Presentation on theme: "Lunker: The Advanced Phishing Framework"— Presentation transcript:
1Lunker: The Advanced Phishing Framework Joshua PerrymonCEO, PacketFocus
2Agenda Intro What is Lunker? What can it do? Attack Theory Payloads The Old WayDemoQuestions
3Who am I? Joshua Perrymon, CEO PacketFocus 12 yrs Experience “Ethical Hacking”Over 200 Spear-Phishing attacks in 4-5 languages85% Success ratio using “Blacklist” s from the InternetMUCH higher using “Whitelist” s
4What is PhishingPhishing is a method of Social Engineering used to gain credentials, or have users perform a specific action.We have all gotten these types of s.Sent out to MillionsUsually triggers SPAM filtering alertsUses a known phishing site that is usually takes down within a couple days if possible
5What is Spear Phishing A directed Phishing Attack Only targets a handful of userss are harvested from the Internet or other public placesVery hard to stop as the attack isn’t sent out all over the Internet
6Attacking up the OSIWe have been moving up the OSI (Open System Interconnection) model with attacks.
10Doing this the “OLD” Way This takes time. But doesn’t require a lot of technical skills.Find sFind site to be phishedCreate the siteSetup php mail spoofTestSendMonitorBefore Lunker setting up a phishing attack required a lot more planning and technical details. You have to make a new phishing template by hand. Setup the backend scripts to capture the credentials, find a server to host it on, figure out how to relay a spookef , login and either tail apache ot run TCPDUmp to monitor for attacks. This is now somewhat automated with the new framework.
11Using the Phishing Framework Easy and repeatableShow step by step process on using lunker. Use camtasia or animations.
13Step 2: Enter Client Info PacketFocus.com JperrymonStep 2: Enter Client Info
14PacketFocus.com 2008 - Jperrymon Client DetailsThis is entered into the local database. This allows an audit trail of tests configuration and results. The idea is to document each step automatically, because no-one else wants to do it.Enter URL and IP Info if provided
16But everyone uses their company email address right???? PacketFocus.com JperrymonBut everyone uses their company address right????This is hard to protect against most times. Usually, internal addresses must be used in business communication. This can be leaked to the Internet Search Engines.Search and look through the results.
18PacketFocus.com 2008 - Jperrymon On the lookoutThis module will actively search the target URL’s and IP’s in scope to identify potential Phishing Targets.Any site that requires credentials remotely should be considered and identified.Top targets include Webmail, VPN, and website logins.The tool will identify these portals and return analysis based on previous information gathered.
20PacketFocus.com 2008 - Jperrymon is easyMost often, a simple from spoofed technical support will be enough to have a user form over login and password details.Analysis will identify token passwords. Numeric entries should trigger token MITM functions.Start analysis timers.
21PacketFocus.com 2008 - Jperrymon Verify it works
22PacketFocus.com 2008 - Jperrymon Now what?Login to the Phishing site locally to make sure it captures the password.It’s easy to the credentials. Be responsible and store them encrypted.Modules could auto login based on template used. Get (), Get Attachment(), Get Keyword(), Get Subject().
24PacketFocus.com 2008 - Jperrymon Where am I?Redirection must be used after the user logs in the first time. Error message, Google, etcRedirect to real site.Delete sent to user after getting credentials.
26Tony.. Tony Montana Setup a spoofed email. PacketFocus.com JperrymonTony.. Tony MontanaSetup a spoofed .To goal is to have the user perform a pre-defined action.Authority, realism, and language play a vital role in a successful attacks.The key is gain trust as soon as possible.NLP (Neuro-Linguistical Programming)Milgram Experiment
30PacketFocus.com 2008 - Jperrymon Pick one.Pre-defined spoofed scenarios are included with the framework. These are selected conversations that usually get the response desired based on actual field results.Scenarios:Tech SupportInternal IT3rd Party ITEnd-User
32Email Head Sometimes you need to modify the email headers. PacketFocus.com JperrymonHeadSometimes you need to modify the headers.We will probably put something in here to identify the tool once it goes public.
34Money Shot. This is what makes the framework stand out. PacketFocus.com JperrymonMoney Shot.This is what makes the framework stand out.The ability to add custom payloads to the phishing .XSS, Browser Exploit, Recon, Trojans, Exploits, Backdoors, etc..Welcome to hack 2.0
36PacketFocus.com 2008 - Jperrymon TestThis module launches the local client and the locally hosted phishing site at the same time.The tester sends the spoofed to a locally configured account. This account is checked by the Client as would a normal user.Look for mistakes. The smallest error can cause the attack not to work.
38PacketFocus.com 2008 - Jperrymon Start the Audit
39Just a little patience… PacketFocus.com JperrymonJust a little patience…Monitor the web server, db, MTA, and monitor.Setup MITM scripts to autoConfigure alarms and real-time logic.Setup login optionsCaptureCapture/LoginCapture/Login/Scrape
40DEMO Lets have a look at the current working version. How to bypass Outlook 2007 Phishing filters.
41What's Next MITM- 2nd Factor Authentication Advanced Payloads PacketFocus.com JperrymonWhat's NextMITM- 2nd Factor AuthenticationAdvanced PayloadsXSSCRSFBrowser ExploitsRecon to determine user browser, OS, etc.Reporting Forum SupportTemplate SharingTraining ModulesUser reaction analysis moduleAbility to customize the Templates
42Thank YouThanks for sitting through this presentation. The main aspect to take away from this is how attacks are moving up the OSI model and targeting the user (layer 8).It doesn’t take a lot of technical skills to perform these types of attacks.User Awareness is the only way to mitigate this risk. We can’t rely on technology.