Phishing

To Study [BHIS - Getting Access]

  • Performing reconnaissance to support each attack.

  • Setting up their own “botnet” with ProxyCannon to spread traffic across multiple source IP addresses.

  • Executing password guessing attacks such as credential stuffing and password spraying.

  • Phishing for credentials and sessions to bypass multi-factor authentication.

  • Setting up and using Azure Information Protection (AIP) to deliver encrypted phishing emails.

  • Creating “MalDocs”—Microsoft Office documents with embedded executable payloads.

  • Delivering executable payloads during a phishing campaign.

Articles:

Tools

  • Modlishka

  • SET

  • ReelPhish

  • PwnAuth

  • CredSniper

  • PhishingPretexts

Metrics

  • Who fell for the Phish?

  • Who reported the Phish?

OSINT

#Check for SPF record
spoofcheck.py
dig +short TXT <domain.com>

#Check for DKIM record (the selector is the s= tag of a DKIM-Signature header; "dkim" is only a placeholder)
dig <selector>._domainkey.<domain.com> TXT

#Check for DMARC record
dig +short TXT _dmarc.<domain.com>
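The same lookups serve a domain owner auditing their own mail authentication posture. Added example, not part of the original notes or any of the tools listed: it parses the SPF and DMARC TXT strings the dig commands above return and flags settings that would let spoofed mail through. The sample records and domain names are constructed.

```python
import re

# Constructed sample TXT records, in the form the dig commands above print them.
SAMPLE_SPF = '"v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"'
SAMPLE_DMARC = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=50"'


def parse_spf(txt):
    """Return (terms, all_qualifier) for an SPF record, or None if txt is not SPF."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qual = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qual = m.group(1) or "+"  # a bare "all" means pass (+)
    return terms[1:], all_qual


def parse_dmarc(txt):
    """Return the DMARC tags as a dict, or None if txt is not a DMARC record."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """List weaknesses a receiver would not catch; empty list means enforced."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record")
    elif spf[1] in (None, "+", "?"):
        findings.append("SPF never fails unauthorized senders (no -all/~all)")
    elif spf[1] == "~":
        findings.append("SPF softfail (~all): spoofed mail may still be delivered")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy or 'missing'}' does not enforce")
        pct = dmarc.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua: aggregate reports are not collected")
    return findings
```

Feed it the raw TXT strings from dig; an empty string stands in for NXDOMAIN or a missing record.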

SPAM Traps

Spoofing Prevention Mechanism: MS Exchange

Factors affecting SPAM traps:

  • Domain's age

  • Links pointing to IP addresses

  • Link manipulation techniques

  • Suspicious attachments

  • Broken email content

  • Values in the message that differ from those in the mail headers

  • Existence of SSL certificate

  • Submission of page to web content filtering sites

Circumventing Defenses:

  • Check whether the target domain has SPF, DMARC and DKIM records configured.

  • Send a mail to non-existent user from target's domain and analyze the non-delivery notice message headers for critical information.

  • If spoofing is not an option, register a legitimate domain and set up DNS records.

Phishing with Google Domain

Fingerprinting

  • Fingerprint2

File Transfer

  • File.io

  • Transfer.sh

  • Firefox Send (encrypted)

  • JustBeamIt.com

Payload Generation

  • Banana

  • Scarecrows

Send e-mail to no-reply@domain.com with Target in Cc

Linux Trape

  • Useful for web hooks

  • Get IP Geolocation

Mail Template

Gophish

  • Grab the email source from "View original" within Gmail.

  • Import into Gophish and clean up the template.

  • Replace all URLs.

Sample Pretexts

Subject: RE: Proposed Redundancy FY20xx
Dear All/UserX,
Here are my proposed redundancies for FY 20xx. It's always difficult talking about letting people go, but COVID has been hard on all of us and unfortunately we have to make cutbacks. You can find the list of personnel I'm considering in the attachment.
I'll schedule a meeting later this week so we can discuss this further.
Regards,
<Sender Name>

Dear <Name>,
This email is an automated warning that you have exceeded your email storage quota.
Unless you request more space immediately, any email to you might fail to be delivered.
Please click here to request an emergency quota extension.

Sincerely,
Network Services

This message contains confidential information and is intended only for <E-mail>. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this e-mail by mistake please delete it from your system. Finally, the recipient should check this email and any attachments for the presence of viruses.
The company accepts no liability for any damage caused by any virus transmitted by this email.

Sending HTML Emails in Gmail

Sending Attachments

  • Host on Mixmatch

  • Includes trackers as well

Abusing MSOffice For Post Exploitation

  • Reference: Kyle Avery
