Learn Phishing!
Key Takeaways
The video discusses cybersecurity training, particularly phishing, and introduces a new course on Just Hacking Training, covering hands-on and tactical approaches to phishing, including device code campaigns and infrastructure evasion techniques, using various tools such as GoFish, Amazon SCES, and Single File browser extension.
Full Transcript
Learn cyber security and focus technical training with just hacking.com where all-star instructors and industry experts provide hands-on, affordable, and practical learning across courses, free upskill challenges, hackalong training videos and capture the flag competitions. There's always something to hack. With new content twice a month, all throughout the year, plus by monthly live streams, you can sharpen your skills in our ondemand and interactive lab environments. Advance your career and level up regardless of your experience or budget. Forget all the noise and get to just hacking. Sign up now at justacking.com. It always sounds so good. I'm sorry. You know, I really like playing it at the start. I think that's a fine intro. Hi everybody. Thanks so much for coming to hang out. Look, welcome back to another Just Hacking Training live stream. Uh we got the chat going. I'm super glad to see everybody coming to hang out with us. Thank you again and again and again. Uh, and if you don't know the spiel here, usually the rundown, the agenda, the outline is, uh, hey, I'll do some announcements. I'll, uh, I'll kind of, hey, give you the lay of the land, the sitch, what's up, what's happening in the just hacking world, uh, for us, and then we'll get on to the real show. And we've got our guest Corey Macy coming to join the party. And I'm so excited for that. Uh, but if you wouldn't mind, I'd love to, hey, get started. I will share my screen. Fingers crossed and then we will roll through things. So, I'll hop over here to just hacking.com. Now, if you weren't tracking, if you aren't familiar, hey, this is the extra venture, the the next uh extravaganza, little adventure that we've been going on to put out more training, more educational material, more cyber security love and support and not strictly cyber security. We've gotten into some really cool stuff. We've done like what quantum computing, quantum security, satellite, satellite security, satellite, all this stuff that we are trying to help spread the word and it's really a labor of love but a dream team work with other incredible cool people because it's just shining the spotlight on other hey leaders in the industry to help share courses for one thing like you're used to for a typical schoolhouse and then upskill challenges which are free completely free like there is no price tag on that And then hackalongs that'll include a video. Those are a little bit shorter alongside the upscale challenges. Those are very short, 10, 30 minutes, something small and digestible. Uh hackalongs and our capture the flag archives. So look, yes, this conversation, what we are doing today, everything that we are getting to do for this live stream will be recorded. So, if you'd like, you could check it out on this channel, the same John Hammond YouTube channel or any of the VODs things that are available, and it'll all be present included in our events page. The events page, if you haven't seen it on the website, it's just over in the vitals, uh, little subnav menu there. And look, you can see everything that we're up to, whether it's online or digital or in person. This will include the schedule of, hey, what we've been doing for live streams. And then today, us all hanging out together. But that will coincide with a lot of our releases, a lot of the new content, new trending material that we put out and about. But the conferences, the live events that we go to, that's also included here. Whether or not we're sponsoring, whether or not we'll have a presence, whether or not we can come hang out, shake hands, and we'll give away some t-shirts and tons and tons of stickers. It's very, very cool. It's very surreal, very surreal to uh see all it kind of come to life. But May was super duper busy. We were kind of running all over the place for May. Uh I'm glad to take a bit of a break because we are going to be prepping for Defcon and Hacker Summer Camp. Um but if you are around, I think in the Boston area this Saturday, the layer 8 conference is running and we will be there to help support. Uh we're sponsoring that event. If you are there, you may very well be able to win, I think, one of the sweet giveaways or training raffle lunch special things. Uh, hey, some love to Michelle Michelle Khan, uh, one of the creators that we have there, uh, who has been sharing a lot of awesome stuff for OSIT, open source intelligence, and you might have gone through a lot of the work that he's already shared. We have a whole bundle that has all of that available. And, uh, keep an eye on Michelle's stuff. keep your ear to the ground because I think coming up soon whether it's this weekend or whenever we've got some some holiday coming up soon we do have a sweet announcement uh not just for dads not not just for the fathers of the world it will be for everyone but hopefully some uh some extra love and good support for everything that Michall has been up to uh layer 8 conference will be a little bit more of that social not to say social engineering but investigations you know work of the human human intelligence etc and uh I think that's a fine segue and play there. So, with that, some of the other cool things that we've been getting out the door this month, June, well, it is June right now, is constructing defense, but you've heard me probably beat the drum for constructing defense a long time. Look, we wanted to do something a little bit different. We wanted to kind of rearrange it and structure it in a uh maybe another approachable way. Uh, constructing defense light is the very same material and training and content and education as constructing defense that Anton Rutsky um, who has been with us before. He's been on the live stream previously. He showcased some really cool demos uh, including a couple free lessons that you can dig into. Condev light, cond being the nickname, takes the lab environment, the giant virtual machine setup, the giant virtual uh uh events environment, machines, cloud instances, but lets you spin it up. Uh it is automated with like a little bit of Lutus. You've got some capability to do that, but uh that is a much much more accessible and affordable uh entry point than I think pure OG original constructing defense. Um, so I hope that is some good support for you and I hope you're able to take a look at that. Again, I'm a huge fanboy for constructing defense. I said genuinely it's just like one of the best ways to get into industry work because it's everything that you could very well do for more of a blue team work and and purple team in all reality. Look at the giant lab that comes with it. It's so cool. Oh, I love seeing the chat. Hey, it's an awesome course. Anton is a great instructor. Thank you so much. Would agree. would agree. All right, if you want to dive into constructing defense light, that is available. But let me get on to the real star of the show for today for this week's live stream. Bear in mind when we get together again, let me note we will be hanging out with Matt E. Uh Matt Ernender. He's over uh part of our capture the flag team, M Alpha. Uh we've worked with him for years. He's an incredible genius fella. Um, but we'll be doing some capture the flag stuff at that next live stream. But Corey or Corgi is her handle is an angel. She is awesome. She is the best. And I'm so excited that we get to hang out and chat for a little bit. Uh, she's put together previously a upskill challenge. So again, completely free, totally accessible. You can dive in. Uh, a little bit more of a lesson and layer discussing and telling you about fishing, how this all happens, what this all means. see some of the sites, a little bit of visuals to it. But upcoming on the way, and I do have to add this disclaimer, I do want to make sure this is pretty clear, should be releasing the technical course, the hands-on practical, hey, in the environment, get into action, do all the work course on fishing. But this will be releasing July 1st. So, I want to make that known. Um, we have it out and about because we wanted to do something special. So, let me in on a let me let you in on a little bit of a secret. We are making it for the first time. This is an experiment for us. Please let me know. Give me that feedback if this is good, bad, or ugly. We're doing a pre-sale, a pre-release. So, hey, and there's some fun with it. If you were interested in the full original constructing defense light, if you were interested in the whole Michelle bundle or if you want to check out my previous dark web and cyber crime courses, um, if you were willing to jump into the action now, while this is a name your price training, name your price offering, and bless her heart, Corey really wanted that. she was pushing for, hey, can we make this uh as you know accessible as possible, this is available only in the range of 10 to 50. Uh while we'll offer 050 as the kind of price tag at the start, you could toggle that down. You can tweak that. You name your price to whatever you want. Um and then there's a chance uh three winners there. Three in this raffle if you get it this month before it is released in July. Once July hits course is released and we'll throw in for those winners one of these constructing defense Michelle bundle or dark web course. So I hope that's fun. I hope that's cool. I hope that's neat. Hey, you know much more easier entryway to a lot of potential prize pool for a smaller tag. So thank you. Thank you so much. And I don't want to uh fall down the rabbit hole here because this is truly Corey's domain. Um, but look at all the sweet stuff that we get to drill down into. I am so stoked about this course because I know that there are a lot of hey things that cover this sort of material. Fishing is is oftentimes out and about. They're for security awareness training which can be a very high level and fluffy. It can be oftentimes in just conversations. It can be just like things that folks talk about for oh cyber security. But we wanted to get really really tactical. So this is super duper hands-on getting into evil jinx, getting into goofish, getting into device code campaigns in the Office 365 or Entra environments and then a lot more of the infrastructure and evasion techniques. Uh but I can't uh spill the beans too much. I do want to let Corey take it away. She is the star of the show. But bear in mind, she's going to be giving us a sneak peek, a little bit of a preview, letting us know what's up. And then, while it's available now for pre-release, this thing will come out in July. Did I get all that right? Voice in the back of my head. Uh, production in my ear. Let me know. Cool. I'll stop sharing the screen and I'll ask now, hey Corey, uh, are you with me? Are you ready? Are you good? you want to jump in? You're the best. Thank you so much. Hey. Hey. Hey, John. Thanks so much for having me. Hey, thank you for doing this thing. I think I've said it a thousand times already before we kind of jumped on live. Um, but I can't say it enough and I'm just going to keep saying it. Thank you for all your support, all your contributions, everything you've been doing here with us. Oh, I'm so excited. Um, this is super special to me actually, just working with you because, uh, my husband is like the biggest fan of yours. uh probably like a few years ago. So my husband's a developer. He came to me and I had never heard of you before just because I'm not like a huge YouTube watcher, but my husband is and he was like, do you know John Hammond? He's the best programmer in infosc. No. And I was like, you know, I work in infosc. I am by I'm by no means the the best programmer in infosc. Not at all. Uh but I'm very flattered. What an honor. Thank you so much. Well, hey, would you mind kind of filling in the gaps for anyone tuning in that just hasn't uh I don't know, hasn't seen you around before, hasn't seen you across the internet airwaves, doesn't know who you are, doesn't know what you're up to. Uh, who are you, Corey? What are you doing? Uh, I'm Corey. People online probably know me better as Corgi, like the dog. Um, I do a lot of community involvement uh out there in the community. I work with social engineering community, the Defcon Village. Um, I run Besides Nashville. Uh, I'm based out of Nashville, Tennessee, and I'm also involved with Nashsec, formerly DC615. So, just always out there trying to share knowledge, get people into infosc and kind of support them and help them as needed. Well, you have been part, if I may, of the the village at Defcon and a lot of the social engineering work for quite some time now. Is that right? How did you kind of fall into this line of work, this occupation, this passion? Really? That Yeah. No, that's actually a really cool story. So, I always knew that I wanted to get into pentesting. Um, really since I was like a teenager and I found the Defcon YouTube videos and that was just a passion of mine. My dad is a programmer so growing up was always like my dad makes it, I break it, you know, as you do when you're a kid. Um, so it was always a passion of mine. always wanted to get into it and I eventually got into risk consultancy uh for the company that I'm at and I just told them how interested I was in offensive security and pentesting and probably about four or five years ago um they gave me the opportunity to move over. I started doing social engineering assessments. That's really how I got into it. Um and now I've been doing it for a while now. That's awesome. Can you w within reason, right, fill me in on what does a social engineering assessment kind of consist of? Do you have a physical element? Is it all on the keyboard? Are you sending those lures, getting, I don't know, fishing emails out and about or what is it? What is it? What does you do? Yeah. Uh, it's totally dependent really on a lot of different things. I I hate to say that. Um, but dependent on the client, right? So what industry they're in specifically if we're working with healthcare I'm based in out of Nashville so a lot of my clients are healthcare related um trying to pull things like PHI from nurses or doctors or um PHI through anything um calling helplines um sorry it's really dependent on on kind of the industry that you're working with the client and then of course the assessment type right if it's a standalone social engineering assessment and you're just trying to call into a help desk reset um employee passwords or if it's in tandem with like a internal pentest and so you're taking those user credentials and then you're trying to access their VPN or their Entra or Office um accounts and then kind of pivot from there. That's awesome. Does the phone call angle really really play a part? I it's so easy for me to forget like hey that's just kind of an easy route and angle. It's just calling someone when you've got like oh all the stuff that we tend to run around with between fishing fishing emails the lures inbox work etc. But I'm like oh we can it doesn't have to be that not to say high tech while it's on the computer which could be a phone call. Absolutely. Yeah. Um, probably the easiest way to get in somewhere through social engineering is over the phone, right? Because that's an entirely human element and it almost bypasses these like falsified restrictions that people have assigned to identifying social engineering. Uh, I would say like the average user when they get a fishing email or something, what they're looking for are flags like maybe non-native English or AI generated text. But when you're calling in, I'm calling in as a 20some year old woman and I'm saying, "Hey, you know, I work with internal IT. I clearly have the same like cadence and tone as you." Um, it becomes a lot more believable. Yeah. I feel like you can, I don't know, really do enough homework, do enough reconnaissance, do enough like figuring it out. How do I lay the perfect pretense and then it's just a matter of sealing sealing the deal, selling it. So, absolutely. Well, um I don't know if you have a maybe cool, fun, sweet demo or anything up your sleeve, anything that we might be able to uh take a look at. If it comes together, that's a okay. If not, no worries. But uh and and on the other end of that, if anyone in chat has any cool questions for you, for us, hey, please don't hesitate. Please drop those questions in here and there, and we can uh knock them out as they come through. Um but what do you think? Do you have anything up your sleeve? Anything to show? Cool. Yes, absolutely. Um I was planning this this morning and I like got banned from SCES. So I tried putting a ticket like two hours ago. Um but they haven't responded. So it won't be completely what I had hoped. Um just because I didn't want to spin up, you know, I spun up infrastructure for this. Um but I will share some. Can you talk me through hey all the things that you either had in mind and oh weren't quite there yet? just because I think that grandiose vision and idea of like oh what we could do is still really really cool uh as we get to see it. Yeah, absolutely. We will do that as I super cool. Um if you need to share screen whenever you can, we're ready for you. Quick fun background if I may. Uh I was just over in the people's call center event which was a cool uh little activity to get together with a lot of the like scam bait crew the scam bait um community um whether it's Jim Browning or Scammer Payback or perogi right and those folks do the scam bait work which is interesting because it's to a certain extent a lot of social engineering and to a certain extent a little bit of fishing but it's especially on the phone you get the back and forth fishing you get the back and forth voice conversations um and then seeing where that comes from. It's just cool to see it all tie together here. Um but all right, would you be willing to like zoom in? I'm so sorry my blind 5-year-old eyes will uh Excellent. All you awesome. One thing I wanted to add to just on top of that, it's interesting and I know visioning is kind of outside of the scope of really what we're talking about today, but it's interesting how frequently you can also bypass like technical controls through visioning. Um, one really common thing I'll see with like huge corporations when I'm calling into them, like retail companies and things like that, they'll have lots of different internal helplines that you can call and that's interesting. It's great for an attacker because you have this huge kind of pool of people that you can speak to and you so first you never have to speak to the same person more than once and then you can make all these like different weird requests, right? So to one internal line you can say, "Hey, um, I need to reset my password. I'm so and so." and then literally two minutes later you can call a different line and say, "Hey, I'm so and so and I just got a new phone. I need to change that message on my account." Um, so it's it it it's fun, especially with bigger organizations and you have the capability to do something like that um in such a short amount of time. All right. So, hey, we get to see a little bit of the course preview or sneak preview, whatever you're willing to share. Oh yeah. So I just wanted to kind of go through the contents of what the course has. So um we'll do some like really it's the course is centered around configuring your own fishing campaigns. Um so we'll be using GoFish with Amazon SCES um Amazon SMTP. We'll do things like recon and enumeration which is one of the coolest things that I wanted to showcase today. um as part of the course there are um these falsified companies that I've created, right? So, you'll be able to go out um as part of the course and go out to these domains, do your own reconnaissance as instructed and identify employees at these companies, um potential targets for your fishing campaigns. There will be flags within those for kind of the assessments between modules. Um and then craft great pretext based on the information that's out there. Um so this is one of the companies that's part of the course. It's called Third Ball Robotics. Um this is their main domain and you'll see within this um there is a team button up here. So you see right there are employees that are listed at this company. You can kind of see the employee um username formatting that you can use to aggregate into a potential list of users for this organization to target for fishing. And then there's more details about the organization itself, right? There's additional mailboxes, numbers, more information that you can use for reconnaissance, um third party companies that are associated with them. This is one of my favorite parts. Kind of like these real labs that exist out on the internet for you to go find and do the actual work um for yourself. Yeah. I feel like a cool certain amount of scavenger hunt is, hey, what what insight, what nugget, what things can I track down to add to your campaign? Absolutely. Yeah. And so within the course, all of these things are tested. Um there are exams between some of the modules that ask you for so and so company, you know, what employees did you identify? How many of employees did you identify? What was their username formatting? Um and then we show you things like device code fishing. Um typical credential fishing. Let me see if I can show you some of this. Cool. Thank you. So, if we go to um the team page for this example, there are all these different employees and they have their own mailboxes. Let's say you go to office.com signed in. I apologize. And then we will show you um great um so like for these users right actual accounts and mailboxes exist for these users and we'll show you how to do things like clone login portals. So one recommendation that I make in cloning log portals is this um browser extension called single file. Um, if you saw, we just did it in a literal second. We just compiled all that into one web page. Um, and so we have that exact clone now. Um, and then we show you how to build Goofish infrastructure and how to integrate this into Goofish itself. Um, this isn't an actual page that's working just because it would be your landing page. Um, that's one example. Single file is very cool. I uh I today's video just over on the YouTube channel for me was like oh exploring and looking and hunting down fishing kits. Like we used like URL scan pro and then trying to find stuff that would stupid simple oh xfiltrate out to like a discord or a telegram bot but it it's always you know just an HTML file. Yep. It just spun up on GitHub pages on Verscell in an S3 bucket or whatever way to oh get it public on the internet. But I love I mean just exactly as you showed, hey taking what we're so used to as a login form and then just bundling it up so it's easy to get out and about for a lure. So exactly. Yes. So the course runs through um all of that you know cloning login portals um creating Goofish infrastructure and then building out campaigns within that. Um I can show you an example of just this is like a example Goofish server um that I had created for this this morning. Uh unfortunately Amazon came after me very quickly so I can't actually send anything. Um but just as an example like this is how you would integrate uh users if you're not familiar with the goish UI. Um, you can create a new group. You could pull we'll within the course itself, we actually instruct you on how to pull users from, you know, crawl and scrape them from different domains from sources like LinkedIn or thirdparty aggregators like Rocket Boot or DHA, which is a great resource for like thirdparty breach data. Um, and then we show you how to build different fishing campaigns. So, we're using things like Evil Jinx to um I don't know how to explain this at like a lower level. Yeah, the reverse proxy magic tricks of Evil Jinx are are very cool. Uh but it is totally like oh wow, it just it just does it. It just it just works. Yes. Um and then configuring device code campaigns if you're not familiar with that. We could we could walk through that right now as well just using Graphrunner. That would be super cool if you're willing. Yeah, absolutely. Um I love GraphRunner. Can you fill in the gaps? Can you tell me a little bit about hey, what is it? What your explanation? Yeah, so Graphrunner is just a tool to interact with Microsoft's graph API. Um which you're actually interacting with literally constantly if you use Microsoft. So anytime that you like open Outlook or you message someone on Twe Teams, you yourself are using the graph API. just hidden behind this wonderful gooey that Microsoft has created for us. Um, and we're kind of just cutting out the middleman here, right? We can make direct graph queries to interact with different things. Um, and then we can use uh this has a great tool for device code um getting device code authentication tokens which basically if you've ever tried to login on like a Nintendo Switch or through some third-party like physical tool like a PlayStation or something and it's very difficult to kind of type out keys. device code authentication simplifies that and it allows you to just use an actual code for authentication which I can just show you right now. Um and actually when this tool was dropped I was sitting behind you John was it wildless hacker? Yeah. I was sitting at the table behind you and I was watching you slack everyone on your team like me. Yes. And like I had the same feeling. Um just total game changer especially with fishing. Um, so this is the Graphrunner um, GitHub. You can literally just plug that into PowerShell and then you can do a get craft tokens. And would you be willing to amp up text size? I don't know if you can if that's easy peasy. Yeah. Awesome. Thank you. Thank you. Um, so imagine this is from the attacker side, right? Um and then and I will say like one limitation of device code authentication is that it expires within 15 minutes. So fishing can be kind of difficult with that although it does work for me all the time especially if you send an email and then you followed up with a phone call within the 15 minute time frame and saying hey I sent you this and this needs to happen very quickly. Um but yeah and so you can just this is our URL. The great thing about device code fishing is that you're using Microsoft's legitimate OOTH um authentication, right? So, you're visiting the actual Microsoft URL uh which I'll showcase here. We have a code and it just says this is actually like a pretty new thing. I think I noticed it like a month or two ago. Oh yeah. um enter code to allow access. And so imagine that we are on the end of a um victim. And I'll pull up a demo invitation, like an email that I actually created for this. Um here's a good example of an email that I would send for device code authentication. I might I would probably actually take I use legitimate um emails. So like the actual Microsoft Teams invitations and stuff like this that um but here's an email that I created. Safeet robotics. And I'm going to keep being annoying. I'm sorry. I don't know if you can zoom or make text bigger. Sorry. That's the job. Cool. So here's an example of an email that an attacker would send to an end user. um they would receive this click on um the button and it would lead to the legitimate Microsoft um URL right because this is actually Microsoft's authentication and they would take the code within the email plug it in authenticate I actually need to authenticate as this user um yeah um there have and really cool conversations that we've been kind of having wondering, oh, how often does the device code fish or its equivalent uh lead to like account takeover, session hijacking, etc. I think it we always tend to obviously of course see and like there's so much usage for this in the in the Microsoft 365 or Entra playground but you always start to wonder like huh how well does this happen for a Google Workspace or any other sort of oh identity carrying spots um for my day job at the very least that's been a fun thing that we get to play with because we see this this this trade craft all the time um so I just hope that adds to, you know, the realism, the this is this is the the thing. Absolutely. Yeah. And there was tons of things like this, right? People are think um you know, I talked to companies that haven't seen this before and they're like, "Oh, this is novel." And it's like, "No, it it really isn't. This has been happening for a while and a lot of things like this are happening, right? Like thirdarty applications being registered and being forwarded to users to allow them." Like just lots of like internal abuse of Microsoft or whatever if you're using Google Workspace. um their functionalities. Now, this ends up giving you a token variable already filled out, right? So, yep. And yeah, so now you have full access to the graph API for that user. So, um you can do things like query teams messages, query Outlook, query SharePoint is kind of like the most beneficial that I see. Um and then you can also send emails, right? So traditionally like help at whatever the company's domain is will send you to internal IT. So just say help I can't connect so you can please help right now. Call me at whatever your phone number is. Cool. Yeah. So throughout the course we show users um all sorts of fun fishing campaigns like that. Um I think the funnest part is really that there's just so many labs. there's like real world labs, websites, fake companies built out for users to kind of explore and actually work through as well of of course you know setting up infrastructure because that's can be the toughest part right yeah it's funny I know you we like we we wanted to strike a balance of hey we want to give the students an environment like we'll give them oh some labs some virtual machines some things to work and interact with but then there is also like I I want I want you I want the students to, hey, learn and go through the process of setting some things up. Well, we've set up a couple things to make your life easier, but it's also a really important educational experience to just do this thing. So, I'm glad we got the balance. Absolutely. That is very cool. And thank you. I'm really glad that we got to see I mean, I know I think those are the big ones. Do you use Go Fish quite frequently for your for your own work? Um, is there often times other sort of management capabilities or things that you end up using or is GoFish just also the one? Yeah, most of the time I just I love Goofish and Evil Jinx. Those are my go-tos. Great to hear it. I uh I love seeing Evil Jinx up in action. Obviously, of course, the device codefish is is is a big one. Um, questions for you that have come through the chat, which I think is I hope cool. And if you're willing to entertain a couple of these, do you end up rolling a whole lot of different sock puppet accounts like for yourself to be able to do? Oh, the pretense, the lure, etc. How do you keep track of all if you have multiple these different sort of like fake identities? They they in the message in the chat they were saying, I've seen people use like a a whole CRM or some old database that just so they can maintain all these different personas that they've got to work with. Yeah, I think when you're really in any probably in any niche of infosc, note-taking is probably like one of the most foundational and important things that you could do. And so that's what I do. I and I actually don't know a single person that doesn't do something like that. Like just have an entire note-taking database where they store all of their knowledge and information um and things that they're working on to keep track of things like that. Cool. Do you write off of uh Okay. Yeah. Notion. Yeah, notion of course people are and people are very serious about what noting application they use. Um, Obsidian is the other like really big one. I think I just love Notion. I am right there with you. I use both Obsidian and Notion. So I concur. Do you ride off of any oh uh password manager? like can you oh say whatever bit warden whatever one password whatever blah blah blah that you can just shuffle or shove in all the accounts that you're going to be working with and then easy access for those as you operate and interact as that sock puppet account yeah I have tons of keypass I don't know if you actually saw me pull up in the demo today but yeah I have tons of them cool I love to hear it I'm glad that workflow I'm glad that methodology and I think everyone maybe tuning in will uh nod and agree write the same. Have you have have you had any of the AI Kool-Aid? Uh, yes, no, good, bad, or ugly. Does AI help put together these fishing pretense making these pages? Are there prompts that you use or is that nah, whatever, meh? What do you think? Yeah, absolutely. Probably like the best AI tool that I've run across is Lovable. I don't know if you've used Lovable. I love lovable. It's so lovable. Um, no, that's great for like web content generation. Um, that is probably the biggest one that I use is lovable just for like create building out domains and websites. And of course, like AI is also great. Before uh sponsor, no, no, no. I'm kidding. Like I hope they do. That'd be awesome. They're good. Give me pro for free. Um lovable.dev though, if folks wanted to if they weren't tracking, hadn't heard of it before, it'll just spit out a whole web app and website for you. It's so cool. So yeah, it is great. The only uh thing I will say is that it's very much like a LLM um for developers by developers. So if you're not used to like TypeScript or like building these like kind of developer center center um web pages just be prepared for that. Yeah, it's very very front-end love, right? like hey Typescript whatever ex new JavaScript npm node package extravaganza it's all in there. So yes that's the biggest one but I remember before LLM existed there was this site that you could go to and like regenerate a false identity and I would just go there and rotate rotate rotate to try to get a believable name right for different engagements. Otherwise I always end up with like Joy. I always make my first name Joy before I had anything like that. Um, but it's predictable and sometimes it sounds weird and so you can do all sorts of things with um just these like generative uh AI tools. Let's see. I'm scrolling through a couple other questions. Um, and even if there were any, I don't know if it's used for, it's using AI or anything that you end up doing with even simple chat GPT or prompts you enter to permutate potential fishing emails. There were a couple of those neat ideas kind of flying around in the in the chat. Um, odd thought and I think someone maybe noticed the Burpuite icon uh while you had your desktop up. They're thinking, look, no one ever really talks about some of these credential stuffing attacks like Open Bullet or using Burp Suite to do the same. Um, do you end up particularly doing that much for Oh, now using or validating some of the access in mass or is that less of the fishing direction that you're usually in? definitely less um of what I'm centered around to most of the like social engineering and fishing that I do is centered around like actually gaining access somewhere right so um most of the time when I'm doing it professionally at least I'm either calling or emailing people getting credentials through there um getting access through there and then just using that to pivot um and it's really not that hard honestly like as sad as it is to say um at least professionally we don't need to do that much. Can you help me establish that idea for the YouTube audience? Cuz I've done, you know, so many cheesy demos and videos and things um that are like, "Hey, take a look at this cool lure, this trick, this social engineering." Like, people will fall for this. People have fallen for this. And that is something that is worth knowing and being educated and aware of. But I always get the YouTube comment haters that say, "Oh, it's just another social engineering thing. Oh, you're not doing any le act lead exploits, hacking zero days, any server side vulnerabilities." I'm like, "No, you don't need that." Yeah. Yeah. No, John, you're completely right. And also, they're kind of completely right. Right. it it's not some elite we're not dropping zero days to build a fishing campaign because why would we you know if we email a hundred people and we get access to one account that's all we needed we didn't need 10 people to submit credentials or give us access to their account we just needed one person um so yeah it's not but also the complications between those two are very obvious as well like people that are dropping zero days sometimes don't have the capability to build out great social engineering campaigns because that's kind of a harder topic for them to approach. And so I think there is a great balance there between the super technical side and the kind of less technical side through social engineering. This is kind of a cool question I think that plays along with it if that's okay. Um because I I I would think and I know for a lot of the fishing work and the social engineering campaigns, it takes a lot of prep work like to be able to hey make this thing convincing and as realistic. Uh, so someone was asking, do you try to work with like pre-registered fake domain names like domains, internet presence for a specific campaign? And then how do you make sure that that newly registered domain will still kind of pass any automatic filters or anything that could flag it or warn it because uh you do and will be using it for some shady shenanigans. Uh, how do you make that purposeful and strong? Yeah, absolutely. That's basically an entire module if not half of a module in the course is just giving you the resources to do things like that. So like buying old domains and checking old domains and making sure that they're not already contaminated. I do you remember Okay, sorry this is a rabbit hole. This is a tangent. This is just John being John. But when there was the uh the zip domains like that Google had a leased as the the top level domain three days. the three days, right, that zip domains existed. Uh, did they did they get taken out? Did they get removed out of rotation and they're no longer or I actually don't know. Um, I'm pretty sure that they announced like a week afterwards like, "Okay, we're not going to sell." Yeah. Yeah. We take it back. We recall. We We I had bought a boatload of them just as a stupid, you know, fun ones off oneoff, but I got zero. zip. So, I could make like infinite subdomains of like CandyCrush.4.2.0.zip or whatever stupid thing, but it's a domain. Um, but I know without a doubt, okay, those are going to be eyed on and under the magnifying glass, under the microscope, like, oh, when are you going to be doing something sketchy with domains like those? Yeah, absolutely. TLDDS are kind of a big thing and that of course is talked about in the course. um using a TLD likeXYZ is probably never going to get clicks unless um I actually genuinely a use case where it would um but you we see that constantly right like we talked about notion earlier and a lot of companies will block notion because it has a simoleon TLD so definitely yeah.com is still the standard in terms of the internet I am a huge fanboy of the uh living off trusted sites resource. Have you seen that one? I'm sure lots project. No. Um, so this is uh Mr. Docs. I'll try and pull it up, but I I try to squeeze it in whenever I can. I think it's pretty good and valuable. Uh, lots-Ro.com. So, it's like living off trusted sites, knowing that what are these usual different online services or SAS utilities that are usually hosting content or material just naturally like legitimately for their own usage and use case. Um, so of course you got AWS, S3, blob, Windows domains, etc. Box.com, Bitbucket, GitHub, blah blah blah. But when you get to see those used in the context of, oh, how often is that done for fishing? Um, there's some insight there. Yeah. Yeah. I've never seen this list. It's very cool. But obviously I use these constantly. Azure websites is like a big one that people use both internally and for fishing campaigns. And yeah, these are great. Yeah, big big list. And I always try to oh, whenever I remember it, I want to make sure to squeeze it into the conversation because I hope that's a cool resource for a lot of folks. Good to have one centralized long list. Cool. Another question for you if that's okay. And I don't know how much you can run with this one if you can, but would you happen to have any stories, any sweet from the trenches, anything that's okay to share or if you you can say no, let me know. Yeah. Um, just in terms of fishing or social engineering as a whole or all of the above, whichever one gets you closer to a Oh, yeah. I can I can talk about that. Um, in terms of Oh, yeah, for sure. Um, in terms of probably physical pen testing, I will sometimes wear a pregnancy belly um when I go do physical assessments. Um, because who doesn't want to help a pregnant woman, right? I know nine out of 10 times if a pregnant woman is trying to get into my office, she has her hands full with coffee for other people, I'm going to run ahead and try to badge in and open the door for her. Um, so that's kind of a typical thing that I do. Um, I have somehow just gotten a lot of followers on Twitter, um, just over time being involved in the community. And one time I was going to do this big physical assessment and I posted a picture of my stomach with a pregnancy belly um, on and probably within an hour my boss starts messaging me and he's like, "Hey, the company follows you on Twitter and they saw your tweets. you need to completely can that like everyone knows what's happening. Um so that's kind of one funny physical story. Um luckily I've never been held at gunpoint. I know plenty of people that have unfortunately. Um yeah. Yeah. It gets very real when you're in person and on site, right? Like that raises the stakes. It does raise the stakes. Yeah. But I I do think that you almost have an advantage as a woman in that people tend to be softer and kinder and more accepting of your faults um rather than a man. But on the same hand, I also couldn't pretend to be an elevator technician because if I walked in in work overalls saying, "Hey, I'm here to inspect your elevator." It would say, "Get out of here." Right. Right. Um dynamics. I suppose that's cool. I I the Twitter the Twitter fail sounds hysterical and makes complete sense. I feel like I would probably make the same mistake just being excited about, oh, I get to wear some stupid some some fun costume. Yes. Oh, someone actually just put in the comments, if you want to call it early, get caught at a bank. I actually did get caught at a bank once. This is like my one big kind of failure on a physical pentest was I had gotten into a bank's data center and it was a long work in progress. But I had gotten into the data center and I had one employee that was helping me on site. And just as we had walked out of the data center and were kind of walking towards the exit, um, two other employees came up to us and said, you know, they just started swearing and screaming because obviously extremely secure center and they had no idea who I was. We're like, who is this person? Why do you have them here? And bless the employee that was helping me, he was like, oh, don't worry. This is not a breach. This is I was pretending to be um an auditor. I was like, "This is an auditor with like KPMG or whoever I was pretending to be." And in that moment, I was like, "Hey, uh I finished my audit. I hope that you all have a great day. I'm just going to head out of here." And I literally drove from there to the airport. And as I'm driving to the airport there, Siso calls me. He's like, "Please tell me that was you." Um they had like called the police and started breach protocol. Um Wow. Yeah. Well, I am glad, you know, things for it to be taken seriously uh in every direction, at every angle. That's good. So, super cool. Couple questions here in the chat. Some were wondering a little bit more back to the device codefish. Um, and I'm not sure if this is one that you have a uh a lot to that you'd like to bring in, but I they're wondering, oh, for those timebased cookie check devices or for things for oh, detecting the account takeover, the session hijacking with the device code fish. uh they're like, "Oh, wouldn't what about the IP address, the geoloccation, the device, user agent, things, all those things that would help oh, identify something has gone a muck in a regular login." Um, do you play in that pool all that much? I don't know if detecting it is uh part of all that you do, but um I'm not on the detection side and I don't know specifically what the question was, but I will recommend a a couple of really good resources actually. If you go to the Bites Nashville 2024 um talks or if you just Google Husky hacks besides Nashville 2024, he actually Yeah, he's awesome. And you work together, right? Um, yeah, he works at Huntress with me and he helps uh put together capture the flag challenges. He's been part of the team for a bit. He's a he's a swell guy. Love Matt. Yeah, he did a talk on detecting um in 2024 at Bites Nashville and I know that he has the slides posted up on his GitHub and so you can actually see I think that's super beneficial because you can actually like look at the logs and his commentary and stuff like that. I will uh let him know that he got some love during the uh live stream today. Here is that sharing just the link here in chat for folks that wanted to catch Husky Hack's identity crisis was the name of that talk. Um but big into the device codefish and a fun problem that we tend to chase for day job. Cool. Corey, can I ask, hey, how has the process been for putting together a course or the course? So, have you done training like this before? Um, has things been smooth? Have things been easy? Have you been, uh, oh, running around with other life things that get in the way? Uh, and I don't know, do you think you'd ever have an appetite for doing more? Yeah. Um, I would say yes to all of the above. Um, a lot of things going on in life, right, as they are for everyone. Specifically right now, it's summer for me, so all of my kids are out of school, so I'm constantly in between like working and trying to accomplish side projects and telling my kids, you know, please just open a different container of Play-Doh um while I finish this. Um, but yeah, super interested. It's been great. Honestly, the biggest concern for me is just making sure that people get as much as I could possibly give them, right? like the technical nitty-gritty, but also presented in a way that is easy to kind of digest and understand and covers people who are completely new to infosc to people who maybe have been in the industry for a while but haven't really run fishing props. And thank you seriously, genuinely so much for that attention to detail, you know, or like, hey, being so thorough to make this accessible and exciting and interesting for folks that may not be in the scene or with it just yet or like, hey, as spun up as others might be, and there's nothing wrong with that, but for the folks that are in in the thick of it, in the in the in the heart of the industry and understanding like, hey, being able to spin up some of the machines, being able to put together the infrastructure, being able to build out these different pretense things. I am just so stoked and so happy and just so thankful for you and this whole thing together and I hope that we made it. You know, it's a technical course for red teamers, for pentesters, for folks that are doing it, that want to do it, that should be doing it and want to do it the right way. So, thank you. Thank you. Thank you again and again. Thank you, John. Well, hey, I know we're getting to the last couple moments. Is there anything that you would love to Hey, I don't know, make a call to action, make uh any last words, any parting parting thoughts, pot shots? What's next? No. Um, I'm super grateful for this. I I'm really excited. Um, if you have taken my free UC that's out there in fishing, which is really kind of more beginner uh, entry level kind of an overview of fishing and how offensive people see it. Please give me feedback. I would love to see that. And then if you do take this course, feedback there as well. Um, and also just a huge congratulations to Caitlyn John because I wanted to shout her out on the stream because that was so cool. She just completed what was it an iron is it was it yeah she was at a super awesome CrossFit competition and uh was kicking ass and taking names. So, she's a badass. But I've having I've been having so much fun running around like the stupid Borat movie like my wife. My wife. So fun. So good. Yeah, that's awesome. Excellent. Thank you all so much everybody. I hope this was a tough one. Uh I hope you do get a chance to go take a look at Corey's Upskill Challenge Fishing that's free and then fishing the technical course coming out uh the start of next month. Remember, it is available for pre-sale for pre-release if you'd like. That'll put your name into a sweet raffle for a couple other good winnings. $1,000 in prize pool for the other courses like Michelle's Osent bundle, hey the dark web course, and constructing defense for all those sweet things. But thank you. Thank you. Thank you for just hacking training and seeing it all come to life. So anything more, Corey or we can we can sign out. I think that's it,
Original Description
Livestream with Cori Macy on Wednesday, June 11th at 10am Pacific Time for her upcoming course on Just Hacking Training https://justhacking.com
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
New Spirals Ransomware Demonstrates How Fast Modern Cyberattacks Can Escalate
Medium · Cybersecurity
How to Detect Malicious Traffic for Free
Medium · Programming
How to Detect Malicious Traffic for Free
Medium · DevOps
Career Opportunities After Completing a Cyber Security Diploma Course
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI