[Owasp-alabama] Phishing Tool ideas and opinion

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Wed Jul 8 13:28:56 EDT 2009

Hey Mike,


I agree. I think that we should release the tool as it may help  overall
security in the phishing/security awareness area.   What I don't want to do
is release a version that's fully functional with advanced payloads.


Meaning, that the attacker has the option to not only harvest credentials -
but launch more malicious attacks such as OS and Browser exploits. I'd even
consider releasing the tool with a SAFE payload, meaning that my default it
doesn't harvest credentials. Rather, the phishing page is a security
awareness page about phishing for user education.


That way, it would be more usable out of the box for education. Anyone
attacker that knows PHP would easily modify the phishing sites to harvest
credentials or whatever they wanted to do.


I have done a lot of research on what it takes to bypass outlook and other
phishing/SPAM filters so I would want to leave that out as well.




From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Wednesday, July 08, 2009 12:20 PM
To: owasp-alabama at lists.owasp.org
Subject: Re: [Owasp-alabama] Phishing Tool ideas and opinion


Howdy all,


Just my two cents on this:  I don't think that releasing it is really all
that bad.  The crackers that we all work to stop probably already have their
own custom tools that do this.  Besides that, phishing should be part of pen
testing any way.  This is just another tool that the security community
could use to train and educate our end users as well as aid in the security
testing of a network.  I would love to see this some time. 


Good luck with it.


Mike Conway, Security +, CEH

Dynetics, Inc.




From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Wednesday, July 08, 2009 11:53 AM
To: owasp-alabama at lists.owasp.org
Subject: [Owasp-alabama] Phishing Tool ideas and opinion


Hey Guys,


I wanted to have a discussion with the list about the Lunker phishing tool
that was worked on last year.  Basically, it's a phishing framework used to
perform controlled phishing attacks.  It's written in PHP, Python, MySQL.


Myself and Brad Causey did most of the development up to this point. Anyway,
I wanted to get the lists opinion on releasing the tool to the public. We
talked about it last year, and decided that the tool was too powerful in the
hands of the wrong people. But there more I think about it, so it
MetaSploit, BeEF, and most other security tools.


The way Lunker is currently configured it must use a valid SMTP account to
send emails, so it's not anonymous or anything. We also only include a
credential harvesting payload, and not advanced OS or Browser exploits.


So my question is, how do you guys feel about releasing this tool from the
Alabama Chapter?


I have some more work to finish it up, but would setup SVN access for anyone
who wanted to contribute.


Joshua Perrymon, CEH, OPST, OPSA

CEO PacketFocus LLC

Josh at packetfocus.com



www.packetfocus.com <http://www.packetfocus.com/> 


President Alabama OWASP Chapter www.owasp.org <http://www.owasp.org/> 

Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com





-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-alabama/attachments/20090708/3940f7c9/attachment-0001.html 

More information about the Owasp-alabama mailing list