In a previous post, I wrote about GoPhish.  Since then, I've been working quite a bit with GoPhish and there are some tricks to an effective campaign that I'd like to share.  First, I'd like to point out, this is not a game where you try to win but it's also not something you want to approach like a fake Nigerian Prince.  You want to fall somewhere in the middle.  With respect to the actual campaigns, rather than come at the company all at once, I want to break the company into groups.  In this campaign, we're targeting the sales group.

I think the idea of an Evil Captive Portal has been done to death but I heard someone talking about near-field communication (NFC) tags in the tables at a McDonald's.  The idea is that you put your phone on the table, the phone picks up the tag, and performs some action.  I honestly can't remember if it was taking them to their Twitter account or the web site but it gave me an idea.  The idea is similar to dropping a handful of malicious thumb drives in the parking lot but instead, printing business cards with some text and attaching a pre-programmed NFC tag.  You touch the phone to the card, the tag configures your phone to the Evil WiFi, and the captive portal steals your credentials or whatever.

Not unlike the previous post, PowerShell Data Exfil, this is another example of how we would move data outside the network using email.  This time, we're using a simple Bash script that base64 encodes the data, calls Sendmail, and exfiltrates the data to a Gmail account.  By default, Gmail will not allow what it considers "less secure apps" to send data but a simple flip of the switch will solve that issue.  As a final point, we're obviously not confined to using Gmail; I would suggest using a provider that supports TLS rather than sending this over port 25.

There are a number of tools to perform this attack but this one in particular states:  "DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain."

There was a story a couple of years ago that talked about how help desks were resetting passwords using the words Winter, Spring, Summer, Fall, the year, and possibly some special characters.  If we think about password complexity rules, we need an uppercase letter, a lowercase letter, a number, and maybe a special character.

In my talk at BSides, I brought up "attacker motivation" and I gave some possible factors such as:  political, financial, revenge, etc.  Hacking isn't necessarily for the sake of just hacking and there could be some sort of underlying motivation.  It could be that an attacker is attempting to steal data.  And in the context of showing small businesses the impact of a breach, I want to lean more towards showing the simplicity of an attack, which was the point of the talk and this post.  In my talk, I didn't go through data exfiltration but I'm giving another talk this week and I will go through it with them.

Evil Clippy is described as:  "A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows."  I didn't have much luck with some of the other features but the feature that was of most interest to me, hiding macros, was functional.

We work with small businesses and the goal is to hide well enough, meaning that we want to show that if a small business is attacked, assigning attribution is difficult.  We're not hiding from competent investigators, we're just hiding from the average Joe.


© 2020