Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but once you realize you aren't getting command and control, that fuzzy feeling wears off quickly. Everyone knows in theory what Phishing is, what Phishing emails looks like, they even may even theoretically know how it all works. What about executing a Phishing Campaign? This talk will show you the journey of setting up and executing a Phishing Campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. An important understand in Phishing (like any attack) is the side of the victim; what they see and do in receiving a phishing email; this is referred to as advancing ones tradecraft. We will go through: - The main difference between phishing for clicks and phishing for shells - Choosing and setting up a Phishing Framework - Actions I take when learning something new - Testing delivery and bypassing Spam filters with Microsoft Click once - Testing different user interactions for executing payloads - Learning different payloads for command and control - Understanding the email minefield

Haydn has specialized in offensive security and cyber threat intelligence for over 4 years. He has extensive experience in Information Security, network/web penetration testing, vulnerability assessments, identity and access management and identifying near future threats that face organizations on the horizon. Haydn is considered an industry expert on PurpleTeaming, and has been published several times in online articles on this topic. Additionally, he has a Masters in Information Technology and holds the OSCP and GXPN certifications. Haydn regularly contributes to the infosec community, speaking at various conferences including HackFest, BsidesTO, BsidesLV and Sector.

Back to Circle City Con 2017 Videos list