CreedX
In the course of work, whether legal or not so much, there is often a need to carry out phishing attacks. Why? As practice shows, this is often the most disruptive and simplest way to gain access to a target system. Why is that? Competent people are mostly involved in developing and configuring websites, servers and other network devices, while the protection of end users, for example support staff, secretaries and other such people, is the last thing anyone thinks about. Naturally, attacks on more qualified personnel are also possible, but more on that later.
Let's start from the beginning, or rather with a definition of what phishing is. Phishing is a type of fraud whose purpose is to gain access to a user's confidential data, for example credentials for a workstation or some web service.
What methods are used? The most popular are: sending emails, creating fake websites (closely related to the previous method), messages via social networks and other communication channels, and the physical layer (the kind popularized by TV series, with flash drives being dropped around).
Let's take a closer look at the process of creating web resources for phishing, since it is one of the most commonly used and, in addition, an integral element of the other methods.
As an example, let's take the blog's address, kaimi.io, and walk through the procedure and the auxiliary tools.
We need to register a domain on which the web resource will be hosted. Later it can also be used for mailings.
How do I choose a name?
- Come up with one yourself using common techniques, for example:
  - replacing visually similar characters (i -> l);
  - replacing characters using punycode ( https://ru.wikipedia.org/wiki/Punycode );
  - registering an arbitrary name and placing a subdomain with the target name on it, so that it is visible at the beginning of the address (like admin.kaimi.io.sample.com); this is especially effective on mobile clients, where the address bar is truncated in most cases because of the screen size;
  - registering exactly the same name in another zone (for example, kaimi.it);
  - coming up with something "original" like kaimi-blog.io (not the best option).
- Use special software that implements some of the described methods, for example:
  - EvilURL ( https://github.com/UndeadSec/EvilURL )
  - DomainFuzz ( https://github.com/monkeym4ster/DomainFuzz )
  - CATPHISH ( https://github.com/ring0lab/catphish )
  - dnstwist ( https://github.com/elceef/dnstwist )
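The same registration tricks, viewed from the receiving side, can be recognised mechanically. The following is an added example, not code from the post or from any of the tools listed above: a small Python classifier that reports which of the techniques above a candidate domain matches against a protected one. It assumes a naive two-label split into name and TLD (no public-suffix list) and uses a constructed confusables table in place of the full Unicode one; the domain names in it are the post's own kaimi.io and made-up variants.

```python
"""Lookalike-domain classifier: flags the registration tricks listed above.

Added example, not code from the original post. Assumptions: a naive
two-label split into registrable name + TLD (no public-suffix list), and a
small constructed confusables table instead of the full Unicode one.
"""
import unicodedata

# Constructed confusables table: every occurrence of the left string is
# rewritten to the class on the right. Both the protected name and the
# candidate go through it, so 'kaimi' and 'kalmi' collapse to 'kalml'.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),                           # multi-character pairs first
    ("1", "l"), ("|", "l"), ("i", "l"), ("0", "o"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"), ("\u0456", "l"),  # Cyrillic er, es, i
]


def decode_punycode(domain: str) -> str:
    """Turn 'xn--' labels back into Unicode so IDN homoglyphs can be compared."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it, the skeleton check still runs
        labels.append(label)
    return ".".join(labels)


def skeleton(name: str) -> str:
    """Collapse a label into a confusable-insensitive form."""
    name = unicodedata.normalize("NFKD", name)  # split accents off base letters
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def split_domain(domain: str):
    """Naive split into (subdomain labels, registrable name, tld)."""
    labels = domain.split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def classify(candidate: str, protected: str):
    """Return the lookalike technique a candidate matches, or None."""
    candidate = decode_punycode(candidate)
    protected = decode_punycode(protected)
    if candidate == protected:
        return "exact"
    sub, name, tld = split_domain(candidate)
    _, p_name, p_tld = split_domain(protected)
    if p_name in sub:                        # admin.kaimi.io.sample.com
        return "subdomain-trick"
    if name == p_name:
        # same name in another zone (kaimi.it); same zone is a real subdomain
        return "other-tld" if tld != p_tld else None
    if skeleton(name) == skeleton(p_name):   # kalmi.io, punycode homoglyphs
        return "homoglyph"
    if p_name in name:                       # kaimi-blog.io
        return "contains-name"
    return None


if __name__ == "__main__":
    for cand in ("kalmi.io", "admin.kaimi.io.sample.com", "kaimi.it",
                 "kaimi-blog.io", "blog.kaimi.io", "example.com"):
        print(f"{cand:30} -> {classify(cand, 'kaimi.io')}")
```

Run against newly registered domains or certificate-transparency feeds, the classifier is a cheap first pass; anything it labels is worth a look before the mailing arrives.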
We have chosen a name; let's move on to binding it to an IP address and setting up all kinds of utilities. You can stay on some hosting that provides a control panel where everything is configured in a couple of clicks, or not configured at all... I will consider the option of using a VPS.
So, we have rented a VPS (I recommend ArubaCloud as the cheapest, 1 € per month at the time of writing, or DigitalOcean as the most convenient, from 5 $ per month).
You need to configure SPF, DKIM and DMARC. In order:
SPF - use one of the following manuals:
- https://www.digitalocean.com/community/tuto...ail-reliability
- https://help.mail.ru/biz/domain/verificatio...tings/other/spf
- https://yandex.ru/support/pdd/set-mail/spf.html
I got a Python script for configuring a VPS for AMS mailing. I honestly don't remember where; I think I found it on some forum. If I am violating someone's copyright, write in the comments.
Download: https://kaimi.io/wp-content/uploads/2018/05/vps-setup.zip
As usual, you can also do it manually:
- https://www.digitalocean.com/community/tuto...n-debian-wheezy
- https://petermolnar.net/howto-spf-dkim-dmarc-postfix/
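Because deliverability of spoofed mail depends on how strictly the target domain's own SPF and DMARC records are written, it is worth being able to read them. The block below is an added example, not code from the post or the linked manuals: it parses SPF and DMARC TXT records passed in as strings (no DNS lookups, so it runs offline) and reports the weaknesses that let a forged From address through. The record values and the `example.com` reporting address are constructed.

```python
"""SPF and DMARC record checker (added example, not from the original post).
Records are passed in as the TXT strings a DNS query would return, so it runs
offline; the sample records are constructed. A defender can run the same
checks against their own domain to see how much room a spoofed From header has.
"""


def parse_spf(record: str):
    """Return {'mechanisms': [(qualifier, term), ...], 'all': qualifier} or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str):
    """Return the DMARC tag/value dict (keys lower-cased) or None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return finding codes; an empty list means the posture is strict."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("spf-missing")
    elif spf["all"] is None:
        findings.append("spf-no-all")        # unlisted hosts get Neutral
    elif spf["all"] == "+":
        findings.append("spf-plus-all")      # any host may send as the domain
    elif spf["all"] in ("~", "?"):
        findings.append("spf-soft-all")      # SoftFail/Neutral is rarely enforced
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("dmarc-missing")
        return findings
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("dmarc-p-none")      # monitor only: spoofed mail is delivered
    if int(dmarc.get("pct", "100")) < 100:
        findings.append("dmarc-pct-partial")
    if "rua" not in dmarc:
        findings.append("dmarc-no-reporting")
    if dmarc.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("dmarc-sp-none")     # subdomains left open
    return findings


if __name__ == "__main__":
    # Constructed records for a weak and a strict domain.
    print(assess("v=spf1 +all", "v=DMARC1; p=none"))
    print(assess("v=spf1 ip4:203.0.113.5 -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

Feed it the TXT records of the domain and of `_dmarc.<domain>`; a domain that comes back with `dmarc-p-none` or `spf-plus-all` will accept mail with its own name in the From header from anywhere.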
And finally, we issue an SSL certificate for our domain, because the domain is not used only for mailings. The Let's Encrypt service ( https://letsencrypt.org/ ) is suitable, and there are plenty of deployment scripts for it (depending on the web server used).
We will touch on the details of sending emails a little later; for now let's list the main options for creating copies of existing web pages, which can be used if we plan to set up a web server on our domain and imitate an administrative panel or, say, the web version of Outlook.
The first option is by hand, and everything is as usual: we download the page of interest, even with wget, edit the links to scripts, styles and images, look at what request is sent when trying to authenticate on the page, and write a script that records the data sent to it... At the end we add an optional redirect to the original page. There are many examples of such scripts on the Internet; there are no fundamental differences between them apart from the variable names and the type of HTTP request they receive.
The second option is to use the Social-Engineer Toolkit ( https://github.com/trustedsec/social-engineer-toolkit ); after installation we follow the manual or common sense (everyone knows English at a basic level, right?) [ http://ironkali.blogspot.nl/2014/03/how-to...se-toolkit.html ]
In general, this is not an entirely correct option, since it launches its own web server and does not produce a page that could be placed elsewhere, so if we go this way, we must not forget about the SSL certificate, which will have to be written manually into the SET config. Pretty trivial.
Since I have touched on the topic of phishing frameworks, I will mention a few more that can do everything, although at times not everything works smoothly:
- Gophish https://getgophish.com/
- King Phisher https://github.com/securestate/king-phisher
Let's move on to sending phishing emails. I assume that the sending mechanism itself was configured in the previous step, or that, suddenly, you have access to an employee account in the target domain.
So, the first thing to do is to collect addresses from somewhere that can be used in phishing mailings, at least if there is no specific target. Where to get them? There are many options:
- From websites:
  - services: https://www.onlineemailextractor.com/ , https://tools.verifyemailaddress.io/Apps/Email_Extractor/
  - software: https://www.emailgrabber.net/ , https://www.epochta.ru/extractor/
- From DNS data and WHOIS:
  - manually (whois, dig ...)
  - services: https://mxtoolbox.com , https://dnsdumpster.com , http://en.whatmyip.co
- By brute force (SMTP, web versions of some mailers, etc.)
- From social networks: LinkedIn, Facebook, etc.
- From specialized services: https://hunter.io , https://anymailfinder.com , https://www.toofr.com
- From conventional search engines
- From all kinds of leaked databases (if you're lucky, you can also get a valid password for some service): https://leakedsource.ru , https://snusbase.com , https://leaked.site , https://weleakinfo.com , etc.
- Maltego - https://www.paterva.com/web7/buy/maltego-cl.../maltego-ce.php
- recon-ng - https://bitbucket.org/LaNMaSteR53/recon-ng
Remember, full-fledged OSINT can help a lot with spear phishing, but the effort is quite high.
There are more difficult:
The goal is to do the same.
General style. Pretty obvious too. Pay attention to the structure, the forms of address used, the visual design (color, font), etc.
Headers. Any email contains headers that may hint at the use of filtering systems, specific mail clients or web interfaces, etc. This can help, as for example in the situation above with punycode, which is displayed incorrectly in a number of email clients.
An entertaining set of headers, isn't it? Here is the client, and the IP, and the computer name...
By the way, about spam filters: if you can see that some system is in use, then before sending I recommend taking a separate machine, deploying the same SpamAssassin on it and checking your email there; knowing the potential score (SpamAssassin's subjective assessment of the likelihood that it is spam) is a great opportunity to make edits before the actual mailing.
Let's talk about the content of the emails. Everything is set up, so what to write about? Write about the weather, seriously; do not try to impersonate the CEO and other bosses, in most cases this leads nowhere: it is easy to check, and most likely they adhere to a template that would also need to be obtained from somewhere. For the subject line, use something simple and common: come by to sign documents, a survey, the work schedule for the holidays, a subject with an Fwd or Re prefix to depict a continuation of the correspondence, etc. If the email is in HTML format and contains links to third-party resources (styles, images), then some clients block such content by default, but the user can unblock it, so it is better to compose the email with this behavior in mind (for example, by stating in the text that an infographic or a coupon or whatever follows below). Sometimes it makes sense to specify several recipients (the Cc header) within one company; it adds credibility.
Do not forget about the possibility of manipulating the displayed sender (the From header, which deserves closer consideration: what if the company decided to use only the first name, and you entered the full name), specifying an alternative recipient for replies (Reply-To) and other useful headers; it will not be superfluous to look through the RFC ( https://tools.ietf.org/html/rfc2076 ).
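The From and Reply-To manipulations just described are also exactly what a receiving gateway checks for. The following is an added example, not code from the post: it parses a raw message with Python's standard `email` package and flags a trusted display name on an external address, an address hidden inside the display name, a Reply-To pointing to a different domain than the visible sender, and a failed SPF/DKIM/DMARC verdict. The protected domain `example.com`, the staff list and the three sample messages are constructed for the example.

```python
"""Sender-header checks for inbound mail (added example, not from the original
post). Looks for the manipulations described above: a trusted display name on
an external address, an address hidden in the display name, a Reply-To that
diverts answers elsewhere, and a failed SPF/DKIM/DMARC verdict. The domain,
staff list and messages are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumed protected domain
KNOWN_STAFF = {"anna ivanova", "petr sidorov"}      # constructed directory


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str) -> list:
    """Return the list of suspicious sender traits found in the headers."""
    msg = message_from_string(raw_message)
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    # Display name of a real employee, but the address is not ours.
    if display.strip().lower() in KNOWN_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name-spoof")
    # "someone@example.com" <other@elsewhere>: many clients show only the quoted part.
    if "@" in display:
        findings.append("address-in-display-name")
    # Replies silently go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")
    # Authentication-Results is only trustworthy when our own MX added it.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.IGNORECASE):
        findings.append("auth-fail")
    return findings


# Constructed sample messages (headers, blank line, body).
SPOOFED = """From: "Anna Ivanova" <anna.ivanova@mail-example.net>
Reply-To: documents@example-signing.org
To: petr.sidorov@example.com
Subject: Re: documents to sign
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.net; dmarc=none

Please come by to sign the holiday schedule.
"""

LEGITIMATE = """From: "Anna Ivanova" <anna.ivanova@example.com>
To: petr.sidorov@example.com
Subject: holiday schedule
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass

Schedule attached.
"""

FAILED_AUTH = """From: "anna.ivanova@example.com" <noreply@example.com>
To: petr.sidorov@example.com
Subject: Fwd: survey
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail

Please fill in the survey.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE),
                       ("failed-auth", FAILED_AUTH)):
        print(f"{label:12} {check_sender(raw)}")
```

In a real gateway the staff directory comes from the identity provider and the Authentication-Results header must be the one written by your own MX (strip any copy that arrives from outside), otherwise the last check can be satisfied by the sender.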
The text is composed; let's move on to attachments. After all, we may be interested not only in the fact that the email was opened (which can be established, for example, with a link to an image, if the email is in HTML format), but also in the possibility of getting onto the recipient's PC. What do people send? Mostly office documents, less often archives. Sending typical executable extensions means being caught by the filter 99% of the time. By the way, an interesting point about attachments. I came across a situation where attachments with any potentially dangerous extension (even .reg) were physically cut out of emails, but password-protected archives went through with a bang. There are options with exploits for common media formats, but there are practically no public solutions for this.
In the case of office documents, the following options are used:
- All kinds of exploits for public vulnerabilities
- Macros
- Dynamic Data Exchange ( https://msdn.microsoft.com/en-us/library/wi...4(v=vs.85).aspx , https://nakedsecurity.sophos.com/2017/10/22...res-what-to-do/ )
- BE
- Less common file formats, like HTA (sometimes something can be implemented within the format, sometimes there is an exploit https://www.rapid7.com/db/modules/exploit/w...office_word_hta )
For some options you can find detailed descriptions, generate something with existing products (for example Metasploit Framework or Empire, though you will have to modify it), or buy something.
In the case of web clients, the list can be expanded with vulnerabilities in the web panel (still more likely than finding a worthwhile vulnerability in Thunderbird), the Basic authorization prompt when accessing an external file (in some places it still works and is being worked out), etc. The list is almost equivalent to what you can imagine for visiting a regular web page.
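From the filtering side, the attachment cases above (blocked extensions such as .reg, macro documents, legacy OLE files and password-protected archives that pass through untouched) can be told apart with a few bytes of inspection. The block below is an added example, not code from the post: it screens an attachment by extension, opens zip-based files (OOXML documents are zips) to look for a VBA project, blocked extensions inside the archive and the encrypted flag bit, and recognises the legacy OLE container magic. The deny list and all sample files are constructed in memory; the helper `make_zip` only sets the encryption flag bit in the headers, it does not implement zip encryption.

```python
"""Attachment screening (added example, not from the original post). Shows what
a mail gateway can see in the attachment types discussed above: blocked
extensions (including .reg), macro-enabled OOXML documents, legacy OLE
documents, and password-protected archives, which the post notes often pass
filters untouched. All sample files are constructed in memory.
"""
import io
import os
import zipfile

# Constructed deny list; a real gateway would use a longer, maintained one.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".reg", ".bat",
               ".cmd", ".ps1", ".jar", ".lnk"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing seen."""
    findings = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXT:
        findings.append("blocked-extension")
    if zipfile.is_zipfile(io.BytesIO(data)):        # OOXML files are zips too
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            names = [i.filename.lower() for i in infos]
            if any(n.endswith("vbaproject.bin") for n in names):
                findings.append("ooxml-macro")    # VBA project inside the document
            if any(os.path.splitext(n)[1] in BLOCKED_EXT for n in names):
                findings.append("blocked-extension-in-archive")
            # Bit 0 of the general-purpose flag marks an encrypted entry: the
            # listing is readable, the content is not, so scanners see nothing.
            if any(i.flag_bits & 0x1 for i in infos):
                findings.append("encrypted-archive")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy-ole-document")    # may carry macros or OLE objects
    return findings


def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Build a small zip in memory. With encrypted=True only the 'encrypted'
    flag bit is set in the local and central headers (no real cipher): enough
    to reproduce what a screening check sees for a password-protected archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    samples = {   # constructed attachments
        "report.docm": make_zip({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00"}),
        "report.docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
        "invoice.zip": make_zip({"invoice.js": "// constructed"}, encrypted=True),
        "fix.reg": b"Windows Registry Editor Version 5.00\r\n",
        "old.doc": OLE_MAGIC + b"\x00" * 16,
    }
    for name, blob in samples.items():
        print(f"{name:14} {inspect_attachment(name, blob)}")
```

The `encrypted-archive` finding is the one to act on for the case the post describes: since the content cannot be scanned, the archive should be quarantined or the recipient asked to obtain it through another channel rather than letting it through because no signature matched.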
Now let's mention social media and the related fake websites, as well as the methods above.
In social networks and other means of communication, the approach does not differ much from mailings and the rest, but it is worth considering the availability of the interlocutor's profile, i.e. yours, as well as the shift in the focus of the discussion and the greater scope for learning about the person's interests and life.
Therefore, I won't say much about this vector, since usually standard communication approaches are used (if you are not sure, look for dumps of forums or social networks with copies of personal correspondence) that aim to form a conditionally trusting relationship, leading to the ability to send the person a link or obtain some useful information that can be used in subsequent approaches (in a multi-stage attack).
And finally, I'll touch on the physical aspect very briefly. Everything here is very individual, and I have very little practical experience in this area. Usually, in one format or another, it becomes possible to interact with employees. What is used? In most cases a Rubber Ducky ( https://hakshop.com/products/usb-rubber-ducky-deluxe ), or rather a cheap replica with a similar payload from AliExpress ( https://ru.aliexpress.com/item/BadUsb-Beetl ... 2732578586.html ). Naturally, you can pick a suitable controller as a basis (Google -> Bad USB DIY) and assemble everything in the right case or put it into some ready-made device, for example a mouse. Then the finished device is handed over, sent or dropped, which in one or several passes gives access to a system within the target network. It is actually difficult to prepare, because you have to take into account many nuances (the user's system, antivirus, firewalls, DLP systems, personal level of paranoia, etc.), but sometimes, typically, it works with a bang.
That's all. Some points were not covered, for example bypassing anti-phishing solutions, bypassing DLP and similar restrictions when the sent document opens successfully but an attempt to transfer any information fails, some peculiarities of mobile devices, and a few other things. All of these are beyond the scope of this article, because it was written in order to systematize knowledge about phishing without going seriously into the details of any particular aspect.