.

Need to build a Phishing platform/framework

<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Thu Jul 28, 2011 11:55 am

Need to build a Phishing platform/framework

I'm on a roll today...

Just before leaving for SANS last week, I was hit up and told that we need to implement our own home-grown phishing tests.  My first thought was "crap, gotta build a box, write code, run tests, maintain code, etc"...

Well, I went to a phishing lunch and learn at the conference, and found out about the PhishMe company/service.  I like the idea of it, and I'm try to get approval to move forward with a demo, HOWEVER, cost is always an object.  We got an initial quote, and it's probably going to be difficult to get funding.

Which, puts me back at building my own solution.  As I was looking up reviews on PhishMe, there were mentions in articles about scripts and programs in the open source community that assist in phishing tests, but my google-foo is not up to snuff this morning and I'm coming up blank.

So, I'm putting out a call to anyone with information on building a platform for this.  What scripts/programs/frameworks do you utilize to perform phishing exercises?

As always, thanks for any input!
Poking at security since 1986.  +++ATH
<<

dbest

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Jun 23, 2011 1:14 pm

Post Thu Jul 28, 2011 12:09 pm

Re: Need to build a Phishing platform/framework

Have you had a look at The Social Engineer Toolkit (http://www.social-engineer.org/) Am certain it contains a module for Phishing attacks.
CISM, CEH, CISA, ISO 27001 LA
<<

cochese86

User avatar

Newbie
Newbie

Posts: 10

Joined: Wed Jun 08, 2011 6:43 pm

Post Thu Jul 28, 2011 12:26 pm

Re: Need to build a Phishing platform/framework

+1 to SET and sendmail on a backtrack box.  You should be ok then.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Jul 28, 2011 12:49 pm

Re: Need to build a Phishing platform/framework

I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first) I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P Imagine the fun you could have just issuing instructions to staff. No need to hack anything, just go all HBGary on them and ask for the SSH credentials  ;D
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Jul 28, 2011 1:41 pm

Re: Need to build a Phishing platform/framework

tturner wrote:I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first) I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P


I've been considering a VPS for awhile now and I think I was just persuaded!

tturner wrote:No need to hack anything, just go all HBGary on them and ask for the SSH credentials  ;D


LOL
GSEC, eCPPT, Sec+
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Sun Sep 04, 2011 2:47 pm

Re: Need to build a Phishing platform/framework

We normally just run SET for these types of engagements.  If you can base your template off of one of their existing internal emails that is your best option.  Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the targets home webpage and mimic their font, color schemes, logos, etc. 
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

dbest

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Jun 23, 2011 1:14 pm

Post Mon Sep 05, 2011 12:45 am

Re: Need to build a Phishing platform/framework

pseud0 wrote:We normally just run SET for these types of engagements.  If you can base your template off of one of their existing internal emails that is your best option.  Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the targets home webpage and mimic their font, color schemes, logos, etc. 


A colleague of mine recently did something similar. However, he created an URL similar to famous social networking site. The organization had a URL filtering software in place and the spoofed site could not be accessed by the users.
Something to keep in mind. :)
CISM, CEH, CISA, ISO 27001 LA
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Sep 05, 2011 10:20 am

Re: Need to build a Phishing platform/framework

If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked.  That's why I recommended copying their own corporate home page.  I'd be slightly surprised to see someone blacklisting their own site.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Sep 06, 2011 12:14 pm

Re: Need to build a Phishing platform/framework

If you need to phish users from common services that many people use, there's SET by the Social Engineer project, but also many other free and open source projects you could look into.

Many of these may be unfinished, perhaps even buggy, but there is one in particular that should catch your interest.

I'm glad my memory is with me today, as it has been a few years since people talked about this:
http://forum.intern0t.net/offensive-gui ... -buzz.html
http://blog.nparashuram.com/2008/06/tac ... g-kit.html

A friend of mine also wrote a blog entry which you may be interested in checking out:
http://www.e-x-e.dk/2010/07/03/how-to-p ... ing-xss-3/


Enjoy and use it for ethical purposes only!  ;)
I'm an InterN0T'er
<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Wed Sep 07, 2011 11:52 am

Re: Need to build a Phishing platform/framework

Looks like SET is the way to go, going to have to find some time to take a peek at it.

Thanks to everyone for all the info!
Poking at security since 1986.  +++ATH

Return to Tools

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software