About a year ago, the Python Software Foundation opened a Request for Information (RFI) to discuss how we could detect malicious packages being uploaded to PyPI. Whether it’s taking over abandoned packages, typosquatting on popular libraries, or hijacking packages using credential stuffing, it’s clear this is a real issue affecting nearly every package manager.
One of the questions I see most often from Gophish users is “how do I get past my spam filter?” Generally, my answer to this is something along the lines of “just whitelist the IP address,” since it’s my opinion that phishing simulations should be a test of the people and processes, not the email infrastructure.
But what if we do want to test the email infrastructure?
This post is the first in a two-part series about how I’m creating the email healthcheck service for Gophish. This post talks about how I handle DNS programmatically, and the next post will describe the actual architecture being used.
Read More
It’s been a while! While I haven’t posted as much here, I have been writing quite a bit over on Duo’s blog about the really cool research I’ve gotten to do this past year with the incredible Duo Labs team.
Any spare time I’ve had has been spent working on Gophish. This past year I’ve released a new hand-crafted, artisinal website, responded to nearly 400 support requests, and made too many improvements to count!
Now, most people who use Gophish use a pre-built binary*, which means that it’s important to make new releases as soon as possible after improvements are made. Otherwise, I’m left answering support requests with the advice of “build from source”, which is not ideal.
The previous release process was manual, making it a huge pain. This led to inconsistency and large amounts of time spent packaging every release, which results in very infrequent releases.
This post documents the previous process as well as how I recently improved it using Ansible, Docker, DigitalOcean API’s, and more.
Read More
Back in March, Wikileaks released over 30,000 emails “sent to and from Hillary Clinton’s private email server while she was Secretary of State”.
Read More
San Antonio is a great city. According to Yelp, there are over 1200 places to get a taco - how could it not be great?
Unfortunately, any time you get a huge group of people together there will be crime, and SA is no exception. Our SAPD stay busy 24⁄7, constantly putting their lives on the line to keep the city safe, and I’m thankful for all the work they do.
Being an amateur API aficionado, I was excited to find the SAPD Open Data Initiative that contains a wealth of information on the activities the SAPD perform. Specifically, I wanted to see what kinds of analytics I could gather from exploring the historic SAPD call data.
In this post, I’ll explain how I was able to gather and analyze 4.3 million call data records, or how I basically became the extremely boring part of Batman.
Read More
@thought__leader - Thinking thoughts for you, so you don’t have to.
The infosec industry is full of “thought leaders”. These are people who are on the forefront of the industry, keeping up with latest trends, technologies, and philosophies.
Or they are heavy on the buzzwords and prolific on Linkedin/Twitter. That works, too.
Unfortunately, both of these take way too much time for me. In fact, I’d argue that they take too long for our industry. So this weekend, I set out to automate thought leadership, so that we can spend more time doing things that matter - things like coming up with marketing for the next CVE or finding obscure reflective XSS bugs that affect literally no one.
This resulted in @thought__leader. And it’s hilarious.
Read More
When looking at how Tor works, we’ve looked at the various types of nodes that make up the Tor network. However, you’ll notice that we haven’t dealt too much with exit nodes. Exit nodes are the final link in a Tor “circuit”, or path from the client to the server. Since exit nodes send data to the final destination, they can see the data as if it had just left the device.
This visibility puts quite a bit of trust in exit nodes and, for the most part, they tend to act responsibly. However, this isn’t always the case. This post will take a look at what happens when a Tor exit node operator decides to “break bad” and wreak havoc on Tor users1.
Read More
Every morning, the infosec field is greeted with an onslaught of freshly registered malicious domains. These domains are used to host phishing sites, maintain botnet command and control, harvest stolen information, and more.
Having the complete list of registered domains day-by-day offers substantial visibility that can be used for intel and repsonse. Fortunately, such lists not only exist, but are available (usually for free!) with little effort involved. This post will introduce TLD zone files, how to access them, and how they can be used to your benefit.
Read More
I’m excited to announce that the gophish “alpha” release is almost complete! I’m just cleaning up a few bugs, touching some things up, etc. In the meantime, I wanted to write a quick post to show off some really slick features that I was able to add earlier than planned.
Creating pixel-perfect email templates and landing pages are crucial to delivering the best possible phishing training. Gophish has always had the ability to create these, but it was quite frankly a pain to use as you needed the raw HTML or text for both the email and site content. In this post, let’s take a look at how we can now import sites and emails directly into gophish.
Read More
For this challenge, we were given an HDD image and asked to find the flag on it. Let’s start by seeing what kind of file we’re dealing with:
Read More