So just in case it doesn't get approved for being a valid comment, here is my response to
http://valleywag.gawker.com/nothing-says-welcome-to-our-tech-conference-like-a-towe-1617722289
I 100% agree with ladywhohacks. I was one of the chicks (and there were several of us) who helped the dudes create this amazing masterpiece of engineering. I don't normally get into the whole sexist in infosec bitchfest that manifests itself among articles like this as well as twitter, facebook, and other mediums unless I'm trolling them of course. But I think we were all very proud of this! Every single one of us had fun erecting this magnificent structure.
A couple things that are my views on the whole sexism stuff (I'm always willing to talk at length in private if you'd like):
1. I understand that some people have witnessed it first hand. But it's not just infosec it's life in general. Yea so have I.... so what. That doesn't mean that I'm going to get butt hurt on everything that has somewhat of a sexual connotation to it. Sex is awesome, it's in our lives everywhere, and it can be extremely funny. If it (or anything else for that matter) makes you uncomfortable, then leave or go into a profession that isn't so fun loving or crude. For God Sake McAfee signed a poster board sized goatse, and we're complaining about a tower of condoms?
2. It's awesome that they were promoting safe sex. But honestly how is it all of a sudden women being oppressed by it? Isn't it both parties responsibility to be safe? So we decided to have fun with them. I myself along with another girl and her husband created an anatomically correct Trojan horse!! Get it?!?! Well if you're complaining you either don't get it or are as equally offended.
3. How about OMG They were BLACK boxes?!?! Where are all the colored folk screaming about their feelings?! Or it started out short but then got taller. HEIGHT EQUALITY!! I'm 100% for all equality. But this isn't how you go about it. I recently had a get together at CircleCityCon in June called #girlpowerlunch Bondage & Backups. This was met with a little bit of scrutiny and some girls in infosec getting their panties all bunched up and acting like they were on a high school cheer leading squad again. Again let me reiterate, if it's something that you don't agree with ignore it. Unless it's a blatant disregard of human life or someone is going to seriously get (physically) hurt.
4. Almost every guy that I've met in this industry is extremely open and willing to teach everyone and anyone what they know and their passion. Yes there are assholes out there. But that's life. So how about we pick out the people that are actually being jerks and ostracize them instead.
In summary: grow a fucking pair and get a sense of humor
EDIT:
After another "incident" at Shmoocon 2015 A friend of mine decided to try and approach the topic as well and also nails it in the article and responses in the comments.
http://www.iamit.org/blog/2015/01/sensationalism-doing-more-damage-than-good/comment-page-1/#comment-933
Which made me also add this, a shortened portion of a conversation that I've had with an abundance of people.
5. I know a decent amount of people in this industry that are into the con circuit. Each and every one of them would come to someone's help if there was an act of harassment or worse happening. No it doesn't always happen in public, but sometimes it does. That's what we do. we stick up for each other, we have each other's backs, we're a family. Taking care of our own is what we do.
Sunday, August 17, 2014
Monday, February 3, 2014
Hackers Are People Too
We are hackers and we are proud.
We question and answer, we break and fix, we create and destroy, we attack and defend, we teach and are taught.
We provide value by inspiring others to do the same.
We care about the safety of your data!
Hopefully this article will help enlighten you to what a "hacker" truly is. We want to spread the word and break the negative stereotypes that come with the word and profession.
We'll start off with a couple questions.
1. When you think of a hacker what do you think of?
Some of the most prominent hackers in recent news would be Edward Snowden or Anonymous as well as other nameless groups or people. Most of these people/groups/activities have a negative connotation right? Nothing but a bunch of hi-tech criminals. But then again, most of the news that sells is negative. Who wants to write a story about the 99% of hackers that are doing good work in the local and global economies? Well, since you're here reading this article, it means this newspaper, website, blog, etc... feels that it is just as important.
The first time I actually considered myself a hacker was during my first trip to a “hackercon” (conference) called DerbyCon in Louisville, KY. When I arrived I was blown away at the sheer amount of knowledge and skill that I was surrounded by. I felt like a very small fish in a giant ocean. But I have to tell you, there wasn’t a single person that was too good to talk to me. They would strike up conversations as you walked by, while we were in talks learning, and if they saw you out in a restaurant. They were there to teach just as much as they were there to learn. The security practices and tools that I learned about that weekend not only would help the security of the organization that I work for, but the security of the data of everyone in the community. In those three days I realized that I wanted to work in Information Security and become a good hacker (aka “White hat”).
One thing that really upset me was during DerbyCon a reporter at WDRB in Louisville posted to his Facebook and Twitter account this
“I don’t know how I feel about this--DerbyCon happening at Hyatt downtown. It’s a convention for computer hackers. Sessions include password cracking, hacker war games and a lock picking pavilion. Thoughts?” - Sterling Riggs
This sparked some very hurtful comments from the residents of the city. Such as “The cops should be waiting to arrest anyone upon their arrival. It’s a shame that people have the brains to do stuff like that, but are too lazy to get a real job…” and “Should be outlawed”. We need to stop letting this fear mongering happen and stop participating in it when it does. As a single mom of three, I’ve had a steady job since I was 16 and would rather not go to jail for trying to help others.
Hackers are all around you. Hopefully bettering the company you work for, the hospital you need to visit, the stores you shop at, and the services you use. We’re there, but you don’t realize it because we’re doing our job to protect you and your data. Yes there are a lot of threats out on the internet, but with the bad come a whole lot of good.
An amazing group of hackers is Hackers For Charity (HFC) www.hackersforcharity.org. Hackers for Charity's Food for Work Program feeds hungry children in Africa but also teaches them to grow gardens to become self-sufficient. They have a whole group of volunteers that travel from city to city and attend hacker cons to raise money for this cause through auctions, t-shirts, zombie makeup drives, and more.
An extremely popular con is DEF CON. Located in Las Vegas, Nevada, DEF CON is possibly the largest con in the USA, drawing people from around the world. In 2010, over 10,000 people attended DEF CON 18. At almost last minute notice project Bloodkode was setup to accept blood donations for a member of the community that had become ill. In the first hour all of the appointments had been filled, and they had to actively turn away donors. Bloodkode has now been expanded and will continue to collect donations at each DEF CON.
2. How many of you would purchase a car for your family that had never gone through crash or safety testing?
Companies of every size and every household should think of their data the same way. Wouldn’t you want to be for certain that your car wouldn’t blow up at the next pothole? Or that it had seatbelts, warning lights, airbags, etc? Well that’s a good analogy that describes why hackers break stuff! We enjoy and most times get paid to try and break into systems or make them do things that they aren’t meant to do. Because if we didn’t someone else would.
3. What questions can we answer for you? About our community, the work we do, or the lives we lead? Maybe you’re interesting in getting into this field of work as well?
#HackersArePeopleToo <3 @Infosystir
We question and answer, we break and fix, we create and destroy, we attack and defend, we teach and are taught.
We provide value by inspiring others to do the same.
We care about the safety of your data!
Hopefully this article will help enlighten you to what a "hacker" truly is. We want to spread the word and break the negative stereotypes that come with the word and profession.
We'll start off with a couple questions.
1. When you think of a hacker what do you think of?
Some of the most prominent hackers in recent news would be Edward Snowden or Anonymous as well as other nameless groups or people. Most of these people/groups/activities have a negative connotation right? Nothing but a bunch of hi-tech criminals. But then again, most of the news that sells is negative. Who wants to write a story about the 99% of hackers that are doing good work in the local and global economies? Well, since you're here reading this article, it means this newspaper, website, blog, etc... feels that it is just as important.
The first time I actually considered myself a hacker was during my first trip to a “hackercon” (conference) called DerbyCon in Louisville, KY. When I arrived I was blown away at the sheer amount of knowledge and skill that I was surrounded by. I felt like a very small fish in a giant ocean. But I have to tell you, there wasn’t a single person that was too good to talk to me. They would strike up conversations as you walked by, while we were in talks learning, and if they saw you out in a restaurant. They were there to teach just as much as they were there to learn. The security practices and tools that I learned about that weekend not only would help the security of the organization that I work for, but the security of the data of everyone in the community. In those three days I realized that I wanted to work in Information Security and become a good hacker (aka “White hat”).
One thing that really upset me was during DerbyCon a reporter at WDRB in Louisville posted to his Facebook and Twitter account this
“I don’t know how I feel about this--DerbyCon happening at Hyatt downtown. It’s a convention for computer hackers. Sessions include password cracking, hacker war games and a lock picking pavilion. Thoughts?” - Sterling Riggs
This sparked some very hurtful comments from the residents of the city. Such as “The cops should be waiting to arrest anyone upon their arrival. It’s a shame that people have the brains to do stuff like that, but are too lazy to get a real job…” and “Should be outlawed”. We need to stop letting this fear mongering happen and stop participating in it when it does. As a single mom of three, I’ve had a steady job since I was 16 and would rather not go to jail for trying to help others.
Hackers are all around you. Hopefully bettering the company you work for, the hospital you need to visit, the stores you shop at, and the services you use. We’re there, but you don’t realize it because we’re doing our job to protect you and your data. Yes there are a lot of threats out on the internet, but with the bad come a whole lot of good.
An amazing group of hackers is Hackers For Charity (HFC) www.hackersforcharity.org. Hackers for Charity's Food for Work Program feeds hungry children in Africa but also teaches them to grow gardens to become self-sufficient. They have a whole group of volunteers that travel from city to city and attend hacker cons to raise money for this cause through auctions, t-shirts, zombie makeup drives, and more.
An extremely popular con is DEF CON. Located in Las Vegas, Nevada, DEF CON is possibly the largest con in the USA, drawing people from around the world. In 2010, over 10,000 people attended DEF CON 18. At almost last minute notice project Bloodkode was setup to accept blood donations for a member of the community that had become ill. In the first hour all of the appointments had been filled, and they had to actively turn away donors. Bloodkode has now been expanded and will continue to collect donations at each DEF CON.
2. How many of you would purchase a car for your family that had never gone through crash or safety testing?
Companies of every size and every household should think of their data the same way. Wouldn’t you want to be for certain that your car wouldn’t blow up at the next pothole? Or that it had seatbelts, warning lights, airbags, etc? Well that’s a good analogy that describes why hackers break stuff! We enjoy and most times get paid to try and break into systems or make them do things that they aren’t meant to do. Because if we didn’t someone else would.
3. What questions can we answer for you? About our community, the work we do, or the lives we lead? Maybe you’re interesting in getting into this field of work as well?
#HackersArePeopleToo <3 @Infosystir
Tuesday, December 24, 2013
T'was The Scan Before Christmas
Twas the scan before Christmas, when all through the NOCs
Not an admin was patching, not even for SOX.
The cat5 was strung up in beautiful spindles,
As the hope it would stay that way quickly dwindles.
The servers were nestled all snug in their racks,
While disks hummed and lights flashed on jacks.
The sysadmin in his Tux shirt, and I in my cap,
Had just hyped up on coffee to stave off a nap.
When on the monitoring screen arose such a clatter,
I turned just slightly to see what was the matter.
Away to my command prompt I typed in a flash,
Right-click, open, come to me bash.
I panic, I sweat, the desk meets my head,
What piece of shit did they successfully embed.
When, what to my wondering eyes should appear,
But a dude with no pants on, it was perfectly clear.
With a high-gain antenna along for his quest,
I knew in a moment it was a pentest.
More rapid than fiber his fingers did fly,
A grumble he made, the jr. admin starts to cry.
Now APT! Now phish! Now, vuln and attack!
On HIV! On, encrypt! On, cyber and crack!
To Hell we must go! Turn up the dubstep!
To deal with the vendors, cope with inept!
As the time comes around to check mark the boxes,
To keep vendors happy, those damn sly foxes.
So on to the testing, start up the scan,
Lets punch some holes in that software tincan.
And then, in a twinkling, I heard in his voice,
Spearfishing will be my method of choice.
As I drew in my head, and was turning around,
His eyes said don't worry, just CTF down.
He now spent time waiting, biding his time,
For what he had set was a victimless crime.
A shell he had wanted, now shown on his screen,
His face had lit up like an excited pre-teen.
His eyes-how they twinkled! His neck-beard so hairy!
His legs were so placid, his name, maybe Gary?
His teeth were clenched in a victory smile,
As he exported his findings to an ascii text file.
The scope he was given, made him laugh just a bit,
POS systems are not something to omit.
But write his report he shall do with a grin,
Oh, your whole network, the places he's been!
Default creds, sa password, and local admin,
PCI data, HIPAA, and click to login.
Metasploit helped with a bit of SET magic,
The board's quote? "This is fucking tragic."
He said no worries, we're here to help you out,
This place will be cleaned, beyond any doubt.
To defcon, derbycon, shmoocon you'll go,
Oh, all the wonderful things you'll now know!
He left in a fluster, red team let's leave!
These admins need some good time to greive.
But I heard him exclaim, ‘ere he stomped out of sight,
Pwny Christmas to all, and to all a good fight!
(What happens when I work on Christmas Eve)
Thursday, December 5, 2013
Internal Social Engineering Documents
So I know it's not pretty, but I'll work on that later. I've added a second "Downloads" page linked to my Google Drive. These are documents that I've worked on for our internal Social Engineering and Training program. The program is still being developed, but I've stripped out all of our company headers and info so you can customize as you wish.
Friday, November 29, 2013
Mapping drives with Group Policy to a DFS Target that is using ABE
This blog post is something that we'll be migrating towards to fix several annoyances that I have with our infrastructure. We have one giant clusterfuck of login scripts here. At a certain point someone thought it would be a great idea to give every AD user their own to map drives with and not standardize anything. We also have WAY too many file servers with user and department drives. Combination of clustered/standalone, physical/virtual, windows 2003/2008/2008R2. We'll be moving away from all of them to groups of DFS namespaces. I've created two servers DFS01 and DFS02. They will be housing the Depts DFS namespace on their E: drives. After all department drives have been moved over, we will also have a set for home drives, and certain areas that would need their own.
The Design:
Using the GPO over all of my users I entered in a drive mapping to the DFS namespace with Item-level targeting. We have many people that need access to more than one department drive, so why use up drive letters needlessly? When these department drives were mapped I didn't want anyone to see a department they either weren't a member of or didn't manage. The department drive will be the T: mapped drive for everyone, company wide, and the departments you need to view will show up based on what AD security group you are a member of. Everything will be setup for growth, using best practices. No more adding user accounts to shares and NTFS permissions, or file servers crashing and preventing logins for hours, or a 3TB clustered file server decide it wants to chkdsk in the middle of the day, should I go on? no? fine then.....
Setup:
- Install DFS - It's a Role Service under File Services. If you are unsure how to do this, google it, or wing it. It's not that bad.
- On the E: drive I created two folders "DFS" and "Shares". I've shared "Shares" as Shares$ with Authenticated Users having Read NTFS permission.
File Share Creation:
- Navigate to your "Shares" folder and create your first folder that you plan on mapping DFS to. In this example I have created a BusAnalysts folder that only has Admins and the DFS-BusAnalyst security group in AD as read/change for NTFS permissions. I'll also follow the same structure to create a CareMgmt folder to show that one will show up and the other won't later on when ABE has been finished.
Distributed File Servers and Access-Based Enumeration:
- Open up DFS Management
- Right-click on Namespaces and select "New Namespace"
- Enter the Name of your DFS Server, ours is listed as DFS-SERVER01, and in later screenshots is changed to a blurry spot DFS01.
- Now select your DFS name, ours will be "Depts".
- Select Edit Settings. The local path of the shared folder needs to point to the DFS folder that was created in step 2. The default points to the C: drive, and that's not what you want. The permissions will be set to the same (Everyone removed, & Authenticated Users = Read) under Customize. Click "OK">"OK">"Next".
- Select the defaults on the next screen and then "Next".
- Verify all the information is correct and click "Create" then "Close".
- Next we have to enable ABE. Right-click on your namespace go to Properties>Advanced and select "Enable access-based enumeration for this namespace" and "OK".
- Now create a new DFS Folder that will map to your shared sub-folder. The preview of the namespace should be pointed to where you specified in step 5, and will show up as a shortcut in that folder when you view it on the server. The folder targets should be pointing to the folder under Shares$. Click "OK".
- This is the part that pretty much eluded me for a week or so. I guess I just assumed ABE would pick up and do the right thing without any additional intervention.... WRONG!! soooo Right-click on your newly created DFS folder and go to Properties>Advanced> and select the "Set explicit view permissions on the DFS folder" radio button. Add your specific DFS group to be able to see this DFS target, in this case it's DFS-BusAnalyst. I'll do the same thing for the CareMgmt folder as well as every other DFS folder that is added.
Group Policy Drive Mapping:
- In the proper GPO (where your users are located) navigate to User Configuration>Preferences>Windows Settings>Drive Maps to create a new drive mapping.
- The location will be the DFS target, in this case it's \\domain.local\depts, I've labeled it as "Department Drive", and I'm using the T: drive.
- Navigate to the Common tab and select "Item-level Targeting".
- Under "Targeting" we'll want a rule saying that it will apply to any user that is in a certain security group. Our naming convention will be DM(drive map)-ABCD(company name)-DFS-DEPT. So as long as you are in the DM-ABCD-DFS-DEPT you will have a T: drive mapped to //domain.local/depts when you login.
And we're done! On our way to becoming that much more organized :)
Friday, September 6, 2013
Cisco SNMP v3 settings for PacketFence using clogin via Rancid
First off, could I really fit any more key words into the post title?
Secondly, I'm fairly new to scripting and linux in general. So forgive me if I get some terms or other stuff way wrong. I've recently been tasked with setting up a NAC (Network Access Control) for our network. We're starting small, only conference rooms at first. We have around 40 or so conference rooms, I think.... The goal is to use PacketFence by Inverse to allow guests and vendors access to our guest network, and employees access to our internal network.
PF will allow you to push switch vlan changes via snmp, but one of the big hurdles for me was the SNMP v3 setup since I've never set it up before. After figuring it out on a single switch I realized that I didn't want to manually make changes to all of our Cisco switches. Which lead me to clogin that comes with Rancid (Really Awesome New Cisco confIg Differ). clogin will allow you to make multiple changes using a command file to the switch(es) of your choosing.
Third, I hope you enjoy my liberal use of smudgery.
Step 1: Install Rancid: http://www.shrubbery.net/rancid/RhysEvans_overview_0.3.pdf
Step 2: Setup switch in PF:
Step 3: Setup the .cloginrc file
This file (under root) holds all of the usernames/passwords that clogin will use when attempting to auth to a device. We use ssh on everything and setup a TACACS account specifically for packetfence testing. This is what I've added to the bottom of ./cloginrc
add user * {PFTestAccount}
add userpassword * {TermPassword} {EnablePassword}
add password * {TermPassword} {EnablePassword}
add method * ssh telnet
Step 4: Send global switch commands via clogin. In the default setup clogin is located under /usr/local/rancid/bin and must be ran as the user rancid if you've followed the instructions above.
Global commands, saved in SNMPv3.txt:
snmp-server engineID local 123450000000000000000000
snmp-server group PFREADGROUP v3 priv notify *tv.00000000.00000000.00000000.0
snmp-server group PFWRITEGROUP v3 priv read PFREADVIEW write PFWRITEVIEW
snmp-server community PFREADWRITESTRING RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 2
snmp-server host 172.16.x.x OtherCorpReadOnlyString
snmp-server host 172.16.x.y version 3 priv PFREADUSER port-security
Clogin command:
./clogin -x /usr/local/rancid/scripts/SNMPv3.txt 172.16.x.y
Result:
Step 5: Interface config:
Now there are a couple ways we could go with this. We could include this config in with clogin as long as we could pick the same port on ever switch. I have yet to find a way to prompt for each switch with my limited knowledge. Or the way I'll be doing it, going through and finding out which port on which switch I need setup, and creating a different command file for clogin to pull from. It's probably not the best way, but still better than logging manually into each switch and running every command.
## mac-address should follow this format: fa0/1...fa0/48 = 10001...10048
## or gi0/1.....gi0/48 = 10101....10148
## vlan 311 is the PF Registration vlan
int fa1/0/46
switchport access vlan 311
switchport mode access
switchport port-security maximum 2 vlan access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0001.0046 vlan access
Secondly, I'm fairly new to scripting and linux in general. So forgive me if I get some terms or other stuff way wrong. I've recently been tasked with setting up a NAC (Network Access Control) for our network. We're starting small, only conference rooms at first. We have around 40 or so conference rooms, I think.... The goal is to use PacketFence by Inverse to allow guests and vendors access to our guest network, and employees access to our internal network.
PF will allow you to push switch vlan changes via snmp, but one of the big hurdles for me was the SNMP v3 setup since I've never set it up before. After figuring it out on a single switch I realized that I didn't want to manually make changes to all of our Cisco switches. Which lead me to clogin that comes with Rancid (Really Awesome New Cisco confIg Differ). clogin will allow you to make multiple changes using a command file to the switch(es) of your choosing.
Third, I hope you enjoy my liberal use of smudgery.
Step 1: Install Rancid: http://www.shrubbery.net/rancid/RhysEvans_overview_0.3.pdf
Step 2: Setup switch in PF:
Step 3: Setup the .cloginrc file
This file (under root) holds all of the usernames/passwords that clogin will use when attempting to auth to a device. We use ssh on everything and setup a TACACS account specifically for packetfence testing. This is what I've added to the bottom of ./cloginrc
add user * {PFTestAccount}
add userpassword * {TermPassword} {EnablePassword}
add password * {TermPassword} {EnablePassword}
add method * ssh telnet
Step 4: Send global switch commands via clogin. In the default setup clogin is located under /usr/local/rancid/bin and must be ran as the user rancid if you've followed the instructions above.
Global commands, saved in SNMPv3.txt:
snmp-server engineID local 123450000000000000000000
snmp-server group PFREADGROUP v3 priv notify *tv.00000000.00000000.00000000.0
snmp-server group PFWRITEGROUP v3 priv read PFREADVIEW write PFWRITEVIEW
snmp-server community PFREADWRITESTRING RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 2
snmp-server host 172.16.x.x OtherCorpReadOnlyString
snmp-server host 172.16.x.y version 3 priv PFREADUSER port-security
Clogin command:
./clogin -x /usr/local/rancid/scripts/SNMPv3.txt 172.16.x.y
Result:
Step 5: Interface config:
Now there are a couple ways we could go with this. We could include this config in with clogin as long as we could pick the same port on ever switch. I have yet to find a way to prompt for each switch with my limited knowledge. Or the way I'll be doing it, going through and finding out which port on which switch I need setup, and creating a different command file for clogin to pull from. It's probably not the best way, but still better than logging manually into each switch and running every command.
## mac-address should follow this format: fa0/1...fa0/48 = 10001...10048
## or gi0/1.....gi0/48 = 10101....10148
## vlan 311 is the PF Registration vlan
int fa1/0/46
switchport access vlan 311
switchport mode access
switchport port-security maximum 2 vlan access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0001.0046 vlan access
Wednesday, August 14, 2013
1-2-3 SET
So yesterday was my second SE campaign to enlighten a subset of our users. Here is a n00b's guide written by a self proclaimed n00b....
Intro:
So using The Social Engineering Toolkit has been most of my hands-on knowledge when it comes to anything SE. I've only been using it for around 8 months at this point, and I've learned a little bit. When our company decided that it would be too expensive for regular user training we decided to try and make things interesting instead. The plan is still forming, but we've gotten good feedback so far.
The Plan:
The idea is to run a blatantly obvious SE attempt at a subset of users each month from a gmail account. I made the account ourITdepartment@gmail.com. SET will allow you to auth to gmail to send out the campaign email. The targets will receive a plain html email with a link that takes them to a credential harvester embedded in a cloned website of my choosing. After we obtain their credentials this is what they see:
This slideshow takes them through some normal "don't click shit" information, just in a professional format. I may upload the full slide deck, but it still needs a little work. As time goes on and we get less hits, we'll up the complexity.
First Attempt:
Using ./theHarvester.py from Marcus Carey (@marcusjcarey) I scanned for our domain to pull the first list of users, which got me about 50.
./theHarvester.py -d mydomain.com -l 500 -b google
Every year we fill out an employee survey with a third party company. Since we had just completed it I figured an email about the survey results being in would yield a good hit rate.
The link took them to a clone of Survey Monkey's login page. Which yielded a surprising 15/50 credentials being harvested, 3/50 reports of a suspicious email to our helpdesk, and 1 call from a nurse letting us know that she no longer has any respect for us and has lost our trust.
Second Attempt:
To gather a list of users that are more likely to be targeted from the outside we have an active sender list on our postfix mail filtering box. There are about 600 or so that normally get email from outside addresses, out of the 1,400 total mailboxes we have. I took the first 200 this month and will continue on until everyone has been hit with an easy campaign.
At the beginning of the year we switched to an HR system "in the cloud" that uses AD Federated Services to auth our users. I figured a clone of that site would work well, accompanied with this email.
1-2-3 SET:
What Comes Next?
So we're currently working on a database to bind to MS Active Directory and store the results of each month. It would allow us to run reports on most phished users, who each campaign hits, etc. All the data from the xml report will be pulled in also.
Intro:
So using The Social Engineering Toolkit has been most of my hands-on knowledge when it comes to anything SE. I've only been using it for around 8 months at this point, and I've learned a little bit. When our company decided that it would be too expensive for regular user training we decided to try and make things interesting instead. The plan is still forming, but we've gotten good feedback so far.
The Plan:
The idea is to run a blatantly obvious SE attempt at a subset of users each month from a gmail account. I made the account ourITdepartment@gmail.com. SET will allow you to auth to gmail to send out the campaign email. The targets will receive a plain html email with a link that takes them to a credential harvester embedded in a cloned website of my choosing. After we obtain their credentials this is what they see:
This slideshow takes them through some normal "don't click shit" information, just in a professional format. I may upload the full slide deck, but it still needs a little work. As time goes on and we get less hits, we'll up the complexity.
First Attempt:
Using ./theHarvester.py from Marcus Carey (@marcusjcarey) I scanned for our domain to pull the first list of users, which got me about 50.
./theHarvester.py -d mydomain.com -l 500 -b google
Every year we fill out an employee survey with a third party company. Since we had just completed it I figured an email about the survey results being in would yield a good hit rate.
Second Attempt:
To gather a list of users that are more likely to be targeted from the outside we have an active sender list on our postfix mail filtering box. There are about 600 or so that normally get email from outside addresses, out of the 1,400 total mailboxes we have. I took the first 200 this month and will continue on until everyone has been hit with an easy campaign.
At the beginning of the year we switched to an HR system "in the cloud" that uses AD Federated Services to auth our users. I figured a clone of that site would work well, accompanied with this email.
So far we are at 47/200 and they are still rolling in.
1-2-3 SET:
What Comes Next?
So we're currently working on a database to bind to MS Active Directory and store the results of each month. It would allow us to run reports on most phished users, who each campaign hits, etc. All the data from the xml report will be pulled in also.
Subscribe to:
Posts (Atom)