Due to the increased number of reported high-profile attacks, it is likely that you have heard of "phishing". What exactly is phishing? At its core, phishing is the sending of an email to a target with the intent of having the target perform some action that will lead to the attacker gaining some new piece of information or access. While the phishing attack can have any number of intended outcomes, two of the most common are:
- Harvesting credentials from a target, typically via a credential harvesting website
- Compromise of a target's system via a malicious attachment
Most phishing attacks seem to follow the same basic four steps: recon, development and deployment, initiating the attack, and collecting the results of the attack. First, the attacker must identify, typically via OSINT (Open Source Intelligence Gathering), target email addresses. One common technique is to data mine social media sites like LinkedIn and Facebook. An awesome tool that can greatly aid in this is Recon-ng written by Tim Tomes. Once the target acquisition had been completed, the attacker must decide on the type of attack: credential harvesting, malicious attachment, or so on. Whatever the decision, work must be done to create the credential-harvesting website, create the malicious attachment, etc. Next, the attacker would design and send the phishing emails. This can be done by using a standard mail client or in a more automated manner via custom scripts. Finally, there is the waiting. At this point, if all were done correctly, the attacker would wait to see if any of the sent emails resulted in a success, including captured credentials, remote access shells, etc. While the simplified process presented above may seem fairly easy and straight forward, the actual execution of a phishing exercise can typically be a bit complex. Some great tools can be used to help simplify the process and assist in the deployment of phishing attacks ,such as the Social Engineering Toolkit by TrustedSec and PhishingFrenzy by Brandon McCann. As helpful and amazing as those tools are, these have their own minor limitations – either they're hard to install and configure, too complex and intimidating to those unfamiliar with them, or only help with part of the process. This is not a criticism of the tools or the developer, merely the nature of tools. No tool can be a complete solution to everyone. In an attempt to help fill in the gaps left by the other tools and to help my fellow penetration testers and myself, I developed a new tool called SPF “SpeedPhishing Framework”. SPF was designed to help simplify and automate the email phishing process. SPF is not without its own limitations, as well. While additional types of phishing attacks, such as malicious attachments, may be added in the future, SPF currently only assists with “credential harvesting” attacks. SPF, when provided with minimal input (such as just a target domain name), can search for potential targets, deploy multiple phishing websites, craft and send phishing emails to those targets, record the results, generate a basic report, among other more advanced tasks. Current features include:
- Written in python
- Can be run fully automated or interactively
- Automated target identification
- Profiling of target company
- Hosting of templated and dynamically generated phishing websites
- Sending of emails
- Collection of phishing results
- Verification of results
SPF will be presented in Las Vegas in August at BSidesLV. If you want to learn more or have comments or suggestions, please stop by.
About the Author: Adam Compton currently works as a penetration tester and has over 20 years of infosec experience, of which, 15 years has been as a penetration tester. He has worked in both the government and private sectors for a variety of customers ranging from domestic and international governments, multinational corporations, and smaller local business. Visit Adam's blog here: blog.seedsofepiphany.com Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
