Dark Fairytales from a Phisherman
10 likes4,923 views
The document outlines an automated phishing technique called PhishLulz that uses PhishingFrenzy and BeEF on an Amazon EC2 instance. It describes how the tool allows for low-cost, automated phishing campaigns with features like mass mailing templates, credential harvesting, and integrating client-side attacks via BeEF. An example phishing campaign is provided that successfully compromised a government network in Australia within a few hours at a total cost of around $10 using this technique.
Dark Fairytales from a Phisherman
- 1. Dark Fairytales from a Phisherman @an4snatchor – HackPra AllStars 2015
- 2. Outline • whoami • Fishing === Phishing • Badass phishing at cost (almost) zero • Fairytalessss • PhishingFrenzy + BeEF FTW • Outro
- 3. whoami • Pentester & Vuln researcher • BeEF lead core developer • Browser Hacker’s Handbook co-‐author • (ex) Surf Cas4ng pro fisherman • (current) Phisherman
- 5. Fishing === Phishing (F): Prepare bait and cast it (P): Prepare pretext, phishing strategy, and send emails (F): Wait for something interested on the bait (P): Wait for vic4ms to click on your links, enter creden4als, open/execute stuff (F): you got a big fish (P): you got a shell on the company’s CFO laptop
- 7. • End-‐users are some4mes more stupid than saltwater fishes – Fishes do evolve: you have to use smaller hooks and Fluorocarbon lines for increased stealth – Humans apparently do not evolve: we’re doing phishing with 15 years old aZacks that s4ll work • MS Office macros • HTA files • Custom .exe files Fishing === Phishing
- 8. Badass phishing at cost (almost) zero • If you do phishing, you know that: – Every 4me it’s a different story – Configura4on overhead some4mes is a killer – You can iden4fy repeatable paZerns – You need automa4on – Speed is key once you got access to vic4ms assets
- 9. Badass phishing at cost (almost) zero • Meet PhishLulz – phishing automa4on in Ruby • Puts together PhishingFrenzy + BeEF on a dedicated Amazon EC2 image – Cheers @zeknox for crea4ng PF !!!
- 10. • Current features: – Mass mailing with HTML templates (SET…LOL) – Highly configurable template system – HTTP/HTTPS support – Creden4al harves4ng – BeEF integra4on • Correlate vic4m name/email with OS/browser fingerprin4ng including geoloca4on • Automate client-‐side aZacks via BeEF modules – Repor4ng Badass phishing at cost (almost) zero
- 11. • What is led to the consultant as a manual step: – Phishing domain selec4on/configura4on (A/MX/ CNAME records, as well as SPF/DKIM TXT records) – Configuring/star4ng the phishing campaign • If an exis4ng phishing template can be used this takes 2 minutes – Eventually crea4ng/modifying a phishing template or client-‐side vector – Wait for browser hooks, harvested creden4als and shells Badass phishing at cost (almost) zero
- 12. Badass phishing at cost (almost) zero • Amazon advantages: – domain/IP blacklisted? – Fixed with 2 steps: • Reboot the AWS instance • Update the A record for your main phishing domain – Good IP block reputa4on – Cheap, zero maintenance • T2.small -‐> 0.026$/hours -‐> 0.6$/day -‐> 3.12 $/5days
- 13. Fairytale 1 (s/lulz/real_target_name/) • Target: www.lulz.wa.gov.au (GMT+8) – Discovered during reconnaissance: • Webmail.lulz.com: Outlook WebAccess • Vpn1.lulz.com: Checkpoint SSL VPN – OWA template (phishing + email pretext) available in PF – Registered lulz-‐wa-‐gov-‐au.com
- 14. Fairytale 1 • Started campaign with 46 targets at 13:30 target 4me
- 15. Fairytale 1 • Started campaign with 46 targets at 13:30 target 4me
- 16. Fairytale 1 • In less than 3 hours (by 5PM COB in the target 4mezone): 39% success rate Harvested creden4als Domain creden4als VPN creden4als
- 17. Fairytale 1
- 18. Fairytale 1
- 19. Fairytale 1 • Results: – Gov network compromised (including AD) – Pure blackbox -‐> client-‐side -‐> internal pentest – Overall 4me spent: • 4 hours prepara4on/recon • 2 days harves4ng/pwning – Total cost: • About 2 $ for the EC2 cost • About 8 $ for the domain registra4on 10 $ total cost
- 20. Fairytale 1 • Results: – Gov network compromised (including AD) – Pure blackbox -‐> client-‐side -‐> internal pentest – Overall 4me spent: • 4 hours prepara4on/recon • 2 days harves4ng/pwning – Total cost: • About 2 $ for the EC2 cost • About 8 $ for the domain registra4on 10 $ total cost
- 21. Badass phishing at cost (almost) zero • Debian 7 AMI on Amazon EC2 – Can be used with t2.small profile (1 vcore/2GB ram) – Loosely coupled with Amazon: it can be used with other cloud providers or your own infrastructure too – Relies on the FOG gem • Support for Rackspace, Linode, Dreamhost, XenServer, libvirt, OpenVZ • hZp://fog.io/about/provider_documenta4on.html
- 22. Badass phishing at cost (almost) zero • The (private) AMI has the following installed: – PhishingFrenzy (custom version) – BeEF – Apache/MySQL/PostgreSQL – More stuff to be added in the (near) future: • metasploit • recon-‐ng • Veil • URLcrazy
- 23. PhishingFrenzy + BeEF FTW • PhishLulz ruby script video demo
- 24. PhishingFrenzy + BeEF FTW • PhishLulz phishing video demo
- 25. Fairytale 2 • The Telegraph UK asked us to target a specific journalist (Sept 2014). Info provided: – Name: Sophie Cur4s – Not much info from reconnaissance – Target writes about IT stuff, breaches, and so on – Together with a brazilian friend of mine we did the engagement • You will not find our names here: h"p:// www.telegraph.co.uk/technology/internet-‐security/ 11153381/How-‐hackers-‐took-‐over-‐my-‐computer.html
- 26. Fairytale 2 • AZack plan: – Generic LinkedIn invite phishing campaign • Aim: profile the journalist OS/browser/plugins with BeEF • Aim 2: detect mail provider/tech – Ader fingerprin4ng, 3 client-‐side aZacks op4ons 1. Custom encoded .exe inside password encrypted .rar 2. Word document with Powershell macro 3. HTA aZack targeted to Internet Explorer
- 27. Fairytale 2 • LinkedIn aZack (template in PF):
- 28. Fairytale 2 • OS, browser and plugin fingerprint via BeEF – Note: Office 2012, Java 1.7u51, Citrix ICA Client
- 29. Fairytale 2 • Credible Pretext (snip):
- 30. Fairytale 2 • Credible Pretext (snip):
- 31. Fairytale 2 • Via the ini4al fingerprin4ng we iden4fied that the vic4m was using Gmail for Business – Encrypted .zip is not an op4on, filename leak – “Good” an4spam/AV – Phishing domain with SPF/DKIM – Encrypted .rar with custom .exe inside
- 32. Fairytale 2 • Payload: – .exe file with 3 connect-‐back mechanisms • Reverse hZps • Reverse DNS • OOB extrusion via Outlook profile – Custom encoding – Adobe PDF modified icon + long Win filename trick – Custom MsgBox with PDF icon (msg: “Adobe Reader could not open xxx.pdf”)
- 33. Fairytale 2 • The vic4m believed in the pretext, she even replied back once double clicked the payload asking for more clarifica4on • Camera/microphone access. Game over
- 34. Fairytale 2 • Plan-‐B was ready in case of Plan-‐A failure
- 35. Fairytale 2 • Plan-‐B was ready in case of Plan-‐A failure
- 36. More Fairytales? • Wait for the new BeEF Autorun Engine – More shells, automated aZacks – In the mean4me, if you can’t wait, enjoy: • InsomniHack’14 talk with @kkotowicz h"p://www.slideshare.net/micheleorru2/when-‐you-‐dont-‐ have-‐0days-‐clientside-‐exploitaCon-‐for-‐the-‐masses • Browser Hacker’s Handbook videos h"p://browserhacker.com/videos/videos_index.html • My Vimeo channel h"ps://vimeo.com/user1924142
- 37. PhishingFrenzy + BeEF FTW • Work in progress – integra4on with UrlCrazy and domain registra4on providers for automa4c phishing domain sugges4on and registra4on/configura4on – Automa4c campaign configura4on based on phishing profiles • Outlook WebAccess • LinkedIn • HTA/browser extensions/etc..
- 38. PhishingFrenzy + BeEF FTW • Work in progress – More repor4ng capabili4es (currently Excel): – More graphs • Campaign 4me graph with clicks/submissions 4mestamps • Browser type/version/plugins and OS type count
- 39. PhishingFrenzy + BeEF FTW • Work in progress – BeEF server-‐side ARE (autorun rule engine) – Create separate autorun profiles for different client-‐side aZacks (new profiles can be added at run4me) • Internet explorer -‐> autorun_hta.json • Chrome/Firefox -‐> autorun_mal_extension.json • Chrome/Firefox -‐> get WebRTC internal IP address, start enumera4ng internal network – IPC/IPX (see my previous HackPra AllStars presenta4on) – Blind XSRF on home routers, or Shellshock aZacks on embedded Linux devices (NAS/routers/cameras/etc..)
- 40. PhishingFrenzy + BeEF FTW
- 41. PhishingFrenzy + BeEF FTW … BTW That’s not the ISIS black flag, just BeEF offline browsers …
- 42. Outro Hope you enjoyed the dark fairytales!