We covered phishing attacks, how they work, components of a phishing email, components of phishing infrastructure, phishing assessment tools such as Gophish and SET and how to stay guarded and protected from phishing attacks. This video used the lab material from TryHackMe room named phishing and part of the red team track.

We also covered practical phishing email analysis scenarios using PhishTool and Any.run. The first scenario we analyzed an email pretending to becoming from Netflix and the other two scenarios contained malicious attachments that performed calls to malicious servers and dns names. This was part of TryHackMe Phishing Analysis Tools.

We also went over a practical email phishing analysis scenario using Thunderbird. We highlighted specific areas for analysis such as the sender email, return-path, sender domain, SPF records, originating IP address and the email attachment. We found the email attachment to be malicious by analyzing it using VirusTotal. Addtionally the email contained grammatical errors and was addressed to a general recipient. That was part of TryHackMe Greenholt Phish.

Get OSCP Certificate Notes

The Complete Practical Web Application Penetration Testing Course

Video Highlights

Phishing is a form of social engineering delivered through email to trick someone into either revealing personal information, credentials or even executing malicious code on their computer. These emails will usually appear to come from a trusted source, whether that’s a person or a business. They include content that tries to tempt or trick people into downloading software, opening attachments, or following links to a bogus website.

We have three things to work with regarding phishing emails: the sender’s email address, the subject and the content.

Different types of malicious emails can be classified as one of the following:

  • Spam – unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.
  • Phishing –  emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing sensitive information.
  • Spear phishing – takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.  
  • Whaling – is similar to spear phishing, but it’s targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same.
  • Smishing – takes phishing to mobile devices by targeting mobile users with specially crafted text messages.
  • Vishing – is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.

When it comes to phishing, the modus operandi is usually the same depending on the objective of the email.

For example, the objective can be to harvest credentials, and another is to gain access to the computer.

Below are typical characteristics phishing emails have in common:

  • The sender email name/address will masquerade as a trusted entity (email spoofing)
  • The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as InvoiceSuspended, etc.
  • The email body (HTML) is designed to match a trusting entity (such as Amazon)
  • The email body (HTML) is poorly formatted or written (contrary from the previous point)
  • The email body uses generic content, such as Dear Sir/Madam.
  • Hyperlinks (oftentimes uses URL shortening services to hide its true origin)
  • malicious attachment posing as a legitimate document

GoPhish – (Open-Source Phishing Framework) – getgophish.com

GoPhish is a web-based framework to make setting up phishing campaigns more straightforward. GoPhish allows you to store your SMTP server settings for sending emails, has a web-based tool for creating email templates using a simple WYSIWYG (What You See Is What You Get) editor. You can also schedule when emails are sent and have an analytics dashboard that shows how many emails have been sent, opened or clicked.

SET – (Social Engineering Toolkit) – trustedsec.com

The Social Engineering Toolkit contains a multitude of tools, but some of the important ones for phishing are the ability to create spear-phishing attacks and deploy fake versions of common websites to trick victims into entering their credentials.

Droppers are software that phishing victims tend to be tricked into downloading and running on their system. The dropper may advertise itself as something useful or legitimate such as a codec to view a certain video or software to open a specific file.

The droppers are not usually malicious themselves, so they tend to pass antivirus checks. Once installed, the intended malware is either unpacked or downloaded from a server and installed onto the victim’s computer. The malicious software usually connects back to the attacker’s infrastructure. The attacker can take control of the victim’s computer, which can further explore and exploit the local network.

Choosing the right Phishing domain to launch your attack from is essential to ensure you have the psychological edge over your target. A red team engagement can use some of the below methods for choosing the perfect domain name.

Expired Domains:

Although not essential, buying a domain name with some history may lead to better scoring of your domain when it comes to spam filters. Spam filters have a tendency to not trust brand new domain names compared to ones with some history.

Typosquatting:

Typosquatting is when a registered domain looks very similar to the target domain you’re trying to impersonate. Here are some of the common methods:

Misspelling: goggle.com Vs google.com

Additional Period: go.ogle.com Vs google.com

Switching numbers for letters: g00gle.com Vs google.com

Phrasing: googles.com Vs google.com

Additional Word: googleresults.com Vs google.com

These changes might look unrealistic, but at a glance, the human brain tends to fill in the blanks and see what it wants to see, i.e. the correct domain name.

Room Answers | TryHackMe Phishing

What type of psychological manipulation is phishing part of?

What type of phishing campaign do red teams get involved in?

What tactic can be used to find brands or people a victim interacts with?

What should be changed on an HTML anchor tag to disguise a link?

What part of a red team infrastructure can make a website look more authentic?

What protocol has TXT records that can improve email deliverability?

What tool can automate a phishing campaign and include analytics?

What is the password for Brian?
Do droppers tend to be malicious?
What is better, using an expired or new domain? (old/new)

What is the term used to describe registering a similar domain name with a spelling error?

What can Microsoft Office documents contain, which, when executed can run computer commands?
Which recent CVE caused remote code execution?
What is the flag from the challenge?

Room Answers | TryHackMe Phishing Analysis Fundamentals

Email dates back to what time frame?
What port is classified as Secure Transport for SMTP?

What port is classified as Secure Transport for IMAP?

What port is classified as Secure Transport for POP3?

What email header is the same as “Reply-to”?

Once you find the email sender’s IP address, where can you retrieve more information about the IP?

In the above screenshots, what is the URI of the blocked image?

In the above screenshots, what is the name of the PDF attachment?

In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

What trusted entity is this email masquerading as?

What is the sender’s email?

What is the subject line?

What is the URL link for – CLICK HERE? (Enter the defanged URL)

What is BEC?

Room Answers | TryHackMe Phishing Analysis Tools

What is the official site name of the bank that capitai-one.com tried to resemble?

How can you manually get the location of a hyperlink?
Look at the Strings output. What is the name of the EXE file?

What brand was this email tailored to impersonate?

What is the From email address?

What is the originating IP? Defang the IP address.

From what you can gather, what do you think will be a domain of interest? Defang the domain.

What is the shortened URL? Defang the URL.

What does AnyRun classify this email as?

What is the name of the PDF file?

What is the SHA 256 hash for the PDF file?

What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

What Windows process was flagged as Potentially Bad Traffic?

What is this analysis classified as?

What is the name of the Excel file?

What is the SHA 256 hash for the file?

What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

What vulnerability does this malicious attachment attempt to exploit?

Room Answers | TryHackMe Phishing Emails in Action

What phrase does the gibberish sender email start with?
noreply
What is the root domain for each URL? Defang the URL.
devret[.]xyz
This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email?
citrix
What should users do if they receive a suspicious email or text message claiming to be from Netflix?
forward the message to phishing@netflix.com
What does BCC mean?
Blind Carbon Copy
What technique was used to persuade the victim to not ignore the email and act swiftly?
Urgency
What is the name of the executable that the Excel attachment attempts to run?
regasms.exe

Room Answers | TryHackMe Phishing Prevention

Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?

~

What is the meaning of the -all tag?

fail
Which email header shows the status of whether DKIM passed or failed?
Authentication-Results
Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
p=reject
What is nonrepudiation? (The answer is a full sentence, including the “.”)
The uniqueness of a signature prevents the owner of the signature from disowning the signature.

What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

Correct Answer: smtp.response.code

Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

Correct Answer: <domain> service ready

One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

Correct Answer: 156,553

Based on the packet from the previous question, what was the message regarding the mailbox?

Correct Answer: mailbox name not allowed

What is the status code that will typically precede a SMTP DATA command?

Correct Answer: 354

What port is the SMTP traffic using?

Correct Answer: 25

How many packets are specifically SMTP?

Correct Answer: 512

What is the source IP address for all the SMTP traffic?

Correct Answer: 10.12.19.101

What is the filename of the third file attachment?

Correct Answer: attachment.scr

How about the last file attachment?

Correct Answer: .zip

Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Correct Answer: Zebrocy

Room Answers | TryHackMe Phishing Prevention

What is the Transfer Reference Number listed in the email’s Subject?

Who is the email from?

What is his email address?

What email address will receive a reply to this email?

What is the Originating IP?

Who is the owner of the Originating IP? (Do not include the “.” in your answer.)

What is the SPF record for the Return-Path domain?

What is the DMARC record for the Return-Path domain?

What is the name of the attachment?

What is the SHA256 hash of the file attachment?

What is the attachments file size? (Don’t forget to add “KB” to your answer, NUM KB)

What is the actual file extension of the attachment?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles