Topic: Need to build a Phishing platform/framework
rance
« on: July 28, 2011, 11:55:57 AM »

I'm on a roll today...

Just before leaving for SANS last week, I was hit up and told that we need to implement our own home-grown phishing tests.  My first thought was "crap, gotta build a box, write code, run tests, maintain code, etc"...

Well, I went to a phishing lunch and learn at the conference, and found out about the PhishMe company/service.  I like the idea of it, and I'm trying to get approval to move forward with a demo, HOWEVER, cost is always an object.  We got an initial quote, and it's probably going to be difficult to get funding.

Which puts me back at building my own solution.  As I was looking up reviews on PhishMe, there were mentions in articles about scripts and programs in the open source community that assist in phishing tests, but my google-foo is not up to snuff this morning and I'm coming up blank.

So, I'm putting out a call to anyone with information on building a platform for this.  What scripts/programs/frameworks do you utilize to perform phishing exercises?

As always, thanks for any input!

Poking at security since 1986.  +++ATH

dbest
« Reply #1 on: July 28, 2011, 12:09:52 PM »

Have you had a look at The Social Engineer Toolkit (http://www.social-engineer.org/)? Am certain it contains a module for Phishing attacks.

CISM, CEH, CISA, ISO 27001 LA

cochese86
« Reply #2 on: July 28, 2011, 12:26:09 PM »

+1 to SET and sendmail on a backtrack box.  You should be ok then.

tturner
« Reply #3 on: July 28, 2011, 12:49:10 PM »

I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P Imagine the fun you could have just issuing instructions to staff. No need to hack anything, just go all HBGary on them and ask for the SSH credentials ;D

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GSEC, OPSE, CSWAE, VCP

Next 6 months: GCIH, CSTP, STI MSISE

lorddicranius
« Reply #4 on: July 28, 2011, 01:41:52 PM »

> I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P

I've been considering a VPS for a while now and I think I was just persuaded!

> No need to hack anything, just go all HBGary on them and ask for the SSH credentials ;D

LOL

pseud0
« Reply #5 on: September 04, 2011, 02:47:32 PM »

We normally just run SET for these types of engagements.  If you can base your template off of one of their existing internal emails that is your best option.  Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

CISSP, CISM, CISA, GCIH, CEH, HMFIC, KTHXBIROFLCOPTER

dbest
« Reply #6 on: September 05, 2011, 12:45:36 AM »

> We normally just run SET for these types of engagements.  If you can base your template off of one of their existing internal emails that is your best option.  Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

A colleague of mine recently did something similar. However, he created a URL similar to a famous social networking site. The organization had URL filtering software in place and the spoofed site could not be accessed by the users.
Something to keep in mind. :)

CISM, CEH, CISA, ISO 27001 LA

pseud0
« Reply #7 on: September 05, 2011, 10:20:19 AM »

If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked.  That's why I recommended copying their own corporate home page.  I'd be slightly surprised to see someone blacklisting their own site.

CISSP, CISM, CISA, GCIH, CEH, HMFIC, KTHXBIROFLCOPTER

MaXe
« Reply #8 on: September 06, 2011, 12:14:43 PM »

If you need to phish users from common services that many people use, there's SET by the Social Engineer project, but also many other free and open source projects you could look into.

Many of these may be unfinished, perhaps even buggy, but there is one in particular that should catch your interest.

I'm glad my memory is with me today, as it has been a few years since people talked about this:
http://forum.intern0t.net/offensive-guides-information/2262-phishing-google-wave-hacking-google-buzz.html
http://blog.nparashuram.com/2008/06/tackle-javascript-based-phishing-kit.html

A friend of mine also wrote a blog entry which you may be interested in checking out:
http://www.e-x-e.dk/2010/07/03/how-to-phish-the-effective-and-smart-way-using-xss-3/


Enjoy and use it for ethical purposes only! ;)

I'm an InterN0T'er

rance
« Reply #9 on: September 07, 2011, 11:52:43 AM »

Looks like SET is the way to go, going to have to find some time to take a peek at it.

Thanks to everyone for all the info!

Poking at security since 1986.  +++ATH