Dark Fairytales from a Phisherman – @antisnatchor – HackPra AllStars 2015
Outline
• whoami
• Fishing === Phishing
• Badass phishing at cost (almost) zero
• Fairytalessss
• PhishingFrenzy + BeEF FTW
• Outro
whoami
• Pentester & vuln researcher
• BeEF lead core developer
• Browser Hacker’s Handbook co-author
• (ex) Surf casting pro fisherman
• (current) Phisherman
Fishing === Phishing
(F): Prepare bait and cast it
(P): Prepare pretext and phishing strategy, and send emails
(F): Wait for something to get interested in the bait
(P): Wait for victims to click on your links, enter credentials, open/execute stuff
(F): You got a big fish
(P): You got a shell on the company’s CFO laptop
• End-users are sometimes more stupid than saltwater fish
  – Fish do evolve: you have to use smaller hooks and fluorocarbon lines for increased stealth
  – Humans apparently do not evolve: we’re doing phishing with 15-year-old attacks that still work
    • MS Office macros
    • HTA files
    • Custom .exe files
Badass phishing at cost (almost) zero
• If you do phishing, you know that:
  – Every time it’s a different story
  – Configuration overhead sometimes is a killer
  – You can identify repeatable patterns
  – You need automation
  – Speed is key once you got access to victims’ assets
Badass phishing at cost (almost) zero
• Meet PhishLulz
  – Phishing automation in Ruby
• Puts together PhishingFrenzy + BeEF on a dedicated Amazon EC2 image
  – Cheers @zeknox for creating PF!!!
• Current features:
  – Mass mailing with HTML templates (SET… LOL)
  – Highly configurable template system
  – HTTP/HTTPS support
  – Credential harvesting
  – BeEF integration
    • Correlate victim name/email with OS/browser fingerprinting, including geolocation
    • Automate client-side attacks via BeEF modules
  – Reporting
Badass phishing at cost (almost) zero
• What is left to the consultant as a manual step:
  – Phishing domain selection/configuration (A/MX/CNAME records, as well as SPF/DKIM TXT records)
  – Configuring/starting the phishing campaign
    • If an existing phishing template can be used this takes 2 minutes
  – If needed, creating/modifying a phishing template or client-side vector
  – Waiting for browser hooks, harvested credentials and shells
Badass phishing at cost (almost) zero
• Amazon advantages:
  – Domain/IP blacklisted?
  – Fixed with 2 steps:
    • Reboot the AWS instance
    • Update the A record for your main phishing domain
  – Good IP block reputation
  – Cheap, zero maintenance
    • t2.small -> 0.026 $/hour -> 0.6 $/day -> 3.12 $/5 days
Fairytale 1 (s/lulz/real_target_name/)
• Target: www.lulz.wa.gov.au (GMT+8)
  – Discovered during reconnaissance:
    • webmail.lulz.com: Outlook Web Access
    • vpn1.lulz.com: Checkpoint SSL VPN
  – OWA template (phishing + email pretext) available in PF
  – Registered lulz-wa-gov-au.com
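The defender-side counterpart to the domain registered above, as an added Ruby example that is not part of the talk or of PhishLulz: it classifies the sender domain of incoming mail against a constructed list of organisation domains and flags the dots-to-hyphens-plus-new-TLD shape (lulz.wa.gov.au vs lulz-wa-gov-au.com) as well as the org-domain-used-as-prefix shape. The domain list and the From: headers are constructed.

```ruby
# Added example (not from the talk or PhishLulz): flag sender domains shaped like
# the organisation's own domain. ORG_DOMAINS and the sample headers are constructed.
ORG_DOMAINS = %w[lulz.wa.gov.au lulz.com].freeze

# Collapse a domain to its bare letters so "lulz-wa-gov-au" and "lulz.wa.gov.au" compare equal.
def squash(domain)
  domain.downcase.gsub(/[.-]/, '')
end

# :trusted   -> the org domain itself or a real subdomain of it
# :lookalike -> same letters as the org domain (or its stem) under another TLD,
#               or the org domain used as a prefix of a longer name
# :unrelated -> anything else (a plain typo-squat such as "lu1z.com" is not caught here)
def classify_sender(domain)
  d = domain.to_s.strip.downcase
  return :trusted if ORG_DOMAINS.any? { |o| d == o || d.end_with?(".#{o}") }
  return :lookalike if ORG_DOMAINS.any? { |o| d.start_with?("#{o}.") }
  labels = d.split('.')
  return :unrelated if labels.size < 2
  shapes = [squash(d), squash(labels[0..-2].join('.'))]   # with and without the TLD
  ORG_DOMAINS.each do |o|
    stem = o.split('.')[0..-2].join('.')                  # "lulz.wa.gov" for "lulz.wa.gov.au"
    return :lookalike if shapes.include?(squash(o)) || shapes.include?(squash(stem))
  end
  :unrelated
end

# Pull the sender domain out of a From: header value and classify it.
def flag_headers(headers)
  headers.map do |h|
    dom = h[/@([a-z0-9.-]+)>?\s*\z/i, 1]
    [h, dom ? classify_sender(dom) : :unparsed]
  end
end

# Constructed sample From: headers, modelled on an OWA helpdesk pretext.
SAMPLE_FROM = [
  'IT Helpdesk <helpdesk@lulz-wa-gov-au.com>',
  'Jane Doe <jane.doe@webmail.lulz.com>',
  'Vendor News <news@example.org>',
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_headers(SAMPLE_FROM).each { |h, verdict| puts "#{verdict.to_s.ljust(10)} #{h}" }
end
```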
Fairytale 1
• In less than 3 hours (by 5PM COB in the target timezone): 39% success rate
[Chart: harvested credentials, split into domain credentials and VPN credentials]
Fairytale 1
• Results:
  – Gov network compromised (including AD)
  – Pure blackbox -> client-side -> internal pentest
  – Overall time spent:
    • 4 hours preparation/recon
    • 2 days harvesting/pwning
  – Total cost:
    • About 2 $ for the EC2 cost
    • About 8 $ for the domain registration
10 $ total cost
Badass phishing at cost (almost) zero
• Debian 7 AMI on Amazon EC2
  – Can be used with the t2.small profile (1 vcore/2GB RAM)
  – Loosely coupled with Amazon: it can be used with other cloud providers or your own infrastructure too
  – Relies on the Fog gem
    • Support for Rackspace, Linode, Dreamhost, XenServer, libvirt, OpenVZ
    • http://fog.io/about/provider_documentation.html
Badass phishing at cost (almost) zero
• The (private) AMI has the following installed:
  – PhishingFrenzy (custom version)
  – BeEF
  – Apache/MySQL/PostgreSQL
  – More stuff to be added in the (near) future:
    • metasploit
    • recon-ng
    • Veil
    • URLcrazy
Fairytale 2
• The Telegraph UK asked us to target a specific journalist (Sept 2014). Info provided:
  – Name: Sophie Curtis
  – Not much info from reconnaissance
  – Target writes about IT stuff, breaches, and so on
  – Together with a Brazilian friend of mine we did the engagement
    • You will not find our names here: http://www.telegraph.co.uk/technology/internet-security/11153381/How-hackers-took-over-my-computer.html
Fairytale 2
• Attack plan:
  – Generic LinkedIn invite phishing campaign
    • Aim: profile the journalist’s OS/browser/plugins with BeEF
    • Aim 2: detect mail provider/tech
  – After fingerprinting, 3 client-side attack options:
    1. Custom encoded .exe inside password-encrypted .rar
    2. Word document with PowerShell macro
    3. HTA attack targeted at Internet Explorer
Fairytale 2
• OS, browser and plugin fingerprint via BeEF
  – Note: Office 2012, Java 1.7u51, Citrix ICA Client
Fairytale 2
• Via the initial fingerprinting we identified that the victim was using Gmail for Business
  – Encrypted .zip is not an option: filename leak
  – “Good” antispam/AV
  – Phishing domain with SPF/DKIM
  – Encrypted .rar with custom .exe inside
Fairytale 2
• Payload:
  – .exe file with 3 connect-back mechanisms
    • Reverse HTTPS
    • Reverse DNS
    • OOB extrusion via Outlook profile
  – Custom encoding
  – Adobe PDF modified icon + long Win filename trick
  – Custom MsgBox with PDF icon (msg: “Adobe Reader could not open xxx.pdf”)
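A mail-gateway style check for attachment names built like the payload above (a document-looking name in front of a real executable), as an added Ruby example that is not part of the talk or of PhishLulz. It assumes the long Windows filename trick is whitespace padding before the real extension; the extension lists and the sample attachment names are constructed.

```ruby
# Added example (not from the talk or PhishLulz): triage attachment names that hide an
# executable behind a document name. Assumes the "long Win filename" trick is whitespace
# padding before the real extension. Extension lists and sample names are constructed.
EXEC_EXTS    = %w[exe scr com pif bat cmd hta js jse vbs vbe ps1 jar lnk].freeze
DOC_EXTS     = %w[pdf doc docx xls xlsx ppt pptx txt].freeze
ARCHIVE_EXTS = %w[rar zip 7z].freeze

# Returns the list of findings for a name; an empty list means nothing matched.
def attachment_findings(name)
  n = name.to_s.strip
  exts = n.downcase.scan(/\.([a-z0-9]+)/).flatten      # every ".ext" token, in order
  real = exts.last                                     # the extension Windows actually uses
  findings = []
  return findings if real.nil?
  if EXEC_EXTS.include?(real)
    findings << :executable
    findings << :document_double_extension if (exts[0..-2] & DOC_EXTS).any?
    findings << :padded_filename if n =~ /\S\s{3,}\S*\.#{real}\z/i
  end
  # An encrypted archive cannot be scanned at the gateway, so it is held for inspection.
  findings << :archive_needs_inspection if ARCHIVE_EXTS.include?(real)
  findings
end

# Policy on top of the findings: executables are blocked, archives are held, the rest passes.
def triage(name)
  f = attachment_findings(name)
  return :block if f.include?(:executable)
  return :hold  if f.include?(:archive_needs_inspection)
  :allow
end

# Constructed sample attachment names (the first one mimics the padded-name trick).
SAMPLE_ATTACHMENTS = [
  'Invoice_2014-09.pdf                                        .exe',
  'Press_release.docx',
  'documents.rar',
  'setup.exe',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ATTACHMENTS.each { |n| puts "#{triage(n).to_s.ljust(6)} #{attachment_findings(n).inspect} #{n.inspect}" }
end
```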
Fairytale 2
• The victim believed the pretext: once she had double-clicked the payload she even replied back asking for more clarification
• Camera/microphone access. Game over
More Fairytales?
• Wait for the new BeEF Autorun Engine
  – More shells, automated attacks
  – In the meantime, if you can’t wait, enjoy:
    • InsomniHack’14 talk with @kkotowicz: http://www.slideshare.net/micheleorru2/when-you-dont-have-0days-clientside-exploitation-for-the-masses
    • Browser Hacker’s Handbook videos: http://browserhacker.com/videos/videos_index.html
    • My Vimeo channel: https://vimeo.com/user1924142
PhishingFrenzy + BeEF FTW
• Work in progress
  – Integration with URLCrazy and domain registration providers for automatic phishing domain suggestion and registration/configuration
  – Automatic campaign configuration based on phishing profiles
    • Outlook Web Access
    • LinkedIn
    • HTA/browser extensions/etc.
PhishingFrenzy + BeEF FTW
• Work in progress
  – More reporting capabilities (currently Excel):
  – More graphs
    • Campaign time graph with clicks/submissions timestamps
    • Browser type/version/plugins and OS type count
PhishingFrenzy + BeEF FTW
• Work in progress
  – BeEF server-side ARE (autorun rule engine)
  – Create separate autorun profiles for different client-side attacks (new profiles can be added at runtime)
    • Internet Explorer -> autorun_hta.json
    • Chrome/Firefox -> autorun_mal_extension.json
    • Chrome/Firefox -> get WebRTC internal IP address, start enumerating the internal network
      – IPC/IPX (see my previous HackPra AllStars presentation)
      – Blind XSRF on home routers, or Shellshock attacks on embedded Linux devices (NAS/routers/cameras/etc.)