From Zero to Hero Phishing Company (ONSEC)

From Zero to Hero Phishing Company (ONSEC).pdf

Phishing/Red Team Engagement Infra

Blogs/Talks

• BHIS | How to Build a Phishing Engagement - Coding TTP's : https://m.youtube.com/watch?si=YTjMa8XBusj_tPdc&v=VglCgoIjztE&feature=youtu.be
• Bitb + Evilginx
  • https://youtu.be/luJjxpEwVHI?si=XBxV3zyCS4LbCuAM
  • https://youtu.be/p1opa2wnRvg?si=-TzobnKmUkrYs19t

Red Team/Phishing Infra Automation

• https://github.com/dazzyddos/HSC24RedTeamInfra/blob/main/RedTeamInfraAutomation.pdf

Domain Purchase and Categorization Techniques

• Check for Expired Domain and Possibly purchase the good ones
  • https://expireddomains.net/
• Domain Categorization
  • Bluecoat/Symantec - https://sitereview.bluecoat.com/#/
  • McAfee - https://www.trustedsource.org
  • Palo Alto Wildfire - https://urlfiltering.paloaltonetworks.com
  • Websense - https://csi.forcepoint.com & https://www.websense.com/content/SiteLookup.aspx (needs registration)
  • FortiGuard - https://www.fortiguard.com/webfilter
  • IBM X-force - https://exchange.xforce.ibmcloud.com
  • Cyren - https://www.cyren.com/security-center/url-category-check-gate
  • Checkpoint - https://www.checkpoint.com/urlcat/main.htm (needs registration)

Delivering Emails in Inbox

• Method -1
  • Use SendGrid
• Method - 2 (By Andre Rosario - From BreakDev Red Discord)

  • If you are having issues with delivering emails due to email filtering, consider using Microsoft 365 and Azure IPP to send encrypted emails to your targets!

    • Emails originate from legit Microsoft SMTP servers so they can't block it.
    • Targets who get the encrypted email are the only ones who can open it, if they forward it to their DFIR, they will have to login as that user to even see your message.
    • Easy orchestration in the Microsoft Admin portal of custom domains, create a ton of fake accounts.
    • M365 allows you to set arbitrary display names. So in a targets outlook the email can look like its from [email protected] but it's really from [email protected] (Technical people can easily figure this out though)
    • Emails come from legit Microsoft IPs and domains, so you don't have to worry about domain categorization or lifespan since it's Microsoft.

  • Steps

    1. Make an account with a Microsoft 365 Business Standard (or higher) license. (https://www.microsoft.com/en-us/microsoft-365/enterprise/office365-plans-and-pricing)
    2. Create a generic company name.
    3. Get a Azure Information Protection Premium P1 license to be able to use encryption. (https://support.microsoft.com/en-us/office/encrypt-email-messages-373339cb-bf1a-4509-b296-802a39d801dc)
    4. Import your domain.
    5. Create a user with an email to your custom domain to send the phish and give it the M365 Business and Azure IPP P1 license.
    6. Draft your phishing message in Outlook online and press the encrypt button
    7. ????
    8. Profit

  • Screenshot

    

Phishing Engagements With Evilginx

• Building Evilginx Phishlets

  • Evilginx Mastery Course : https://academy.breakdev.org/evilginx-mastery
  • Evilginx Phishlets Collections : https://github.com/An0nUD4Y/Evilginx2-Phishlets
  • Evilginx Less Known Techniques : https://github.com/An0nUD4Y/Evilginx2-Phishlets?tab=readme-ov-file#some-less-known-techniques

• Securing Evilginx Infra tips -

  • https://github.com/An0nUD4Y/Evilginx2-Phishlets#securing-evilginx-infra-tips
  • https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks

  - Remove IOCs (X-Evilginx header and Default Cert Details)
  - Modify Unauth redirect static contents
  - Modify code to request wildcard certificates for root domain from Let'sEncrypt other than requesting for each subdomains (As mentioned in Kuba's blog) - Check this repo for reference <https://github.com/ss23/evilginx2>
  - Put evilginx behind a proxy to help against TLS fingerprinting (JA3 and JA3S)
  - Use cloudflare in between if possible/feasible (You have to configure the SSL Settings correctly, change it to Full in cloudflare settings)
  - Use some known ASN blacklist to avoid getting detected like here (<https://github.com/aalex954/evilginx2-TTPs#ip-blacklist>)
  - Reduce the Number of proxyhosts in phishlet if possible to reduce content loading time.
  - Host Evilginx at Azure and use their domain (limit proxy host in phishlet to 1 or find a way , may be create multiple azure sub domains and try with that)
  - Add some sub_filters to modify the content of the pages to avoid content based detections, like (Favicon, form title font or style, or anything which seems relevant)
  - Block the feedback/telemetry/logs/analytics subdomains using the phishlet sub_filters which can log the domain or may help later on analysis.
  - See if js-injected is static or dynamic , if static modify the evilginx js-inject code to create dynamic/obfuscated version of your js for each user/target.
  - Make sure to not leak your Evilginx infra IP, Check the DNS history to make sure its not stored anywhere (Analysts may look for older DNS Records of the domain)
  - Be aware of this research : <https://catching-transparent-phish.github.io/catching_transparent_phish.pdf> , repo - <https://catching-transparent-phish.github.io/>
  
  

  • Remove X-Evilginx header (Check all the code lines with req.Header.Set and comment relevant functions)

  • Search for <html> in core/http_proxy.go file and modify the html code to remove any static signatures.

  • Also to avoid the static injected js code signature detection , You can modify the code as below

    • Make sure to add "github.com/tdewolff/minify/js" in imports

      	re := regexp.MustCompile(`(?i)(<\\\\s*/body\\\\s*>)`)
      	var d_inject string
      
      	if script != "" {
      		minifier := minify.New() // "github.com/tdewolff/minify/js"
      		minifier.AddFunc("text/javascript", js.Minify)
      		obfuscatedScript, err := minifier.String("text/javascript", script)
      		if err != nil {
      			// Handle error - Obfuscation failed
      			d_inject = "<script" + js_nonce + ">" + "function doNothing() {var x =0};" + script + "</script>\\\\n${1}"
      		}
      		d_inject = "<script" + js_nonce + ">" + "function doNothing() {var x =0};" + obfuscatedScript + "</script>\\\\n${1}"
      		//d_inject = "<script" + js_nonce + ">" + "function doNothing() {var x =0};" + script + "</script>\\\\n${1}"
      
      	} else if src_url != "" {
      		d_inject = "<script" + js_nonce + " type=\\\\"application/javascript\\\\" src=\\\\"" + src_url + "\\\\"></script>\\\\n${1}"
      	} else {
      		return body
      	}
      
      

  • Modify core/cert.db file as well

  • Change “rid” for gophish.