
No, it's off. There we go. Okay, everyone, we're going to get started. Our next talk is by Adam. He's going to be talking about phishing, going from recon to credentials. [Applause]

All right, good morning everyone. As was just announced, my name is Adam Compton. Today's talk is on email phishing, going from recon to creds. A little bit extra in there with that, but that's the basic summary. Hopefully this is what you're in here looking for. You're wanting to learn about phishing a little bit. If you get a little bit entertained, great; if not, stick around anyway. Make me feel a little bit loved. Thank you.

So the obligatory agenda slide: it's going to start out with a little bit of who am I, go into a little bit of background on email phishing, a very brief overview of it just to give you a refresher on it. As well as that, I'm going to be presenting a new tool I've been working on for a couple of months. Everybody likes new tools, so when it gets released, right? Yeah. Yes. Yeah. Thank you. All right, let's go ahead and move on. There's a few slides to keep going here.

All right, here's the slide I put up there to help make you all believe I know what I'm talking about a little bit, regardless of whether it's true. So as you can see, yes, I have plenty of experience doing information security and penetration testing; I've been doing it for a number of years. I am a father, I am a husband. I do have my kids and all that. I love them very much, but when I get a chance to head out to Vegas and spend some time away from them, I tend to take that offer up. I do consider myself a programmer more than I do a pentester. Most of my background in computers has been with programming. I love pentesting as well; I just have more experience programming. And yes, I am a hillbilly. I was born and raised in the Appalachian Mountains and I'm proud of it. So thank you. Let's keep going.

So why did I decide to do a presentation on phishing? First and foremost, because I find it interesting. I love social engineering. I love email phishing. Things of that nature. It's a fun little exercise. I do it in my day-to-day job, things of that nature. As well as that, I just felt this would be a good avenue for me to give something back to the community. A community that has helped me out over the years, both by providing tools, mentorship, education, things of that nature. I just want to give something back to the community. And along with that giving back to the community, it gives me a venue to present the tool I've been working on. When we get to it afterwards, if you find it useful, why not come tell me? If you think it's a load of crap, come and tell me. Either way, it's beneficial to me. I'll learn from it. So, thank you.

What is phishing? Hopefully most of you in here have a basic understanding of what email phishing is. I'll let you read it for yourself. In short, in summary, phishing is just the act of scamming someone via email to get access to sensitive data or systems from them. It's not very complicated. But if you do believe the social media, the news media, large companies, email phishing is also the tool of choice of the APT. Yay. Okay, that's not as funny as I thought it would be. So, thank you. Let's keep going.

So, a little background on phishing. As far back as I can determine, on 10 minutes of internet research, phishing goes back to the mid-1990s, around 1994, '95, on AOL, America Online. The earliest evidence I could find was really of script kiddies, or hackers at the time, using Visual Basic scripts such as AOHell, things of that nature, to impersonate system admins to trick people into giving them credentials, credit card information, things of that nature. Same concept, same techniques apply today. It hasn't got any more complicated than that. And in a lot of fashions, you can do phishing and social engineering a lot easier now than you could then anyway.

So, if somebody's doing a phishing attack, what kind of information are they after? It's granted that every phishing attack out there is going to have its own reason for doing it, what they're after, things of that nature, but they all seem to fall into one of a few categories. They're probably going to be after credentials or authentication tokens of some kind. They're going to be after banking and credit card and financial information, so they can take that and go buy fancy cars and what have you. PII, personally identifiable information; PHI, personal health care information, things of that nature. They're going to be after that for identity theft, insurance fraud, any number of reasons. Go open more credit cards and go buy more stuff, whatever the case is. And there's always going to be a group out there who's going to be looking to get other digital media such as your Bitcoin wallets, your Steam games, your digital life, whatever you have out there. Somebody's going to want it. If you have it, somebody else wants it.

So, what kind of attacks are there? There's three basic phishing attacks. Well, there are subcategories of those, but the primary ones are your basic phishing attack, your spear phishing attack, and then your whaling attack. Your basic phishing attack basically looks a lot like spam in a lot of cases. It's where an attacker will send out an email to hundreds of thousands of people, looking just to get somebody to bite on it. There's not a lot of research put into it. It's a generic email sent out to everybody. Spear phishing is a little more tailored. It's usually focused at a group of people with some commonality, such as members of a club, employees of a company, something like that. For those types of attacks, you're wanting to do a little bit of recon beforehand to get things like the full company name, the company logo, things like that, to make the phishing attacks look a little more believable. You can do as much recon in there as you want, but you need to do a little bit in there at least. Whaling is that taken to the next step, which is you're targeting one or two select people, such as the CEO, the president, chairman of the board, something like that. And this requires a lot of recon, a lot of research beforehand. You have to find out as much about them, their lives, stuff like that, as you can, because when you go to execute this, you get one shot. In very weird cases, you might get multiple chances. But assume you get one shot at this. If you fail, you have to move on. Find something else to try then.

All right. A little bit of background on phishing. We've already done what it is, all that. But why would somebody want to do a phishing exercise when there's all kinds of other exploits out there already? Buffer overflows, SQL injections, whatever you want to do out there, physical security. The main reason is that phishing works. As I said jokingly before about the APT, but yeah, it works. That's why people use it. They get access to systems. And why is that? Because, well, people are gullible. People want to be helpful. They want to help you out. You can secure your network, you can secure your perimeter, install IPSs, all that, all you want, but the people sitting behind those systems, you can't patch them. If you can get them to click a link, go to a web page, whatever the case may be, you've done the attack, and it's very hard to prevent against that in every case. Also, phishing has a high return on investment. For the same amount of work that you put into targeting 10, 20, 30 people, you can target 10, 20, 30,000 people at the same time; it scales very well. The only difference is how long it takes to send the emails, a little bit like that. The same amount of research is going into it, all of that. Not a lot of overhead there. Another one is if you're targeting a company that has a very crunchy exterior, very little internet presence, or you can't get in and you need to get in, phishing is probably going to be one of your very few ways that you can actually get that, because it'll bypass all those perimeter controls. You can get into the network very easily.

I'll do a few slides here just going over a little bit more of the phishing process, just as a quick overview for everybody. This is the process I generally follow when I'm doing a phishing exercise. It's not going to be the same as everybody uses, but for most people I've talked to, this seems to be in line with what they say they use as well. You start out with some form of recon, go into setup and deploy your system, send emails, collect stuff back, and ultimately generate the report.

About recon: everything starts with the recon. At the bare minimum, you're going to need to have a list of target email addresses, target individuals you're going after. That list might be provided to you by the customer if they say, "I only want you to target these hundred people out of our company," something like that. Or the customer may come to you and say, "Do the recon, find what you can, and then go after those." In those cases, you're going to need to build the list yourself. In order to build the list, you can look at the company's own website. Sometimes they have directory listings or something of that nature. You can go to mailing lists, you can go to social media, LinkedIn, Facebook. They all have great lists of people who work for their companies. It's fairly easy to guess what their email address is off their names in those cases as well. There's tools like theHarvester and Recon-ng that can help simplify that process for you tremendously. Hats off to the developers of each of those. Thank you.

Once you've got your list, you're ready to go. Well, what do you do now? Well, for phishing exercises, most likely you're going to need a website in there somewhere. Whether it's going to be a malicious drive-by attack or it's going to be credential harvesting, something of that nature. In order to host that, you're going to need a web server. So you need to deploy a web server and whatever website you want on there. If it's credential harvesting, you have to figure out what kind of credential harvesting page you want. If it's a malicious drive-by, you're going to need to load up whatever exploit you want, like that. Additionally, you'll probably want to register a custom domain to make your phishing a little more believable.
So, you'll have to register that. And email: you'll probably want to set up your own mail server or set up access to another third-party email server so that it gets through any sanity checks and things of that nature, and you can actually send the emails. Once you have that done, though, you have everything set up, you have your phishing template set up, you're ready to go. Don't send it yet. Send it to yourself. Look at it. Go to the web page. Go to the email. Make sure everything looks right. Because once you hit that send button, you can't take it back. It's off to the customer. If there's typos in there, whatever the case, it's gone. So, better to take a few extra moments just to look at it, make sure it's right, and then move on. Personally, I will admit that in at least one case out there, maybe more, I haven't done that proper sanity check and sent the emails off to a customer. Sitting there waiting and waiting, getting some hits back. Not as many as I would expect. I'd already sent it all, so I couldn't change it. But I went to look at the emails that were sent just to verify. And I might have copied and pasted the wrong company name into the email when I sent it. Okay. Logic dictates that I got fewer results, but I did get some. Trying to turn lemons into lemonade, I was then at least able to report to the customer that, given even horribly incorrect-looking emails to them, obviously malformed emails, X percent of your company even in that bad scenario would still click on it and give me credentials. So try to make the best out of a bad situation there. But it's better to not even be in that situation and just verify everything before you start the exercise.

Next, once you've sent your emails and all that, it's a waiting game. You're having to wait for responses at that point. Whether that response is going to be credentials coming in from credential harvesting, or whether it's remote shells because of a malicious payload or a browser exploit, something like that, you are waiting for that. Once you get those, what do you do with them? What is your post-exploitation process? Do you just sit back and just document "I got X number of shells" and just leave it, or do you take that to the next step and try to log into the remote servers? Do you start doing an internal pentest at that point? These are the kinds of questions that should have been answered during the scoping call with the customer, with all these decisions made. If not, this needs to be done quickly so that you know what to do, because you probably have a limited window at that point.

Finally, you have reporting. Everybody's favorite part. Facetious, I know, but yeah, you are going to have to provide some sort of documentation at the end of your phishing exercise, whether to the customer, your management, what have you, or to yourself, whatever the scenario is. And you want to put some items in there: who did you target, some statistics, things of that nature. It's really determined by your internal reporting process, your report format, things of that nature. But there will be some sort of reporting. And at that we're pretty much done with the whole phishing process. I might mention it later, but now it's moving forward into tools that can do phishing a little bit.

There are a few tools out there that can help drastically make your life easier when you're doing phishing. Tools like the Social-Engineer Toolkit, or SET, work great. Along with that, you have Phishing Frenzy, which is similar in many ways. Both of them can help you set up phishing engagements, exercises, execute them, collect results, things of that nature. SET is command-line based; Phishing Frenzy is web-based, but they both are fairly similar. Phishing Frenzy, personally, I've had a few issues with it trying to get the dependencies installed properly, but once it's installed, it does seem to work well. Both of them, I think, have the same limitation in my mind: that they don't do the recon for you. They expect you to do the recon yourselves and then provide it to them. Unless that has recently changed, and I'd have to double-check that. Then also you have BeEF, or the Browser Exploitation Framework. It itself is not a phishing tool, but because it will help exploit browsers, and all it takes is a single string embedded into a website, it works very well with phishing exercises, regardless of whether your page is credential harvesting or something else. You just load that in there, and whenever somebody clicks on the link and goes to it, their browser is then hooked, at which point you can go and do other things with it. It falls into that post-exploitation category then, and it works very well with that. That's why I included it here.

All right, as awesome as those tools are, I'm still lazy. I don't like redoing any bit of a process if I can help it at all. Is there a way for us to automate this even more? And yes, you can, because a lot of these tools already, BeEF, Recon-ng, Social-Engineer Toolkit, they all provide you API access to a lot of their calls, a lot of their automation. Then you have tools like dnsrecon, theHarvester, those that are purely command line and don't have an API, but they give you nice textual output which, using your language of choice, bash or Perl, Python, whatever, you can parse and make use of. Using all that and a little bit of programming, and me not wanting to do repetitive processes, I came up with the SpeedPhish Framework. Yes, the acronym came before the name. The acronym is based on Sender Policy Framework. I just wanted to make fun of it. So I came up with a tool name that matched it, and it is fairly descriptive really. SPF, or SpeedPhish Framework, is a tool that helps automate a lot of the common steps that you do during a phishing exercise. Currently, it is focused around credential harvesting. Not because that is any limitation in the code. It's just I needed to get some part of it done for the presentation, all that. So I focused on that. I'm planning on doing other things in the future like incorporating BeEF to do browser exploits, or attachments, things of that nature. I just don't have it in there yet. It is written in Python, not for any particular reason like I think Python was the best language in the world to write it in. It's just I thought it'd be a fun one to try in Python, and it worked out fairly well. And one of the other main items about it is that it has minimal external dependencies. I did not want to write a tool that you had to run on a particular version of Kali or something like that. If you have Python installed and you can install two Python modules, you're good. It will run on any Linux distro at that point. And those would just be Twisted, Twisted Web, and dnspython. That's it. Python 2.7 at the moment. I'm going to be releasing another one for 3 later on. I have to make a few changes internally, but yes, it's solely for Python 2.7 at the moment. If you want to find out more about it, go download it. There's the GitHub link. I'll be presenting that up on the screen later on as well, so don't worry about it right now.

Currently, what it does is it will do the recon for you to a certain degree. It will do the DNS recon if it can. It goes out and looks through Google, search engines, things of that nature, and tries to gather it. Similar process to what theHarvester does, if you're familiar with that. It then has a few templated phishing websites built in that it can deploy using Twisted Web. It can deploy its own web server, its own websites, doing virtual hosting, all that. If configured, it will then send the emails via a third-party mail server or by connecting directly to the target's SMTP server and sending it that way.
It will then also log any keylogs and credentials that come back and generate a report off of that. There's a few additional advanced features that it can do too, which I'm not presenting here. I'll be at Black Hat Tools Arsenal presenting more on that, as well as at DEF CON's SE Village on Saturday, if you want to learn more about that. Then let's go ahead and jump over to the demo very quick. I'm going to do a quick little demo here. Mirrored screens. Wait, why didn't you mirror the screen?

[Audience member] You find out the format of the company, like first name, last name?

Yes. That's what I can do with that tool.
Oh yes. Oh yes. Yes. You can't do that with the tool as it is, but that's where I can do calls out to Recon-ng, things of that nature, and it will do that and then parse that and pull that in for you. So first of all, let's go ahead and just jump in. Can everybody see this, or do I need to enlarge that a little bit? Let me go ahead and do an ls in there. If anybody needs it larger, just let me know and I can zoom in on it a little bit, or you're good. All right. All right. If you've got questions, come hit me up later and I can do a personal demo.

First of all, when you do the GitHub checkout, you're going to get this, which is the install doc and README and all that. Not worrying about that at the moment. So, let's go ahead and cd into spf, where everything is. In here, there's a few files. The primary one is spf.py. There's a report.py and web. Those help do individual subcomponents of it. There's also the default.cfg. That and spf.py are going to be the two you need to worry about. spf.py is the tool. It does have command line options, a usage statement, but let's go ahead and look at the default config for a moment first.
There are certain levels of configuration options that go into the config document that are ones that don't really change much between engagements, such as where your templates are stored. Is there a mail server that you want to use? The directory for things like theHarvester and BeEF and Recon-ng, things of that nature. You configure them in here. Anything that's configured in here that also has a command line option can be overridden by the command line option. So you don't have to worry about changing it in here.

Next, let's go ahead and look at the tool itself: -h. There's a lot of options in there. It scrolls on and on, but there's meta categories in there as well, like you have --test and --all and --recon. Those are meta groupings of subcomponents. I would recommend definitely getting used to using --test. That is the one that simulates the sending of emails. It doesn't really send it, so you can verify everything looks right beforehand, then move on.

So let's go ahead and do a quick little one here. Let's do spf with -d for the domain I'm going after, and I'm going to do example.com. I'm not on the internet right now. I have a couple of VMs set up, all that, that I'm going to be going after. So when I do this, you're going to see what shows up here in just a moment. Do the -g to gather results. I'm just going to do -v -v for very verbose. You will see that it says I didn't specify a config file. It defaults to the default.cfg. So, I'm just going to leave that alone. Hit enter. And you can see, well, that's really faded on there, but on the right over there it says it couldn't access Google and all that. So, it didn't collect anything. Well, if you do a -f, I do have a file of targets like a customer might have provided me. Now run that. And now you can see at the very top it says it loaded nine emails from the targets.txt. You can see the list of emails that I gathered here. That's just a very simple version of that.

Let's go ahead and run a real exercise now. Well, --simulate. I don't really want to send these. Then do the -w to generate the web pages as well. Go ahead and hit enter. Yes, do the emails. Yes, start the phishing web server. You can see it found a few templates in there: OWA, Juniper, Citrix, and Cisco. It loaded those up on various IP ports, and then it does the virtual hosting at the bottom. If you have DNS set up, it will use that. And then, do you want to load phishing email templates? Yes, it found the corresponding ones and now it sends them. I know that's a little garbled, but you can see in there "email would have been sent to email address with subject of blah if this had not been a test." Then at the bottom you can see where it's doing the live monitoring of the results.

So let's go ahead and jump over to one of the websites that loaded up. F5. So here's one of the ones that loads up. That was the Juniper one. Here's an OWA, a Cisco VPN, a Citrix. They're fairly common for what people are going to use. There is a capability for it to do dynamic ones as well. That's in the advanced stuff, and if you want to talk to me, you can. But let's go ahead and get one of these going. Let's do the Juniper one. Let's log in as Bob and, I don't know, password123. No one would really use that one, I'm sure. Log in. It just right now gives you a basic error page that's configurable. You can point it to another website. You can point it to Google if you want. I just have it going to a common error page. Go back over to the logs. You can see, about mid-page down, there's a lot of keylogging. It logs all the keystrokes, where there's backspaces, tabs, things like that. Then the bottom line is the actual credentials that were collected.
Username is Bob and password is password123. So let's go ahead and stop that. Assuming you ran the full thing and went through the full exercise, it stops everything. At the very bottom, it says the report file was generated. It's located at this directory. So let's go ahead and jump over there to that. There it is. Like I said, it's very simple right now. And because I'm running this internally, the screenshot didn't generate, but you can see at the top it... well, let me zoom in on that a little. Yeah, there. Phishing exercise against example.com. When did it start and stop? The first phishing campaign was junipervpn. It sent email that looked like that to these addresses. Then the website would be in there, and then any collected credentials would be listed, things of that nature. Like I said, very simple, but all the raw data for this is in a directory. If you look at the URL, it's under example.com. You go in there, all the raw data is in there. So, that is the basic run-through of the demo. If you want more information on more advanced things, please see me after, or come over to DEF CON or Black Hat and I'll be doing the demos there. Let's go ahead and jump back to the slides now just to finish this up.

All right. All right. Jump through this real quick. These were in case the demo didn't work at all. Over to the... oh, sorry. I thought I had thrown that back over there. Good call. Wait, why isn't that being displayed? Where is it at? View. Stop that. Let's try it again. View. There we go. Okay, let me just jump all the way through this real quick. Sorry. For some reason, slide failure there. All right, jump over to right there. Okay, we're done with the demo. Those slides I just jumped through were the ones in case the demo didn't work.

Future work, future features: because I had to get this out here, I couldn't get all the features added in there that I wanted. There's a few things I still want to add in, such as unique IDs to track specific emails that people click on, more external tools. You can read it there. If you have other suggestions and things that you'd like to see added in, or comments on it, either make suggestions to me or check it out, make modifications, do a pull request, and so forth. Finally, I'm down to the last three slides and they're all thank-you slides. So, where you can find information on me: my Twitter, email, website, GitHub, where the directory is itself, where you can go check out SPF. I want to say a big thank you to the developers out there who've made tools in the past that have helped me out and helped everybody else out. Keep up the good work. We need good tools out there. And thank all of you for coming in here and sitting down and making me feel loved. Thank you very much.