Introduction:
This workshop is designed to advance participants from a basic understanding of phishing and social engineering to mastering sophisticated techniques for security awareness, red teaming, and security control testing. Over two days of hands-on training, participants will journey through the full spectrum of phishing techniques, from beginner to expert level.
Key objectives include:
- Understanding the evolution and types of phishing attacks, as well as the tools and methods used by attackers.
- Mastering the creation of phishing payloads, bypassing security controls, and exploiting weaknesses in Multi-Factor Authentication (MFA).
- Learning how to utilize advanced tools like Muraena and NecroBrowser for post-exploitation automation, including session hijacking.
- Developing defensive strategies against phishing, including email security mechanisms and incident response.
- Gaining practical experience through hands-on exercises that simulate real-world phishing scenarios.
By the end of the workshop, participants will be equipped to enhance their red teaming capabilities, fortify defenses, and anticipate evolving phishing threats with a comprehensive and practical understanding of the phishing landscape.
Table of Contents
- Day 1: Phishing Essentials and Offensive Techniques
- Introduction to Phishing: History, Types, and Evolution of Phishing Attacks; Case Studies and Real-World Examples
- Email Security Mechanisms: Overview of Email Ecosystem - Vendors, DMARC, SPF, DKIM; Advanced Email Header Analysis
- Phishing Toolkits: Exploration of Popular Toolkits and Blackmarket Insights
- Crafting Phishing Emails: Hands-on - Creating and Analyzing Phishing Emails; Techniques for Bypassing Email Security Controls
- Phishing Payload Creation: Techniques for Effective Payload Development; Strategies for Data Exfiltration and Target Selection
- Day 2: Advanced Phishing, Defense Mechanisms, and Post-Exploitation
- Bypassing Multi-Factor Authentication (MFA): Understanding MFA Pitfalls and Bypass Techniques
- Advanced Tools: Hands-on with Muraena and NecroBrowser for Post-Exploitation Automation; Session Hijacking and Automation Techniques
- Cloud Phishing and OAuth Token Abuse: Overview and Practical Session on Targeting Cloud Services
- Defensive Strategies Against Phishing: Best Practices and Frameworks for Mitigating Phishing Threats; Incident Response and Legal Considerations
- Wrap-up and Q&A: Summary of Key Learnings and Final Q&A Session
Prerequisites:
- Basic understanding of email protocols, web technologies, and Linux.
Participant Requirements:
- Participants must bring their own laptops with virtualization software installed (VMware or VirtualBox recommended) and a Linux distribution loaded.
Duration:
- 2 days
Who should attend:
- Red Teamers and Penetration Testers
- Security Analysts
- Security Awareness Trainers
- Students and aspiring security enthusiasts
What to expect:
- A comprehensive understanding of phishing and social engineering from basic to advanced levels.
- Interactive and engaging sessions with a focus on hands-on exercises and real-world scenarios.
- Networking opportunities with like-minded professionals and the sharing of valuable experiences.
What not to expect:
- In-depth instruction and discussion outside the scope of phishing and post-exploitation automation.