Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control. Everyone knows in theory what phishing is, what phishing emails looks like, they even may even theoretically know how it all works. What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network. We will go through: Choosing and setting up a Phishing Framework Cloning a site Testing delivery and bypassing Spam filters with a payload (Click Once) Testing different user interactions for executing payloads Learning different payloads for command and control

Haydn has over 4 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management and Cyber Threat Intelligence. Additionally, he has a Masters in Information Technology and holds the OSCP and GXPN certifications. Haydn regularly contributes to the infosec community, speaking at various conferences including HackFest, BsidesTO, BsidesLV and Sector. https://ca.linkedin.com/in/haydnjohnson

Recorded at NolaCon 2017