Introduction:

This workshop is designed to advance participants from a basic understanding of phishing and social engineering to mastering sophisticated techniques for security awareness, red teaming, and security control testing. Over two days of hands-on training, participants will journey through the full spectrum of phishing techniques, from beginner to expert level.

Key objectives include:

  • Understanding the evolution and types of phishing attacks, as well as the tools and methods used by attackers.
  • Mastering the creation of phishing payloads, bypassing security controls, and exploiting weaknesses in Multi-Factor Authentication (MFA).
  • Learning how to utilize advanced tools like Muraena and NecroBrowser for post-exploitation automation, including session hijacking.
  • Developing defensive strategies against phishing, including email security mechanisms and incident response.
  • Gaining practical experience through hands-on exercises that simulate real-world phishing scenarios.

By the end of the workshop, participants will be equipped to enhance their red teaming capabilities, fortify defenses, and anticipate evolving phishing threats with a comprehensive and practical understanding of the phishing landscape.

Table of Contents

  1. Day 1: Phishing Essentials and Offensive Techniques
    • Introduction to Phishing: History, Types, and Evolution of Phishing Attacks; Case Studies and Real-World Examples
    • Email Security Mechanisms: Overview of Email Ecosystem - Vendors, DMARC, SPF, DKIM; Advanced Email Header Analysis
    • Phishing Toolkits: Exploration of Popular Toolkits and Blackmarket Insights
    • Crafting Phishing Emails: Hands-on - Creating and Analyzing Phishing Emails; Techniques for Bypassing Email Security Controls
    • Phishing Payload Creation: Techniques for Effective Payload Development; Strategies for Data Exfiltration and Target Selection
  2. Day 2: Advanced Phishing, Defense Mechanisms, and Post-Exploitation
    • Bypassing Multi-Factor Authentication (MFA): Understanding MFA Pitfalls and Bypass Techniques
    • Advanced Tools: Hands-on with Muraena and NecroBrowser for Post-Exploitation Automation; Session Hijacking and Automation Techniques
    • Cloud Phishing and OAuth Token Abuse: Overview and Practical Session on Targeting Cloud Services
    • Defensive Strategies Against Phishing: Best Practices and Frameworks for Mitigating Phishing Threats; Incident Response and Legal Considerations
    • Wrap-up and Q&A: Summary of Key Learnings and Final Q&A Session

Prerequisites:

  • Basic understanding of email protocols, web technologies, and Linux.

Participants Requirements:

  • Participants must bring their own laptops with virtualization software installed (VMware or VirtualBox recommended) and a Linux distribution loaded.

Duration

2 days

Who should attend:

  • Red Teamers and Penetration Testers
  • Security Analysts
  • Security Awareness Trainers
  • Students and aspiring security enthusiasts

What to expect:

  • A comprehensive understanding of phishing and social engineering from basic to advanced levels.
  • Interactive and engaging sessions with a focus on hands-on exercises and real-world scenarios.
  • Networking opportunities with like-minded professionals and sharing of valuable experiences.

What not to expect:

In-depth instruction and discussion outside the scope of phishing and post-exploitation automation.