The weakest link. Phishing emails as a pentesting tool

Conventional wisdom holds that the most vulnerable component of any computer system is its user. Humans may be inattentive, unthoughtful, or misinformed and easily become victims of phishing attacks. Accordingly, this weak link must be tested for security as thoroughly as the software and hardware components.

Penetration tests based on social engineering techniques can be performed either separately (e.g. as an audit of the personnel awareness and performance evaluation for the IT and IS departments) or in the framework of external pentesting. For instance, the client wants to exclude the penetration possibility through a certain vector; or, alternatively, this direction is the last hope, since the tester was not able to get into the network without the assistance of the customer’s employees. Regardless of the reasons, it is necessary to develop a social engineering strategy on the basis of the existing information (either received from the customer or collected at the OSING stage).

The attack strategy depends on various factors, including the client’s desire to implement social engineering scenarios, restrictions on social engineering, and sufficiency of information collected at the OSINT stage. Let’s say the customer has approved a scenario in which you send unsolicited emails (i.e. spam) to the staff. In this article, I will address most common problems arising in the course of such email campaigns and explain how to solve them to make sure that your messages reach the personnel with a probability close to one hundred percent.

WARNING

All information provided in this material is intended for educational purposes only. Neither the author nor Editorial Board can be held liable for any damages caused by improper usage of this publication.

Stage 0. Goal identification

First, it is necessary to decide what attack vectors are applicable in the current situation. Email campaigns usually have two purposes:

  • using the body of the letter and fillable fields (e.g. on a phishing web site or in a program impersonating the corporate software), trick the users into disclosing confidential information without raising any suspicions; or
  • trick the user into downloading a file (from a message, torrent, etc.) and perform certain actions with it (e.g. launch an app, open a document in MS Word and enable macros, etc.) also without raising suspicions. The downloaded malicious file may either exploit vulnerabilities in the target system or steal confidential data.

Email campaigns require at least a mail server. In fact, mails can be delivered to the customer’s network in two ways: from within and from without.

The delivery from within requires a mail server inside the tested network (provided that it was successfully compromised). I am not going to discuss this scenario here because, unlike the external mailing, it does not require any special skills. If the customer’s mail server cannot be compromised, then you have two options: (1) use existing mail services; or (2) deploy your own mail server and purchase a domain. The existing mail services are not good for this purpose: emails coming from them look suspicious, while the IT/IS department may refuse to lower the security level for domains used by such services (because these domains might be used not only for pentesting purposes).

On the other hand, if you deploy a server on your domain resembling the customer’s domain, you can kill two birds with one stone: the vigilance of inattentive users drops nearly to zero, and you are the only person in control of this domain. However, it is necessary to keep in mind that the technologies are rapidly developing and antispam filters protecting against such tricks have been invented a long time ago.

So, before starting a pentesting research, you have to make the following decisions:

  • decide whether to use malicious files or only fishing pages (these two techniques can be combined). Then you have to produce the phishing letter in accordance with the selected approach; its text should motivate the user to take the required actions;
  • decide how to deliver the malicious files and how to perform phishing attacks;
  • prepare local mailing infrastructure;
  • reduce the chance that the letters get into the Spam folder; and
  • carry out the mailing campaign.

INFO

This article refers to some social engineering basics; however, the provided information is in no way exhaustive. If social engineering is new to you, I strongly suggest reviewing related materials available on the Internet.

Stage 1. Creating the arrows

After determining the attack technique, it is necessary to prepare the required tools, identify the targets, produce the letterhead and text, and decide how to entrench yourself inside the network.

The information obtained at the intelligence collection stage, including email addresses of the employees, the corporate security systems (that test incoming emails for malicious attachments), and various infrastructure configurations, plays a crucial role in the selection of the right tools. The last two aspects can help at least in the following cases:

  • the testing is to be carried out with minimal assistance from the IT and IS personnel: this means that no exceptions will be made for your letters in the configuration of security systems. Accordingly, any information on the configuration of the corporate security systems will help to select the optimal strategy and implement it in the right way; or

  • malicious attachments are to be delivered, and it is logical to assume that the corporate security systems will actively detect them. Accordingly, you need to know what security software is used by the company. This information will facilitate the malware testing and raise the chances of success.

Some users should be excluded from the mailing list; for instance, you can choose a certain department (or several departments) and divide the phishing attack into stages using an individual approach to each group of recipients. It is preferable to exclude the IT and IS personnel from the mailing list because these people are skilled in cybersecurity and may warn their colleagues. It is always good to personalize the letter by writing “Dear %username%” instead of “Hi!”. The mailing and personalization procedures must be automated, but first of all, you have to create a general template to be able to insert users’ names, addresses, and positions into it.

Then it is necessary to collect information making your letter credible. For instance, you can find out what internal events are conducted in the company or what clients and partners are actively communicating with it. This information determines the subject and text of your letter.

You will also need information required to polish the letter, including the business writing style used by the employees, the corporate signature, etc. Any piece of information is valuable and raises the chances of success.

Another purpose of the polishing is to make sure that your letter does not resemble spam. Spam filters rate all letters on the basis of several parameters, including the content and subject. The analysis algorithm uses various, often combined, techniques (artificial intelligence, users’ complaints, researches carried out by the mailing service, etc.). The purpose of this analysis is to assess the odds that the letter contains malicious payload.

Major mail services employ sophisticated know-how techniques. The tested company may also use commercial spam filters. Normally, the attacker has no idea of the antispam services (if any) used by the target corporation; therefore, I suggest following the general recommendations provided below:

  • every time, check in Google the list of words frequently used in spam messages (such lists are updated on a regular basis) and avoid such words in your letter;
  • don’t overuse punctuation marks;
  • don’t try to make your letter ‘diverse’ (i.e. don’t use various combinations of letter sizes, colors, and styles as well as words in capitals). The only possible exception is the corporate style used by the target company;
  • don’t use a lot of links in your letter, especially to different domains;
  • if you use links, do not shorten them;
  • don’t add too many images unnecessarily;
  • the letter should not be empty and contain only the attachment;
  • don’t use the leet style;
  • if your letter includes a link to a malicious site, do not attach this link to the file directly: security systems can alert the IT or IS personnel, and you attack would fail – provided that the security staff react properly;
  • think twice before attaching the malicious payload directly to the letter. Even packing and encrypting do not guarantee a success: the security system policy may block incoming encrypted files from external mail domains;
  • don’t attach large files to your letters. The letter size must not be large, too;
  • monitor the requirements of popular mail services to mailing campaigns;
  • imagine that you are a recipient of this letter and try to estimate its credibility; and
  • use mail-tester to check the ‘spammyness’ of your letter.

Phase 2: Creating the bow

Choosing a domain

This step is simple: design a domain strongly resembling the domain of the tested company. Ideally, the difference should be limited to one symbol, and the replacement must be undistinguishable (e.g. 0 instead of o or the same letter with a different code in Unicode). You can also use the catphish tool to generate a domain name and check its availability. After the domain selection and availability verification, purchase it from your favorite registrar. In the zone settings, add an MX record (e.g. mx.yourdomain.com). Then add to it an A record specifying the IPv4 address of the future mail server. In addition, you have to add an RTR record because its absence may lower the letter’s rating.

Mail server

Your next objective is to prepare the mailing infrastructure (i.e. a mail server). To send out letters, you will need an SMTP server. It would be great to have a POP3/IMAP server as well – in case you need to communicate further with the target users. You may use your favorite mail server, but the two most common pentesting schemes are exim + dovecot or postfix + dovecot combinations. Both of them are great if you had never configured servers in the past: plenty of guides explaining how to do this and solve configuration issues are available on the Internet. However, the main problem is: how to avoid ending up in the Spam folder if you use a premade mail server?

In addition to the letter content, other indicators are used to assess the integrity of emails. Antispam filters believe that the mail server administrator must prove the legitimacy of the letters sent from it. To deceive the filters, you may add two resource DNS records: SPF и DKIM.

SPF

SPF (Sender Policy Framework) is a method enabling administrators to produce whitelists of IP addresses from where emails are sent. As you are probably aware, the sender may put any domain in the MAIL FROM field (which is called spoofing). The purpose of SPF is to prevent such tricks.

The point is that everybody can get information about the sender’s domain and instructions specifying who can send emails (DNS is perfectly suited for that purpose). SPF is configured as follows: in the DNS zone settings, the mail service administrator adds a resource TXT record (optionally, it is also possible to add to the TXT record a resource SPF record created specially for SPF) in a certain format; the record lists IP addresses that can use the domain associated with this record. Then the receiver checks the sender’s IP address against the addresses specified in the resource records; if the verification is successful, it forwards the message further. The following header appears among the letter headers:

Authentication-results: spf=pass

If the verification fails, the letter is usually sent to the Spam folder: SPF inadequacy significantly lowers the rating of the message. More details about SPF and its syntax are available in an official document called RFC 7208. For pentesting purposes, a simple record allowing certain IP addresses and prohibiting everything else will suffice.

@yourdomain TXT "v=spf1 ip4:1.2.3.4 -all"` or `yourdomain.com TXT "v=spf1 ip4:1.2.3.4 ~all"
  • @yourdomain is the lower-level domain in the current zone (if the record is added to the example.com zone, it will relate to yourdomain.example.com) On some hosting services, the @ symbol is not used; so, review the hosting help for syntax rules;
  • v=spf1 is the version of SPF (only the first one exists so far);
  • ip4 is the IP address of the host for the whitelist (important: ip4, not ipv4);
  • -all means that the letter must be declined. The SPF syntax allows to do this in two ways: the ~ symbol indicates a ‘soft’ decline (the letter is received and placed in the Spam folder), while the dash indicates a ‘strict’ decline.

DKIM

DKIM (DomainKeys Identified Mail) is an email authentication method enabling the receiver to verify that the letter was indeed sent from the domain specified in its header. DKIM is based on asymmetric cryptography: a digital signature is affixed to each email; the open key must be associated with the sender’s domain and must be available to everybody. DNS is ideally suitable for that purpose, too. The receiving server will verify the digital signature using the open key. The scheme below illustrates the DKIM work principle.

DKIM operation scheme (source: ru.wikipedia.org)

DKIM operation scheme (source: ru.wikipedia.org)

The following processes are shown on the scheme:

  1. Prior to performing a operation, the mail server generates an open key and a closed key. Obviously, the closed key is stored in a safe place, while the open key is placed in the resource TXT record of the mail domain.
  2. Software used to affix a signature to the message every time it is sent is configured on the server (you may use for that purpose an open-source program called OpenDKIM).
  3. Every time the message is sent, it is signed using the closed key. In other words, a DKIM signature is generated and affixed to the message header (hashes are generated for the headers and body of the message and encrypted using an asymmetric algorithm).
  4. The receiver verifies the digital signature mentioned in the previous paragraph using the open key; if the verification is successful, then the recipient receives the message.

Of course, the above scheme is simplified; see RFC 6376 for more detail.

If everything is fine, then the receiver sees the following string in the Authenication-results header: dkim=pass.

One might think that DKIM is sufficient for pentesting purposes, but this is not the case because SPF and DKIM have slightly different goals. SPF tells the receiver what IP addresses are permitted to send messages using this particular domain; while DKIM confirms that the message was not altered in transit.

No problems arise if you configure a server on your dedicated IP address. However, if you configure a mail server on a VDS, you may encounter some issues. I suggest reviewing online resources describing how to configure the Postfix + OpenDKIM combination. Another important aspect: the length of the open key may be too big, while the hosting provider may prohibit long resource records. In such a situation, OpenDKIM divides the key into several parts enclosed within quotation marks.

At least, two methods can be used to circumvent this problem: (1) add several consecutive TXT records or (2) add one TXT record split into several parts. In the latter case, the line break symbol indicates the split. OpenDKIM puts the entire key within round brackets, encloses each of its parts within quotation marks, and divides the parts by putting spaces between them. Therefore, you have to remove quotes and round brackets (some providers allow round brackets in DNS records) and then insert the resultant text with line breaks into the TXT record.

Important: after configuring all the settings, make sure to check the correctness of the added records, especially if you use a multiple-line open DKIM key.

Phishing web site

Phishing sites are useful when you need to extract data from a certain online resource. People often use same passwords for various services; so, after a successful phishing attack, it makes sense to check other company’s services using the stolen account credentials. A phishing web site must closely resemble the original one. In some cases, you have to bypass two-factor authentication; for that purpose, use either Modlishka or Evilginx phishing tools.

If you are going to use a web site in your phishing campaign, keep in mind the following nuances.

First, enable the HTTPS support by adding a self-signed certificate to your site: many users trust the padlock in the address line having no idea of technical aspects of this function. If you use HTTP, the browser will repeatedly tell the user how risky it is to send confidential data openly. This may raise the users’ vigilance, which you definitely want to avoid. It is not that difficult to generate a certificate; for more detail, refer to the HackMag articles cited above.

Some companies offer so-called brand protection services, including protection from phishing (because a successful phishing attack may compromise the customer’s reputation). This includes the following operations:

  • monitoring company’s web resources for defacement or domain name hijacking;
  • monitoring the company’s network for phishing emails;
  • monitoring domains that strongly resemble the company’s domains and objects associated with these ‘twin’ domains (primarily, web sites and mail servers); and
  • monitoring company’s products enabling malefactors to act on its behalf (dynamic loading images, JS libraries, etc.).

Such companies also offer antiphishing extensions for browsers; these extensions advise users that certain sites are unsafe. For instance, in MS Edge, the combined efforts of various web services and the SmartScreen filter make it virtually impossible to visit a site recognized ‘potentially phishing’.

MS Edge blocks a potentially phishing site (source: ManageEngine.com)

MS Edge blocks a potentially phishing site (source: ManageEngine.com)

Chrome blocks a potentially phishing site

Chrome blocks a potentially phishing site

The word “potentially” is used because such blocking mechanisms sometimes affect perfectly legitimate sites.

Antiphishing extensions have already been released for many browsers; in addition, some browsers (e.g. Firefox) have built-in security mechanisms based on references and ratings. Overall, it can be said that antiphishing services and techniques are steadily developing and progressing.

To circumvent such traps, follow two simple rules:

  • if your phishing web site uses third-party resources, download these resources and deliver them statically from the web server because requests to third-party resources can be monitored. This is especially actual if the phishing site uses resources associated with popular browsers: the owners of these browsers normally track such things; and
  • the phishing site only when you are ready to use it, the brand’s security services may actively monitor the appearance of such sites on the web.

Payload setup

If you want to create malware to entrench yourself in the target network, keep in mind the following aspects:

  • test the malware in an isolated network;
  • disable Internet access when you test the reaction of the network security systems; otherwise, your malware’s signatures can be promptly added to antivirus databases;
  • never upload samples on public resources (e.g. VirusTotal);
  • use a web site to deliver the payload because sending such objects by email will 100% result in a failure; even an encrypted archive would likely be blocked by the customer’s security systems.

Of course, the above measures cannot guarantee success in 100% of cases because security system policies are sometimes configured in the most paranoid way; however, they raise the chance that your email won’t be blocked or sent to the Spam folder.

Stage 3. Drawing the bow

So, you have prepared the letter, compiled a mailing list, and deployed and configured the server. What’s next?

Next, you have to automate the process. Of course, you can write a command-line script that will use the CLI of your mail server to send out the phishing letters – but this is like reinventing the wheel. I suggest using popular phishing simulators instead. The most common free tool is Gophish; it automates the process using built-in mailing scripts and a template generator, automatically inserts the text into an email, and collects the statistics.

The monitored parameters include the opening of the letter (an invisible picture with the src attribute pointing to a special script running on the web server is inserted into the message) and following the link embedded in this letter. Overall, configuring Gophish is pretty straightforward and simple. The tool sends emails via an external web server that must be specified in the settings. Gophish cannot be used to read incoming emails (otherwise, it would be a mix of a mailing quasi-client and a phishing framework).

Everything seems to be ready to go. However, if you are going to use a phishing site, there is one last thing to do: post-exploitation in the victim’s browser. Sometimes, this allows to collect additional information, especially if the victim uses an obsolete browser version.

The most popular free solution is beefXSS browser exploitation framework. Its operation principle is simple: you add to your phishing site a script that subsequently connects to the command server deployed earlier. If everything works fine, you will be able to perform various actions from the command server in the admin panel of the web interface: from basic information collection (e.g. open ports on the client’s host and neighboring hosts, IP addresses of the host and its neighbors, etc.) to exploitation of vulnerabilities in the browser.

Keep in mind the following important aspects.

First, if the phishing site uses HTTPS, while the command beef server is HTTP-based, modern browsers won’t allow you to upload the script on an HTTPS-based site using the HTTP protocol. Therefore, you have to enable the HTTPS support in the config.yaml configuration file and specify the names of the key and certificate to be generated later. The config should include the following strings:

https:
    enable: true
    key: "your_key.pem"
    cert: "your_cert.pem"

Second, you have to allocate a domain (or a subdomain of a purchased domain) for your beef command server and reissue the certificate using letsencrypt. The key and certificate should be subsequently placed in the folder containing the beef server.

Conclusions

Phishing emails are neither a new nor the only social engineering technique. However, they are pretty efficient and applicable to nearly all situations. Every subtle detail collected at the OSINT stage is important: from email addresses to the business writing style used by the company.

If you intend to continue using your IP address or domain after the pentesting, make sure to check that they weren’t included in the DNS Black Lists (another popular antispam technology). If you want to deploy a dedicated server, also check your VDS against these lists.

Good luck in your pentesting endeavors!


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>