
Cool. All right, it's going. All right. So thanks for hanging in there. This is Phishing Like the Bros. I'm Louis Santana. I go by Connection on the internet. On Twitter, I go by Hack Talk Vlog, because I like to confuse people. And I've got to record it. You got it. Yeah. So I like to confuse people, I guess. So brace yourself, there's a bunch of shitty memes coming. I gave this talk in Norway, and a lot of the memes, people were just like, "Whatever, I don't get why that's funny." I hope this crowd's different, because there's no language barrier; otherwise it's going to be some pretty bad déjà vu.

So who is Connection? I'm an independent security researcher. I'm Hack Talk Vlog on the Twitters. I'm a Boba Fett lover, so screw any Han Solo fans out here. Yeah, I kind of want to buy a Boba Fett suit and give all my future talks just full Boba Fett out here. I usually rock a Boba Fett hat, but I guess I just forgot it at this conference.

So, learn from the experts. Fishermen are pretty badass, but bears depend on fishing to live. So we examine people that do this for money in order to become better as hobbyists than professionals. So there are a few habits of really effective phishers. You want to have really good bait, because you want to be able to entice somebody to do whatever it is you're trying to make them do, whether it's click a link, or enter some credentials, or run a file, or whatever. You want solid templates, because the best thing about phishing is if it works once, you can blast that out and replay it at least five or six more times during other campaigns, and you know it's a good campaign, so it's going to convert well. Keep it simple. People are stupid. They like simple things, so appeal to that. Log what works and replicate it. This goes back to solid templates. If you find out that every
time you try to send an email pretending to be the tech department ("Hey, you've got to run this file") no one ever clicks it, start reworking it, but also realize that it just doesn't work. Whether people are just smart to that or you suck, you should stop using it. But learn what does work and replicate that. Try to apply that to your other campaigns, because if it works once, chances are it's going to work again. People don't change that often.

Phishing like a boss. So, bait is very important. You can get bait by looking at a couple of different sources. You can look at local news, see if anything's going down in a certain area where you can kind of abuse that. This is especially important for criminal phishers. They're going to take advantage of things like the Target leak and be like, "Hey, we're Target, and we recently saw that your credit card got stolen. So sign up here and give us your social and we'll give you some credit protection," or something. You leverage that local news to own people, especially people that aren't super tech-savvy. You want to look at important documents as well, like legal documents, internal memos, whatever. These are actually super easy to find. Just with Google dorking you can find company PDFs that shouldn't be shared, like new hire orientation information, and just get as much information about your target as possible. Know your target audience. Know your demographic, because that way you're going to be able to tailor-make everything for them and ensure that your line is well baited and people will take it.

Next, solid templates. A certain language is expected. You can't just blabber off with internet memes like my talk is doing and expect a lot of people to click your link if you're sending it to a corporate environment. It's just not going to work. That's
not the way it works. So if you can read internal memos or any kind of literature that that company provides, or your target provides, it's going to help you learn to speak like your client; learn to write like your target, speak like your target, and it's going to make your life a lot easier. Company letterheads are great. I love to do whatever I can to get letterheads, whether it's signing up for a newsletter or whatever; I don't care, that's my spam email. Get some letterheads, because when you email someone using that letterhead, it's great. It looks legit. It's got the letterhead. If you can get the footer of something, like the confidentiality notice, that's awesome too. So that's why actual emails from targets are amazeballs. They've got letterheads. They've got the company email address structure, so it could be firstname.lastname or first initial plus last name. You get to know what their emails look like, so that your fake emails will look a lot more legitimate. And yeah, you get letterheads, you get footers, you get just a slew of information. And while I wish I could just write emails like "you're, like, totes def amazeballs," sadly those don't
convert well. So you've got to keep it simple. Overcomplication is your enemy. People are easy and people are busy. They don't have time to read a four-page-long email of "this is why you have to upgrade, blah blah blah." They just want to be told, "Hey, go to this link, run this, and then you're good to go and we'll get out of your hair." Keep it simple, keep it short, and people are easy. Social engineering is obviously not a new vector of attack, and phishing is really just the electronic form of social engineering. Keep your things simple, keep them concise, and you're likely to get really, really good conversion rates. I guess as an anecdote to this: on one of my first phishing campaigns, I had this super detailed, super lengthy wall-of-text-looking blob that I sent out. Not a single click in the entire organization. I came back three months later and sent something super simple. It was like, "Hey, we're upgrading our Cisco VPN, and in order to be able to connect to it, you're going to have to run this Java updater." It was legitimately five or six lines, including the confidentiality notice or whatever. Sent it out and I got like a 70% click-through rate. So sometimes simple is the best way to go. People realize that even IT departments and HR are busy, so they don't hold it against you if your email is short and to the point.

Hunting for food just got easier. So you have to learn from fail. No one has a 100% click-through rate on any of their phishing campaigns. And if you do, I want to talk to you, because I want to be that awesome. So you have to analyze your failed campaigns. Identify points within your campaign where your failure was. Did you get people to click on your email link, but when they went to your
website, they didn't download the file, or they just didn't log in? Or maybe they downloaded the file but didn't run it? Identify where your weak point is so that you can learn to adapt and make it better. If your emails themselves just suck and they're not converting, take a technical writing class, or look at some marketing emails and see how they're trying to get money out of you. So definitely look at that. And repositories are amazing. I have a private git repository, and every time I make a really good phishing campaign, I throw all the files onto the repository. I don't have to remember it. And I actually split it up. I have works in progress, completed success, and completed fail. You want to keep your fails, because as you become more and more successful, you'll be able to look at those failed campaigns and determine, "Okay, well, this failed, but I've gotten a lot better in that aspect," and you might be able to rework a campaign that you had thought up a couple of months or years back and get really good conversions. And it's actually something that I do all the time. I'll run out of ideas for creative phishing, so I'll go back to my failed ones and be like, "How can I make this better?" And it's surprisingly
effective. So I would recommend keeping your fails as well as your successes. That's pretty fail. It looks like the fish is biting its tail too, which is pretty lols.

So, failing, especially in regards to PHP: avoid PHP's mail function. I'll explain this right now. I don't know if you guys in the back of the room can see it super well, but when you mail with PHP's built-in mail function, it does a few things. It adds the X-PHP script header to the email. So automatically you know this was not sent from someone's Outlook; someone used a PHP script for this. Additionally, it tells you exactly where the script is hosted. So they now know where you're phishing from and you can easily get blacklisted, and it also tells you the IP address of the person that sent it. So "this guy at slashim images.php with this IP address is trying to phish your organization." I mean, it's great if you want to get arrested, I guess, but not great if you want to avoid bait detection and have a good phishing campaign. Yes, you want to avoid that. PHP has the PHPMailer class. Use that. It'll allow you to do SMTP authentication and send over SMTP.

Another good thing: keep search engines away. I can't stress this enough. If a search engine crawls your
website and it's a really good phishing page and it happens to get indexed on, say, Google, your client is going to be pretty pissed off at you that legitimate customers are now going to your website and basically giving them a bad name when someone eventually says, "Hey, I got my password sniffed." Don't get blacklisted. I used to work in the web hosting industry. We used to have people come to us all the time like, "Hey, I got blacklisted because I sent a bulk mailing campaign and I was stupid." Blacklisting in general, you can get out of it, but it makes the reputation score of your SMTP server pretty crap.
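The header tell just described (PHP's mail() stamping an X-PHP-Originating-Script line on every message it sends) and the ones the talk gets to next (a Reply-To domain that differs from From, links to bare IP addresses, and hyphenated or misspelled look-alike domains) are exactly what a receiving security team triages on. As an added example, not code from the talk or from the speaker's tool, here is a small Python script that runs those checks over a constructed message; the trusted-domain list, the sample headers and the 192.0.2.10 address are made up for the demonstration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization legitimately uses (constructed for this example).
TRUSTED_DOMAINS = {"corporatewebmail.com"}

# Constructed sample message showing several tells at once (see analyze()).
SAMPLE_RAW = """\
From: Reserve Bank of India <info@rbi.com>
Reply-To: transfer_de_rbi2@outlook.com
X-PHP-Originating-Script: 1000:images.php
Subject: Account verification
Content-Type: text/html

<html><body>
<p>Please <a href="http://192.0.2.10/~user/login.php">log in to Windows Live</a>.</p>
<p>Or visit <a href="http://corporate-webmail.com/">corporatewebmail.com</a></p>
</body></html>
"""

class _AnchorParser(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(header_value):
    # Mail domain of an address header, lower-cased ('' if the header is absent).
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one-character knockoffs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `host` imitates (inserted hyphen, dropped or
    swapped letter, any other single edit), or None if it is clean."""
    host = host.lower()
    if host in trusted:
        return None
    for good in trusted:
        if host.replace("-", "") == good.replace("-", "") or _edit_distance(host, good) <= 1:
            return good
    return None

def analyze(raw):
    """Return 'tell:detail' strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # Reply-To pointing at a different domain than From.
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # Headers PHP's mail() stamps on when mail.add_x_header is enabled.
    for name in msg.keys():
        if name.lower().startswith("x-php-"):
            findings.append(f"php-mail-header:{name}")
    # Links: IP-literal hosts, visible text naming a different host, look-alike hosts.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    parser = _AnchorParser()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if _is_ip_literal(host):
            findings.append(f"ip-literal-link:{host}")
        text_host = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        if "." in text_host and text_host != host:
            findings.append(f"link-text-mismatch:{text_host}!={host}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"lookalike-domain:{host}~{imitated}")
    return findings
```

Running `analyze(SAMPLE_RAW)` reports all five tells on the constructed message, while a plain text message from a single domain produces no findings.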
So you should avoid getting blacklisted, unless you just want to buy a new SMTP host. But more importantly, if you get blacklisted by certain people like Google, there is no way to get off their blacklist. You can't email them about it; they just automatically respond to you. There's no form to submit, because they're Google. They don't have to give you a damn form. They're like, "Whatever." And a lot of people look at Google for reputation. So even if you're not on any other blacklist except Google's, people will be like, "Well, Google says this guy's bad, and Google sees tons of mail traffic. He must be bad." If your emails aren't getting into people's inboxes and are going straight to spam, you're wasting your time. Spoofing Reply-To is for chumps. I have a slide about this in a little bit, so I'll get back to that.

And I'm just going to show some examples of failing. So this is an example of words that people expect, and language and stuff. I'll read it out, because I know it might be small in the back. This is actual spam that got sent to my email. It says, "Hi, I am Miss Henna. I would like to be friend with you. It takes two to tangle and
make a trail of friendship. I would have to know more about you and I am sending a picture of myself to you already. I am a lady with a loving heart," and blah blah blah. But within the first sentence it's "I would like to be friend with you." Like, this seems legit. Then she took a common saying, at least for America a pretty common saying, "it takes two to tango." She said "it takes two to tangle," and capitalized it, like, "Hey, here's my fail." I mean, she's a pretty cute girl. I don't know if you can see her. I wouldn't mind being friends with her, but something tells me this ain't right. And anyone that's ever had iPod headphones, you know that it definitely only takes two to tangle.

So I was talking about spoofing Reply-To. First of all, would anyone get beer there? It seems legit. I went to a bar in Norway that looks similar to that and I was like, "Oh man, they took this right out of my slides." So spoofing Reply-To is stupid. It's for chumps, and anyone that does it is a noob and should rethink their entire campaign. So, a header within an email message is the Reply-To. It's a pretty cool thing. I can send email from one address but make sure that when anyone clicks reply, it emails another address. So that's what Reply-To is. If you look up top, it says it's from the Reserve Bank of India, info@rbi.com. Seems legit. I mean, easy to spoof, but seems legit until you look at the Reply-To header. And the Reply-To header is transfer_de RBI2 (this is probably their second phishing campaign, or someone else is also running this) at outlook.com. Something tells me that the Federal Reserve of the Reserve Bank of India isn't running on outlook.com. It just doesn't seem likely. So it's a quick and easy flag. Anyone that's technical is going to see that. They're going to know it. Anyone that works on a security team doing incident response, when someone reports the phishing, they're going to see that email. Bam, you're blocked, blacklisted. They're going to contact Outlook and probably get your account shut down. You just screwed yourself. So just don't do it. What I like to do is I'll buy a phishing campaign. If I was going to phish the Reserve Bank of India, I would go and register rbi.co.in, like .co.in is India. That might not be registered. If it is, I can just register rbindia.com or any number of
knockoff domains, and when I email from that, I can email from info@mydomain.com, because I can make that. And if it looks legitimate enough, if it's a small typo or you just hyphenate something, most people fall for it. An example: if we were looking at corporatewebmail.com, which I don't think is a real thing, I can just buy corporate-webmail.com. It's quick and easy. People aren't going to notice it. Or I can remove the "i" in webmail and it still just looks like webmail. People don't notice those things. It looks legit to the eye. Again, people are stupid and they're busy. They don't have time to make sure everything looks legit. So you'll bypass a lot of filters that way.

Oh, another big thing: stop trying to use link tags via HTML to hide what you're trying to do. Every mail client since forever will show you what you're redirecting to. So if you look at this, it's an email from some Windows Live social media thing, I guess. I don't know, social networking thing. So "Felipe," "size more," "change what types of notifications," and "add friend" all point back to this URL. Not only does that look suspicious because it's 74.53-something, an IP address, which looks sketchy to begin with, but then anyone that knows web servers will look and see that they have mod user draw on, like the user's credit SA, and it just looks really fishy. Even if I wasn't a security person, I would think twice, because this doesn't say Windows Live Social Network or whatever the hell this is. It just looks fishy. There are numbers; I'm not used to seeing numbers in my URLs. Just buy a knockoff domain, and then you can host it and it'll look legit. And you won't have people questioning why Microsoft is emailing from this weird number address.

So chumming the water is
extremely important. Once you've got some bait, you've got to make sure there are some fish that will be there. Otherwise you're just casting and it's just a waste of time. So, chumming the water: you want to join e-newsletters. You want to find a reason to make people email you. You want to find internal docs, and you want to save phishing examples. All the examples I showed before were phishing emails that were sent to me. I mean, they were really bad, but they're all examples. Another thing I like to do: when Target had initially emailed me about the compromise, because my credit card number was legitimately in the Target compromised data or whatever, they wanted to offer me credit reporting, and I was like, "Damn, this is a really good phishing example." I mean, it's legit. I checked it out. They even called Verizon and everything. But I was like, man, I could spin this if I was a criminal hacker. I could spin this and steal people's credit card information, their social, all that good stuff. So sometimes phishing examples are really just legitimate emails that you can twist to your whim. Yeah, find internal documents. Again, with Google dorking you're going to find a bunch of stuff using filetype and a bunch of all that fun stuff. Just poke around. And finding a reason for them to email you: this is a lot easier on the corporate side of things, when you're being asked to assess someone. It's not as easy doing this as a criminal. But what I like to do is I'll tell my client, "Hey, how's it going? Just want to reach out to you." And when they email me back, I get a bunch of information from their email. It gives me a lot of useful stuff. And joining newsletters is really fun, because not only do you stay up to date with what that company is doing, at least from a public aspect, but you get letterheads and you get jargon and terminology. So it's very effective. And I've actually got an example here. My domain registrar is Name. They're cheap and that's why I like them. But this is an email that they sent me. From this email, I not only get their header, their corporate banner thing; I know that in September they are launching UK hosting. So I could start attacking their UK branch, because they're probably new and inexperienced. So yeah, you can start poking and prodding information out of things like newsletters that the company might think are just innocuous: "Oh, no
one wants this information. It doesn't matter." But you can definitely spin it to your advantage.

So when I was looking at phishing, I was like, how do I become a better phisher? How can I step my game up so that I can own companies all the time? And I got to thinking, well, criminal phishers aren't going to tell me their secrets, because that's how they make money. But there's another type of person that sends a bunch of emails to a bunch of people and hopes that they do something. That's internet marketers. Internet marketers make their living by making you click on a link and buy a product, or click on a link and subscribe to a newsletter, or any number of things. So if these people can basically do the same thing I'm doing, except they're trying to make you buy a product and I just want you to run an executable, I can learn a lot from these people. So I went to a couple of different forums and user groups and whatnot and just kind of learned for a couple of months, and I was like, I want to learn everything. I went to the tutorial boards, I read a bunch of stuff, and I came up with these techniques that are effective. Some of them are techniques of my own, but definitely incorporating things that I learned along that time. So these techniques are running split campaigns, multiple attack vectors, oops emails, and just corporate BS emails. I'll get into those right now.

Split campaigns: what are split campaigns, why should we use them, and some examples. So split campaigns are very much like my little friend the cat here. Half of the campaign is one thing, the other half is the other. And it leads to more variety, as you can obviously see. So what I like to do is, if I get, say, 30 people that I'm authorized to phish, or there's 30
people I want to phish, I'll split that down the middle at least. So I'll get 15 and 15, two groups. For this group, I'm like, all right, well, I'm just going to try to steal login credentials. So I send them to a landing page where it's like, "Hey, you have to log in to view this content." After they log in, I steal their credentials. I have to log in as them, goof around on the network. The other half, though, I'm like, I just want a shell. I don't care about your password. I just want to have a backdoor in your computer that I can use to attack the network. So I'll send them a malicious Java executable, or an exe file, or whatever. So splitting it up is extremely, extremely useful, because you don't put all your eggs in one basket. If you send out an email to 30 people at one time and a single person reports it, those 30 people are now not going to click on your link, because the information security department is going to jump on that. They're going to blacklist the website, make sure that no traffic gets out. The second a single person reports it, that entire group you just emailed out to is dead. Splitting it up into at least two groups, you've got two shots. Two people have to report this damn thing before you're completely shut down. So definitely try to split your campaigns up whenever possible, especially if you want to go for that kind of twofold attack: get some shells as well as steal some credentials. Live or die, Batman. Love that little guy.

Multiple tools, or multiple attacks, sorry. So what are multiple attacks, why use them, and example scenarios. Like I was saying, this goes hand in hand with split campaigns. Don't just send 15 emails to this group and 15 to that group where they're both trying to harvest credentials. That's a waste of time. You're better off just emailing all 30 people. Do multiple attacks. Split
your group up into three groups of 10, and see: this first batch of 10 people is really susceptible to just clicking on links in general. So you can use that as a simple random sample of the maturity of an organization. If these 10 people will click on a link that just 404s, then my other 20 people are more than likely going to click my link. So you know that you're good on that aspect. To the next people you can try to send out the phishing campaign which harvests credentials, and if that fails, you start analyzing why it failed. You're like, "Oh, well, they went to my website, but they don't like typing things in." So you know that you can adjust your last attack to be: send them an email, and they just click a link and there's a download button. Don't make them log in, don't make them type anything. Right in their face, bam, download this and run this. It allows you not only to assess an organization in phases and adapt as you go, but also to really fine-tune your campaign to this specific organization. No organization is at the same maturity level. No organization is the same. So something that works 90% of the time just may not work on this organization, because maybe they're not that susceptible to this sort of attack. And so, because of that, sending out short bursts of emails and trying multiple attacks is extremely effective for ensuring your conversion rate.

So, oops emails. This is actually really, really great. This one time it was a complete fail, and I'm so happy that I failed. I sent a phishing email out to a group, and luckily I was doing split campaigns, so I sent it out to 15 or so people, and I said, "Here's a document for your W-2 form. You've got to open it up and follow the instructions on screen to get your W-2
information." But when I sent it, I forgot to attach the malicious document. And so I'm like, crap, the world is over. I just ruined this. I don't know what to do now. This whole group is just screwed. Then suddenly, five or ten minutes later, I get an email back to my phishing email, which was great, first of all, because they thought it was a legitimate address. And second of all, they were like, "Hey, just a heads up. It seems like you forgot to attach the W-2 forms." And I was like, "Oh, wow. This guy's been waiting for ten minutes and he really cares enough that he's going to email me back." So I sent him an email with the corrected document, and legitimately less than a minute later, I see a shell connecting back to my box. I was like, "Holy crap, what if I just mess up all the time? What if I send all these oops emails?" So I decided to test it on a different customer. And I was like, "Hey, just emailing you, blah blah blah." Sent them an email, but didn't give any of the information I promised. This, I learned, does a few things. First of all, if you have a relatively new SMTP server, you may have not the best reputation score, or, kind of worse, a zero reputation score, which is like "this guy can go either way." But what's really good is, if people don't mark your message as spam, none of the blacklists have a reason to mark you as a spammer. So when you send it, you're ensuring that you get into their inbox. Then when you send your second email, not only are they waiting for it, it's going to jump to the top of their queue, because they've already got a message from you. They've already got this established connection with you and they already want what you promised to give them. At this point they're possibly a little upset, like, "Dude, I've been waiting on you to get my W-2. Hurry the hell up." So when you send that out, they're super eager, super excited. They'll click on your link and do whatever the hell you want them to do, because they're already waiting on you. "So yeah, also will not report you with the payload versus setting up all the payload." Exactly. Yeah. Yeah. Exactly. So, for anyone that couldn't hear, he was saying they're also less likely to report you with your payload, because you've already gone through once and they're assuming you only messed up on them. So they're not going to report it or anything. It's extremely, extremely useful. I suggest that everyone use it. I love oops emails. This is a funny picture.
My fiancée was an RA at UCF, and so she would get really crazy residents come in and ask stuff. And so sometimes you'd see RAs write really funny things, because they're just sped up. So this one says, "If your internet is not working, I am sorry. Email me your name, room number, IP address. It is working on situation. Email:" and then an email address. But if my internet's not working, how the hell am I supposed to email you? Oops. So, this is a funny example. This isn't exactly an oops email, but it's definitely an oops when the client got the response. It says, "Dear help desk, thank you for creating my account so fast, though it's very funny, but how can I sell our products with an email address as bitchacore hotel.com? Please change it ASAP. Thank you in advance, Bill," some name I can't pronounce. He's like, "Dear Mr. Law, unfortunately, accounts are generated from your initials. We cannot change it. You can believe me. Regards, Johnny Ergson, a jerk at a hotel.com." Oops.

So, corporate BS. What's corporate BS, why should you use it, and example scenarios. Corporate BS is at least 90% of the emails you ever get while you're at work. It's stupid stuff you couldn't care less about, but it gets in your email anyway.
And it's important, because it's from HR or the IT department. You're just like, I don't care. But it's useful, because people, while they may not care, know they have to get it done. If HR sends you something and it's marked as important, you'd better get on that. So yeah, you want to use that to your advantage. You want to be able to put yourself in that position of being the HR department, like, "Hey, you need to do this now or you're not going to get benefits for the next year." And people are like, "Damn it, I don't want to do this, but I do love my benefits." So use that against them. Write crazy HR stuff that you've experienced at your own job. If your HR department recently decided to change your healthcare provider, you could use that and tailor it to someone else. HR departments are pretty good at writing HR emails. So reuse it, send it to them, say you're changing healthcare providers, and then give them a phishing page of some random healthcare provider that you've set up, and steal their credentials that way. See if they're reusing those credentials on the corporate network or on the VPN or what have you. So yeah, just get creative. And what's great about this is HR supplies all these corporate BS emails to you on a daily basis. So, unlimited stock, basically. And your funny email is definitely not appreciated in communist corporate America.

So, a lot of this code is really alpha. I decided I want to develop a tool to help me phish things, but more importantly I want to develop a tool that helps internal security teams phish themselves. There are a lot of tools out there, like the Social-Engineer Toolkit. It's great. Dave Rock is an awesome dude, badass coder. But it's more for the offensive. It's more like, I phish you, I own you, I exfiltrate data out. Sometimes I just want to get metrics. I just want to
see, hey, how many people clicked my link, or who clicked my link. Or I just want to not own someone; I just want to see how I'm doing security-awareness-wise. So I decided to code this tool called Fishbowl. It's in PHP and JavaScript, because why not? It's open source. It's up on GitHub. If you have any issues with it, yell at me. If you want to submit a patch, feel free; fork it and I'll be happy to look at it. It's made for internal security awareness programs. It can be used for offensive attacks. You can definitely set this up and own people with it. That's just not the focus I had while designing it. And setup is a breeze. You clone the repo or download it, whatever you want to do. You throw it on a LAMP stack, so Apache, MySQL, and PHP, and you're good to go. It even comes with its own install script, and you'll be off and running in no time. Or if it breaks, please let me know, because I've had it break on one environment, but we got it fixed.

So why not SET? Why would you want to use my tool instead of SET? Well, like I said earlier, it's different objectives. SET is really for the consultant, for the pentester that just wants to get in and own you. He doesn't really care about metrics as much. Just kind of wants those shells. I care about the metrics, because if I realize that a phishing campaign of 100 went out and only one person clicked it and they got owned, it's a lot different than saying, "Hey, we phished you and you got owned." Having metrics, knowing it's one out of a hundred, that's not so bad. My security awareness isn't terrible. That guy is also just a new employee. So being able to correlate who clicked it and where they are in the organization is extremely important to me, and why I added it into Fishbowl. Also, I guess, masochism: why not reinvent the wheel? There are 40 million other phishing frameworks, but I want my own, damn it. And pretty graphs, because I love graphs. I found this really badass JavaScript library. It does line graphs and exploding pie graphs, just all this craziness with the data. So you could definitely start to visualize it. Also, I'm a geek and I love Markdown, because I'm always on GitHub and stuff. So I decided I want to have an email template creator that's made in Markdown. That way I can create HTML emails without even knowing HTML. I can teach any
person markdown because it's just like it's for the most part natural language with a couple formatting tags, but it'll generate 100% pure HTML. And if it's a power user and they already know HTML, you can just throw HTML in there anyway and it'll uh it'll generate. So extremely useful like quick prototyping of things. Uh I normally show uh like a live demo of the tool, but internet here is fairly wonky. So I have a few pictures and this is like show and tell for geeks. Um, so this is like the interface as of I guess October. Uh, as you can see like it says traffic stats and it shows my stats by day. And this
little line graph does this little thing when I hover over it: it tells me exactly how many people clicked. October 11th I got over 25 clicks, maybe 26 or 27 clicks. So you can kind of see how things go. I've been thinking about also implementing this per campaign. So if I do the same customer twice, or my same company twice, I can see, hey, this was last year's, this is this year's, and you can overlay it and see if things got better or worse. So here's more pictures and stuff. I guess I should have blurred some of these, but so this is
an older interface. It doesn't show all the campaign information, but if you look, it says hit number 58 in my entire database came from the IP 76., their hostname, their browser was Mozilla, so Firefox, version 11. They're on the Windows OS and they did it December of 2013 at 8:00 in the morning. It also now pre-populates the campaign and the unique user ID. So if you name your campaign "quarter one campaign" or whatever, it'll show up there. And the user ID is an extremely long hash. It's a bcrypt hash. A lot of people normally will do stuff like they'll base64 a username. But I'm
security aware and realize, hey, maybe my PHP isn't super secure, and if I get owned, I don't want people to just be able to base64-decode email addresses, figure out who I've been phishing, figure out who falls for phishes. So I made them bcrypt hashes, which are notoriously difficult to crack hashes. They're difficult to brute force because it takes forever for the algorithm to generate one possible candidate. The good thing about it is you can leverage every available password cracker to crack these hashes, and you have the email addresses that are used to generate them. So you've got the email addresses as your wordlist and you've got the hashes
instantly cracked. You can determine exactly who clicked on your link. If you don't care, you just want to be like, "Man, that guy with the 128-character-long user ID is a douche. He always clicks our links." That's fine too, if you just don't want to know who it is. So yeah, it goes through pages. I got like four pages worth of phishes there, or worth of hits. Extremely useful information, especially if I want to attack this company again in the future. I can be like, "Hey, most of them are running Internet Explorer 7." So I get an Internet Explorer 7 exploit, send it out. Ownage. So this has been replaced
now, but you can still do this. You can add IPs to blacklists. So if you're like, hey, I don't want traffic from this IP address to come here, you can block it. What I have added though, so this was initially added to keep search engine crawlers away, and the database used to be pre-populated with all the IP address ranges of Google, Bing, Yahoo, Yandex and some other one I can't remember. But yeah, I just decided, you know what, if they don't have a campaign, if they don't have a valid campaign and a valid user ID, this dude's not legit: ban them. Send them off to 4chan.org or something,
redirect them, do whatever you want with them. Creating the campaign is extremely simple. You type the name of your campaign and the directory, or the URL, of where you're going to host your landing page. One of the beautiful things about Fishpole is that it can be run decentralized. You can have your database on a server way over here and host all your phishing scams way over there. You import one file, it will connect to the database and log everything to the database. I like doing that personally, because I'll buy a different domain on a different web host every time I phish something, so that my
IPs are constantly changing. My logging server stays static, but no one ever sees that. So that way I can bounce around, and if one of my resources gets burned, whatever, I've got more. Here is the Markdown editor. Fairly simplistic. You write your emails in Markdown. If you can see here, I've got break tags, because you can just throw HTML right in there. You can't see it, but normally right around here is a little eyeball when you hover your mouse over it. If you click on it, it will take all the Markdown and HTML here and generate HTML and show you exactly how
it's going to look when you email your target. The one thing to note, and there's a note on top: when you go to type in the URL where you want to phish them from, you have to use a kind of special syntax. It has to be @@URL@@. It'll go into the database and grab the URL you said you were hosting on and populate that when it submits it. So here's an example of it fully generated. It went straight from the Markdown and made this email. That's exactly how it's going to look when I email that to a target.
So I know really quickly: oh, this looks good. That was one of the gripes I had with a lot of phishing frameworks, including SET. You didn't always know exactly how your emails were going to look. So you had to email yourself first and do all this back and forth. And I was just like, screw that. I just want to see pure HTML email and I'll be good to go. A feature that was requested was cloning sites, because it's really nice to just be like, "Hey, I want to phish this website." So you give it a URL, you submit it, it rips everything down, including the favicon.
So everything looks legit. It changes all link references to local or to remote references. So you don't have to change where images are; it just does all that for you. Extremely useful. It also will inject the code that determines browser version, and it does click tracking so it knows when you click on things, and just injects all the prerequisites. Super simple, super easy. Yeah, so that's the talk. Do we have any questions or comments or things to throw at me? Nothing. Cool. So here's my contact information real quick then. hacktalkhacktalk.net, or hacktalkblog on Twitter. If you want to donate Dogecoin, that is my address. If you want to
download Fishpole, which is probably the most important part of this talk, I guess: github.com/connection/Fishpole. Thank you guys. You've been awesome.
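Two design points from the talk, the hashed user IDs in the tracking links and the rule that a hit without a valid campaign plus user ID pair gets redirected away instead of logged, illustrated in one added Python example. This is not code from the talk or from Fishpole: the target list is constructed, SHA-256 stands in for bcrypt so it runs without extra packages (bcrypt's salt and slowness only mean each logged hash is checked against each candidate address in turn, and the candidate set is still just the campaign's own target list), and the query-string field names `c` and `u` are assumed.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample target list for the demo (not from the talk).
TARGETS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def hashed_id(email: str) -> str:
    """Stand-in for a user ID derived by hashing the address.

    The talk uses bcrypt; SHA-256 is used here so the example needs no extra
    packages. A slower hash does not change the outcome below, because the
    only candidates that need checking are the campaign's own target list.
    """
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def recover_from_target_list(ids: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Defender-side check on a hit log: re-derive IDs from the target list and
    count how many logged IDs are identified. One hash per candidate is all it
    takes, so a leaked hit log plus the target list de-pseudonymises every click."""
    lookup = {hashed_id(e): e for e in candidates}
    return {i: lookup[i] for i in ids if i in lookup}


class TokenRegistry:
    """Alternative: a random per-target token whose only link to the address is
    a row in the logging database. The landing host never sees the address, and
    a leaked hit log reveals nothing without that table."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, str]] = {}  # token -> (campaign, email)

    def issue(self, campaign: str, email: str) -> str:
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._rows[token] = (campaign, email)
        return token

    def resolve(self, campaign: str, token: str) -> Optional[str]:
        """Address behind a token, or None if the token is unknown or was issued
        for a different campaign."""
        row = self._rows.get(token)
        if row is None or row[0] != campaign:
            return None
        return row[1]

    def classify_hit(self, campaign: str, token: str) -> Tuple[str, Optional[str]]:
        """The talk's rule: a hit that does not carry a valid campaign + user ID
        pair is not a target (crawler, scanner, curious visitor) and is redirected
        away rather than logged."""
        email = self.resolve(campaign, token)
        return ("log", email) if email is not None else ("redirect", None)


def parse_hit(query: str) -> Tuple[str, str]:
    """Pull campaign and user ID out of a landing-page query string such as
    'c=q1&u=<token>'. The field names are assumed; Fishpole's are not on the page."""
    fields = parse_qs(query, keep_blank_values=True)
    return fields.get("c", [""])[0], fields.get("u", [""])[0]


if __name__ == "__main__":
    ids = [hashed_id(e) for e in TARGETS]
    found = recover_from_target_list(ids, TARGETS)
    print(f"hash-of-email IDs identified from the target list: {len(found)} of {len(ids)}")

    reg = TokenRegistry()
    tok = reg.issue("q1", TARGETS[0])
    print("random tokens identified the same way:", len(recover_from_target_list([tok], TARGETS)))
    for q in (f"c=q1&u={tok}", f"c=q2&u={tok}", "c=q1&u=bogus", ""):
        print(repr(q[:24]), "->", reg.classify_hit(*parse_hit(q)))
```

The registry keeps the address-to-token table on the logging server only, which fits the decentralized layout the talk describes: the throwaway landing hosts forward campaign and token, and the static logging server is the single place where a click can be tied to a person.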
[Applause] How much time do you