Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but once you realize you aren't getting command and control, that fuzzy feeling wears off quickly. Everyone knows in theory what Phishing is and what Phishing emails look like; they may even know, in theory, how it all works.
What about executing a Phishing Campaign? This talk will show you the journey of setting up and executing a Phishing Campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. An important thing to understand in Phishing (like any attack) is the victim's side: what they see and do when receiving a phishing email. This is referred to as advancing one's tradecraft.
We will go through:
- The main difference between phishing for clicks and phishing for shells
- Choosing and setting up a Phishing Framework
- Actions I take when learning something new
- Testing delivery and bypassing Spam filters with Microsoft Click once
- Testing different user interactions for executing payloads
- Learning different payloads for command and control
- Understanding the email minefield

Haydn has specialized in offensive security and cyber threat intelligence for over 4 years. He has extensive experience in Information Security, network/web penetration testing, vulnerability assessments, identity and access management and identifying near-future threats that face organizations on the horizon. Haydn is considered an industry expert on PurpleTeaming, and has been published several times in online articles on this topic. Additionally, he has a Masters in Information Technology and holds the OSCP and GXPN certifications. Haydn regularly contributes to the infosec community, speaking at various conferences including HackFest, BsidesTO, BsidesLV and Sector.
Copyright 2020, IronGeek