Dragnet: Your Social Engineering Sidekick
Formal metadata
Number of parts: 322
License: CC Attribution 3.0 Unported: You may use and modify the work or its content for any legal purpose, and reproduce, distribute, and make it publicly available in unchanged or changed form, provided that you credit the author/rights holder in the manner they have specified.
Identifiers: 10.5446/39751 (DOI)
Transcript: English (automatically generated)
00:00
All right, Truman Kain, social engineering. Yeah, another clap, please. Blake had too much to say about me, so he figured there wasn't enough time. Okay, so who here is from the abstract? Who here read the abstract, and that's why they wanted to come? Raise a hand. Yeah?
00:20
Dragnet, one hell of a catch. One hell of a catch. Okay, so I'm Truman Kain. I'm a security associate from Tevora. We do cybersecurity, pen testing, that type of thing. And I decided to make a social engineering framework called Dragnet; that's what we're gonna talk about today. So, if you didn't read the abstract,
00:42
basically, your conversions on phishing emails, phishing calls, physical engagements, those conversions are all going to increase when you use this framework. What do I mean by conversions? Basically, things like credentials being entered, people giving you information they're not supposed to be giving you,
01:00
that type of thing. So, that's why I'm considering a conversion for these purposes. First, I'm gonna get into the current states of OSINT, analytics, social engineering engagements, and then we'll talk about the tool. But I also wanna let you guys know that these are my insights. You guys might not feel the same way about everything that I say. Hey, I recognize you.
01:22
And so, this is just what I've observed. Okay, so when I think about OSINT, I think that I want high quality, reliable data that I'm collecting on my target. And the collection process usually ends up being manual because when you see a successful spear phishing attack,
01:40
there's almost always manual OSINT going on. It can be for a few reasons, a couple. It might be that you want to verify that the information that you're getting is accurate. Also, so that you can tailor your attack to your target as you learn more about them. But all of it is so that you have a higher chance of conversion when you execute the attack.
02:01
So, aside from some minor variations, this process is extremely repetitive. And once you've gone through the OSINT phase on a couple targets, you kind of have down your process. Maybe you have a couple targets from each industry. You kind of, you know, you get down what you're gonna be doing. So you think, okay, why can't this be automated? And sometimes, you can automate things. But once the automation starts turning
02:23
into the heavy lifting, a lot of the times, you'll see big sites start to change their templating. And they just, coincidentally, roll out an update that just destroys the most popular, you know, scraping tool. So that would be why, when we see automation work, it's fleeting.
02:40
It doesn't last very long. So, here's the current state of analytics. Sorry, I had something else I wanted to say about the last slide. So why do these sites care so much about protecting their publicly available data? It's because analytics. As a side note, I'm gonna use big data and analytics interchangeably
03:01
for the purposes of this talk. So, regardless of what the company does, or what they say they do, if you look at companies with the biggest online presence, Amazon, Google, Facebook, that type of thing, if you were to take away their analytics, in my opinion, they would not last very long. You might not all agree, but I believe that when you're a company that big, you can't act on intuition alone.
03:21
So not only is every major decision driven by analytics, even the smallest decisions are driven by data as well. An example would be the way that Facebook has, is split testing thousands of different versions of their website at any one time, and pushing only the highest performing features to the public version of the site. But not only do these big companies
03:40
live off of analytics, sometimes it's the way that companies are born. This is a quote by Jeff Bezos in 1997. I'm not gonna read it in the Jeff Bezos voice from the video if you've seen it. He says, three years ago, I was working in a quantitative hedge fund when I came across a startling statistic. So that statistic stated just how rapidly consumers were moving online.
04:02
It's also what caused Jeff to leave the company he was at to start Amazon. And it's now why we're impatient when we can't get things delivered the same day. So, you're sold, right? You're gonna go out, you're gonna study the data, and start the next Amazon, right?
04:20
Well, as I look around the room, I'm not so convinced. Because fortunately, for those of you who take Jeff's quote to heart, the data is already out there. And it can be used for things other than starting or growing businesses. Like destroying it, no, like social engineering. So, I'm a fan of Amazon. By the way, I don't need my account shut down.
04:41
This is all educational purposes at this tool. So for those of you who conduct social engineering engagements legally, you may resonate with this chart. The client doesn't even get to choose two, they get to choose one. Effective, quick, or inexpensive. In this current state, and I'm generalizing a little bit, but the companies with big budgets are the only ones getting social engineering pentesting.
05:01
And I believe that needs to change. Let me grab some water. So, Fortune 5000 companies are already being targeted en masse. I believe that smaller businesses in certain industries are gonna quickly become the next big focus for social engineering attacks, based on the data that they hold and the lack of security awareness training.
05:22
I needed to include Zuck somewhere in here. So, I think I've depressed everyone enough with that last part, so what can we do about this? So, Dragnet is this social engineering framework that I'm gonna get into now. We'll watch a demo in a little bit. But I believe that Dragnet is gonna be a popular solution for pentesters. I'm committed to continually improving on it
05:42
as long as the demand is there. When I said that about OSINT automation being fleeting, for every star on the GitHub, that's gonna be an hour of me going back and re-improving. So, free labor, basically. I mean, it's cheap labor for you guys. So, I would recommend starring this project if you like it, and maybe the OSINT stops working.
06:03
Star the project, and that's an hour. I'm just gonna be sitting in mom's basement. So, where was I here? So, I'm gonna quickly cover the framework's OSINT, automation, and machine learning capabilities, and then we're gonna check out a quick demo. I'm also happy to say that Dragnet is,
06:20
and will continue to be, open source. So, I believe that this target template correlation and machine learning thing. Oh, so the whole correlation, thank you. Where was I? Very nice. The whole recommendation system thing, AI is being implemented into everything.
06:40
The data is already out there. I think pretty much every phishing tool is going to start implementing this. That's why I'm really excited to try to be on the cutting edge. I think this is a cool thing, and it's becoming a lot easier for guys like me to implement this into projects. So, this is essentially the stack, TensorFlow for machine learning, Firebase for the NoSQL database backend,
07:02
and Vue.js for the front end. Things like Asterisk and Flask are also used, and there's a bunch of different integrations as well. So, here's how Dragnet OSINT works. You're gonna start a new engagement. You're gonna drag and drop in a CSV with your targets' names and emails or phone numbers,
07:20
and then OSINT begins. Now, if a particular target already exists within the company that the engagement is for, then the OSINT is going to restart, changes are gonna be tracked, and a new recommendation is gonna be made. This is almost entirely automated, hence, keep your hands near the wheel. This is using lead enrichment integrations and also manual scraping at times.
07:41
So, the reason for the hands near the wheel is because sometimes you're gonna get people with the same name from the same company, and so you need to decide who is your actual target, because if you choose wrong, you could skew the model, you could skew the entire model so that the recommendations for someone completely different that you think there's no correlation between,
08:01
gets a different suggestion, one that's not accurate because you chose the wrong person and because the data points about them weren't correct. So, this is the old version.
08:57
Still, it started dancing like Ashlee Simpson.
09:06
So, this is the model, essentially. I really don't know how any of this works. I kind of just watched a bunch of videos and was just trying to get it to work. It barely makes sense to me, but essentially how it works is,
09:22
essentially how it works is you're going to tag the templates that you're using. So, you're gonna say, say for example, unusual login detected. So, you're gonna say urgency might get a tag, and it's from LinkedIn, so you're gonna give it a LinkedIn tag. Maybe you're doing an Amazon wish list phishing template, and you're gonna use tags like Amazon shopping. Maybe it's a Facebook poke email,
09:41
and you use things like Lust, for example. Things like that. Then the OSINT automation is going to create data points, which essentially we're calling target features. Things like someone's age, their name, maybe their gender, maybe previous work experience, that type of thing. Labels are going to be what are taken
10:00
from your previous engagements, the data on whether a target clicked, filled out a form they weren't supposed to, executed a payload, that type of thing. It's gonna give them a rating. All to end up with a probability of pwn. So, that's what we're left with. So, put simply, you're gonna tag your templates,
10:21
you're gonna import the prior conversion data, and then you're gonna say your prayers. All right, so we're gonna watch a demo.
10:46
So, here we are in the dashboard engagement section. You can see that we have an upcoming in progress and completed filter. We have some clients that we've worked with recently. But we're gonna start a new pen test
11:01
for Pied Piper. They're a client we decided to take on. So, we're gonna choose from the existing companies. We're gonna choose the type of tests that we're running. This one's phishing and vishing. And we're gonna choose a start and end date.
11:23
Okay, so these three contacts are essentially targets that we've already uploaded for Pied Piper. They've already run an engagement against them. But I'm gonna drag in a new file with some new targets. The target list is populated, and now I can choose who I want to include,
11:41
and also choose which type of test they're gonna be involved in. So, Gilfoyle is only going to be doing phishing. We're gonna get rid, I'm scared of Jared, so we're gonna get rid of him completely. He's just too easy, big head, so we're gonna get rid of him. And then we're gonna run just the phishing
12:02
on a couple of other of the targets here. And I think, yeah, there we go. Some UI bug. So now we're gonna save and OSINT begins. So, as you can see on the right, this says attack ready. That's how fast, I don't think I can go back,
12:22
that's how fast essentially that the OSINT is being done. And because the model is already trained and will be retrained each time someone converts or we get one of those labels that you saw from the equation slide, the model's gonna be retrained. Once that happens, to create the prediction is gonna be extremely quick.
12:43
So we can see, we have things like starting ML prediction. This last update column on the right is gonna show what the last thing to happen was. But we also see that we have an action required in addition to the attack ready. The action required is on Jian-Yang, interesting.
13:02
This is prerecorded; they wanted us to prerecord these, which is probably a good thing. So which of these is Jian-Yang? This is what I was talking about, where hands near the wheel. I have to pick which one is my target. I just happen to know that this is a male, maybe I've seen the target,
13:21
maybe I know roughly what age he is, I can call the client, maybe, and try to get that data. So I choose that he's the target, it started OSINT, it completed OSINT, because I have an integration like Clearbit or FullContact, and that's why the OSINT is gonna be faster. Okay, so now I just launched. You can see some people say email scheduled, some people say sending email.
13:41
This is based on the, oh, what's this? So I wanna explain a little bit more. But it looks like we have a notification that Jian-Yang already opened our email. Would we like to vish him now? So this is because it's a linked template that wants you to call and follow up as soon as the target opens the email.
14:02
Not all of these templates need to be linked. On the right, you can see a mini dossier area. This is gonna be, that check mark indicates that it's confirmed, the data is confirmed. The fingerprint indicates that this was using OSINT that we found this. Things like education history background, info, work history.
14:22
And so we see an attack log that shows the email was sent and opened and at what time. We have our script right here that we're gonna be using with his name included. And we can place the call whenever we're ready. And it should be hopefully sound for this.
14:46
Then calling Jian-Yang from the masked number. So he apparently knew that this was not a legit call.
15:01
So did we get the goods? No, he's not phone. And the recording, if the client allows, is going to be uploaded to our servers and we would be able to play that here.
15:24
So we see the attack log on the bottom right has updated. And we see now there are some other updates on last updated. We see call unsuccessful from Jian-Yang and call scheduled, and we see creds captured for Monica.
15:44
Okay, so we're gonna click on the phishing template and we see the email that was sent to her. Gavin also wants to connect. We see the credentials captured there right on the top right or in the middle. We have her mini dossier area and we can see the credentials entered on the attack log as well. So if we click, we can see that this,
16:04
I think I'm gonna click on this email here. Basically we're gonna be able to see that the landing page that she was sent to is not LinkedIn, it is Linekadin. So this is the landing page and where she fell for the credentials captured attack.
16:20
So we can click on her little avatar there and see the full dossier. It's essentially just a more spread out version of the mini dossier that you saw. And also one cool thing is that this in the target history section is not just about the attack, it's all attacks. And it's also things like when she was added to a certain company, when it was since started, was completed, when templates were suggested,
16:41
that type of thing. So I believe that is it. Yep. Okay, so that's the demo.
17:03
What's next? Things like ringless voicemail drops. Once we get inbound calling set up, you'll be able to do things like this earlier in the morning. Maybe when someone is not gonna be around the phone and try to get them to call you back. Things like really focusing on individual targeting so that you don't have to do things through a company, again, for educational purposes.
17:23
Distributed vishing, so you might be able to have a team set up and be able to get them set up with multiple attack phones, that type of thing. Native mobile, I think, would be really cool to be able to have an app to manage this and to be able to do all the calls through an app. I think that'd be really cool. And your request here is the bottom one. So I really am committed to working on this.
17:44
I'm not gonna be the guy that's like, oh, submit a pull request. Like, I'll do the work. You guys, if there are enough people that want something, they can plus one it if someone else suggests it on GitHub. So I would really appreciate it if you guys give your ideas there. I'd be happy to do that, thanks.
18:08
So Dragnet's gonna be released on GitHub in the next few days. The repo is live. You can get it through the Tevora Threat link. But I'd like you to watch the repo so that you're notified as soon as the framework is released, which will be in a few days. Also, thank you to Kevin, Steven,
18:22
Clayton, and Ray from Tevora. This framework wouldn't exist without them. Thanks again, guys. Thanks. Thanks.