Technical notes | Party A uses open source tools to conduct phishing drills

Preparations before the exercise

Background to the phishing drill requirement

At present, Party A (the in-house security team) has two security KPIs that are plainly visible. One is policy compliance and data compliance, the other is responding to the various large-scale offensive and defensive drills. A method commonly used by everyone in those drills is phishing (as everyone knows), so against this background it is logical for Party A to run its own phishing drill. With large-scale offensive and defensive drills becoming routine, we believe that the combination of drill + security awareness training is ideal. What follows are the problems encountered and the thinking behind the phishing drill, combined with open source software from the community, organized into an article, "Using open source software to conduct Party A's phishing drill" (a non-attack scenario). It focuses on Party A's workflow and experience in selecting open source tools, in the hope that readers with similar needs can deploy quickly by following the process in this article and can put together a set of tools to implement a phishing drill soon after reading it.

Collaborative resources

Human resources

Communicate with the leadership and obtain their confirmation (apply for the "gold medal against execution", that is, explicit authorization). The content generally introduces the benefits of the phishing drill, the implementation process, and the disposal of results (training after the drill), in order to solicit opinions.

Data resources

Coordination of data resources: after the project is established, coordinate the data internally. Here this refers to the email addresses of the participating personnel by department. Define the format of the output data, communicate only in the form of email, and emphasize confidentiality.

Win-win

The ultimate goal of the drill is to thoroughly understand and train security awareness. Negotiate with the company's internal learning platform (HR department) to organize security awareness training courses at company or department level, which facilitates continuous learning and deepens the impression after the phishing drill.

Planning the exercise

Choosing the scope of participants

  1. Confirm the scope of the participants. Screening mainly considers the following aspects, divided by function: the R&D team, data team, customer service team and sales team. Party A should have an in-depth understanding of the audience of the exercise, for example an R&D team holding a large number of servers and product back-end permissions, or a customer service team holding a large number of orders or user information. Different teams need different scripts, and their working environments also differ: whether email is used as communication software, whether email replies are sent and received quickly or slowly, whether there is special chat software for external communication, and so on. Work out the phishing process and design the scope of the target personnel before preparing the script.

  2. Exclude non-essential participants. Pay attention here to removing sensitive personnel, such as senior leaders or sensitive departments such as finance. After all, it will be embarrassing if the leaders are phished too.

Choice of phishing method

1. The original intention of choosing credential phishing

  • Obtain account credentials through phishing. Which login permissions do we need, and can the phished account and password be used from the external network? Simulate an external attack scenario: if the cloned page cannot be accessed externally, the business will easily challenge it. Make sure the rationale for obtaining the internal login page is sound, prove that the account password obtained through phishing can be used further, and prove the harm. Party A's advantage is knowing which sensitive and important systems and information are associated with the account in the asset inventory, whether the account is unusable because of secondary authentication, and other internal information. A side benefit is that this promotes adding multi-factor authentication to the related account platforms.

  • Party A's advantage is knowing the habits and usage details of its own company: which email system the company uses, what operating system is configured on employees' personal computers, which antivirus is installed, and other such features.

  • Detect whether business colleagues consciously report phishing email incidents to the security department through the correct channels.

The difference between Trojan phishing and credential phishing

  • The original intention of Trojan phishing is to obtain personal computer information and establish a foothold for lateral movement. The intent of the drill then changes to confronting the office network's antivirus software, traffic auditing, and the defender's detection and response capabilities. This method is not adopted in a drill except in special circumstances.

  • Trojan phishing is closer to a red-blue confrontation scenario; it is more intrusive to users and not suitable for large-scale drills. If it is not well controlled, it easily leads to resentment from the business.

  • This exercise chooses to obtain account credentials, with the phishing emails sent in batches.

Implementing the phishing phase

The implementation process requires 3 steps

  1. Script

  2. Clone page production and deployment

  3. Send emails in bulk

Wording and scripts: person, event, object, time

  1. The first principle: it is forbidden to harm national or personal interests, and the content must not be phishing content related to politics, epidemics, public opinion or scandals.

  2. The role player who initiates the activity must have a certain legitimacy in that role. For example, HR, administration and enterprise IT all have work overlap with almost every employee.

  3. The rationality of the event: the interaction initiated by this email must follow what seems reasonable and habitual. The rationale is "I want to click on this link to participate in the activity because I saw the email". Here it is necessary to make full use of Party A's advantage in collecting and converting information. For example, what does a typical company notice look like? By contrast, an external attacker has to rely on leaked emails or on exchanging emails to observe these email habits.

  4. Drive the victim's actions: lure or pressure them into doing what you want them to do, such as clicking a page, jumping to the login page, and entering the account password.

  5. The time factor: what commonly creates anxiety and pressure for people is time, so under time pressure people lose some of their ability to recognize mistakes.

  6. An example assembled from the modules above: the HR department (HR role) solicits choices for a home holiday gift (reasonable event + reasonable time), and the collection and questionnaire survey must be completed before xxx on day xxx (time, urgency that creates anxiety); the first 100 to finish get a mystery gift (item reward).

Making the phishing page

Open source software used for reference (thanks, orz)

  1. SiteCopy is a tool for cloning pages: https://github.com/Threezh1/SiteCopy . It is mainly used to produce the fake page in this walkthrough.

  2. Pricking is a tool for automatically deploying watering holes and web phishing: https://github.com/Rvn0xsy/Pricking . It works as an nginx proxy and can record the victim's account and password (in some scenarios it is not necessary to clone the login box, as in step 1). In this exercise this function is used to record account credentials. The reason for not cloning directly is that the page is an intranet page and cannot be used directly.

  3. henggeFish is a batch email sending tool: https://github.com/SkewwG/henggeFish , mainly for sending phishing emails in batches. Many practical considerations are built into the program, such as a mechanism for getting past spam filtering, non-fixed source IPs through the use of cloud functions, limits on the number of emails one mailbox sends, batch sending, attachment support, etc.

Principles for choosing the phishing page

  1. Which account is the most valuable to catch? What we need to care about is what we can do once we have this account. Log in to email? The contract system? This step shows that the point of harm is also an attack link in a real attack and defense process. The best choice for the phishing clone page is this kind of login page, with the external SSO and the internal ERP as the first choices.

  2. After determining the cloned page, consider whether the page is plausible in the phishing flow. If the target is the email account credential, then the script is "click to change the password of the email account", so the cloned page should be the login page for changing the email password. If it is the ERP account password, then the script should lead to the ERP general login page. Therefore, we must consider the plausibility of the wording when selecting the landing page.

Clone phishing page production

  1. The cloned page is an intranet service. If it is an intranet page, you can use SiteCopy to clone the page and deploy it to a foreign VPS. The reason for using a foreign VPS is that a confusing domain name is involved, which in turn involves the domain name filing (备案) issue. Solution: external VPS + external domain name. Using the login page of an intranet system brings a certain challenge, namely you will be asked how the intranet login page was leaked. Here you must make sure the attack scenario is sufficiently reasonable.

  2. The cloned page is an external service: use Pricking directly, but in some cases it may not succeed, because some complex login pages are still not supported by the Pricking approach. In that case we can use SiteCopy to clone the page, deploy it on the VPS, and hook the account credentials in Pricking.

Page deployment

  1. The cloned fake page needs to be deployed to the VPS. Pagoda (the BT panel) is chosen here purely from the perspective of rapid deployment. If there are security concerns, we can set up Nginx ourselves.

  2. It is very convenient to issue an HTTPS certificate with Pagoda, which solves the exclamation-mark warning in the browser.

  3. Domain name binding: binding a domain name to a directory is very convenient, especially when one VPS needs to host multiple services. The web management interface for uploading files is also very convenient.

  4. Regarding least privilege for the cloned page service (Pagoda security): follow the principle of least service and do not enable a service unless necessary; 0-days are not considered. Turn the service on when you use it and off when you don't.

Redirect trick

  1. Reasonable reminder + redirect. Pricking works as an nginx proxy, so it records the request data from our actual traffic. To fake a closed loop after the user clicks submit (that is, after the POST or GET data is sent), our fake page is static and has no back-end service, so the error module must be used after the data request. Here an alert pop-up is set to prompt "xxx activity is over" before redirecting to the company forum or wiki (not that Pricking does not support this; the usage scenario here is simply different). We only use Pricking's username and password hook function.

  2. The front-end JS prompt box: modified alert code

```javascript
// Replace the browser's native alert with a styled in-page dialog.
// After the user clicks OK the dialog closes, the optional callback runs,
// and the OK link itself navigates to the company site.
window.alert = function (msg, callback) {
    var div = document.createElement("div");
    div.innerHTML =
        '<style type="text/css">' +
        '.nbaMask { position: fixed; z-index: 1000; top: 0; right: 0; left: 0; bottom: 0; background: rgba(0, 0, 0, 0.5); }' +
        '.nbaMaskTransparent { position: fixed; z-index: 1000; top: 0; right: 0; left: 0; bottom: 0; }' +
        '.nbaDialog { position: fixed; z-index: 5000; width: 80%; max-width: 300px; top: 50%; left: 50%; -webkit-transform: translate(-50%, -50%); -moz-transform: translate(-50%, -50%); -o-transform: translate(-50%, -50%); transform: translate(-50%, -50%); background-color: #fff; text-align: center; border-radius: 8px; overflow: hidden; opacity: 1; color: white; }' +
        '.nbaDialog .nbaDialogHd { padding: .2rem .27rem .08rem .27rem; }' +
        '.nbaDialog .nbaDialogHd .nbaDialogTitle { font-size: 17px; font-weight: 400; }' +
        '.nbaDialog .nbaDialogBd { padding: 0 .27rem; font-size: 15px; line-height: 1.3; word-wrap: break-word; word-break: break-all; color: #000000; }' +
        '.nbaDialog .nbaDialogFt { position: relative; line-height: 48px; font-size: 17px; display: -webkit-box; display: -webkit-flex; display: flex; }' +
        '.nbaDialog .nbaDialogFt:after { content: " "; position: absolute; left: 0; top: 0; right: 0; height: 1px; border-top: 1px solid #e6e6e6; color: #e6e6e6; -webkit-transform-origin: 0 0; -moz-transform-origin: 0 0; -o-transform-origin: 0 0; transform-origin: 0 0; -webkit-transform: scaleY(0.5); -moz-transform: scaleY(0.5); -o-transform: scaleY(0.5); transform: scaleY(0.5); }' +
        '.nbaDialog .nbaDialogBtn { display: block; -webkit-box-flex: 1; -webkit-flex: 1; flex: 1; color: #09BB07; text-decoration: none; -webkit-tap-highlight-color: transparent; position: relative; margin-bottom: 0; }' +
        '.nbaDialog .nbaDialogBtn:after { content: " "; position: absolute; left: 0; top: 0; width: 1px; bottom: 0; border-left: 1px solid #e6e6e6; color: #e6e6e6; -webkit-transform-origin: 0 0; -moz-transform-origin: 0 0; -o-transform-origin: 0 0; transform-origin: 0 0; -webkit-transform: scaleX(0.5); -moz-transform: scaleX(0.5); -o-transform: scaleX(0.5); transform: scaleX(0.5); }' +
        '.nbaDialog a { text-decoration: none; -webkit-tap-highlight-color: transparent; }' +
        '</style>' +
        '<div id="dialogs2" style="display: none">' +
        '<div class="nbaMask"></div>' +
        '<div class="nbaDialog">' +
        ' <div class="nbaDialogHd"><strong class="nbaDialogTitle"></strong></div>' +
        ' <div class="nbaDialogBd" id="dialog_msg2">弹窗内容,告知当前状态、信息和解决方法,描述文字尽量控制在三行内</div>' +
        ' <div class="nbaDialogHd"><strong class="nbaDialogTitle"></strong></div>' +
        ' <div class="nbaDialogFt">' +
        '     <a href="https://www.zuoyebang.cc" class="nbaDialogBtn nbaDialogBtnPrimary" id="dialog_ok2">确定</a>' +
        ' </div></div></div>';
    document.body.appendChild(div);

    // Show the dialog and fill in the message text
    var dialogs2 = document.getElementById("dialogs2");
    dialogs2.style.display = 'block';
    var dialog_msg2 = document.getElementById("dialog_msg2");
    dialog_msg2.innerHTML = msg;
    // var dialog_cancel = document.getElementById("dialog_cancel");
    // dialog_cancel.onclick = function() {
    //     dialogs2.style.display = 'none';
    // };
    var dialog_ok2 = document.getElementById("dialog_ok2");
    dialog_ok2.onclick = function () {
        dialogs2.style.display = 'none';
        // Only invoke the callback when one was supplied
        if (typeof callback === "function") callback();
    };
};

alert("很遗憾活动结束!");
```

  3. The front-end JS code for the redirect

Domain name preparation

  1. A foreign domain name, because it can be bound to a foreign VPS with fast resolution and without the trouble of domain name filing. If you need to avoid being traced quickly in real combat scenarios, you can enable domain privacy protection.

  2. Browser countermeasures: new versions of Chrome show a phishing page risk warning. We guess it is judged by similarity to the main domain name, so subdomain confusion can be used to get around it; of course the file name can also be made realistic. New versions of Chrome will recognize the phishing page, as shown in the figure.

  • Access by IP address (223.21.233.22) is for now not flagged as a risk by the browser.

Obtaining the account and password from the phishing page

  1. The phishing drill should ideally confirm that the user's password is correct. In theory the SSO interface should be called to check whether the account and password are correct, so that the output usernames and passwords are accurate and the business side cannot challenge the data accuracy. The password itself is not kept; only the account and whether the password was correct are recorded.

  2. If there is no SSO record, hash the password with MD5 at the point where the fake page reads the password input field. This guarantees that large numbers of users' plaintext passwords are never seen and avoids bad side effects. Before the project the code was also given to some business parties for review, to guarantee that no user credentials are stored anywhere in the drill process.
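To turn the landing-page records into the department-level output agreed with the business, here is an added scoring script (not from the original post or from any of the tools above). It assumes constructed field names, a roster keyed by account, and an exclusion list for the sensitive departments removed during scoping; it refuses any record that still carries a password field.

```python
"""Post-drill scoring, an added example that is not part of the original post.

It consumes the two data sets the article describes: the roster agreed with
the business (sensitive departments already excluded) and the landing-page
records, which carry only the account and whether the password was correct,
never the password. Field names, departments and all rows are constructed.
"""
from collections import defaultdict

EXCLUDED_DEPTS = {"finance", "executives"}   # assumed exclusion list

# Constructed roster (account -> department) supplied by the business owners
ROSTER = {"alice": "dev", "bob": "dev", "carol": "dev",
          "dave": "support", "erin": "support", "frank": "sales"}

# Constructed landing-page records: account plus the verified-correct flag only
SUBMISSIONS = [
    {"account": "alice", "password_correct": True},
    {"account": "alice", "password_correct": True},    # repeat submission
    {"account": "bob", "password_correct": False},
    {"account": "dave", "password_correct": True},
    {"account": "mallory", "password_correct": True},  # not on the roster
]
# Constructed set of accounts who reported the mail to the security mailbox
REPORTS = {"bob", "carol"}

def validate(records):
    """Refuse records that carry a password or come from out-of-scope accounts."""
    problems = []
    for r in records:
        if "password" in r:
            problems.append(f"{r['account']}: password field present")
        if r["account"] not in ROSTER:
            problems.append(f"{r['account']}: account outside the agreed roster")
        elif ROSTER[r["account"]] in EXCLUDED_DEPTS:
            problems.append(f"{r['account']}: excluded department was phished")
    return problems

def score_by_department(records, reports):
    """Per department: headcount, users who gave a valid credential, reporters."""
    stats = defaultdict(lambda: {"headcount": 0, "valid_creds": 0, "reported": 0})
    for acct, dept in ROSTER.items():
        stats[dept]["headcount"] += 1
        stats[dept]["reported"] += acct in reports
    seen = set()
    for r in records:
        acct = r["account"]
        if acct in ROSTER and acct not in seen:     # drop repeats and out-of-scope
            seen.add(acct)
            stats[ROSTER[acct]]["valid_creds"] += r["password_correct"]
    for s in stats.values():
        s["compromise_rate"] = round(s["valid_creds"] / s["headcount"], 2)
        s["reporting_rate"] = round(s["reported"] / s["headcount"], 2)
    return dict(stats)
```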

Sending emails in bulk

Mailbox preparation

  1. Outlook is preferred; its spam filtering whitelist behaves better. For registration, a 10-minute mailbox can be used, then an SMS code platform to verify the mailbox, and Outlook's nickname change to obscure the mailbox address.

  2. henggeFish uses a large number of 163 mailboxes; search for the keyword on certain trading software. 163 mailboxes require phone verification when configuring SMTP; currently one phone number can verify 15 mailboxes. The script sends from 1 mailbox to 10 addresses, so from the number of drill participants you can calculate how many mailbox accounts are needed. After SMTP is enabled on the mailbox there is a temporary password; this is the password the sending script uses.

  3. Send by BCC. When sending from the mailbox, choose BCC so that recipients cannot see who else received the email. But be careful about being banned because of the volume. Remember not to send to an arbitrary mail group, which would cause people outside the drill scope to receive the email.

  4. After everything is prepared, test the whole process end to end.
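The traits this drill relies on (a free-mail sender with an HR-style display name, BCC delivery so the recipient is absent from To/Cc, a subdomain-confusion domain or a bare IP in the link) are exactly what the later training should teach people to spot and what the security mailbox can triage on. As an added example that is not part of the original post, the following heuristics flag them in a raw message; the corporate domain, free-mail list, role words and sample mail are all constructed.

```python
"""Defender-side heuristics for the phishing traits this article relies on.

Added example, not part of the original post: flags an internal-looking
display name on a free-mail sender, BCC delivery (recipient absent from
To/Cc), subdomain-confusion links and bare IP links. Corporate domain,
free-mail list, role words and the sample mail are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                                     # assumed
FREE_MAIL = {"outlook.com", "163.com", "qq.com", "gmail.com"}   # assumed
ROLE_RE = re.compile(r"\b(hr|admin|it|helpdesk)\b|人力|行政", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def is_lookalike(host: str) -> bool:
    """True when the corporate name is used as a label of some other host
    (e.g. sso.example.com.survey.net) rather than the corporate domain."""
    host = host.lower()
    if host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN):
        return False
    return CORP_DOMAIN.split(".")[0] in host.split(".")

def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    hits = []
    # 1. Role in the display name (HR/IT/admin) but a free-mail sender address
    if sender_domain in FREE_MAIL and ROLE_RE.search(name):
        hits.append(f"role display name '{name}' from free-mail {sender_domain}")
    # 2. Our domain absent from To/Cc: delivered via BCC or undisclosed list
    if CORP_DOMAIN not in (msg.get("To", "") + msg.get("Cc", "")).lower():
        hits.append("recipient not in To/Cc (BCC delivery)")
    # 3. Links: bare IP literals and subdomain-confusion lookalikes
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IP_RE.fullmatch(host):
            hits.append(f"bare IP link {host}")
        elif is_lookalike(host):
            hits.append(f"lookalike host {host}")
    return hits

# Constructed sample in the style of the article's HR gift-survey script
SAMPLE_MAIL = """From: "HR Dept" <hr.notice@outlook.com>
To: undisclosed-recipients:;
Subject: Holiday gift survey - closes today

Choose your gift before 18:00: http://sso.example.com.gift-survey.net/login
Backup link: http://192.0.2.10/login
"""
```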

Training

Training mainly covers three aspects

  1. Phishing and social engineering awareness: real data from the drill can be used as case material.

  2. Targeted security awareness by department: technical content for R&D, security awareness for the other teams.

  3. An introduction to the security department's functions and contact details; use the drill to tell colleagues how to respond to such scenarios, recognize phishing, and report quickly.


Origin blog.csdn.net/qq_18209847/article/details/128659261