It’s been a little over a year since I started phishing full time with Phishing Frenzy and there is no looking back now. The project has really come a long way since I first started with it. I can’t thank the community enough for all the support and contributions along the way. Phishing today seems more enjoyable than ever before and I owe a lot of that gratification to Phishing Frenzy.
If you haven’t had a chance to checkout the project, I highly recommend you do and get involved. We are always seeking new templates to be added to our official gallery for the entire community to use, tweak and share.
In the last article we introduced some of the useful features that Burpsuite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will explore some additional functionality including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Lets get right to it!
If you’re not currently using Phishing Frenzy, BeEF, or PowerSploit for your Phishing campaigns you’re really missing out. In this article we are briefly going to cover what I consider to be one of the “new hotness” attack vectors that every pentester should be using in their next phishing assessment.
Bypassing antivirus is always a cat and mouse game, and we’re always trying to stay ahead. I recently had a conversation with Justin Elze (@justinelze) on twitter about his version of WCE getting flagged by McAfee Antivirus.
When I was working on smbexec I knew the wce executable would touch disk and did research to find out how I might be able to get a step ahead in bypassing antivirus vendors. What I found was, for the wce universal binary, the base EXE had resources inside which were run on the target system. Essentially the base EXE was a wrapper that would review the architecture of the target system (32/64) and then launch the proper resource embedded. Essentially what this means is that even though the base EXE is obfuscated and can bypass antivirus, you may not have the same luck bypassing antivirus with the actual resources when they execute. Enter CFF Explorer and crypter for bypassing antivirus.
Burp Suite from Portswigger is one of my favorite tools to use when performing a Web Application Penetration Test. The following is a step-by-step Burp Suite Tutorial. I will demonstrate how to properly configure and utilize many of Burp’s features. After reading this, you should be able to perform a thorough web application penetration test. This will be the first in a two-part article series.
Here’s a fun trick I have been using on some recent Information Security Assessments to gain an initial foothold. If you aren’t familiar with hacking Jenkins servers, it runs by default on port 8080 and also by default it has no password (Hurray!).
According to their Wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what it looks like. (more…)
The development and addition of new features within Phishing Frenzy (PF) continues to grow. Some of these latest upgrades and features come from a lot of feedback that I have obtained from the community. Thank you all for the great feedback regarding PF.
Recently PF was converted and upgraded to run the latest version of bootstrap. Previously PF was running bootstrap version 2 and was missing out on some of the latest bootstrap features. The conversion was fairly long and painful, but the end result is very pleasing.
As most of you already know, Thotcon one of the paramount security conferences took place a couple weeks ago in Chicago. I got the incredible opportunity to present on the main stage about Phishing Frenzy and show off some of the new features now available.
During the presentation at Thotcon Adam Ringwood and I gave a live demo of the new features and executed a simulated email phishing attack. Those of you who missed it I’ve summarized most of the details in this blog post. (more…)
If you’ve been following along with us, you’ve noticed we recently released a new software tool for penetration testers called Phishing Frenzy (PF). PF is a feature rich ruby on rails application that helps manage your email phishing campaigns from creation, customization, to execution.
Since the release of PF we have been making lots of changes to help enhance the software for easier management of your email phishing campaigns. Some of the biggest changes you’ll notice when you checkout the latest version is a new layout built on bootstrap, a new shiny logo, and sending of emails in the background using sidekiq.
A couple weeks ago I presented at this years Derbycon on an email phishing platform that I have been working on. The web application is geared towards penetration testers who want to help streamline the creation and management of email phishing campaigns. The application is written in ruby on rails and is available for download on the Github repository: Phishing Frenzy.
For those of you who came out to my presentation, I appreciate you all getting up so early (Saturday 9am) to hear my talk. Those of you who missed the talk I went over some of the features of Phishing Frenzy and launched a live phishing simulation. You can see the recording below thanks to irongeek. If your looking to see just the demo, fast forward to 11:52.