Posted On:January 2013 - Pentest Geek
I’m often times asked how I perform email email phishing attacks. Email phishing attacks are very compelling, and unique to each situation. The process of creating a successful email phishing campaign is very methodical, and most of the time and effort goes up front into the planning phase.
Understanding that good security is a multilayer approach and we will have many layers of security that could potentially destroy our email phishing campaign. Some of these layers may include Email Gateway Spam Filters, Outlook ‘Junk Email’ Filters, Host based Antivirus, Intrusion Prevention Systems, Web Proxy Servers, Egress filtering, and the list goes on and on.
A few days ago I was chatting with pasv about a recent vulnerability he discovered. Apparently there was demand for Razer Synapse which syncs the configuration for a Razer mouse to the “cloud”. Syncing configurations to the cloud was most likely needed since some of Razer models have so many buttons the mouse has its own full blown number pad on the side. Pasv got bored and did what any good bored security professional does and reverse engineered the Razer Synapse installer. He discovered that the encryption key and IV were hard coded for the “Remember my password” feature (PoC).
The vulnerability was recently fixed before the new year (12/27/12), via an auto-update in the Razer Synapse software but we figure there are probably at least a few configuration files still sitting out there. This vulnerability was very similar to a recent metasploit module @zeknox and I released about Spark IM so it was fairly painless to write up a new module to exploit this configuration.
- Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’
- GPG Errors While Updating Kali Linux
- Installing Kali NetHunter on HTC Nexus 9
- Recovering Passwords From Hibernated Windows Machines
- How To Install Metasploit Framework Ubuntu 17.10
Subscribe To Our Mailing List
Want To Be a Better Pentester
Subscribe to our mailing list and recieve FREE pentest tips, tricks, product reviews, news, article release notifications and more!
- Forensics and Incident Response
- Information Gathering
- Penetration Testing Tutorials
- Web Applications
Web Application Hacking