Lure: Phishing Target Recon for GoPhish

Written By: Jayme Hancock August 12, 2019

Verizon’s Data Breach Investigations Report (DBIR) for 2018 stated that 32% of all breaches reported last year involved phishing. That’s not insignificant – as network security has advanced and the cost and barriers to a secure perimeter have lowered – attackers have moved to attacking the user directly. An absent-minded click could lead to a shell on the user’s system, and a convincing phishing e-mail could result in credentials.

Phishing is hard. We have to craft a perfect e-mail and landing page, with a pretext good enough to convince the user to trust an unsolicited message and click a link or open an attachment. But arguably the most important part of a successful phishing campaign is ensuring your email actually reaches the right people in the first place. On a white-box phishing engagement this is as easy as asking the client for a list of e-mail addresses and white-listing your phishing email. But on a black-box test, we don’t have these luxuries.

Black-box testing assumes you’ll be using Open Source Intelligence (OSINT) gathering to find email addresses on the internet to use in your campaign. This can be difficult and time-consuming. Each penetration tester has their own methodology for collecting targets, but manually identifying email addresses can lead to inconsistency and missed opportunities. A number of resources are available for harvesting email addresses, but a method is needed to make this process as simple, painless, and consistent as possible.

This week I’m releasing Lure, a tool for helping automate target collection on phishing campaigns. Lure interfaces with GoPhish, a popular open-source phishing platform written in Go. It leverages email search modules to compile a list of as many email addresses as possible and convert them into a format GoPhish can understand (including the target’s first and last name, email address, and position if that information is available). It then pushes the list to the GoPhish server, making the process fast and easy.

The current version of Lure searches three repositories of data: LinkedIn, theHarvester, and Hunter.io. Let’s quickly discuss how this works, because each module is a little different.

  • Hunter.io: Hunter.io is a paid service that claims it is “the leading solution to find and verify professional email addresses,” and frankly, it is. Geared toward lead generation, Hunter.io can take a domain and search its database for any results. It’s also possible to filter out shared accounts (think support@xyz.com). Note that there is a free account option for Hunter.io, but it’s restricted to 50 requests per month. Hunter.io uses API calls to retrieve information.
  • theHarvester: theHarvester is an open-source Python tool that “gathers emails, names, subdomains, IPs, and URLs using multiple public data sources”. While the data returned by theHarvester can be hit and miss, it’s a commonly used tool included with Kali Linux and other security-related operating systems, making it an easy addition to Lure. theHarvester provides output as an .xml file.
  • LinkedIn: LinkedIn has taken great strides to stop email scraping from occurring. However, LinkedIn pages are still indexed by search engines. Lure leverages Microsoft Bing’s API to obtain first and last names from Bing Advanced Search results, and combines them into the most common email format (first initial, last name @ company.tld). In future releases of Lure, additional email formats will be made available.

Lure can also take a CSV list of addresses you’ve found using other methods and append them to its search results, further increasing the size of your campaign. The email targets are then loaded into GoPhish as a group, automatically labeled with the name of the tester, the domain, and the date. All that’s left is to start the campaign itself, and wait for the creds to come rolling in.
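The flow described above (theHarvester output merged with a CSV of addresses found elsewhere, shared accounts and off-domain addresses dropped, and the result labeled with tester, domain, and date as a GoPhish group) as an added Python example. This is not Lure's own code. It assumes theHarvester's XML carries one `<email>` element per address, uses GoPhish's CSV import column names ("First Name,Last Name,Email,Position"), and builds a request for GoPhish's `/api/groups/` endpoint with a bearer API key; the sample XML, CSV, tester name and server URL are constructed.

```python
import csv
import io
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample in the assumed theHarvester XML layout:
# one <email> element per address, hosts in <host> elements.
SAMPLE_HARVESTER_XML = """<?xml version="1.0"?>
<theHarvester>
  <email>jdoe@example.com</email>
  <email>support@example.com</email>
  <email>Alice.Smith@example.com</email>
  <host><ip>203.0.113.10</ip><hostname>mail.example.com</hostname></host>
</theHarvester>"""

# Constructed CSV of addresses found by other means, in GoPhish's import layout.
SAMPLE_EXTRA_CSV = """First Name,Last Name,Email,Position
Bob,Jones,bjones@example.com,IT Manager
Jane,Doe,jdoe@example.com,Accountant
Eve,Unrelated,eve@other.example,Contractor
"""

# Shared mailboxes are poor awareness-test targets (nobody "owns" the click).
ROLE_ACCOUNTS = {"support", "info", "admin", "sales", "noreply", "no-reply",
                 "postmaster", "abuse"}


def is_role_account(email):
    """True when the local part is a shared/role mailbox rather than a person."""
    return email.split("@", 1)[0].lower() in ROLE_ACCOUNTS


def parse_harvester_xml(xml_text):
    """Return every non-empty <email> element from theHarvester-style XML."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter("email") if e.text and e.text.strip()]


def parse_gophish_csv(csv_text):
    """Read rows in GoPhish's 'First Name,Last Name,Email,Position' layout."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{"first_name": r["First Name"].strip(),
             "last_name": r["Last Name"].strip(),
             "email": r["Email"].strip(),
             "position": r["Position"].strip()} for r in reader]


def merge_targets(domain, harvested_emails, extra_rows):
    """Merge both sources keyed by lowercased address, keep only in-scope
    people, and let CSV rows fill in names the XML does not provide."""
    domain = domain.lower()
    merged = {}
    blank = lambda e: {"first_name": "", "last_name": "", "email": e, "position": ""}
    for email in harvested_emails:
        merged.setdefault(email.lower(), blank(email.lower()))
    for row in extra_rows:
        key = row["email"].lower()
        entry = merged.setdefault(key, blank(key))
        for field in ("first_name", "last_name", "position"):
            if row[field] and not entry[field]:
                entry[field] = row[field]
    in_scope = (t for t in merged.values()
                if t["email"].endswith("@" + domain) and not is_role_account(t["email"]))
    return sorted(in_scope, key=lambda t: t["email"])


def build_group(tester, domain, targets, label_date=None):
    """GoPhish group payload labeled tester_domain_date, as the post describes."""
    label_date = label_date or date.today().isoformat()
    return {"name": f"{tester}_{domain}_{label_date}", "targets": targets}


def build_push_request(base_url, api_key, group):
    """Build (but do not send) the POST that would create the group in GoPhish."""
    body = json.dumps(group).encode()
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/api/groups/", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key})


if __name__ == "__main__":
    targets = merge_targets("example.com",
                            parse_harvester_xml(SAMPLE_HARVESTER_XML),
                            parse_gophish_csv(SAMPLE_EXTRA_CSV))
    group = build_group("tester", "example.com", targets)
    print(json.dumps(group, indent=2))
    req = build_push_request("https://gophish.invalid:3333", "API_KEY_PLACEHOLDER", group)
    print(req.get_method(), req.full_url)  # sending it is left to the operator
```

Running the script prints the group JSON; `support@example.com` and the off-domain contractor are filtered out, and `jdoe@example.com` picks up the name and position from the CSV row even though theHarvester only returned the bare address. Sending the request with `urllib.request.urlopen(req)` is the one step left out so the example runs offline.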

BSI AppSec includes basic phishing services with all penetration tests to provide a quick assessment of end-user awareness and identify where gaps exist. In addition, the credentials harvested provide much more realistic penetration test outcomes. Attackers are already targeting your users, and knowing exactly what the ramifications are can help determine your path to mitigation. BSI AppSec also offers advanced phishing assessments that include well-crafted lookalike domains, spearphishing, and the option to include malicious payloads to gain internal network footholds.

Jayme Hancock

Jayme Hancock is a Penetration Tester with AppSec Consulting with 14 years of experience in the Information Technology field as a systems administrator and security professional. He holds the Offensive Security Certified Professional (OSCP) certification, the Certified Information Systems Security Professional (CISSP) certification, the Certified Ethical Hacker (CEH) certification, and the GIAC Certified Enterprise Defender (GCED) certification. He has helped secure and implement network systems for small and medium businesses, as well as Fortune 500 companies. Over the past five years, he has implemented and managed the HIPAA compliance program for an insurance brokerage from the ground up, including creating and enforcing security policies and performing compliance audits and penetration tests. He served on the board of directors for a local ISSA chapter from 2013-2014 and is active in the information security community.