lunker: the advanced phishing framework joshua perrymon ceo, packetfocus
TRANSCRIPT
Lunker: The Advanced Phishing FrameworkJoshua PerrymonCEO, PacketFocus
Agenda
•Intro•What is Lunker?•What can it do?•Attack Theory•Payloads•The Old Way•Demo•Questions
Who am I?
•Joshua Perrymon, CEO PacketFocus•12 yrs Experience “Ethical Hacking”•Over 200 Spear-Phishing attacks in 4-5
languages•85% Success ratio using “Blacklist”
emails from the Internet •MUCH higher using “Whitelist” Emails
What is Phishing
•Phishing is a method of Social Engineering used to gain credentials, or have users perform a specific action.
•We have all gotten these types of emails.•Sent out to Millions•Usually triggers SPAM filtering alerts•Uses a known phishing site that is usually
takes down within a couple days if possible
What is Spear Phishing
•A directed Phishing Attack•Only targets a handful of users•Emails are harvested from the Internet or
other public places•Very hard to stop as the attack isn’t sent
out all over the Internet
Attacking up the OSI
•We have been moving up the OSI (Open System Interconnection) model with attacks.
Attacking up the OSI model cont.
How these attacks work
Doing this the “OLD” Way•This takes time. But doesn’t require a lot of
technical skills.
•Find emails•Find site to be phished•Create the site•Setup php mail spoof•Test•Send•Monitor
Using the Phishing Framework
•Easy and repeatable
PacketFocus.com 2008 - JperrymonStep 1.
PacketFocus.com 2008 - JperrymonStep 2: Enter Client Info
PacketFocus.com 2008 - Jperrymon
Client Details
•This is entered into the local database. This allows an audit trail of tests configuration and results. The idea is to document each step automatically, because no-one else wants to do it.
•Enter URL and IP Info if provided
PacketFocus.com 2008 - JperrymonStep3: Email Recon
PacketFocus.com 2008 - Jperrymon
But everyone uses their company email address right????•This is hard to protect against most times.
Usually, internal email addresses must be used in business communication. This can be leaked to the Internet Search Engines.
•Search “@acme.com” and look through the results.
PacketFocus.com 2008 - JperrymonStep 4: Phishing Analysis
PacketFocus.com 2008 - Jperrymon
On the lookout
•This module will actively search the target URL’s and IP’s in scope to identify potential Phishing Targets.
•Any site that requires credentials remotely should be considered and identified.
•Top targets include Webmail, VPN, and website logins.
•The tool will identify these portals and return analysis based on previous information gathered.
PacketFocus.com 2008 - JperrymonStep5: Select the Bait
PacketFocus.com 2008 - Jperrymon
Email is easy
•Most often, a simple email from spoofed technical support will be enough to have a user form over login and password details.
•Analysis will identify token passwords. Numeric entries should trigger token MITM functions.
•Start analysis timers.
PacketFocus.com 2008 - Jperrymon
Verify it works
PacketFocus.com 2008 - Jperrymon
Now what?
•Login to the Phishing site locally to make sure it captures the password.
•It’s easy to email the credentials. Be responsible and store them encrypted.
•Modules could auto login based on template used. Get email(), Get Attachment(), Get Keyword(), Get Subject().
PacketFocus.com 2008 - JperrymonRedirect Confusion
PacketFocus.com 2008 - Jperrymon
Where am I?
•Redirection must be used after the user logs in the first time. Error message, Google, etc
•Redirect to real site.
•Delete email sent to user after getting credentials.
PacketFocus.com 2008 - JperrymonSpoof the email
PacketFocus.com 2008 - Jperrymon
Tony.. Tony Montana
•Setup a spoofed email.•To goal is to have the user perform a pre-
defined action.•Authority, realism, and language play a
vital role in a successful attacks.
•The key is gain trust as soon as possible.•NLP (Neuro-Linguistical Programming)•Milgram Experiment
PacketFocus.com 2008 - JperrymonSelect Footer
PacketFocus.com 2008 - Jperrymon
Footer
•If you want to write a custom body, select a footer template to give the attack structure.
PacketFocus.com 2008 - JperrymonScenario Options
PacketFocus.com 2008 - Jperrymon
Pick one.
•Pre-defined spoofed email scenarios are included with the framework. These are selected conversations that usually get the response desired based on actual field results.
•Scenarios:▫Tech Support▫Internal IT▫3rd Party IT▫End-User
PacketFocus.com 2008 - Jperrymon
Stealthy
PacketFocus.com 2008 - Jperrymon
Email Head
•Sometimes you need to modify the email headers.
•We will probably put something in here to identify the tool once it goes public.
PacketFocus.com 2008 - JperrymonLoad the Ammo
PacketFocus.com 2008 - Jperrymon
Money Shot.
•This is what makes the framework stand out.
•The ability to add custom payloads to the phishing email.
•XSS, Browser Exploit, Recon, Trojans, Exploits, Backdoors, etc..
•Welcome to hack 2.0
PacketFocus.com 2008 - JperrymonTest Environment
PacketFocus.com 2008 - Jperrymon
Test 1.2.3.
•This module launches the local email client and the locally hosted phishing site at the same time.
•The tester sends the spoofed email to a locally configured account. This account is checked by the Email Client as would a normal user.
•Look for mistakes. The smallest error can cause the attack not to work.
Local Mode
PacketFocus.com 2008 - JperrymonStart the Audit
PacketFocus.com 2008 - Jperrymon
Just a little patience…
•Monitor the web server, db, MTA, and monitor.
•Setup MITM scripts to auto•Configure alarms and real-time logic.•Setup login options
▫Capture▫Capture/Login▫Capture/Login/Scrape
DEMO
•Lets have a look at the current working version.
•How to bypass Outlook 2007 Phishing filters.
PacketFocus.com 2008 - Jperrymon
What's Next• MITM- 2nd Factor Authentication• Advanced Payloads
▫XSS▫CRSF▫Browser Exploits▫Recon to determine user browser, OS, etc.
• Reporting • Forum Support• Template Sharing• Training Modules• User reaction analysis module• Ability to customize the Templates
Thank You
•Thanks for sitting through this presentation. The main aspect to take away from this is how attacks are moving up the OSI model and targeting the user (layer 8).
•It doesn’t take a lot of technical skills to perform these types of attacks.
•User Awareness is the only way to mitigate this risk. We can’t rely on technology.