The Hacker's Playbook 3: Social Engineering - pg. 174
Social Engineering: The Science of Human Hacking - Christopher Hadnagy
Advanced Penetration Testing: Advanced Concepts in Social Engineering - pg. 194
Hacking: The next generation - Infiltrating the phishing underground: learning from online criminals, pg 177
Social-Engineer Toolkit (SET) - The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
BeeLogger - Generate Gmail Emailing Keyloggers to Windows.
evilgrade - Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
Phishing - “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” (Hadnagy, Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. Wiley, 2015).
SMiShing - “the act of using mobile phone text messages, SMS (Short Message Service), to lure victims into immediate action. This action may include downloading mobile malware, visiting a malicious website, or calling a fraudulent phone number.”
Vishing - “practice of eliciting information or attempting to influence action via the telephone.”
Impersonation - “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.”
OSINT - The research performed on the target using Open-Source Intelligence tools. This phase does not interact with the target in any way.
Social Engineering: Christopher Hadnagy - pg.17
Pretext Development - This is where an attacker develops their reason for initial interaction.
Attack Plan - Planning out the Who, What, When, Where, Why, and How of the attack.
Attack Launch
Reporting - The full details of the attack. This is crucial for a client to understand all that was done and what they need to improve their defenses.
Phishing
squarephish - SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
PhishInSuits - OAuth Device Code Phishing with Verified Apps
Muraena - Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
NecroBrowser - Necrobrowser is a browser instrumentation microservice written in NodeJS: it uses the Puppeteer library to control instances of Chrome or Firefox in headless and GUI mode.
catphish - Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers. Perfect for Red Team engagements.
evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
FiercePhish - FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
CredSniper - CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.
TigerShark - Bilingual PhishingKit. TigerShark integrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
Zphisher - An automated phishing tool with 30+ templates.
SharpPhish - Using outlook COM objects to create convincing phishing emails without the user noticing. This project is meant for internal phishing.
SocialFish - Educational Phishing Tool & Information Collector
shellphish - Phishing Tool for Instagram, Facebook, Twitter, Snapchat, Github
I-See-You - A Bash and Javascript tool to find the exact location of the users during social engineering or phishing engagements. Using exact location coordinates an attacker can perform preliminary reconnaissance which will help them in performing further targeted attacks.
Vbad - Heavily obscures VBA payloads within Word documents
- destroys references to the module containing the effective payload in order to make it invisible from the VBA dev tools
Give the end user a compelling reason to enable macros.
Tailor the attack to the client. Gather information with a mass email and use an out-of-office (OOTO) auto-reply as a template for the internal email style.
Embedded macros in Microsoft Office documents
Run test file against VirusTotal to check for ease of detection
Review “Tags” section for offending tags that set off signature matches
Often AV will only scan the main body of the code and NOT the declaration section.
Use an alias for a function import to get around this.
Avoid obvious use of shellcode
Functions that will most assuredly get flagged: VirtualAlloc, RtlMoveMemory, Shell, URLDownloadToFile, and CreateThread
Automatic execution in macros
Three different methods depending on which format you are using: Word document, Excel spreadsheet, or Excel workbook
Often all three are enabled when auto code execution is enabled.
Reduce to 1 or 0 depending on what you need to reduce chance of detection.
Using a VBA/VBS Dual Stager
While VBA is used exclusively in Office products, VBS is used to perform other tasks outside of Office, and is therefore given more freedom of execution.
Deploy a VBA macro containing VBS code
Two separate scripts, one VBA and one VBS
Code obfuscation
Encoding the script (e.g. with Base64 or XOR) and having it decoded at run-time