Friday, July 12, 2013

Pwnxy and Phishable - awesome tools with scary abusability

Penetration testing answers the question "can someone penetrate your defenses" before a hacker does the same.  In other words, when you put up a door on the Internet, someone somewhere is going to see if they can crawl in through an unlocked window instead of using the door as you intend.  Pen testing searches for that window, or back door, or subterranean tunnel, with the intention of finding and closing vulnerable surfaces before an attacker does it for you.

One facet of penetration testing is to focus on the person rather than the system - if I can get a person to give up their keys to the front door (their username and password, for example), then there is no need to search for a weak back door or unlocked window.  A common way to approach this is through phishing - often an email (or Facebook post) masquerading as communication from a trustworthy entity (say, a bank or a boss) asking for information, or directing the target to a web link.

At the end of a local Hackformers meeting today, Threat Agent's Marcus Carey gave an impromptu demo of a new tool he has just released, and another tool set for release in a couple of weeks.  These tools are frightening in how easy they make  a phishing campaign (Marcus is a white hat hacker who creates tools for legitimate use, but the same idea could just as easily be used maliciously. As he said, the tools are swords - not benign nor malicious in their own right, but can be used for good or for evil depending on the one wielding them).

Pwnxy is a pen testing proxy.  The attacker gets a target to click on a link, and Pwnxy serves up a legitimate web site (possibly with added code), and sends any data the user enters to both the legitimate web site as well as the attacker.  In truth, the demo looks a lot like Zeus (a widespread crimeware kit that targets bank web sites), but with a crucial difference – Pwnxy is cloud-based and does not require compromising the target’s box. Get the target to click a link, Pwnxy will serve up the legitimate desired web page with any customizations, and poof – phish is successful.

Once the target has clicked the link, they have no indication whatsoever that the website is fraudulent - because the web site actually is not. The real web site, be it a bank, or Gmail, or Facebook, or a favorite news site, is what the target sees. The proxy works behind the scenes to collect login credentials or any other data the target enters.

Marcus created a couple of videos demonstrating use of the tool at his company blog (I trust the source, but as with any hacker/developer I keep some degree of paranoia -- I would not log into any sites he may link to, including Youtube :-)

The second tool is not yet publicly available, but is equally interesting. "Phishable" simplifies the task of creating a phishing email campaign - the tool has built-in templates to emulate messages from a variety of common businesses and services, and allows the attacker to customize the messages and to/from fields. It would be very easy to, for instance, craft a message from an employer's IT department that direct's the target to change their corporate account password.

How do you defend against this type of tool?  Given that Marcus accidentally phished himself more than once while developing the tool, it's not an easy question to answer. That said, some common advice will go a long way: don't click links in email if you are not certain of the source, but rather enter a known address in your web browser by hand (or via a saved bookmark). Be especially wary of links in Facebook, Twitter, etc. - links about hot current topics (NSA versus Snowden, anyone? How about the Texas abortion law debate?) are often legitimately shared, but are also often used by attackers.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen