Trainings, talks, and more with a Halloween twist at Specter Bash, Oct 7-10! Learn more
Aug 21 2024 | forrest kasler

Teach a Man to Phish

Share

PHISHING SCHOOL

A Decade of Distilled Phishing Wisdom

I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.

Key Takeaways

If I could teach you only three things about phishing:

  1. Phishing can be an absolute thrill: The effort is worth the payoff!
  2. Canned templates won’t get you far: Just a little creativity goes a long way
  3. Whatever controls you are up against, there is probably a bypass (or multiple): Play around with multiple techniques and document what works for your team

Distilled Wisdom

This whole series was designed to break down phishing into its individual challenges, and provide advice for each. Here’s the list of lessons learned from each post:

Phish Sticks; Hate the Smell, Love the Taste: I’ll Make You Great at Phishing, Or Your Money Back

  1. Don’t quit before you start! You secretly love phishing (trust me)
  2. To be successful, we must recognize and address each control that will try to stop us
  3. Logging is your friend and will guide you if you pay attention

Plenty of Phish in the Sea: How to Find the Right Phishing Targets

  1. Cast a wide net. Get all the contacts you can; then pair down the list
  2. Use industry specific sources when you can
  3. Focus on small groups so we can be targeted with our pretexts

One Phish Two Phish, Red Teams Spew Phish: How to Give your Phishing Domains a Reputation Boost

  1. SPF is not a silver bullet. We can take advantage of misconfigurations
  2. When you buy domains for phishing, set up your own mail security records
  3. There are many options to get our domains categorized. Make sure to use at least one

Fly Phishing: How to Bypass Spam Filters

  1. “Click” is a very dirty word. Don’t use foul language like that in your emails
  2. There are many tricks we can use to disguise our message. Experiment with many
  3. AI is not a silver bullet against phishing messages
  4. Test, Measure, Repeat!

Feeding the Phishes: Bypass Phishing Link Filters

  1. Most link filters use simple string matching. There are several tricks to bypass them
  2. Sometimes it’s more useful to put your link inside an attachment

I Will Make you Phishers of Men: Convincing Targets to Click Your Links

  1. Phishing is a game of odds. If we understand the math, we can boost our success
  2. Targeted campaigns are always better than generic emails
  3. We can appeal to a variety of emotions and motivations to drive click rates
  4. People love furry animals

Like Shooting Phish in a Barrel: How to Bypass Link Crawlers

  1. Link crawlers are pretty basic bots. Classic bot protections like CAPTCHAs work fine
  2. Fingerprinting using JavaScript can be even more effective

Drink Like a Phish: How to Make Your Phishing Sites Blend In

  1. Expect your phishing sites to be crawled, and prepare for it
  2. Don’t just directly clone sites
  3. Don’t server phishing site contents to just anyone
  4. Browser-in-the-Middle can be extremely effective

Phish Out of Water: Bypass Web Proxies so Your Phish Don’t Suffocate

  1. Most attempts to block malicious file types only look for one of three indicators: Extension, MIME, or Magic number. We can control all three.
  2. There are tons of malicious file types we can use for initial access. It’s unlikely that every one will be blocked
  3. When in doubt, just ask the phishing target to circumvent controls for you

Deep Sea Phishing Pt. 1: How to Bypass EDR With Custom Payloads

  1. We need our payloads to stay off the “known bad” list
  2. Writing your own payloads is one of the best ways to achieve “unknown bad” status
  3. Make your code modular, and keep it as simple as possible
  4. You don’t always need a super feature rich implant to be successful

Deep Sea Phishing Pt. 2: Making Your Malware Look Legit So It Bypasses EDR

  1. EDR evasion is all about looking like legitimate software
  2. There are many ways we can trick trusted, signed binaries into doing our bidding
  3. Help desk software can be a bombshell when used with social engineering

Sleeping With the Phishes: Hide C2 With Stealthy Callback Channels

  1. HTTP(S) and DNS are not the only C2 channels out there
  2. SMTP is a hidden gem of a C2 channel
  3. Have you heard of STUN and TURN? They are protocols that traverse firewalls by design, and your target network probably allows them
  4. Data in and data out don’t have to take the same path

Bon Voyage

That’s 42 practical phishing lessons, and only just my top picks. There are many more nuggets of wisdom throughout the series, but I understand if you don’t have time to basically read a whole book about phishing. Feel free to skip around and reference as needed.

“The sea, once it casts its spell, holds one in its net of wonder forever” — Jacques Yves Cousteau

Hope you’ve had fun learning at my school of phish. Tight lines my friends!

Teach a Man to Phish was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.