What is a phishing email and how to do it!

Tomcat

Although phishing emails are neither new nor the only social engineering technique, they work well and are almost always applicable. Every detail obtained at the OSINT stage matters for success, from the email addresses themselves to the style of corporate correspondence adopted in the company (both literally, the layout of the text, and figuratively, the speech patterns and signatures used in letters).
If you plan to keep using your IP address or domain after the test is over, remember to check that they have not ended up in a DNSBL (DNS-based blocklist), another common anti-spam measure. If you are going to deploy a dedicated server, check the VDS's IP address against these lists in advance as well, before you build anything on it: an address inherited from a previous tenant may already be listed.
The rest, as they say, is up to you. Trusting and inattentive users are not mammoths, they will not die out, so a pentester with social engineering skills will find the weak link in any team, however well prepared.
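A concrete version of that DNSBL check, added here as an example (it is not from the original post): it builds the reversed-octet query name, distinguishes a listing answer from a zone error, and takes an injectable resolver so the logic can be run offline. The zone and return codes are the ones Spamhaus publishes for zen.spamhaus.org; any other list's codes have to come from that list's own documentation.

```python
"""DNSBL (DNS-based blocklist) check for a sending IP address.

Added example, not part of the original post. A listing query is an A
lookup for the reversed octets of the address under the list's zone:
no such name means "not listed", an answer in 127.0.0.0/8 means "listed"
and its last octet is a zone-specific reason code. The zone and codes
below are the ones Spamhaus documents for ZEN.
"""
import ipaddress
import socket

DNSBL_ZONES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL (spam source)",
        "127.0.0.3": "SBL CSS (snowshoe / low-reputation sender)",
        "127.0.0.4": "XBL (exploited or compromised host)",
        "127.0.0.9": "SBL DROP/EDROP",
        "127.0.0.10": "PBL (ISP-declared dynamic/end-user range)",
        "127.0.0.11": "PBL (Spamhaus-maintained range)",
    },
}
# Spamhaus signals query problems (open resolver, quota exceeded) in this
# range; such an answer is an error, not a listing.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone, resolve=None):
    """Return a reason string if `ip` is listed in `zone`, None if it is not.

    `resolve(name)` must return one A record as a string and raise OSError
    (socket.gaierror is a subclass) when the name does not exist; by default
    a real DNS lookup is done. Raises RuntimeError on a zone error code.
    """
    resolve = resolve or socket.gethostbyname
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return None  # NXDOMAIN: not listed
    a = ipaddress.IPv4Address(answer)
    if a in ERROR_RANGE:
        raise RuntimeError(f"{zone} returned error code {answer}; query from the server's own resolver")
    if a not in LISTED_RANGE:
        # A dead or wildcarded zone answering with a public address is not a listing.
        return None
    return DNSBL_ZONES.get(zone, {}).get(answer, f"listed, code {answer}")


def check_sender(ip, resolve=None):
    """Check `ip` against every configured zone; a value of None means clean."""
    return {zone: dnsbl_lookup(ip, zone, resolve) for zone in DNSBL_ZONES}


if __name__ == "__main__":
    import sys
    for zone, verdict in check_sender(sys.argv[1]).items():
        print(zone, "->", verdict or "not listed")
```

Run it on the VDS itself with the server's address as the argument: Spamhaus answers queries that arrive through large public resolvers with an error code rather than a verdict, which the RuntimeError surfaces instead of silently reporting "not listed".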

Why are phishing emails needed?

Popular wisdom says that the most vulnerable component of any information system sits between the chair and the keyboard. A person can be distracted, inattentive or insufficiently informed, and so often becomes the target of phishing attacks, sometimes with disastrous results. The conclusion is obvious: the reliability of this weak link must be checked no less carefully than the software configuration and hardware settings.
Social engineering testing can be either a separate exercise (checking employee awareness, or checking how the IT and information security teams respond) or one of the ways of getting into the network as part of an external pentest. Sometimes the customer simply wants to rule out penetration through this vector; sometimes it is the last hope, because the tester could not get into the network without the “help” of the customer's employees. Whatever the reason, the social engineering strategy has to be thought through on the basis of the available information (provided by the customer or collected at the OSINT stage).
How the attack is structured depends on several factors: whether the customer wants social engineering scenarios at all, what restrictions apply to them, and whether enough information was collected at the OSINT stage. Let us assume that the customer has approved a scenario in which we send unsolicited email, that is, spam. This article covers the problems that come up when sending such messages and how to solve them properly, so that the messages reach employees with a probability close to one hundred percent.

Stage 0. Setting goals

First, decide which attack vectors apply to the situation at hand. Mass mailings are used mainly for two purposes:
  • to use the text of the letter and input fields (on a phishing site, or in a program imitating internal corporate software) to make the user hand over confidential information without arousing suspicion;
  • to make the user download a file (from the letter, from a website, via a torrent) and do something with it (launch an application, open a document in Word and enable macros), again without arousing suspicion. The downloaded malicious file can either exploit vulnerabilities on the user's system or simply act as a stealer.
To send email you need, at a minimum, a mail server. There are two ways of delivering letters into the customer's network: from inside and from outside.
Delivery from inside means using a mail server on the tested network (if it has been compromised); we leave this option aside, since it needs almost no special preparation compared with mailing from outside. Having decided that compromising the customer's mail server will not be possible, we conclude that we must either use a ready-made mail service or set up our own mail server and buy our own domain. Ready-made mail services are a poor choice: messages from them do not inspire confidence, and the customer's IT/IS team may refuse to loosen the security systems for those providers' domains, since they are used by far more people than the tester.
If, instead, we stand up a server on our own domain that closely resembles the customer's domain, we kill two birds with one stone: inattentive users' vigilance can drop to zero, and the domain is used only by us. At the same time, remember that technology does not stand still and anti-spam filters were invented long ago for exactly this.

So, at this point we have set ourselves the following goals:
  • decide whether malicious files will be used or only phishing (the two can be combined), and, according to the chosen approach, come up with a letter text that motivates the user to take the actions we need;
  • decide how to deliver the malicious files and how to perform the phishing;
  • prepare the local infrastructure for sending messages;
  • reduce the likelihood of our emails ending up in spam;
  • finally, send out the mail.

Stage 1. Making arrows

Once the attack has been chosen, we prepare the tools for it: outline the circle of recipients, come up with the subject and text of the letter, and choose the method by which we will gain a foothold on the network.
The information obtained at the reconnaissance stage plays a big part in choosing the right tool: first of all the list of employees' email addresses, the protection systems in use (for testing detection of malicious attachments) and various details of the infrastructure configuration. The last two matter at least in these cases:
  • the test is carried out with minimal assistance from IT and information security staff, meaning no exceptions for our letters will be added to the security systems' configuration. Knowing how those systems are configured tells us which strategy to choose and how to follow it correctly;
  • malicious attachments are being delivered and, as you might guess, may be actively detected by those same security systems; then you need to know at least the name of the software in use. That alone helps when testing the malware and, as a result, raises the chances of success.
Some users should be excluded from the address list, for example by selecting only one department (or several, but then splitting the phishing campaign into stages with an individual approach for each group of recipients). It is better to leave out IT and information security staff, who are far more likely to recognise a phishing email (they are technically savvy) and promptly warn their colleagues. It is also worth personalising the letter: address the recipient by name rather than writing impersonally. Mailing and personalisation will, of course, have to be automated (more on that later); for now we simply create a general letter template into which the user's name, address and other values will later be substituted.
Then collect information that gives the letter credibility: find out whether the company is holding any internal corporate events, or which clients and partners the customer's company actively corresponds with. In general, anything to which the subject and text of the letter can be tied.
After that, the information gathered is used to “polish” the letter: the employees' correspondence style, their corporate signature and so on. Grab hold of any detail you can; each one raises the chances of success.
And now an important point: “polishing” the letter is also needed to make the message look less like spam. Spam filters use several indicators to score a message, and among other things both the content and the subject are analysed. The content-analysis algorithm may be based on different, usually combined, methods (machine learning, user complaints, the mail service's own research), but the goal is the same: to estimate the likelihood that the message belongs to a malicious mailing.
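One way to do that template substitution, written for this page as an added example rather than taken from the original post or from any tool it mentions: the recipient export, the excluded departments, the lookalike sender domain examp1e.com and the campaign secret are all constructed for the demonstration.

```python
"""Personalised message generation from one template.

Added example, not the original post's code and not Gophish (which does
the same job with its own template engine). The recipient export, the
excluded departments, the sender address and the campaign secret are
constructed for the demonstration.
"""
import csv
import hashlib
import hmac
import io
from email.message import EmailMessage
from string import Template

# Constructed sample of the address list collected at the OSINT stage.
RECIPIENTS_CSV = """email,first_name,last_name,department
i.petrov@example.com,Ivan,Petrov,Sales
a.smirnova@example.com,Anna,Smirnova,Accounting
s.volkov@example.com,Sergey,Volkov,IT
"""

# Staff most likely to recognise the test and warn colleagues.
EXCLUDED_DEPARTMENTS = {"IT", "Information Security"}

# $placeholders are filled from the recipient row plus the campaign settings.
SUBJECT_TEMPLATE = Template("$event: please confirm your attendance")
BODY_TEMPLATE = Template(
    "Good afternoon, $first_name!\n\n"
    "Please confirm your attendance at the $event by following the link:\n"
    "$link\n\n"
    "Best regards,\n$signature\n"
)


def load_recipients(csv_text):
    """Parse the export and drop the departments we do not want to target."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["department"] not in EXCLUDED_DEPARTMENTS]


def recipient_id(email, secret):
    """Opaque per-recipient id for the link, so clicks can be attributed
    without putting the address itself in the URL."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def render(recipient, campaign):
    """Build a complete message for one recipient.

    campaign keys: event, sender, signature, link_base, secret (bytes).
    """
    values = dict(recipient)
    values.update(campaign)
    values["link"] = f"{campaign['link_base']}?rid={recipient_id(recipient['email'], campaign['secret'])}"
    msg = EmailMessage()
    msg["From"] = campaign["sender"]
    msg["To"] = f"{recipient['first_name']} {recipient['last_name']} <{recipient['email']}>"
    msg["Subject"] = SUBJECT_TEMPLATE.substitute(values)
    msg.set_content(BODY_TEMPLATE.substitute(values))
    return msg


def build_campaign(csv_text, campaign):
    """One ready-to-send message per remaining recipient."""
    return [render(r, campaign) for r in load_recipients(csv_text)]


DEMO_CAMPAIGN = {  # constructed settings; examp1e.com is a hypothetical lookalike domain
    "event": "Q3 planning meeting",
    "sender": "HR <hr@examp1e.com>",
    "signature": "HR department, Example Ltd",
    "link_base": "https://examp1e.com/confirm",
    "secret": b"per-campaign-random-secret",
}

if __name__ == "__main__":
    for m in build_campaign(RECIPIENTS_CSV, DEMO_CAMPAIGN):
        print(m.as_string())
        print("-" * 60)
```

The messages come out as complete RFC 5322 objects, so they can be handed to smtplib or saved as .eml files for review before anything is sent; the rid in the link is an HMAC of the address rather than the address itself, so a recipient who forwards the letter does not expose who else was targeted.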

Large mail providers invest heavily in their own detection know-how, and the company under test may also use a commercial spam filter. The attacker usually has no details of how the anti-spam system works (or even whether one exists), so it is worth following general advice on getting past spam filters:
  • before each campaign, look up a current list of words that frequently occur in spam (such lists are updated) and avoid them in the letter;
  • do not overuse punctuation marks (especially several in a row);
  • do not try to make the letter “varied”: avoid mixing font sizes, text colours, styles and words in upper case. In short, do not decorate the text unless necessary (an exception may be made to match the corporate correspondence style);
  • do not use many links in the letter, especially to different domains;
  • if you insert links, do not shorten them;
  • do not add many images unnecessarily;
  • the letter should not be empty, containing only attachments;
  • do not use leet-style spelling;
  • if the letter links to a site hosting malicious content, do not link to the file directly: security systems may alert IT or information security staff, and the attack comes to nothing if they react properly;
  • think carefully before attaching malware directly to an email. Even archived and encrypted, it is no guarantee of success: the security policy may simply disallow incoming encrypted files from external domains;
  • try not to attach large files; the letter itself should also be small;
  • keep an eye on the sender requirements of the popular mail services, for example Google's sender guidelines;
  • ask yourself how believable the letter would seem if it arrived in your own inbox;
  • it is a good idea to score the letter with a service such as mail-tester before sending it.
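The checklist above, turned into a rough pre-send self-check. This is an added example, not part of the original post and not a spam filter: it only flags the cheap, obvious signals so they can be fixed before a real filter sees the message. The trigger-word list and thresholds are placeholders to be replaced with a current list, and the two sample messages are constructed.

```python
"""Rough pre-send self-check for the spam indicators in the checklist.

Added example, not part of the original post. It is not a spam filter;
it flags the cheap signals from the list (punctuation runs, caps, many
links, several domains, shorteners, direct file links, trigger words,
leet spelling, empty body, size) so they are fixed before sending.
"""
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
TRIGGER_WORDS = ["free", "winner", "urgent", "act now", "click here", "100%"]  # example subset
FILE_EXTENSIONS = ("exe", "zip", "rar", "7z", "iso")
MAX_LINKS = 3
MAX_CAPS_RATIO = 0.2
MAX_BYTES = 100_000

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# letters, then digits commonly used as letter substitutes, then letters: h3llo, cl1ck
LEET_RE = re.compile(r"\b[a-z]+[013457]+[a-z]+\b", re.I)


def _trigger_re(phrase):
    # (?<!\w) / (?!\w) instead of \b so that a phrase ending in "%" also matches
    return re.compile(r"(?<!\w)" + re.escape(phrase) + r"(?!\w)", re.I)


TRIGGER_RES = [(p, _trigger_re(p)) for p in TRIGGER_WORDS]


def lint_message(subject, body, attachment_sizes=()):
    """Return a list of findings; an empty list means nothing obvious to fix."""
    findings = []
    text = subject + "\n" + body

    if re.search(r"[!?]{2,}", text):
        findings.append("repeated punctuation")

    words = re.findall(r"[A-Za-z]{3,}", body)
    caps = [w for w in words if w.isupper()]
    if words and len(caps) / len(words) > MAX_CAPS_RATIO:
        findings.append("too many upper-case words")

    urls = URL_RE.findall(body)
    domains = {urlparse(u).hostname for u in urls}
    if len(urls) > MAX_LINKS:
        findings.append(f"{len(urls)} links")
    if len(domains) > 1:
        findings.append(f"links to {len(domains)} different domains")
    if domains & SHORTENERS:
        findings.append("shortened link")
    if any(urlparse(u).path.lower().rsplit(".", 1)[-1] in FILE_EXTENSIONS for u in urls):
        findings.append("direct link to a file")

    hits = [p for p, rx in TRIGGER_RES if rx.search(text)]
    if hits:
        findings.append("trigger words: " + ", ".join(hits))
    if LEET_RE.search(text):
        findings.append("leet-style spelling")
    if not body.strip() and attachment_sizes:
        findings.append("empty body with attachments")
    if len(body.encode()) + sum(attachment_sizes) > MAX_BYTES:
        findings.append("message too large")
    return findings


# Constructed samples: one letter that follows the checklist, one that breaks most of it.
CLEAN = (
    "Q3 planning meeting: please confirm your attendance",
    "Good afternoon, Ivan!\n\nPlease confirm your attendance at the Q3 planning meeting:\n"
    "https://example-corp.com/confirm?rid=3f9a\n\nBest regards,\nHR department\n",
)
NOISY = (
    "URGENT!!! You are a WINNER",
    "Cl1ck h3re http://bit.ly/x or http://other.example/a.zip FREE FREE FREE\n",
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("noisy", NOISY)):
        print(name, "->", lint_message(*sample) or "no findings")
```

Note that a lookalike domain with a digit in it (examp1e.com) trips the leet check by design: the domain is exactly that kind of substitution, and it is one of the things a filter will weigh.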

Stage 2. Making a bow

Choosing a domain

This part is simple: we come up with a domain as similar as possible to the domain of the company under test. Ideally the difference is a single character and the substitution is subtle, for example o replaced with 0, or a letter replaced with a visually identical one from another script (a homoglyph with a different Unicode code point, such as Cyrillic а for Latin a). Bear in mind that such an IDN is registered in its punycode form (with the xn-- prefix) and that modern browsers display mixed-script names in that form, so a homoglyph domain looks convincing in a mail client but much less so in the address bar. If you are short of ideas or time, the catphish tool generates candidates and checks their availability at the same time. After choosing a domain and checking that it is free, buy it from your favourite registrar. In the zone settings add an MX record (for example, mx.yourdomain.com) and, for that name, an A record pointing at the IPv4 address on which the mail server will be set up. You also need a PTR record for that address, since its absence lowers the letter's rating; note that the PTR lives in the reverse (in-addr.arpa) zone, so it is set in the hosting provider's panel or through their support, not in your own zone.
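The kind of candidate list a tool such as catphish produces, as an added example (not the original post's code and not catphish itself): ASCII substitutions, typos and single Cyrillic homoglyphs for a constructed target domain, with non-ASCII candidates output in the punycode form a registrar would actually register.

```python
"""Lookalike domain candidates for a target domain.

Added example, not part of the original post and not catphish. It
generates the classic substitutions so that a few can be checked for
availability by hand or through a registrar API. example.com is the
constructed target.
"""

# ASCII substitutions that survive a quick glance
ASCII_SWAPS = {
    "o": ["0"], "l": ["1"], "i": ["1"], "e": ["3"], "a": ["4"], "s": ["5"],
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "cl": ["d"], "d": ["cl"],
}
# Same-looking letters from the Cyrillic script (registered as xn--... names)
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
              "p": "\u0440", "x": "\u0445", "y": "\u0443"}


def _swap_variants(label):
    out = set()
    for old, news in ASCII_SWAPS.items():
        start = label.find(old)
        while start != -1:
            for new in news:
                out.add(label[:start] + new + label[start + len(old):])
            start = label.find(old, start + 1)
    return out


def _homoglyph_variants(label):
    # One substituted character at a time; browsers show mixed-script labels
    # as punycode anyway, so more substitutions do not buy anything.
    return {label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            for i, ch in enumerate(label) if ch in HOMOGLYPHS}


def _typo_variants(label):
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omission: exmple
        out.add(label[:i] + label[i] + label[i:])          # repetition: exaample
        if i + 1 < len(label):                             # transposition: exapmle
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def lookalikes(domain):
    """Return sorted candidate domains, ASCII ones as-is and IDNs in punycode."""
    label, _, suffix = domain.lower().partition(".")
    cands = _swap_variants(label) | _homoglyph_variants(label) | _typo_variants(label)
    cands.discard(label)
    result = set()
    for c in cands:
        if not c:
            continue
        try:
            registrable = c.encode("idna").decode("ascii")  # xn--... for non-ASCII labels
        except UnicodeError:
            continue  # label the IDNA rules reject (too long, forbidden characters)
        result.add(registrable + "." + suffix)
    return sorted(result)


if __name__ == "__main__":
    for d in lookalikes("example.com"):
        print(d)
```

Feed the output to a WHOIS or registrar availability check rather than registering blindly; brand-protection services watch exactly these permutations, which is also why the candidates are generated rather than reused from a public list.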

Mail server

The next goal is to prepare the infrastructure for the mailing, that is, the mail server. To be precise, you need at least an SMTP server to send letters; it is also worth having a POP3/IMAP server in case you need to continue the correspondence with users. You can install whatever mailer you like, but the exim + dovecot or postfix + dovecot combinations are used most often for this. They are a good choice if you have never set up a mail server, because the Internet is full of articles on configuring them and on solving the problems that come up along the way. Now let us talk about how to keep mail from a freshly built server out of the spam folder.
Besides the content of the letter, there are other indicators of a message's legitimacy. Content analysis goes some way, but anti-spam filters also expect the mail server's administrator to prove that the messages being sent are legitimate. You can calm the filters by adding a couple of DNS resource records: SPF and DKIM.

SPF

SPF (Sender Policy Framework) is a method that lets a domain's administrator publish the list of IP addresses allowed to send mail for that domain. Recall how SMTP works: the sender can put any domain in the MAIL FROM envelope address, that is, spoof it. SPF is aimed at combating this.
The idea is that anyone can retrieve, for the sender's domain, information stating who is allowed to send mail on its behalf, and DNS is ideal for that. The administrator adds a TXT record of a certain format to the domain's DNS zone stating which IP addresses may use the domain (the dedicated SPF record type that once existed for this has been deprecated by RFC 7208, so use TXT). The receiving server then compares the connecting IP address with the addresses in the record and, if it matches, accepts the letter. In that case the headers of the letter will contain something like this:
Authentication-Results: spf=pass
If the check fails, the message usually ends up in spam, because an SPF mismatch is a strong argument for lowering its rating. All the details of SPF and its syntax are in RFC 7208. For our purposes the simplest record is enough: allow certain IP addresses and deny all others. Note that SPF is checked against the envelope sender (MAIL FROM) and the HELO name, not against the From: header the user sees.
@ TXT "v=spf1 ip4:1.2.3.4 -all"
or
yourdomain.com TXT "v=spf1 ip4:1.2.3.4 ~all"
  • @ stands for the zone apex, that is, the domain itself; a relative name such as yourdomain would instead be expanded relative to the zone (in the zone example.ru it would mean yourdomain.example.ru). Some hosting panels do not use the @ sign at all, so check the syntax in the hosting provider's help;
  • v=spf1 is the SPF version; only the first one exists;
  • ip4 whitelists a host address or a CIDR range (ip4:1.2.3.0/24); note that it is ip4, not ipv4 (ip6 exists for IPv6 addresses);
  • -all says what to do with everyone else. SPF has two qualifiers for this: a tilde (~all) is a “soft” fail (the message is usually delivered but lands in spam), a hyphen (-all, as in the first example) is a “hard” fail.
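To see what a receiver does with the two records above, here is an added example (not from the original post) that parses an SPF record and evaluates a sending address against it. It handles only ip4, ip6 and all, which is everything a single dedicated sending server needs; mechanisms that require DNS lookups are recognised but not resolved, and the 10-lookup limit is only approximated.

```python
"""Minimal SPF (RFC 7208) record parser and evaluator.

Added example, not part of the original post. Evaluates ip4/ip6/all
mechanisms, which is all a dedicated sending server publishes; the
DNS-based mechanisms (a, mx, include, exists, ptr) are accepted by the
parser but deliberately not resolved here. A real receiver also applies
the 10-lookup limit and checks the HELO identity.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}
MODIFIERS = {"redirect", "exp"}


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name = term.split("=", 1)[0].lower()
            if name not in MODIFIERS:
                raise ValueError(f"unknown modifier {name!r}")
            continue  # modifiers are not evaluated in this example
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if not arg:
                raise ValueError(f"{name} needs an address")
            net = ipaddress.ip_network(arg, strict=False)  # 1.2.3.4 is treated as /32
            if (name == "ip4") != (net.version == 4):
                raise ValueError(f"{name} given a v{net.version} address: {arg}")
            mechanisms.append((qualifier, name, net))
        elif name == "all" or name in DNS_MECHANISMS:
            mechanisms.append((qualifier, name, arg))
        else:
            # catches the common 'ipv4:' typo, which a receiver treats as permerror
            raise ValueError(f"unknown mechanism {name!r}")
    return mechanisms


def evaluate(record, sender_ip):
    """Result a receiver gets for mail from sender_ip: pass, fail, softfail or neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip.version == arg.version and ip in arg:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"{name} needs DNS resolution")
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no 'all' term


def lint_spf(record):
    """Mistakes a publisher should catch before relying on the record."""
    try:
        mechs = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    last = mechs[-1] if mechs else None
    if last is None or last[1] != "all":
        problems.append("no 'all' term: unlisted senders get 'neutral' instead of a rejection")
    elif last[0] == "+":
        problems.append("'+all' lets anyone send as this domain")
    if sum(1 for m in mechs if m[1] in DNS_MECHANISMS) > 10:
        problems.append("more than 10 DNS-querying mechanisms (permerror)")
    return problems


if __name__ == "__main__":
    for rec in ("v=spf1 ip4:1.2.3.4 -all", "v=spf1 ip4:1.2.3.4 ~all", "v=spf1 ipv4:1.2.3.4 -all"):
        print(rec, "->", lint_spf(rec) or "ok")
        if not lint_spf(rec):
            print("   from 1.2.3.4:", evaluate(rec, "1.2.3.4"), "| from 5.6.7.8:", evaluate(rec, "5.6.7.8"))
```

The lint function is the useful part before go-live: a typo such as ipv4: or a stray +all is rejected here, whereas a receiver would silently downgrade the whole record to permerror or, worse, accept anyone.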

DKIM

DKIM (DomainKeys Identified Mail) is a method of authenticating email messages. More precisely, DKIM lets the receiving server verify that the message was really sent on behalf of the domain given in its headers and has not been altered in transit. It is based on asymmetric cryptography: the message is signed with a private key, while the public key is associated with the sender's domain and available to everyone. DNS is ideal for this too, and the receiving server verifies the signature with that public key. The picture below shows how DKIM works.

The following happens in this diagram.
  1. Before the mail server goes into service, a key pair is generated. The private key is, of course, kept in a safe place, and the public key is published in a TXT record named <selector>._domainkey.<your domain>.
  2. The server is configured with software that signs each message as it is sent (the open-source OpenDKIM can be used).
  3. Every outgoing message is signed with the private key: hashes of the selected headers and of the body are computed, signed with the private key, and the result is placed in a DKIM-Signature header.
  4. The receiving server fetches the public key and verifies the signature; if everything is in order, the message will most likely reach the recipient.
This simplified picture is only meant to convey the general process; see RFC 6376 for the details.
If everything went well, the receiving side will see dkim=pass in the Authentication-Results header, among other things.
At first glance DKIM alone seems enough for our purposes, but it is not, since SPF and DKIM have slightly different goals: SPF tells the relying party which IP addresses may send messages for the domain, while DKIM vouches that the message was signed by the domain and has not been modified in transit.
If you set up the server on your own dedicated IP address there are no problems, but a mail server on a VDS has certain nuances; they are covered in the article on setting up SPF/DKIM (which also walks through the Postfix + OpenDKIM combination). Another thing to consider is the length of the public key record: a single string in a TXT record holds at most 255 characters, and the record for a 2048-bit key is longer than that, so a hosting panel may refuse it as entered. OpenDKIM therefore splits the key into several quoted parts.
There are at least two ways around this: several consecutive TXT records, or one TXT record made up of several strings. The second is the correct one: a DKIM verifier expects a single TXT record at the selector name and concatenates its strings, while the result with several records at the same name is undefined, so the first way only works if the panel joins the entries into one record. In the panel, the break between strings is usually a line break in the input field. OpenDKIM wraps the whole key in parentheses, encloses each part in double quotes and separates the parts with spaces, so remove the quotes and parentheses (although some providers accept parentheses in DNS records) and paste the remaining text, with its line breaks, into one TXT record.
Whatever you do, after adding the records check that they were entered correctly, especially for a multi-string DKIM public key: query the record and compare the concatenated value with the key file.
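An added example (not from the original post or from OpenDKIM) covering both the record assembly and the final check: it joins the quoted fragments of an opendkim-genkey zone snippet, splits the record into strings no longer than 255 characters, and verifies that p= decodes to an RSA SubjectPublicKeyInfo of the expected size. The snippet it works on is constructed around a dummy 2048-bit modulus, not a real key, so only the structure is meaningful.

```python
"""DKIM public-key TXT record: reassembling OpenDKIM output and checking it.

Added example, not part of the original post or of OpenDKIM. It joins the
quoted fragments that opendkim-genkey emits into one record, splits the
record back into strings of at most 255 bytes (the limit for one
<character-string> in TXT RDATA, RFC 1035) and checks the published key.
The sample record is constructed: its modulus is a dummy 2048-bit number,
not a real key, so only the structure is meaningful.
"""
import base64
import binascii
import re

TXT_STRING_MAX = 255
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


# --- just enough DER to build and read a SubjectPublicKeyInfo ---------------
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _der_read(buf, pos=0):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dummy_spki(bits):
    """SubjectPublicKeyInfo with a structurally valid but meaningless modulus."""
    n = (1 << (bits - 1)) | 1  # NOT a real key: just the right size
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def rsa_modulus_bits(spki):
    _, body, _ = _der_read(spki)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _der_read(body)           # AlgorithmIdentifier
    _, oid, _ = _der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _der_read(body, pos)     # BIT STRING, first octet = unused bits
    _, rsa_key, _ = _der_read(bitstr[1:])   # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsa_key)      # modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length()


# --- the TXT record -----------------------------------------------------------
def join_opendkim_record(zone_snippet):
    """Concatenate the quoted strings of an opendkim-genkey zone snippet."""
    parts = re.findall(r'"([^"]*)"', zone_snippet)
    if not parts:
        raise ValueError("no quoted strings found")
    return "".join(parts)


def split_for_txt(record, limit=TXT_STRING_MAX):
    """Cut the record into pieces a DNS panel accepts as one multi-string TXT."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_dkim_tags(record):
    tags = {}
    for item in record.split(";"):
        if item.strip():
            k, _, v = item.partition("=")
            tags[k.strip()] = "".join(v.split())  # whitespace inside values is ignored
    return tags


def check_dkim_record(record):
    """Return (key_bits, problems) for a reassembled record."""
    tags = parse_dkim_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 if present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    if "p" not in tags:
        return 0, problems + ["no p= tag"]
    if tags["p"] == "":
        return 0, problems + ["empty p= means the key is revoked"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError):
        return 0, problems + ["p= is not a base64 SubjectPublicKeyInfo"]
    if bits < 1024:
        problems.append(f"{bits}-bit key: receivers reject keys under 1024 bits")
    return bits, problems


SAMPLE_P = base64.b64encode(dummy_spki(2048)).decode()
# Constructed in the shape opendkim-genkey writes to <selector>.txt
SAMPLE_SNIPPET = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={SAMPLE_P[:200]}"\n'
    f'\t  "{SAMPLE_P[200:]}" )  ; ----- DKIM key mail for example.com'
)

if __name__ == "__main__":
    record = join_opendkim_record(SAMPLE_SNIPPET)
    for s in split_for_txt(record):
        print(f'"{s}"')
    print(check_dkim_record(record))
```

After publishing, fetch the live record (for example with dig TXT mail._domainkey.yourdomain.com), join its strings the same way and run the check on that rather than on the file: the mistakes that matter are the ones the panel introduced.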

Phishing site

A phishing site is useful when you need to obtain credentials for some resource on the Internet. Some users reuse the same password for different purposes, so after successful phishing it makes sense to try the captured accounts against the company's other services. The phishing site must be almost indistinguishable from the real one. You may also need to bypass two-factor authentication; the Modlishka and Evilginx reverse-proxy tools are convenient for that.
If you decide to use a website in your phishing campaign, there are a couple of nuances here as well.
First of all, provide HTTPS with a certificate from a public CA (a self-signed certificate would do the opposite of what you want, since the browser shows a warning page for it): many users trust the padlock in the address bar without going into the technical details behind it. Besides, over plain HTTP the browser makes it clear that submitting confidential data in clear text is dangerous, and even without a phishing warning that alone can raise users' anxiety and vigilance, which we do not need at all. Issuing a certificate is not complicated; see, for example, the article on Let's Encrypt.

There are companies offering so-called brand protection. This service usually includes anti-phishing, that is, protecting the company from actions that could damage its reputation. It usually means:
  • monitoring the company's web resources for defacement or domain hijacking;
  • monitoring the company's network for phishing emails;
  • monitoring domains that closely resemble the company's domains, and everything that may be associated with them (first of all, websites and mail servers);
  • monitoring company products that could let attackers act on its behalf (dynamically loaded images, JS libraries and so on).
Such companies also offer browser extensions that warn the user unambiguously about the danger of a particular site. In MS Edge, for example, the combination of various web services and the SmartScreen filter can make it impossible to open a site deemed “potentially phishing”.

[Figure: blocking a potentially phishing site in the MS Edge browser]

[Figure: blocking a potentially phishing site in the Chrome browser]

The word “potentially” is used because completely legitimate sites can suffer from such blocking too.
Such extensions exist for different browsers, but the browsers themselves also have built-in protection (Firefox and Chrome, for example, use the Google Safe Browsing lists). It is fair to expect these services to keep improving and to be used to monitor phishing activity.

To avoid these pitfalls, follow two rules:
  • if the phishing site uses third-party resources, download them and serve them statically from your own web server, because requests for third-party resources can be monitored. This is especially important for resources associated with the big browser vendors: it is in their interest to watch for exactly that;
  • do not bring the phishing site up too early; brand protection services actively watch for new lookalike domains.

Debugging the payload

If you decide to prepare malware for deployment on the network, there are also several important nuances:
  • test the malware on an isolated network;
  • when testing the reaction of protection systems, cut off Internet access, otherwise your malware's signatures will quickly end up in antivirus databases;
  • do not upload samples to public services such as VirusTotal;
  • prefer a website as the delivery method: sending such things by mail in the clear guarantees failure, and an encrypted archive may well be stopped by the security systems on the customer's network.
Of course, none of this guarantees success, since the security policy may be set to paranoid, but at least it raises the chance that your letter will not be blocked or sent to spam.

Stage 3. Pull the bowstring

So, the letter is written, the mailing list is ready, the server is up and configured. What next?
Now the process has to be automated. You could write a command-line script that drives the mail server's CLI to send messages, but that is reinventing the wheel; it is better to use a popular mailing automation tool. Among the free ones the most popular is Gophish. It not only automates the sending with built-in campaign scheduling and a template engine for substituting values into the message, but also collects statistics.
The metrics tracked include the opening of a letter (an invisible image is inserted into the message whose src attribute points at a special handler on the web server) and the opening of a link. Hacker magazine has already published an article on setting up this tool; there is nothing complicated about it. Gophish is designed to send mail through a separate mail server, which is specified in its settings, but it cannot read replies (otherwise it would be a hybrid of a mail client and a phishing framework).
It would seem everything is ready. But if you use a phishing site, there is one last step to bring the matter to fruition: post-exploitation in the user's browser. This can sometimes yield useful information, especially if users run outdated browser versions.
The most popular (and free) solution is BeEF (the beef-xss package), the Browser Exploitation Framework. Its principle is simple: you add a hook script to the phishing site that connects back to a pre-installed BeEF server. If all goes well, the server's web admin panel lets you perform various actions on the hooked browser, from simple reconnaissance (for example, discovering open ports on the client's host and on neighbouring hosts, or the IP addresses of the host and its neighbours) to exploiting vulnerabilities in the browser. Hacker magazine has also published a guide to working with BeEF.
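How that invisible image works end to end, as an added example (not from the original post or from Gophish): a per-recipient pixel URL carrying an HMAC token, and the handler that records the open and returns a 1x1 GIF. The secret and recipient ids are constructed. On accuracy: clients that block remote images never register an open, and some that proxy-prefetch images register one without the user looking, so open counts are indicative only.

```python
"""Open-tracking pixel: issuing the per-recipient URL and serving it.

Added example, not part of the original post and not Gophish's code
(which implements the same idea). The secret and recipient ids are
constructed. The token binds the request to a recipient id so that a
guessed or scanned URL cannot inflate the statistics.
"""
import base64
import hashlib
import hmac
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SECRET = b"per-campaign-random-secret"  # constructed; generate a fresh one per campaign
# 1x1 transparent GIF
PIXEL = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
OPENS = Counter()  # recipient id -> number of pixel loads


def token(rid, secret=SECRET):
    return hmac.new(secret, rid.encode(), hashlib.sha256).hexdigest()[:16]


def pixel_url(base, rid, secret=SECRET):
    """URL to put into <img src=...> in the HTML part of the message."""
    return f"{base}/o.gif?rid={rid}&t={token(rid, secret)}"


def rid_from_request(path, secret=SECRET):
    """Return the recipient id if the request carries a valid token, else None."""
    url = urlparse(path)
    if url.path != "/o.gif":
        return None
    q = parse_qs(url.query)
    rid, t = q.get("rid", [""])[0], q.get("t", [""])[0]
    if not rid or not hmac.compare_digest(t.encode(), token(rid, secret).encode()):
        return None
    return rid


def record_open(path, secret=SECRET):
    """Count the open for a valid request; returns the recipient id or None."""
    rid = rid_from_request(path, secret)
    if rid:
        OPENS[rid] += 1
    return rid


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        rid = record_open(self.path)
        # Always return the image, so a tampered URL reveals nothing.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")  # every display should reach the server
        self.end_headers()
        self.wfile.write(PIXEL)
        if rid:
            self.log_message("open by %s from %s", rid, self.client_address[0])


if __name__ == "__main__":
    tag = f'<img src="{pixel_url("https://examp1e.com", "3f9a1c")}" width="1" height="1">'
    print("example tag:", tag)
    HTTPServer(("127.0.0.1", 8080), PixelHandler).serve_forever()
```

Serve this over HTTPS on the campaign domain in practice (put it behind the same web server and certificate as the phishing site); a plain-HTTP image inside an HTML mail is blocked or flagged by several clients.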
There are a couple of important points to consider.
First, if the phishing site is served over HTTPS while the BeEF server listens on plain HTTP, modern browsers will refuse to load a script from an HTTP URL into an HTTPS page (mixed content). So you first need to enable HTTPS support in BeEF's config.yaml (the https section under beef: http:) and give the names of the future key and certificate. The config should then contain something like this:
https:
    enable: true
    key: "your_key.pem"
    cert: "your_cert.pem"
Second, the BeEF server needs a domain of its own (a subdomain of the domain already purchased will do) and, again, a certificate issued through Let's Encrypt. The key and certificate are placed in the BeEF directory.
 