Secondary Categories: 02-Social Engineering - 02-Infrastructure
Description:
Keep in mind what services you are targeting
- Email
- OWA365
- GMail
- VPN
- Citrix
- Cisco
- External Web Application
- Internal Web Application
Before crafting a payload ensure that you know what email service they use by using:
- SecurityTrails
- MX Records
- DNS Dumpster
- viewdns.info
Choosing a Domain
Look for the following:
-
Subdomain takeover
- Companies often set up CNAME records that point a subdomain to another domain. Very often this is for use with a cloud service provider
-
Domain Expires and CNAME still points to expired domain
-
Typo Squatting
-
Ex:
- Original:
- fortynorthsecurity.com
- Typosquatting
- fortynorhtsecurity.com
- fortynorthsecurty.com
- Original:
-
Adding βmailβ,βemailβ,or βvpnβ
- Ex: fortynorthvpn.com
- Ex: fortynorthintranet.com
-
Change the Top Level Domain
- The Top Level Domain (TLD) is just .com, .net. .org, etc.
- Ex: fortynorthsecurity.org
-
Finding a available domain name
- Namemesh β namestation.com
Website Cloning
- WGET
wget \
--mirror \
--page-requisites \
--convert-links \
--adjust-extension \
--domains <TARGET_URL_SUBDOMAIN>\
--no-parent \
<TARGET_URL>
wget flag meaning β’ βmirror = turns on recursion and time-stamping, sets infinite recursion depth and keeps FTP directory listings β’ βpage-requisites = download all the files that are necessary to properly display a given HTML page including inlined images, sounds, and referenced stylesheets β’ βconvert-links = convert the links in the document to make them suitable for local viewing (ie: relative paths) β’ βadjust-extension = ensures html and css pages included the .html and .css extensions after downloading β’ βdomains <TARGET_URL_SUBDOMAIN> = domains to be followed; we donβt need to follow external domains since weβll already have absolute paths to them β’ βno-parent = donβt go up to the parent directory when retrieving files recursively
- SingleFile Firefox Extension
- Ensure that you delete the comment at the top of the html file
Infrastructure
HTTP(S) Setup
DNS Setup
Payload Setup
Connecting
There are two ways to connect to the GoPhish Backend:
- Dynamic SSH Tunnel and use the browser
- Connect to the VPN then navigate to the Public IP
Email Templates
You want the emails that are sent to the victim to look as close to real as possible. You can do this by exporting an email from outlook or another mail provider. Once you have exported the email you can modify the html to your choosing to look real or fit the scenario.
Links in Email
A method to hide the true links is to of course make the href different from the text shown but this maybe caught by anti-phishing solutions. Another way to bypass is spliting the URL link into parts and change the font size to 1
In the example above our malicious/look-a-like phishing page is therevoltgroup.us.com but the email user only sees therevoltgroup.com
Phishing Scenarios
- Asset Inventory of computer systems
- Office365 Encrypted Messages
- Contact the Sales/Marketing team to send a malicious file (legal docs, job application, or interested in product/service )
- Contact HR as a person looking for a job
Phishing Objective
Credential Harvesting
- Continued Below
2FA
- evilginx2
Payloads
Types of Payloads
There are many different types of payloads we can send such:
- Malicious Office
- VBA Macros
- JScript
- Signed Executable
Sending the Payload
Office Document
- Create a Document and either attach it to the email or provide a link in the phishing email to the document.
- The Document can container a page that states that the document is encrypted and they need to click βEnable Contentβ to decrypt it and accept the policy or read the document.
- We can also use a method such as ZLoader malware and use an excel document with =CHAR() in cells to create create the payload one byte at a time and execute.
Other Methods:
Executable
- Setup a fake GoToMeetings link and invite the target to a meeting. The target will have to download the video chat meeting executable in order to chat with us. This usually works best with just about anyone. This may work best with Sales/Marketing/HR.
- If we use this method then we should create a multi-stage payload that wonβt be caught when the end user downloads and runs the program. So the payload must be able to evade static and dynamic AV
- ClickOnce Executables
HTAs
https://github.com/t3ntman/Social-Engineering-Payloads
JScript
https://github.com/rasta-mouse/GadgetToJScript
Bypass Anti-Phishing Solutions and SFP
You can bypass these solution many different ways or maybe even using a combo of them all:
- Fill out the Contact Me page on the target website to become whitelisted
- Use an aged domain
- A trusted SSL cert. (Try to avoid LetsEncrypt SSL certs or OpenSSL self signed certs)
Resources:
Title | URL |
---|---|
place | holder |