Phishing Tips

If you are looking to phish your own company (with permission), or to perform phishing as part of a security service, there are a lot of resources to help you get started. I’ve spent some time on this lately learning from others like those at Black Hills Info. Sec. and Zeknox (Phishing Frenzy). Below are a couple of tips I picked up along the way that I feel are important when phishing.

  • Register a convincing domain to use
    • Use the same registrar for all of your domains so they are easy to manage in one place. (GoDaddy DNS records update really fast, which is good for phishing, where you often need new records live on short notice.)
  • Actually have a real email address for the sending account (some receiving mail servers check that the sender mailbox exists before they accept a message, and replies and bounces need somewhere to land)
    • Set up an email server and an email account for the sending address
      • GoDaddy often offers free Office 365 email for a month, so that is one easy way to set up a temporary email server and account. That deal isn’t constant, so it isn’t always an option.
      • Rackspace offers cheap business email accounts, and you can manage multiple domains from one interface, which is nice. The minimum is 5 accounts for $10/month, but you can add one at a time after that.
  • Set up SPF and DKIM records for the domain. SPF is a TXT record on the domain that lists the hosts allowed to send mail for it; DKIM publishes the public key your mail server signs with at <selector>._domainkey.<domain>. Without them the receiving server has no way to verify the sender, and the message is far more likely to be scored as spam or rejected outright.
  • Use legitimate TLS certs for the websites
    • Let’s Encrypt can be used to generate free TLS certs, so the landing page gets the padlock and no certificate warning and looks more legit.
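Before sending, it is worth checking the domain the same way a receiving mail server will: does it have MX records, does its SPF record authorize the IP you actually send from, and is there a usable DKIM key under the selector your mail server signs with. The script below is an added example and not code from the original post; it runs offline against a constructed zone (the domain names, selector and IPs are hypothetical), and the SPF evaluator covers only the ip4/ip6/a/mx/include/all mechanisms, which is enough for the records a small phishing setup publishes.

```python
"""Pre-flight check of the DNS records a receiving mail server consults:
MX for the sending domain, an SPF record that authorizes the sending IP,
and a DKIM public key under the signing selector.
Added example, not from the original post. The zone data below is
constructed and every name in it is hypothetical."""
import ipaddress

# Constructed DNS zone: (name, rrtype) -> list of record strings.
# 'example-payroll.test' plays a fully set-up phishing domain;
# 'unfinished.test' was registered but never got SPF or DKIM.
ZONE = {
    ("example-payroll.test", "MX"): ["10 mail.example-payroll.test."],
    ("example-payroll.test", "A"): ["203.0.113.10"],
    ("mail.example-payroll.test", "A"): ["203.0.113.10"],
    ("example-payroll.test", "TXT"): [
        "v=spf1 mx include:_spf.hosted-mail.test -all"],
    # SPF of a hypothetical hosted-mail provider, pulled in via include:
    ("_spf.hosted-mail.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("s1._domainkey.example-payroll.test", "TXT"): [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"],
    ("unfinished.test", "MX"): ["10 mail.unfinished.test."],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.rstrip(".").lower(), rrtype), [])


def spf_record(domain):
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None   # zero or several -> unusable


def ip_in(ip, cidr):
    # Mixing IPv4 and IPv6 never matches; ipaddress handles that itself.
    return ip in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:        # skip the v=spf1 tag
        q = "+"
        if term[0] in QUALIFIERS:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech in ("a", "mx"):
            host = arg or domain
            targets = [host] if mech == "a" else [m.split()[1] for m in lookup(host, "MX")]
            matched = any(ip_in(ip, a) for t in targets for a in lookup(t, "A"))
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:                     # first matching mechanism decides
            return QUALIFIERS[q]
    return "neutral"


def check_dkim(domain, selector):
    """Return the parsed DKIM tags, or None if no usable key is published."""
    recs = lookup(f"{selector}._domainkey.{domain}", "TXT")
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    # 'v' is optional but must be DKIM1 if present; an empty 'p' means a revoked key.
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return None
    return tags


def preflight(domain, sender_ip, selector):
    """The three checks a receiver makes, as one result dict."""
    return {
        "mx": bool(lookup(domain, "MX")),
        "spf": check_spf(domain, sender_ip),
        "dkim": check_dkim(domain, selector) is not None,
    }


if __name__ == "__main__":
    for d, ip in [("example-payroll.test", "203.0.113.10"),
                  ("example-payroll.test", "198.51.100.7"),
                  ("example-payroll.test", "192.0.2.1"),
                  ("unfinished.test", "203.0.113.10")]:
        print(d, ip, preflight(d, ip, "s1"))
```

Against a real domain, replace lookup() with actual DNS queries (dig, or a resolver library) and run preflight() with the public IP of the box that will actually deliver the mail; the IP that matters is the one the receiving server sees on the SMTP connection, not the one on the web server hosting the landing page.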

That’s it. Just a couple of quick tips.

Ditching PTF for Kali Light

After using the Penetration Testing Framework for several months I have decided to part ways with the platform. The primary reason is that it requires enabling updates from the unstable repository, something that has made me uneasy for quite a while, to the point that I’ve decided it is no good for production. Instead, for systems where I don’t want the full suite of Kali tools, I have decided to go with Kali Light, which has just the basics installed. From there you can add what you want and keep everything tight and easy to maintain.