Practical Phishing Automation with PhishLulz

Presented at Kiwicon X: The Truth is In Here (2016), Nov. 17, 2016, 4:30 p.m. (30 minutes)

If you do Phishing attacks on a regular basis, you will end up using a framework or scripts to automate some of the tedious parts. You have your preferred web stack for phishing pages, your custom SMTP delivery system (with SPF/DKIM enabled AND good reputation - of course), your payloads and so on, and you need to maintain all of that while evolving it at the same time. Where do you host your phishing infrastructure? What happens if the target blacklists your phishing FQDNs or IPs? Moreover, do you have a template system for HTML emails, including victim fingerprinting with automated and targeted exploit delivery? If you have such needs and you do all the above manually, then PhishLulz comes to the rescue. PhishLulz is a Ruby toolkit to dynamically instantiate phishing instances on the fly. You can use Amazon, OpenStack, libvirt and much more (the ruby Fog gem comes to the rescue), which means you can use it to deploy internal phishing VMs, or have everything public in the cloud. It comes with a Debian Amazon EC2 image pre-configured with PhishingFrenzy, BeEF, Metasploit, ShellTer, Veil and other useful tools for phishing engagements (Mr.Robot will be lost, he uses SET !!). PhishLulz allows to focus on pretext creation and payload customisation, automating for you all the tedious configurations related to the phishing infrastructure. Multiple real-life stories from engagements done with PhishLulz will be discussed, including automated functionality to concurrently grep Outlook Web Access and Outlook 365 webmails with different credentials. In the middle of all of this, we will also analyze some interesting real-life scenarios of phishing lures spotted in the wild. As a side note, PhishLulz will be exclusively released at KiwiCon X.


  • antisnatchor
    antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook". He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (however, there is no hope). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra AllStars, ZeroNights, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, InsomniHack, PXE, BlackHat. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while s/phishing/fishing/ on saltwater and hoping for Kubrick's resurrection.


Similar Presentations: