In the modern world, we are all very aware that email exploits and phishing attempts are one of the largest attack factors on any company, for all the advancements in Security email despite being secure and having a certificate attached to it if still very much any event that is in the hands of the recipient.
Unlike other events that can be controlled like your login which can go through access or one of many CASB solutions, email is still received on TCP:25 Which is the good old SMTP standard.
Nobody anymore should be using POP3 (TCP:110) or IMAP4 (TCP:143) as many of these legacy protocols do not support the model authentication technologies.
Phishing Simulation
You have many solutions where you can simulate phishing attacks, however many of these tools even though people will still click on them or not very effective and to the train die they stand off by a mile, The general motive when you’re using these kind of simulations due to their limitations is changing all the clickable links to a URL that is clearly wrong and you’re hoping User doesn’t spot it - And on some of the attack emails I’ve seen that for a simulation they are very obviously not real but there seems to be a disconnect between test and security and Peoples conception of what is secure.
Deciphering Phishing Emails
If you know where to look it’s actually quite easy to spot these phishing emails, the big giveaway for most these products are the message headers, if you have received an official email from for example the government from a .gov.uk email address, that email is external to your company so the message headers should see you going through quite a few emails servers for that message to get to you, however, when you examine the message headers, it reports it’s not been through a single email server from outside your company or for that matter inside your company - Which means based on the SMTP works email is fake and is trying to catch you out, Unfortunately, many people do not check message headers to verify authenticity.
Hindsight and how you minds work.
If you are unlucky enough to not spot the signs and symptoms and check the headers and you click on the innocent links you will most likely be presented with a webpage that tells you something along the lines of “You have leaked your credentials” or “This was a phishing attempt that you’ve not passed”
It’s at that exact point you are told it’s fake you go back to the email analyse it again and realise things don’t look right, hindsight is such a wonderful and pointless commodity, It’s taken you to click on the email to be sent to a dodgy site to realise it was dodgy, In the eyes of scammers and cyber criminals that game over depending on what the email was supposed to do.
Once you click that email, it will have reported back that your email address has clicked the dodgy link and somewhere you will come up on a report that you’ve not passed the test, the interesting question is when the next batch of test come out are you going to do any better?
Self Made - Phishing Test - I wonder?
That is what leads me to the purpose of this post, I was wondering if I could do my own phishing test that will work slightly differently, The payload is exactly the same, but it starts Its life as a website, In this example, I have used a big red button that pulses and tells the user not to click it - one of the things humans seem to want to do is click a big red button, especially when they’re told not to click it…..
Red button website
The website is always more visually appealing because you could animate that big red button and the big red button is illuminated and it pulses, When you hover your mouse over the button goes dark but the background shadow lights up
Obviously, what you put here is open to your graphical design abilities, but I chose a big red button because the big red button that tells you not to click it, therefore excuses can only be “I was curious what it did” and unfortunately, simulations like this it’s always curiosity that will end up killing the cat.
Then when you hover over the link it turns a a darker colour with a glowing background as below:
Red button email delivery
This will obviously be less interactive and you will not get in the button jump around with an email, but it’s the same concept as the website, If you send an email with a big red button telling people not to click it, will they click it, Will curiosity get the better of them will they resist and report it?
Obviously, I do not recommend doing one as obviously this because you might as well on the button put the words “Phishing - DO NOT CLICK” However, if you do decide to take this approach, do not be surprised if you still get people clicking it.
While it looks enticing in a website if you but that HTML in a email, you get a problem immediately as emails cannot display the CSS content so it looks like this, which is awful as you can see below:
However with a bit of static images you can make the email work, however its not as nice as the website:
Free watch email delivery
I would rather in a corporate setting go for you qualified for a free Apple Watch, but supplies are limited so place your order now.
With this approach, you have the option of getting something for free at good value, Then you had the constrain timelines that if you don’t do something, you will miss out on your free expensive gift that should fire enough human responses to get a click.
If you are worried about a free watch and free shipping, then you can quite easily add a delivery charge of £22 but that is down to viewpoint - That might put many people off.
You will get the odd pocket of people that will think to themselves I don’t recall entering a draw to win a free watch, All the other thought people may have is you don’t get anything for free - The resistance in this department will be very weak.
If you’re looking to do the free watch delivery mechanism, you could do something like this with all the links in this email will take you to the payload site:
Payload delivery website
This is the website the victim, correction, user will end up on after click the link, this website should be obvious that they clicked on a link they shouldn’t have but not be a story and giving them a lesson about cyber security, once this page is displayed, the user will immediately know exactly what they’ve done wrong, keep this short and sweet.
IIS you say?
However, this website has additional requirements using the authentication, this particular payload website is running on IIS, why IIS I hear you ask?
Yes, I usually use Apache and PHP, but many corporate domains will be running Windows, and That makes it very easy using iOS to extract the logon ID of the person that visited the payload website.
Copy Folder to correct directory (virtual folder)
When you have your website designed copy it to the server, and this, I’ll be using default location paths so that will be c:\Inetpub\www - I have been created a new folder in that directory called it “Payload” copied my HTML and other code to that folder, this will now be referred to as a virtual directory.
IIS usually uses the anonymous authentication account, which means everybody is logged in with a generic account to use the website, However, when you take a look at the IIS logs You will notice that the login request activity contains the IP and where they’re going but nothing to do with who they are:
2024-07-06 16:21:17 10.242.8.164 GET /Payload/ - 443 - 10.245.161.136 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/126.0.0.0+Safari/537.36+Edg/126.0.0.0 - 401 2 5 19
We need to change this from anonymous to Windows authentication, so navigate to IIS manager, then expand the default website, then finally find your directory underneath the default website and click on your folder name - in this example, I have called mine Payload
Note: Please do not give your name virtual directory name like payload because the name you give it will form part of the URL, That is a giveaway that it’s going to do something suspicious, Instead use something linked to the product like Watch (meaning the directory will be /Watch/)
Once you have clicked on the name of your virtual directory, on the right hand side, you should see an option for authentication, double click on this option:
You should now say a list of authentication protocols used for this virtual directory, You will notice the anonymous authentication at the top is enabled, You will notice the entry at the bottom that says windows authentication is disabled
We now need to disable anonymous authentication and then enable Windows authentication once Complete, that should look like this:
One last change to make, once you’ve clicked on windows authentication on the right side toolbar you will see the option for providers as below, click on that hyperlink:
This will then show you all the providers used in Windows authentication you will notice the list for by default say NTLM followed by Negotiate - we need these the other way around so using the up and down arrows click on Negotiate and click the up arrow once, it should now be at the top:
Excellent, You have now configured this virtual directory to log the user credentials when they visit the site, After you enable this setting when you start a new browser session for logs will then look like this:
2024-07-06 16:21:21 10.242.8.164 GET /Payload/ - 443 BEAR\naughty.cub 10.245.161.136 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/126.0.0.0+Safari/537.36+Edg/126.0.0.0 - 304 0 0 106
If you can confirm, we now get a login ID which is actually the samAccountName - your configuration has been successful and we can move onto the next section.
Script : Red Button Extractor
We now have your payload website automatically logging every user that visits the website, this is done invisible to the user as it’s using windows authentication to seamlessly pass your credentials to IIS and therefore the logs.
Now the reason we need this will become clear, what we need to do now with this script is go through the most recent IIS log, which will now have all the users that have visited the payload website, then the script options are simple:
- Open the latest IIS log files
- Look for login ID information and specific virtual directory
- Extract the login ID from that log
- Look up the thumbnail photo stored in active directory for each user that has clicked the website
- Download those thumbnails to a specified directory
- Download only the thumbnail photo once per user
- When you execute the script, it will follow the logic above for each user visited the website it will download a single thumbnail photo for each unique user.
Visually, sequential numbers in in the red box and hexadecimal numbers is in the green box:
The Script - RedButton-Photo.ps1 (Sequential Numbers)
When the script is run it will output all the valid log entries and will report on the thumbnail status and the location of that thumbnail:
Thumbnail image for user naughty.cub saved to C:\Photos\userThumbnails\User1.jpg
This is where we display the thumbnail photo for each employee in a grid that has the dimensions 4x4, it will randomly read files from the directory where we have our user photos and display them in a random order.
Note : If the person has no thumbnail photo, then they will not appear on this grid, to appear on this grid, they are required to have a thumbnail photo that needs to be present in ADDS.
Each time the F5 key is pressed you will be presented with random people that have clicked on the phishing website from their thumbnail photo data, the key here is random, this is absolutely not targeted as certain users.
This website then for the purposes of this blog entry will only display peoples faces in a grid style randomly, this proves that this process can work and it turns into being a mugshot of people that have clicked.
Coding requirements
First you need the defautl.aspx which creates the 8x2 grid and that will also call the script:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html>
<html lang="en">
<head runat="server">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Image Grid</title>
<style>
.grid-container {
display: grid;
grid-template-columns: repeat(8, 1fr);
grid-template-rows: repeat(2, 1fr);
gap: 10px;
padding: 10px;
width: 100vw;
height: 100vh;
box-sizing: border-box;
}
.grid-item {
position: relative;
}
.grid-item img {
width: 100%;
height: 100%;
object-fit: cover;
display: block;
}
</style>
</head>
<body>
<form id="form1" runat="server">
<div class="grid-container" id="ImagesContainer" runat="server">
<!-- Images will be loaded here dynamically -->
</div>
</form>
</body>
</html>
Then you need the script, here called default.aspx.cs - this will red the folder with the thumbnail images and randomly select some to fill up the 8x2 grid:
You will know that has worked as you will now see the "application" icon next to your website rather than the folder icon:
Grid Example (with fake people from free thumbnails and 2x of me)
There all done and now you have lure website/email with a payload then a dynamic grid of people who have clicked the link with the photos coming from the ADDS thumbnail photo.