Building Gophish Healthcheck: Part One

One of the questions I see most often from Gophish users is “how do I get past my spam filter?” Generally, my answer to this is something along the lines of “just whitelist the IP address,” since it’s my opinion that phishing simulations should be a test of the people and processes, not the email infrastructure.

But what if we do want to test the email infrastructure?

This post is the first in a two-part series about how I’m creating the email healthcheck service for Gophish. This post talks about how I handle DNS programmatically, and the next post will describe the actual architecture being used.

Read More

Automating Gophish Releases With Ansible and Docker


It’s been a while! While I haven’t posted as much here, I have been writing quite a bit over on Duo’s blog about the really cool research I’ve gotten to do this past year with the incredible Duo Labs team.

Any spare time I’ve had has been spent working on Gophish. This past year I’ve released a new hand-crafted, artisanal website, responded to nearly 400 support requests, and made too many improvements to count!

Now, most people who use Gophish use a pre-built binary*, which means that it’s important to make new releases as soon as possible after improvements are made. Otherwise, I’m left answering support requests with the advice of “build from source”, which is not ideal.

The previous release process was manual, making it a huge pain. This led to inconsistency and large amounts of time spent packaging every release, which results in very infrequent releases.

This post documents the previous process as well as how I recently improved it using Ansible, Docker, DigitalOcean APIs, and more.

Read More

Analyzing 5 Years of Police Call Data

San Antonio is a great city. According to Yelp, there are over 1200 places to get a taco - how could it not be great?

Unfortunately, any time you get a huge group of people together there will be crime, and SA is no exception. Our SAPD stay busy 24/7, constantly putting their lives on the line to keep the city safe, and I’m thankful for all the work they do.

Being an amateur API aficionado, I was excited to find the SAPD Open Data Initiative that contains a wealth of information on the activities the SAPD perform. Specifically, I wanted to see what kinds of analytics I could gather from exploring the historic SAPD call data.

In this post, I’ll explain how I was able to gather and analyze 4.3 million call data records, or how I basically became the extremely boring part of Batman.

Read More

I Automated Infosec "Thought Leadership", and it's Hilarious


Being a Thought Leader is Hard

@thought__leader - Thinking thoughts for you, so you don’t have to.

The infosec industry is full of “thought leaders”. These are people who are on the forefront of the industry, keeping up with latest trends, technologies, and philosophies.

Or they are heavy on the buzzwords and prolific on LinkedIn/Twitter. That works, too.

Unfortunately, both of these take way too much time for me. In fact, I’d argue that they take too long for our industry. So this weekend, I set out to automate thought leadership, so that we can spend more time doing things that matter - things like coming up with marketing for the next CVE or finding obscure reflective XSS bugs that affect literally no one.

This resulted in @thought__leader. And it’s hilarious.

Read More

What Happens When Tor Exit Nodes Break Bad?

Introduction

When looking at how Tor works, we’ve looked at the various types of nodes that make up the Tor network. However, you’ll notice that we haven’t dealt too much with exit nodes. Exit nodes are the final link in a Tor “circuit”, or path from the client to the server. Since exit nodes send data to the final destination, they can see the data as if it had just left the device.

This visibility puts quite a bit of trust in exit nodes and, for the most part, they tend to act responsibly. However, this isn’t always the case. This post will take a look at what happens when a Tor exit node operator decides to “break bad” and wreak havoc on Tor users.

Read More

Jordan Wright on #tor

How to Download a List of All Registered Domain Names

Introduction

Every morning, the infosec field is greeted with an onslaught of freshly registered malicious domains. These domains are used to host phishing sites, maintain botnet command and control, harvest stolen information, and more.

Having the complete list of registered domains day-by-day offers substantial visibility that can be used for intel and response. Fortunately, such lists not only exist, but are available (usually for free!) with little effort involved. This post will introduce TLD zone files, how to access them, and how they can be used to your benefit.

Read More

Gophish Update - Importing Sites and Emails

Introduction

I’m excited to announce that the gophish “alpha” release is almost complete! I’m just cleaning up a few bugs, touching some things up, etc. In the meantime, I wanted to write a quick post to show off some really slick features that I was able to add earlier than planned.

Creating pixel-perfect email templates and landing pages is crucial to delivering the best possible phishing training. Gophish has always had the ability to create these, but it was quite frankly a pain to use, as you needed the raw HTML or text for both the email and site content. In this post, let’s take a look at how we can now import sites and emails directly into gophish.

Read More

Jordan Wright on #gophish

CSAW CTF 2015 - Forensics 100 Transfer Writeup

This challenge starts off with the following hint:

I was sniffing some web traffic for a while, I think i finally got something interesting. Help me find flag through all these packets.

This challenge started off with a pcap. Let’s take the cheap way out and do a basic Wireshark filter for frame contains flag:

Read More