launch the attack, and you realize that overnight they implemented a solution and they end up blocking your attacks. No, in this case, it was a recurring client. We said, "Sure, it arrives in the email, nothing will happen, we already did it about two months ago, nothing will happen." We arrived two months later and realized that they had a pretty decent anti-spam system, and when we looked at the logs, we realized that all the users were coming from the United States. What a coincidence: the company was Mexican, but it was American. So yes, please, always investigate your users, try sending test emails to see if they arrive or not, and then launch the phishing. No, don't launch blindly, because this can happen. No, look for what... The domain is good advice. And lastly, extras. This is more technical; it's something that will probably be useful to you.
First tip: always use, for example, Muraena, whatever, behind a proxy. Here we can use tools or infrastructure generators. When you set up command and control, you always put a proxy in front of the command and control, so do the same: put a proxy in front to avoid being recognized. Why? Because there's a famous technique that's applied nowadays, which is the TLS fingerprint, also known as JA3 or JA3S, where every new certificate that's generated is reported, and all the companies, well, CrowdStrike, many, many companies, what they do is, when a new domain is reported from Let's Encrypt, they go and scan it. So when you hide it, so to speak, with a custom domain, with a custom certificate, and behind it a proxy, you prevent this detection, so to speak, not automatically.

Two, please: Cloudflare is free. It's all wonderful; it offers you protection against attacks. I don't know why many companies don't use Cloudflare. It offers you many things; among them, a certificate no longer signed by Let's Encrypt, which is the free open-source one, but a free certificate signed by Cloudflare, so greater trust, greater bypass. And it allows you to put your phishing behind Cloudflare's protection, which uses it as a proxy: another, second proxy, where it won't be able to, quote-unquote, find your server's real IP address, so your IP isn't compromised.

Third, always try to check the blacklists; in this case, Cisco Talos manages one, PhishTank... I mean, there are many blacklists on the internet; always check them.

Next, the site itself: I mean, don't just clone the site and modify the domains it has. For example, does anyone know how Ajax queries, or JavaScript queries in general, work? Generally, a page loads JavaScript, and the JavaScript will probably communicate with something at the company. If you don't change the domains that the JavaScript connects to, they will connect to Microsoft or Google, and they'll see, "Hey, I'm getting a query from a random domain I don't know. That's bad." So you have to change those domains too, and that's what that functionality is for: sub_filters. Then, apart from the JavaScript, block everything from external libraries, telemetry, feedback, logs, analytics, everything Google-related, like Google Analytics, Amplitude, Storyline, among other things.
Just block it, because the callbacks will reach those pages, someone will see the alerts and say, "Hey, it's also arriving here, but from a different address, how awful." So please remove it.

And lastly, two very important things. There are studies like this one called "Catching Transparent Phish." Many studies in recent years have come out as a result of these types of attacks, and they provide very good techniques for how to detect them automatically or manually so that your employees don't fall for them. So you have to read them constantly, stay informed, and see how you can do it, what you have to change, or what you're not going to use anymore. For example, if later they come out with a way to detect all certificates without fail, then don't invest time in generating custom ones; whatever comes out will last the same amount of time.

And lastly, perhaps this is one of our biggest highlights: we found an automation, meaning you no longer have to be monitoring. Every time a user logs in, this automatically handles the entire session maintenance process. It accesses the database (in this case, Evilginx's) and keeps the sessions alive so you can access them even at 2 AM when you're running attacks from around the world, allowing you to open and explore these sessions. In short, an email, a password, and a token arrive. What the tool does is log in for you, tell you what's there, and keep it refreshed until you want to log in.

Now we've reached the questions and answers section.

Hello, how are you? Well, I have two quick questions, one somewhat sarcastic and the other serious. The serious one is, for example, how do you complement these campaigns once they're completed? Perhaps with something extra, something other than emails? Maybe you use Google dorks or something similar for enumeration? Another thing: how would you complement this type of red team exercise? And the second question: I'm seeing a lot of QR codes. This is the million-dollar question: are they clean, or will they hack me?

No, the QR codes are clean. They are our links: LinkedIn, this one, and direct links to pages where there are resources. Now, your question was whether there is follow-up to phishing attacks once you're inside. Generally, the next step, which can be automated or not, is to do internal phishing. For example, I hack Ernesto; he belongs to a company, and from his email I'm going to send phishing emails. Now, yes, with malware: now with a malicious Excel file, with a malicious Word file, to infect them. And two, if you want, there are scripts like the one we showed you that can be combined with others to scrape the entire contact directory, everything there is to scrape, because it's usually off-screen. So there are many automations that help you with this. You mix tools, and it's like the follow-up, the next step of what happens next. Or if you already have access, you test the credentials in Active Directory against the domain controller, and then you launch the attacks manually. If you want to do it manually, you can use BloodHound. So you have several paths to go through.

Yes, I would add that it also depends on the timeframes you have and the scope of the project. Listen carefully: if you're going to automate it with BloodHound and query for admins, don't do it in the early morning, because the SOC is already active and they'll detect you. If they're asleep, do it. No, but if not, wait until morning.

Any other questions up there?

What tool do you use to generate these login pages?

In this case, Evilginx helps you with that. Modlishka also helps you generate the same thing. What they do, in quotes, is clone the page, but it's their own. It's what I mentioned about sub_filters: it clones the page, but you can change things so that your domain appears. So with that, you generate the page they'll see.
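Editor's added example (not part of the talk, and not the speakers' own script). The talk recommends one personalised link per recipient for traceability, describes a campaign that broke because a generated link was missing a slash, and insists on sending in small timed batches rather than one burst. The following Python shows those three mechanics together: per-recipient tokens that are opaque in the URL but attributable by the operator, URL joining that keeps the path segment a missing slash would otherwise drop, and an evenly spaced send schedule. The recipient list, the base URL `https://docs.example.test/share`, and the campaign secret are all constructed assumptions for the walkthrough.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode, urljoin

# Constructed sample recipient list for the walkthrough (not real people).
RECIPIENTS = [
    {"id": "u001", "name": "Ana Ejemplo", "email": "ana@example.com"},
    {"id": "u002", "name": "Luis Ejemplo", "email": "luis@example.com"},
    {"id": "u003", "name": "Marta Ejemplo", "email": "marta@example.com"},
]

# Hypothetical per-campaign secret. In a real engagement generate it once
# (e.g. secrets.token_bytes(32)) and keep it out of the template repository.
CAMPAIGN_SECRET = b"example-campaign-secret-change-me"


def recipient_token(recipient_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque per-recipient token: HMAC-SHA256 over the recipient id, first 12
    bytes, URL-safe base64 (16 characters, no padding). The token reveals nothing
    about the recipient and cannot be forged for other users without the secret,
    yet the operator maps a click back to a person via the lookup table below."""
    mac = hmac.new(secret, recipient_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode("ascii")


def build_link(base_url: str, path: str, recipient_id: str,
               secret: bytes = CAMPAIGN_SECRET) -> str:
    """Join base_url and path safely, then append the tracking token.

    The missing-slash mistake: urljoin("https://docs.example.test/share", "doc.pdf")
    yields "https://docs.example.test/doc.pdf", silently dropping "share" because a
    base without a trailing slash is treated as a file, not a directory.
    Normalising the base to end in "/" keeps every segment."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    url = urljoin(base, path.lstrip("/"))
    return url + "?" + urlencode({"t": recipient_token(recipient_id, secret)})


def generate_campaign(recipients: List[dict], base_url: str, path: str,
                      secret: bytes = CAMPAIGN_SECRET) -> dict:
    """One personalised link per recipient plus the private token->id table
    used to attribute clicks when writing the report."""
    links, lookup = [], {}
    for r in recipients:
        token = recipient_token(r["id"], secret)
        links.append({"email": r["email"], "name": r["name"], "token": token,
                      "url": build_link(base_url, path, r["id"], secret)})
        lookup[token] = r["id"]
    return {"links": links, "lookup": lookup}


def resolve_click(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Map a token seen in the web server log back to a recipient id, or None."""
    return lookup.get(token)


def send_schedule(count: int, per_minute: int,
                  start: Optional[datetime] = None) -> List[datetime]:
    """Evenly spaced send times so a batch never leaves in one burst:
    per_minute=10 means one message every 6 seconds."""
    if per_minute <= 0:
        raise ValueError("per_minute must be positive")
    start = start or datetime.now(timezone.utc)
    step = timedelta(seconds=60 / per_minute)
    return [start + i * step for i in range(count)]


if __name__ == "__main__":
    campaign = generate_campaign(RECIPIENTS, "https://docs.example.test/share", "doc.pdf")
    for entry, when in zip(campaign["links"], send_schedule(len(campaign["links"]), 10)):
        print(when.isoformat(timespec="seconds"), entry["email"], entry["url"])
```

The `lookup` table is the only place the token-to-person mapping exists, so the links themselves can be pasted into documents or shortener dashboards without leaking who received which one; the schedule is a list of timestamps the actual sender loop sleeps until, which is what keeps a 1000-message campaign from arriving as a single spike.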
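Editor's added example (not part of the talk). The speakers say a sending domain needs SPF, DMARC and DKIM records before a receiving vendor will accept its mail, and that a missing one sends the campaign to spam. The check below parses the three record types and reports the conditions that matter on both sides: a campaign operator wants all three present and enforcing on their own domain, and a defender auditing a customer domain wants the same, since `+all`, `p=none` or an absent DKIM key leaves the domain spoofable. The TXT records are constructed stand-ins for the domains `good-sender.test` and `weak-sender.test`; swapping the dictionary for a live TXT lookup (for example dnspython's `resolver.resolve(name, "TXT")`) is the only change needed to audit a real domain.

```python
from typing import Dict, List, Optional

# Constructed TXT records standing in for real DNS answers (not real domains).
SAMPLE_TXT: Dict[str, str] = {
    "good-sender.test": "v=spf1 include:_spf.example-mailer.test ip4:203.0.113.10 -all",
    "_dmarc.good-sender.test": "v=DMARC1; p=reject; rua=mailto:dmarc@good-sender.test; pct=100",
    "s1._domainkey.good-sender.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample",
    "weak-sender.test": "v=spf1 include:_spf.example-mailer.test +all",
    "_dmarc.weak-sender.test": "v=DMARC1; p=none",
    # weak-sender.test publishes no DKIM key at selector s1 at all.
}


def parse_spf(txt: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'.
    Qualifiers: '+' pass (default), '-' fail, '~' softfail, '?' neutral."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"
        body = term[1:] if has_qualifier else term
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tagged(txt: str) -> Dict[str, str]:
    """DMARC and DKIM records are 'tag=value; tag=value' lists."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_sender(domain: str, selector: str,
                 records: Dict[str, str] = SAMPLE_TXT) -> List[str]:
    """Return human-readable findings; an empty list means all three records
    are present and enforcing for this domain and DKIM selector."""
    findings: List[str] = []

    spf_txt = records.get(domain)
    if spf_txt is None:
        findings.append("SPF: no record")
    else:
        spf = parse_spf(spf_txt)
        if spf["all"] in (None, "+", "?"):
            findings.append(f"SPF: 'all' qualifier {spf['all']!r} authorises any host; use -all or ~all")

    dmarc_txt = records.get(f"_dmarc.{domain}")
    if dmarc_txt is None:
        findings.append("DMARC: no record")
    else:
        dmarc = parse_tagged(dmarc_txt)
        if dmarc.get("v") != "DMARC1":
            findings.append("DMARC: missing v=DMARC1")
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={dmarc.get('p')!r} does not enforce; use quarantine or reject")

    dkim_txt = records.get(f"{selector}._domainkey.{domain}")
    if dkim_txt is None:
        findings.append(f"DKIM: no key at selector {selector!r}")
    else:
        dkim = parse_tagged(dkim_txt)
        if not dkim.get("p"):
            findings.append(f"DKIM: selector {selector!r} has an empty public key (revoked)")

    return findings


if __name__ == "__main__":
    for name in ("good-sender.test", "weak-sender.test"):
        print(name, audit_sender(name, "s1") or ["ok"])
```

The DKIM selector is an argument because it is not discoverable from DNS alone: it comes from the `s=` tag of a signed message's `DKIM-Signature` header, so in practice you read one real message from the sender first and then audit that selector.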