deepsea

DeepSea Phishing Gear


DeepSea phishing gear aims to help red team operators (RTOs) and pentesters deliver opsec-tight, flexible email phishing campaigns from inside a perimeter.

Goals:

Operating Instructions

DeepSea takes its runtime directives from a YAML configuration file. Most directives are grouped by the logical steps of executing mail delivery: loading marks, transforming messages, creating embedded resource URLs, and querying databases. Most directives can also be overridden on the command line if the operator prefers that in a given context.

A Quick Workflow Example:

To illustrate the workflow, here is an example campaign, followed by a sample configuration that satisfies the outlined scenario.

We are mailing a phish via our Outlook Live account, connecting to it on the standard STARTTLS submission port (587) with authentication (the SMTP password is provided interactively). The message has been written in HTML, had its CSS inlined, and been transformed to include a TXT counterpart. The contents of the email are personalized from variables introduced by loading a list of marks (targeted users) from an external CSV file, for example a person's first and last name. During preprocessing of the message DeepSea generated a unique identifier for each user and included it in the content link. We have also chosen to attach a PDF document to the email, embed two logo files in the message, and add a set of SMTP headers to the mail envelope.

Operational Workflow Example:

  1. To begin working on the campaign, load marks from a CSV into the campaign database, taking directives from the campaign configuration file:
$ ./deepsea storage load \
    --config ./campaigns/campaign1/campaign.yml \
    -d ./campaigns/campaign1/campaign.db \
    -s ./campaigns/campaign1/campaign.csv
  2. Mail the campaign with all the parameters specified in the configuration file depicted below:
$ ./deepsea mailclient --config ./conf/.deepsea.yaml

Here is an example of mark records in the CSV file used for the DB import, for reference.

$ cat campaigns/campaign_irc/campaign.csv

ident,email,firstname,lastname
<dynamic>,xxxx@xxxxxx.com,FName,LName

Here is an example configuration file for our scenario.

mailclient:

  connection:

    #SMTPUser: "info"
    SMTPUser: "XXX@outlook.com"

    #SMTPServer: "smtp.gmail.com"
    SMTPServer: "smtp.office365.com"

    SMTPPort: 587
    #SMTPPort: 465
    TLS: "yes"

  message:

    Subject: "Here you go."
    ## Some providers, Microsoft in particular, will not relay mail with an arbitrary From address.
    ## Make sure "From" is the mailbox you authenticate as, e.g. your@outlook.com,
    ## or the submission is rejected with: `554 5.2.0 STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied`

    ## Google/Gmail is still ok with the following:
    #From: "Joe B <info@xxx.org>"

    ## Gather marks from the CSV import. This is the most common use of the marks:
    ## point "To" at the campaign database that `storage load` populated (the DBFile below).
    To: "campaign1/campaign.db"

    ## However, you could send a direct one-off email:
    #To: "xxxx@gmail.com"

    #mark:
    #  FirstName: "First"
    #  LastName: "Last"
    #  Identifier: "345345sdfsdf"

    ## We would like the email messages to have access to additional metadata
    template-data:
      # URLTop is exposed to the templates as `.URLTop`. Combined with a mark's Identifier
      # it forms the per-mark tracking URL, e.g. https://xxx.com/<Identifier>
      URLTop: "https://xxx.com"

    headers:
      Return-Receipt-To: "info@xxxx.com"
      Disposition-Notification-To: "info@xxxx.com"
      List-Unsubscribe: "<https://www.xxxx.com/unsubscribe?u=876>, <mailto:info@xxxx.com?subject=unsubscribe>"
      List-Unsubscribe-Post: "List-Unsubscribe=One-Click"

    body:
      # Templated HTML / TEXT multipart delivery
      # Templates can substitute dynamic variables (see the Template section for details).
      html: "campaign1/message.htpl"
      text: "campaign1/message.ttpl"

    attach:
      - "/tmp/evil_report.pdf"
    embed:
      - "campaign1/artifacts/logo_header.png"
      - "campaign1/artifacts/logo_footer.png"

##
## Storage module
##
storage:
  DBFile: "campaign1/campaign.db"
  load:
    SourceFile: "campaign1/marks.csv"
    ## Identifiers are used to track marks across the campaign. They can be of any
    ## format, as long as they can be carried in a URL as a resource name: the URL
    ## http://evil.com/<Identifier>/file can then attribute access to a hosted payload
    ## to one mark. You can generate your own Identifiers in the CSV file, or tell
    ## DeepSea to generate a unique Identifier for each mark from a regex pattern:
    ## put "<dynamic>" in the identifier field of the CSV and set the `IdentifierRegex`
    ## directive to the format you want. If custom generation fails for some reason,
    ## the mark gets a random 8-digit string instead.

    IdentifierRegex: "^[a-z0-9]{8}$"
  query:
    DBTask: "showmarks"
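As an added illustration of the `storage load` step and the `IdentifierRegex` directive (example code written for this page, not DeepSea's own implementation), the following Go program reads the CSV layout shown above, replaces `<dynamic>` identifiers with values drawn from crypto/rand for a `^[class]{n}$` pattern, verifies each candidate against the compiled regex, falls back to a random 8-digit string as the directive comment describes, and rejects duplicate identifiers, which would make click attribution ambiguous. Restricting the generator to a single character class of fixed length is an assumption made to keep it small; DeepSea's own generator is presumed to handle arbitrary regexes.

```go
package main

import (
	"crypto/rand"
	"encoding/csv"
	"fmt"
	"io"
	"math/big"
	"regexp"
	"strconv"
	"strings"
)

// Mark is one row of the marks CSV (ident,email,firstname,lastname).
type Mark struct{ Identifier, Email, Firstname, Lastname string }

// shape matches the one regex form the sample config uses, ^[class]{n}$ (assumed simplification).
var shape = regexp.MustCompile(`^\^\[([^\]]+)\]\{(\d+)\}\$$`)

// expandClass turns a class body such as "a-z0-9_" into the literal alphabet it denotes.
func expandClass(class string) []rune {
	var out []rune
	r := []rune(class)
	for i := 0; i < len(r); i++ {
		if i+2 < len(r) && r[i+1] == '-' {
			for c := r[i]; c <= r[i+2]; c++ {
				out = append(out, c)
			}
			i += 2
		} else {
			out = append(out, r[i])
		}
	}
	return out
}

// randomString draws n characters from alphabet with crypto/rand. Identifiers end up in
// URLs that attribute a click to one mark, so they must not be predictable (no math/rand).
func randomString(alphabet []rune, n int) string {
	out := make([]rune, n)
	for i := range out {
		k, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			panic(err) // the OS CSPRNG failing is not something to recover from
		}
		out[i] = alphabet[k.Int64()]
	}
	return string(out)
}

// GenerateIdentifier mirrors the IdentifierRegex directive: produce a value for the pattern,
// verify it against the compiled regex, otherwise fall back to a random 8-digit string.
func GenerateIdentifier(pattern string) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", err
	}
	if m := shape.FindStringSubmatch(pattern); m != nil {
		n, _ := strconv.Atoi(m[2])
		if id := randomString(expandClass(m[1]), n); re.MatchString(id) {
			return id, nil
		}
	}
	return randomString([]rune("0123456789"), 8), nil
}

// LoadMarks parses the storage-load CSV, replacing "<dynamic>" identifiers with generated
// ones and rejecting duplicates, which would make click attribution ambiguous.
func LoadMarks(r io.Reader, pattern string) ([]Mark, error) {
	rows, err := csv.NewReader(r).ReadAll() // also enforces 4 fields on every row
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 || strings.Join(rows[0], ",") != "ident,email,firstname,lastname" {
		return nil, fmt.Errorf("unexpected CSV header")
	}
	seen := map[string]bool{}
	var marks []Mark
	for _, row := range rows[1:] {
		m := Mark{row[0], row[1], row[2], row[3]}
		if m.Identifier == "<dynamic>" {
			if m.Identifier, err = GenerateIdentifier(pattern); err != nil {
				return nil, err
			}
		}
		if seen[m.Identifier] {
			return nil, fmt.Errorf("duplicate identifier %q for %s", m.Identifier, m.Email)
		}
		seen[m.Identifier] = true
		marks = append(marks, m)
	}
	return marks, nil
}

func main() { // constructed sample input in the CSV layout shown above
	marks, err := LoadMarks(strings.NewReader("ident,email,firstname,lastname\n<dynamic>,xxxx@xxxxxx.com,FName,LName\n"), "^[a-z0-9]{8}$")
	fmt.Println(marks, err)
}
```

Hand-written identifiers in the CSV are taken as they are, as the directive allows; only `<dynamic>` rows get a generated value, and the duplicate check covers both kinds.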

Here is an example of a templated email message (HTPL). The text multipart (TTPL) is similar in content but different in format (without HTML markup).

Note: You can generate a TTPL from an HTPL with the dsh2t tool provided in the distribution.

<html>
<head></head>
<body>


<div> <img src="cid:" alt="Header"/> </div>

<h3> Greetings from Frequent Flyers, {(printf "%s %s" .Mark.Firstname .Mark.Lastname) } ! </h3>
<p>A new correspondence is waiting for you in the portal.</p>

<p>Kindly review the information so we can assist you in reserving your travel.</p>

<p>
Please visit {(printf "%s/%s" .URLTop .Mark.Identifier) }
</p>

<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <div>
        <!--[if mso]>
          <v:roundrect xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" href="http://litmus.com" style="height:36px;v-text-anchor:middle;width:150px;" arcsize="5%" strokecolor="#FEC426" fillcolor="#FEC426">
            <w:anchorlock/>
            <center style="color:#000000;font-family:Helvetica, Arial,sans-serif;font-size:16px;">Account #E5589-A344</center>
          </v:roundrect>
        <![endif]-->
        <a href="" style="background-color:#FEC426;border:1px solid #FEC426;border-radius:3px;color:#000000;display:inline-block;font-family:sans-serif;font-size:16px;line-height:44px;text-align:center;text-decoration:none;width:200px;-webkit-text-size-adjust:none;mso-hide:all;">Account #E5589-A344</a>
      </div>
    </td>
  </tr>
</table>


<div> <img src="cid:" alt="Footer"/> </div>

</body>
</html>
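The following Go program is an added example, not code from DeepSea: it renders stand-in versions of the HTML and text templates for one mark with standard Go templates (an assumption; the page renders the delimiters as `{( )}`, and the HTML side here uses html/template so that CSV-sourced fields cannot break out of the markup) and then assembles the MIME structure the scenario above needs: a multipart/alternative with the TXT and HTML parts, wrapped in a multipart/related that carries the two embedded logos as cid: parts, wrapped in a multipart/mixed that carries the PDF attachment, with the extra headers from the config on the envelope. The template strings, header values and file bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	htmltpl "html/template"
	"mime"
	"mime/multipart"
	"net/textproto"
	"path"
	texttpl "text/template"
)

// Mark is one row of the marks CSV (ident,email,firstname,lastname).
type Mark struct{ Identifier, Email, Firstname, Lastname string }

// Constructed stand-ins for message.htpl / message.ttpl in standard Go template
// syntax (assumption: DeepSea templates are Go templates). The HTML side uses
// html/template so CSV-sourced fields cannot break out of the markup.
var (
	htmlTpl = htmltpl.Must(htmltpl.New("htpl").Parse(`<html><body>
<div><img src="cid:logo_header.png" alt="Header"/></div>
<h3>Greetings from Frequent Flyers, {{printf "%s %s" .Mark.Firstname .Mark.Lastname}}!</h3>
<p>Please visit <a href="{{printf "%s/%s" .URLTop .Mark.Identifier}}">{{printf "%s/%s" .URLTop .Mark.Identifier}}</a></p>
</body></html>
`))
	textTpl = texttpl.Must(texttpl.New("ttpl").Parse(`Greetings from Frequent Flyers, {{printf "%s %s" .Mark.Firstname .Mark.Lastname}}!
Please visit {{printf "%s/%s" .URLTop .Mark.Identifier}}
`))
)

func ct(v string) textproto.MIMEHeader { return textproto.MIMEHeader{"Content-Type": {v}} }
// fileHeader builds the header of a base64-encoded file part.
func fileHeader(ctype, disposition, name string) textproto.MIMEHeader {
	h := ct(ctype)
	h["Content-Disposition"] = []string{disposition + "; filename=" + name}
	h["Content-Transfer-Encoding"] = []string{"base64"}
	return h
}

// addPart appends one part (binary bodies base64-encoded in 76-column lines) to a bytes.Buffer-backed writer, whose writes cannot fail.
func addPart(w *multipart.Writer, hdr textproto.MIMEHeader, body []byte, binary bool) {
	p, _ := w.CreatePart(hdr)
	if !binary {
		p.Write(body)
		return
	}
	enc := base64.StdEncoding.EncodeToString(body)
	for ; len(enc) > 76; enc = enc[76:] {
		fmt.Fprint(p, enc[:76], "\r\n")
	}
	fmt.Fprint(p, enc, "\r\n")
}

// BuildMessage renders both templates for one mark and assembles the nesting that inline
// images plus attachments require: multipart/mixed > multipart/related > multipart/alternative.
// Images sit in "related" with Content-ID = file name (referenced as cid:<name>); attachments sit in "mixed".
func BuildMessage(from, subject string, mark Mark, urlTop string,
	headers map[string]string, embeds, attachments map[string][]byte) ([]byte, error) {
	data := map[string]interface{}{"Mark": mark, "URLTop": urlTop}
	var htmlBody, textBody bytes.Buffer
	if err := htmlTpl.Execute(&htmlBody, data); err != nil {
		return nil, err
	}
	if err := textTpl.Execute(&textBody, data); err != nil {
		return nil, err
	}
	var alt bytes.Buffer // text first, HTML last: clients render the last part they support
	altW := multipart.NewWriter(&alt)
	addPart(altW, ct("text/plain; charset=utf-8"), textBody.Bytes(), false)
	addPart(altW, ct("text/html; charset=utf-8"), htmlBody.Bytes(), false)
	altW.Close()
	var rel bytes.Buffer
	relW := multipart.NewWriter(&rel)
	addPart(relW, ct("multipart/alternative; boundary="+altW.Boundary()), alt.Bytes(), false)
	for name, b := range embeds {
		h := fileHeader(mime.TypeByExtension(path.Ext(name)), "inline", name)
		h["Content-ID"] = []string{"<" + name + ">"}
		addPart(relW, h, b, true)
	}
	relW.Close()
	var body bytes.Buffer
	mixW := multipart.NewWriter(&body)
	addPart(mixW, ct("multipart/related; boundary="+relW.Boundary()), rel.Bytes(), false)
	for name, b := range attachments {
		addPart(mixW, fileHeader("application/octet-stream", "attachment", name), b, true)
	}
	mixW.Close()
	var msg bytes.Buffer // RFC 5322 header block, then the MIME body
	fmt.Fprintf(&msg, "From: %s\r\nTo: %s\r\nSubject: %s\r\nMIME-Version: 1.0\r\n", from, mark.Email, subject)
	for k, v := range headers {
		fmt.Fprintf(&msg, "%s: %s\r\n", k, v)
	}
	fmt.Fprintf(&msg, "Content-Type: multipart/mixed; boundary=%s\r\n\r\n", mixW.Boundary())
	msg.Write(body.Bytes())
	return msg.Bytes(), nil
}
```

Sending the result with the standard library is `smtp.SendMail("smtp.office365.com:587", smtp.PlainAuth("", user, password, "smtp.office365.com"), from, []string{mark.Email}, msg)`: net/smtp issues STARTTLS when the server advertises it, and PlainAuth refuses to send credentials over a connection that is neither TLS nor to localhost, which matches the `SMTPPort: 587` / `TLS: "yes"` settings above. On Office 365 keep `from` equal to the authenticated mailbox, or the submission fails with the SendAsDenied error quoted in the config comments. Note that the tracking URL appears in both the text and the HTML part; gateways compare the two.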

Email Message Construction

This section will most likely change as the email modification tools are rolled into the DeepSea binary.

Inlining CSS

Problem: Many editors and mail clients can be used to create the initial HTML content for the email message; alternatively, you may want to clone the content of a web page and modify it. Often, when such HTML is used as-is, it does not render properly in some email clients because the CSS is not inlined.

Solution: Use the supplied dsh2inline tool to convert normal HTML into HTML with inlined CSS.

./dsh2inline  ./css.in ./css.out

Generating Multipart TXT From HTML

Problem: Most email clients support and prefer HTML; some do not. Email gateways check that both HTML and TXT versions of the document are present in the delivered envelope, and the security stack takes advantage of that when checking for a phishing email.

Solution: DeepSea automatically constructs a multipart email. The expectation is that RTOs provide it with both versions. However, it may be tedious to textify an existing HTML document by hand, and RTOs may not have access to tools to do so when operating deep in the network.

DeepSea provides the dsh2t tool to convert HTML into a text-structured document to be included in the envelope.

./dsh2t samples/email.html samples/email.txt
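As an added example of the conversion this section describes (written for this page; it is not the dsh2t tool and makes no claim about how dsh2t works), the Go program below uses only the standard library to strip tags, drop `<head>`, `<style>` and `<script>` content and all comments (so the MSO conditional VML block in the template above disappears), keep block structure as line breaks, decode entities, and append each link target in parentheses, so that the text part carries the same URL as the HTML part, which is what a gateway comparing the two parts expects to see. Template placeholders pass through untouched. The sample HTML is constructed.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

var (
	// Elements whose content never belongs in the text part.
	dropElems = map[string]bool{"head": true, "style": true, "script": true}
	// Elements that start a new line in the text rendering.
	blockElems = map[string]bool{"br": true, "p": true, "div": true, "tr": true, "li": true,
		"table": true, "h1": true, "h2": true, "h3": true, "h4": true, "h5": true, "h6": true}
	hrefRe  = regexp.MustCompile(`(?i)\bhref\s*=\s*["']?([^"'\s>]+)`)
	spaceRe = regexp.MustCompile(`[ \t\r\f]+`)
	blankRe = regexp.MustCompile(`\n{3,}`)
)

// tagName returns the lower-cased element name of a tag body such as `/a` or `img src="x"/`.
func tagName(tag string) string {
	tag = strings.TrimLeft(tag, "/")
	if end := strings.IndexAny(tag, " \t\r\n/"); end >= 0 {
		tag = tag[:end]
	}
	return strings.ToLower(tag)
}

// HTMLToText converts an HTML body into the text counterpart for the multipart/alternative.
func HTMLToText(src string) string {
	var out strings.Builder
	var href string
	drop := 0 // > 0 while inside head/style/script
	for i := 0; i < len(src); {
		if src[i] != '<' {
			if drop == 0 {
				out.WriteByte(src[i])
			}
			i++
			continue
		}
		if strings.HasPrefix(src[i:], "<!--") { // comments, including <!--[if mso]> ... <![endif]-->
			end := strings.Index(src[i:], "-->")
			if end < 0 {
				break
			}
			i += end + 3
			continue
		}
		end := strings.IndexByte(src[i:], '>')
		if end < 0 {
			break
		}
		tag := src[i+1 : i+end]
		i += end + 1
		name, closing := tagName(tag), strings.HasPrefix(tag, "/")
		switch {
		case dropElems[name]:
			if closing && drop > 0 {
				drop--
			} else if !closing {
				drop++
			}
		case drop > 0: // ignore tags inside dropped elements
		case name == "a" && !closing:
			if m := hrefRe.FindStringSubmatch(tag); m != nil {
				href = m[1]
			}
		case name == "a" && href != "":
			out.WriteString(" (" + href + ")") // keep the link target in the text part
			href = ""
		case blockElems[name]:
			out.WriteByte('\n')
		}
	}
	lines := strings.Split(html.UnescapeString(out.String()), "\n")
	for k, l := range lines {
		lines[k] = strings.TrimSpace(spaceRe.ReplaceAllString(l, " "))
	}
	return strings.TrimSpace(blankRe.ReplaceAllString(strings.Join(lines, "\n"), "\n\n")) + "\n"
}

func main() {
	fmt.Print(HTMLToText(`<h3>Hello</h3><p>Visit <a href="https://xxx.com/id">the portal</a></p>`))
}
```

Because the link targets are copied verbatim, a templated `href` such as the one built from `.URLTop` and `.Mark.Identifier` survives into the TTPL and is rendered per mark exactly as in the HTPL.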

Usage

./deepsea 

Usage:
  DeepSea [flags]
  DeepSea [command]

Available Commands:
  config      dump config file
  help        Help about any command
  mailclient  Email a phish
  storage     Manage persistent record storage

Flags:
      --config string   config file (no default)
  -h, --help            help for DeepSea

Use "DeepSea [command] --help" for more information about a command.
$ ./deepsea mailclient --help
Email a phish with features

Usage:
  DeepSea mailclient [flags]

Flags:
  -F, --From string           Message From: header
  -H, --HTMLTemplate string   HTML Template file (.htpl)
  -p, --SMTPPort int          SMTP server port (default 25)
  -s, --SMTPServer string     SMTP server (default "127.0.0.1")
  -U, --SMTPUser string       SMTP user (default "testuser")
  -S, --Subject string        Message Subject: header
  -t, --TLS string            Use TLS handshake (STARTTLS) (default "yes")
  -P, --TextTemplate string   Text Template file (.ttpl)
  -T, --To string             Message To: header
  -h, --help                  help for mailclient

Global Flags:
      --config string   config file (no default)


$ ./deepsea storage --help
STORAGE: TODO

Usage:
  DeepSea storage [flags]
  DeepSea storage [command]

Available Commands:
  load        Load Marks from a file
  query       Query storage

Flags:
  -d, --DBFile string   Path to QL DB file
  -h, --help            help for storage

Global Flags:
      --config string   config file (no default)

Use "DeepSea storage [command] --help" for more information about a command.

Build

Normally, just:

go build 

However, a static cross-platform build may be desired:

CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-s -w -extldflags "-static"' .

Email relay support:

Any SMTP-compliant server.


TODO: