Practical Phishing Automation with PhishLulz antisnatchor

Upload: michele-orru

Post on 14-Apr-2017


Page 1: Practical Phishing Automation with PhishLulz - KiwiCon X

Practical Phishing Automation with PhishLulz

antisnatchor

Page 2: Practical Phishing Automation with PhishLulz - KiwiCon X

Outline

● Why Phishing?

● Phishing in real-life

● PhishLulz to the rescue

● FindResources.rb

● MailBoxBug.rb

● Outro

Page 3: Practical Phishing Automation with PhishLulz - KiwiCon X

whoami

● Pentesting, Vuln Research, Coding

● BeEF core dev team

● Browser Hacker’s Handbook co-author (read it while it’s hot!)

● Senior Security Consultant, FortConsult (NCC)

Page 4: Practical Phishing Automation with PhishLulz - KiwiCon X

Why Phishing?

Page 5: Practical Phishing Automation with PhishLulz - KiwiCon X

Why Phishing?

● To exploit the ignorance of the masses

– Or the ignorance of specific persons you want to target

● A few good pretexts, a bunch of typoed domains and a couple of pre-planned campaign scenarios can take you very far with most targets

● One victim being tricked into executing your payloads is (usually) enough to start pivoting & user impersonation activities

● Client-side 0days are quite expensive

Page 6: Practical Phishing Automation with PhishLulz - KiwiCon X

Why Phishing?

● Too fun owning people in 2016 STILL with:

– (Open) Office Macros

– .exe/.pkg files disguised as something else

– Browser extensions

– Other tricks (HTAs, Windows Screen Saver files, …)

● Active Directory is the “new” Java:

– STEAL ONCE, AUTH EVERYWHERE

● 2FA is still mostly a myth

– IF used, it relies mostly on SMSs which is fucked (see mobile phone or SS7 exploits)

Page 7: Practical Phishing Automation with PhishLulz - KiwiCon X

Why Phishing?

● How many companies are able to spot phishing campaigns?

– If spotted, do they know how to react, check who was pwned or what info was leaked out?

– If the malicious email and domain are identified, after how many hours will connectivity to the domain be blocked?

– If you phish just 1 target in the HR dept. with a fake CV pretext, what is the likelihood it will be detected?

Page 8: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

● Most of the time it is easy, but sometimes, depending on the target’s security maturity level, it can be stressful

● Even more powerful when combined with red teaming

– Physically walking inside a company placing Raspberries which phone home via LTE

  ● so you have both wired/wifi available and you don’t need to care about egress filters

  ● Feed the Raspberry’s scripts with credentials harvested via phishing (ARP Spoofing and LLMNR Spoofing needed only if collected creds don’t take you too far)

Page 9: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

● Phishing, like red teaming, is opportunistic

● You want to first target the departments which are in theory easier to pwn (HR, Finance, Marketing)

– Perform as much OSINT & active fingerprinting as possible

● You don’t want to directly target security-savvy people who could raise alarm bells

– Arrive at them via other channels, i.e. via user impersonation of a trusted victim’s contact

– Do not engage at the first contact (i.e. do not add malicious attachments to the first email, build trust first)

Page 10: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Page 11: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Page 12: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Target: www.lulz.wa.gov.au (GMT+8)

● Discovered during reconnaissance:

– Webmail.lulz.wa.gov.au: Outlook Web Access

– Vpn1.lulz.wa.gov.au: Checkpoint SSL VPN

● OWA 2011 template

● Registered lulz-wa-gov-au.com (note: dashes instead of dots)
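The dashes-for-dots registration on this slide is the part a defender can act on: the lookalike never touches the real zone, so it shows up only in what your users resolve, what gets newly registered, or what appears in certificate transparency. The Ruby below is an added example, not code from the deck or from PhishLulz. It flags observed domain names that reproduce a protected zone's labels with dashes, concatenated, or as a prefix of a longer name; the zone and all observed names are constructed, and public-suffix handling is deliberately left out.

```ruby
# Added example, not code from the deck or from PhishLulz: flag domains that
# mimic a protected zone the way lulz-wa-gov-au.com mimics lulz.wa.gov.au.
# Feed it hostnames seen in proxy/DNS logs, newly-registered-domain feeds or
# certificate transparency output. All domain names here are constructed.

PROTECTED_ZONES = %w[lulz.wa.gov.au].freeze  # constructed; replace with your own zones

# Everything before the last label. Public-suffix handling is deliberately
# omitted: for multi-label suffixes (co.uk) the match degrades to :embedded
# rather than being missed.
def registrable_part(domain)
  domain.downcase.chomp('.').split('.')[0...-1].join('.')
end

# Returns [observed, protected_zone, reason] triples, where reason is
#   :dashed   - the zone's dots replaced by dashes (the trick on the slide)
#   :squashed - the zone's labels concatenated
#   :embedded - the zone's labels appear in order at the start of the name
def lookalikes(observed, zones = PROTECTED_ZONES)
  observed.each_with_object([]) do |obs, hits|
    norm = obs.downcase.chomp('.')
    zones.each do |zone|
      next if norm == zone || norm.end_with?(".#{zone}")  # a real host under the real zone
      reg    = registrable_part(norm)
      labels = zone.split('.')
      reason = if reg == labels.join('-') then :dashed
               elsif reg == labels.join then :squashed
               elsif reg.split(/[.-]/).first(labels.size) == labels then :embedded
               end
      hits << [obs, zone, reason] if reason
    end
  end
end

if __FILE__ == $0
  # Constructed sample of names pulled from a proxy log.
  seen = %w[lulz-wa-gov-au.com mail.lulz.wa.gov.au lulzwagovau.net lulz.wa.gov.au.evil.example example.com]
  lookalikes(seen).each { |obs, zone, why| puts "#{obs} looks like #{zone} (#{why})" }
end
```

A hit on :dashed or :squashed is a strong signal on its own and is a reasonable candidate for an automatic block at the proxy or resolver; :embedded hits are noisier and are better routed to review, since the zone's labels can legitimately open a longer name.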

Page 13: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Page 14: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Page 15: Practical Phishing Automation with PhishLulz - KiwiCon X

Phishing in real-life

Page 16: Practical Phishing Automation with PhishLulz - KiwiCon X

PhishLulz to the rescue

● When doing Phishing:

– Every time it’s a different story

– Configuration overhead sometimes is a killer

– You can identify repeatable patterns

– Good timings are key

– You need as much automation as possible

– Speed is key once you have access to the victim’s assets

Page 17: Practical Phishing Automation with PhishLulz - KiwiCon X

PhishLulz to the rescue

● Ideally you would like to automate:

– Domain registration & DNS zone file config (SPF/DKIM)

– SMTP server configuration

– VirtualHost-like (including SSL) config

– Correlate unique clicks with email, geolocation and all the fingerprinting by BeEF

– Database of phishing templates, re-usable and effective

● With PhishLulz 95% of the above is automated

Page 18: Practical Phishing Automation with PhishLulz - KiwiCon X

PhishLulz to the rescue

● Amazon EC2 image pre-configured with:

– PhishingFrenzy – phishing framework in Rails

– BeEF – no intro needed ;-)

● Set of Ruby||GTFO scripts to make your life easier when doing Phishing

Page 19: Practical Phishing Automation with PhishLulz - KiwiCon X

PhishLulz to the rescue

● Video demo…

Page 20: Practical Phishing Automation with PhishLulz - KiwiCon X

PhishLulz to the rescue

● PhishLulz comes with a bunch of other tools

– Subdomain enumeration and fingerprinting

– Extract HTML content from .eml file

– Automatically verify webmail login and extrude emails matching patterns

Page 21: Practical Phishing Automation with PhishLulz - KiwiCon X

find_resources.rb – multi-threaded subdomain discovery

● Your target has 5 different FQDNs & you need to discover interesting subdomains to phish

● For each FQDN, iterate through a list of 2000 subdomains checking if they resolve, for instance:

– Webmail.target1.com

– Citrix.target2.com

– Vpn.target1.com

Page 22: Practical Phishing Automation with PhishLulz - KiwiCon X

find_resources.rb

● Multi-threaded, so you can scan multiple domains at once.

● If a subdomain resolves, it tries to connect to ports 80/443 and gets the page title/Server header

● Outputs a .csv file with discovered stuff
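The same resolve-then-probe loop is what an organisation should be running against its own zones: the webmail, VPN and Citrix hostnames that answer on 80/443 are exactly the login pages a phishing template gets cloned from, and knowing that inventory is the precondition for watching for clones of it. The Ruby below is an added example written here, not find_resources.rb from PhishLulz. It builds <word>.<domain> candidates, resolves each, probes 80 and 443 for the page title and Server header, and writes a CSV. The resolver and prober are injectable so the logic can be exercised offline against constructed data; the defaults use Resolv and Net::HTTP from the standard library. Domain names in the demo are constructed.

```ruby
# Added example, not PhishLulz's find_resources.rb: inventory which
# <word>.<domain> names resolve and what answers on 80/443.
require 'resolv'
require 'net/http'
require 'openssl'
require 'csv'

# Default resolver: first address for the name, nil when it does not resolve.
DEFAULT_RESOLVER = lambda do |host|
  begin
    Resolv.getaddress(host)
  rescue Resolv::ResolvError
    nil
  end
end

# Default prober: [title, server_header] or nil when the port does not answer.
# Certificate validation is off because this records what answers; nothing
# here trusts the peer or sends it anything but GET /.
DEFAULT_PROBER = lambda do |host, port|
  begin
    http = Net::HTTP.new(host, port)
    http.use_ssl = (port == 443)
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
    http.open_timeout = http.read_timeout = 5
    res = http.get('/')
    title = res.body.to_s[%r{<title[^>]*>(.*?)</title>}im, 1].to_s.strip
    [title, res['Server'].to_s]
  rescue StandardError
    nil
  end
end

# Returns sorted rows [fqdn, ip, port, title, server] for every candidate that
# resolves and answers. Candidates are shared through a closed Queue so a
# fixed pool of threads drains it without any further coordination.
def inventory(domains, words, threads: 8, resolver: DEFAULT_RESOLVER, prober: DEFAULT_PROBER)
  queue = Queue.new
  domains.each { |d| words.each { |w| queue << "#{w}.#{d}" } }
  queue.close  # pop returns nil once drained, which ends each worker loop
  rows = []
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      while (fqdn = queue.pop)
        ip = resolver.call(fqdn)
        next unless ip
        [80, 443].each do |port|
          info = prober.call(fqdn, port)
          next unless info
          lock.synchronize { rows << [fqdn, ip, port, info[0], info[1]] }
        end
      end
    end
  end
  workers.each(&:join)
  rows.sort
end

def write_csv(rows, path)
  CSV.open(path, 'w') do |csv|
    csv << %w[fqdn ip port title server]
    rows.each { |r| csv << r }
  end
end

if __FILE__ == $0
  # Constructed demo run; replace with your own zones and a real word list.
  rows = inventory(%w[target1.example target2.example], %w[webmail vpn citrix])
  write_csv(rows, 'resources.csv')
  puts "#{rows.size} rows written"
end
```

Diffing successive CSVs is the useful part for a defender: a hostname or title that appears in the inventory and is not in the change record is either forgotten infrastructure or something you did not put there.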

Page 23: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● When doing webmail credential harvesting, you usually end up with tens of valid credentials in a matter of minutes

● You need to be quick searching for low-hanging fruit in each mailbox of your victims

– Good luck doing that manually with 50 credentials

– What if after 2 hours the target realizes the phish, forcing a password change on all those 50 users that clicked?

● Remember: SPEED IS KEY
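The tempo described on this slide is also its signature: tens of distinct accounts authenticating successfully to webmail from one source in a few minutes is not how people use mail. The Ruby below is an added detection example, not part of the deck or of PhishLulz. It parses constructed webmail authentication log lines and raises an alert when one source address completes successful logins as at least a threshold number of distinct users inside a sliding time window; the log format, addresses and usernames are all constructed.

```ruby
# Added example, not part of the deck or of PhishLulz: spot one source
# address logging into many distinct webmail accounts in a short window.
require 'time'

# Constructed sample lines mimicking a webmail auth log. Not real data.
SAMPLE_LOG = <<~LOG
  2016-11-17T09:12:03Z LOGIN OK user=alice src=198.51.100.7
  2016-11-17T09:12:09Z LOGIN OK user=bob src=198.51.100.7
  2016-11-17T09:12:11Z LOGIN FAIL user=carol src=198.51.100.7
  2016-11-17T09:12:14Z LOGIN OK user=carol src=198.51.100.7
  2016-11-17T09:12:20Z LOGIN OK user=dave src=198.51.100.7
  2016-11-17T09:13:02Z LOGIN OK user=erin src=198.51.100.7
  2016-11-17T09:30:00Z LOGIN OK user=frank src=203.0.113.20
  2016-11-17T10:05:44Z LOGIN OK user=alice src=203.0.113.21
  2016-11-17T10:06:01Z LOGIN OK user=grace src=203.0.113.21
LOG

LINE_RE = /\A(?<ts>\S+) LOGIN (?<result>OK|FAIL) user=(?<user>\S+) src=(?<src>\S+)\z/

# One parsed event, or nil for lines that do not match the constructed format.
def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  { ts: Time.iso8601(m[:ts]), ok: m[:result] == 'OK', user: m[:user], src: m[:src] }
end

# Flags a source address when, within any +window+ seconds, it completes
# successful logins as at least +min_users+ distinct accounts. Returns
# { src:, users:, first:, last: } per flagged source; the user list is the
# set a responder has to reset and whose sessions have to be revoked.
def detect_bulk_logins(log, window: 300, min_users: 3)
  events = log.each_line.map { |l| parse_line(l) }.compact.select { |e| e[:ok] }
  alerts = []
  events.group_by { |e| e[:src] }.each do |src, evs|
    evs = evs.sort_by { |e| e[:ts] }
    start = 0
    evs.each_with_index do |e, i|
      # Slide the window start forward until it is within +window+ of this event.
      start += 1 while e[:ts] - evs[start][:ts] > window
      users = evs[start..i].map { |x| x[:user] }.uniq
      if users.size >= min_users
        alerts << { src: src, users: users, first: evs[start][:ts], last: e[:ts] }
        break  # one alert per source is enough here
      end
    end
  end
  alerts
end

if __FILE__ == $0
  detect_bulk_logins(SAMPLE_LOG).each do |a|
    puts "#{a[:src]}: #{a[:users].size} accounts in #{(a[:last] - a[:first]).round}s (#{a[:users].join(', ')})"
  end
end
```

The threshold and window are the tuning knobs: a shared egress address for a whole office will legitimately show many users over a day, so the window has to be short and the response has to act on the user list rather than just the address.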

Page 24: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● Automated & multi-threaded webmail data extrusion

● Agnostic to webmail type, doesn’t rely on APIs

● Written for automatic search & extrude of data from webmails (follow-up of credential harvesting campaigns)

● Afaik there is no public tool for this

– Enabling POP/IMAP → fetchmail is noisy and sometimes not supported (see Outlook Live)

– Relying on webmail RESTful APIs (if any) → usually requires SSO

– I needed something I could easily enhance adding support for more webmails, without re-inventing the wheel for each webmail type

Page 25: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● Tested various approaches to support outlook.live.com

– Burp traffic analysis, re-implementing the raw request flow and managing cookies with plain Ruby net/http/nokogiri

  ● Was working great but post-login you need JavaScript → NO GO

– Phantom/CasperJS to have JS support and instrument a headless browser

  ● Automated login worked, but post-login what? Clicking on elements without ID/Names is painful, XPATH is fucked up → NO GO

Page 26: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● Watir (a WebDriver Ruby wrapper) & JS injection

– Uses Watir to instrument a browser (Firefox/Chrome)

– If login is successful, injects JavaScript code that re-implements via XMLHttpRequest the flow needed to search and retrieve emails matching patterns

● Why JavaScript injection?

– Easy to analyze webmail search/retrieve functionality (especially if it returns JSON) with Burp, then re-implement

– You don’t need to manually take care of cookies/auth

– The whole approach becomes webmail agnostic as soon as you implement the right XHR calls

Page 27: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● Data extrusion exploits the Same Origin Policy

– The injected JS code extrudes emails/attachments via cross-origin POST XHR to an https handler (Mixed Content…)

– As discussed in the Browser Hacker’s Handbook, the SOP DOES NOT prevent you from sending requests cross-origin

● We don’t care about reading responses, like in XSRF scenarios
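This slide makes a point defenders should take literally: the SOP stops a script from reading cross-origin responses, not from sending them, so script running in a logged-in webmail session can POST mailbox contents to any https endpoint (the https handler mentioned above is there only because mixed-content blocking would stop a plain-http one). The browser control that does govern where page scripts may connect is the Content-Security-Policy connect-src directive, falling back to default-src. The Ruby below is an added example, not part of the deck or of PhishLulz; it parses a CSP header and answers whether a connection from a given page to a given URL would be permitted, so a webmail operator can check what a policy actually allows. Hostnames are constructed, and host-source matching is implemented for scheme, wildcard host and port only (no IPv6 literals or path matching).

```ruby
# Added example, not part of the deck or of PhishLulz: evaluate whether a CSP
# header would let a page script open an XHR/fetch to a given URL.
require 'uri'

# Parse a Content-Security-Policy header value into { directive => [sources] }.
# As in browsers, the first occurrence of a directive wins.
def parse_csp(header)
  header.to_s.split(';').each_with_object({}) do |chunk, acc|
    name, *srcs = chunk.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] ||= srcs
  end
end

def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# Host-source matching: optional scheme, host with optional leading "*.",
# optional port. Paths, IPv6 literals and IP wildcards are not handled here.
def host_source_matches?(src, page, target)
  spec = src.include?('://') ? src : "#{page.scheme}://#{src}"  # no scheme given: the page's scheme applies
  scheme, rest = spec.split('://', 2)
  host, port = rest.split('/', 2).first.split(':', 2)
  scheme = scheme.downcase
  return false unless target.scheme == scheme || (scheme == 'http' && target.scheme == 'https')
  host = host.downcase
  host_ok = if host.start_with?('*.')
              target.host.end_with?(host[1..-1]) && target.host != host[2..-1]
            else
              target.host == host
            end
  return false unless host_ok
  return target.port == target.default_port if port.nil?
  port == '*' || port.to_i == target.port
end

def source_matches?(src, page, target)
  case src.downcase
  when "'none'" then false
  when "'self'" then same_origin?(page, target)
  when '*'      then true
  when /\A[a-z][a-z0-9+.-]*:\z/ then target.scheme == src.downcase.chomp(':')  # scheme source such as https:
  when /\A'/    then false  # nonces, hashes, 'unsafe-inline' etc. never match a connection target
  else host_source_matches?(src, page, target)
  end
end

# Would script running on page_url be allowed to open an XHR/fetch to target_url
# under csp_header? connect-src governs this, falling back to default-src; with
# neither present CSP imposes nothing and, as the slide says, the SOP alone
# lets the cross-origin POST leave the browser.
def xhr_allowed?(csp_header, page_url, target_url)
  page, target = URI.parse(page_url), URI.parse(target_url)
  sources = parse_csp(csp_header).values_at('connect-src', 'default-src').compact.first
  return true if sources.nil?
  sources.any? { |s| source_matches?(s, page, target) }
end

if __FILE__ == $0
  # Constructed check: a webmail origin with and without a connect-src policy.
  page = 'https://webmail.example.net/owa/'
  drop = 'https://collector.example.org/drop'
  puts "no CSP:                      #{xhr_allowed?(nil, page, drop)}"
  puts "default-src 'self':          #{xhr_allowed?("default-src 'self'", page, drop)}"
  puts "connect-src 'self' + API:    #{xhr_allowed?("connect-src 'self' https://api.example.net", page, drop)}"
end
```

A policy that only sets script-src does nothing against this technique, since the script here is injected through an instrumented browser rather than loaded from a URL; connect-src is the directive that has to be present and tight.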

Page 28: Practical Phishing Automation with PhishLulz - KiwiCon X

MailBoxBug.rb

● Currently supports only outlook.live.com

– Common scenario if the customer uses Microsoft stuff without hosting OWA internally

● Need Gmail or custom webmail support?

– Just analyze traffic with Burp and re-implement with XHR

– Quickly test it via Firebug or JS Console

– Once it’s tested and stable, plug it in MailBoxBug

● Video demo…

Page 29: Practical Phishing Automation with PhishLulz - KiwiCon X

Outro

● PhishLulz, MailBoxBug and other tools are now public on GitHub, have fun :-)

https://github.com/antisnatchor/phishlulz

Hope you enjoyed!