mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [master] 4 pages and 3 assets modified
This commit is contained in:
parent
2a708f2303
commit
2d8747bd43
6 changed files with 60 additions and 6 deletions
Binary file not shown. Before: 42 KiB, after: 73 KiB
BIN .gitbook/assets/image (365).png (new file): binary file not shown, 190 KiB
BIN .gitbook/assets/image (398).png (new file): binary file not shown, 42 KiB
@ -454,7 +454,8 @@
* [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md)
* [1911 - Pentesting fox](1911-pentesting-fox.md)
* [Online Platforms with API](online-platforms-with-api.md)
* [Phising Documents](phising-documents.md)
* [Phising Documents](phising-documents/README.md)
* [Detecting Phising](phising-documents/detecting-phising.md)
* [Reset/Forgoten Password Bypass](reset-password.md)
* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
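Review bot: the added `* [Detecting Phising](phising-documents/detecting-phising.md)` entry sits at the same list level as its parent `* [Phising Documents](phising-documents/README.md)`; in a GitBook SUMMARY.md a sub-page is nested by indenting it under the parent entry, so unless the indentation was only lost in rendering, indent the new line so the page shows up as a child of Phising Documents. Both new entries also carry the `Phising` misspelling forward into a new directory name and file name (`phising-documents/`, `detecting-phising.md`); since this commit is already moving the page, it is the cheapest moment to rename to `phishing-documents/` and `detecting-phishing.md` and correct the titles to "Phishing Documents" and "Detecting Phishing" before other pages start linking to the misspelled paths.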
@ -19,7 +19,7 @@ DOCX files referencing a remote template \(File –Options –Add-ins –Manage:
Go to: _Insert --> Quick Parts --> Field_
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_
![](.gitbook/assets/image%20%28347%29.png)
![](../.gitbook/assets/image%20%28347%29.png)
### Macros Code
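Review bot: the change from `![](.gitbook/assets/image%20%28347%29.png)` to `![](../.gitbook/assets/image%20%28347%29.png)` is the correct fix now that the page lives one level down as `phising-documents/README.md`; without it the screenshot would break after the move. While this block is being touched, the unchanged line above reads `**Filed names**: includePicture`, where Word's dialog says "Field names", so `Filed` should become `Field`.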
@ -245,11 +245,11 @@ Set a rDNS \(PTR\) record that resolves the IP address of the VPS to the domain
You must **configure a SPF record for the new domain**. If you don't know what is a SPF record read the following page:
{% page-ref page="pentesting/pentesting-smtp/" %}
{% page-ref page="../pentesting/pentesting-smtp/" %}
You can use [https://www.spfwizard.net/](https://www.spfwizard.net/) to generate your SPF policy \(use the IP of the VPS machine\)
![](.gitbook/assets/image%20%28345%29.png)
![](../.gitbook/assets/image%20%28398%29.png)
This is the content that must be set inside a TXT record inside the domain:
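Review bot: the image line is not only re-pathed but swapped from asset (345) to the newly added asset (398), while (345) is still referenced by the new detecting-phising.md page in this same commit, so it is worth checking in the GitBook preview that (398) is really the spfwizard screenshot and (345) the crt.sh one and that the two were not mixed up. The `../pentesting/pentesting-smtp/` page-ref fix is consistent with the page's new location. The SPF example that follows (`v=spf1 mx a ip4:ip.ip.ip.ip ?all`) uses the neutral `?all` qualifier, which is acceptable for a phishing-simulation domain that only ever sends from the listed VPS, but the text should say that a reader configuring SPF for a domain they actually want to protect should use `-all` (or at least `~all`) instead.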
@ -261,7 +261,7 @@ v=spf1 mx a ip4:ip.ip.ip.ip ?all
You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record read the following page:
{% page-ref page="pentesting/pentesting-smtp/" %}
{% page-ref page="../pentesting/pentesting-smtp/" %}
You have to create a new DNS TXT record pointing the hostname `_dmarc.<domain>` with the following content:
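Review bot: the record readers are told to publish at `_dmarc.<domain>`, `v=DMARC1; p=none` (visible as the context of the next hunk header), is a monitoring-only policy: `p=none` asks receivers to deliver messages that fail DMARC alignment and at most report them, which is what a phishing-simulation sender wants, but `You must **configure a DMARC record for the new domain**` reads as if the record protects something. Add a clause saying the policy is deliberately `p=none` here so readers do not copy it as a protective setting for their own domain, where `p=quarantine` or `p=reject` is the goal. The `../pentesting/pentesting-smtp/` path fix is consistent with the move.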
@ -273,7 +273,7 @@ v=DMARC1; p=none
You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record read the following page:
{% page-ref page="pentesting/pentesting-smtp/" %}
{% page-ref page="../pentesting/pentesting-smtp/" %}
This tutorial is based on: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
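Review bot: the unchanged line `You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record read the following page:` is a copy-paste leftover from the DMARC paragraph and should say "If you don't know what DKIM is"; since this hunk already touches the paragraph, fix it here. The `../pentesting/pentesting-smtp/` page-ref fix matches the other hunks.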
phising-documents/detecting-phising.md (new file, 53 lines)
@ -0,0 +1,53 @@
# Detecting Phising
## Introduction
In order to detect a phishing attempt it's important to **understand the phishing techniques that are being used nowadays**. In the parent page of this post you can find this information, so if you aren't aware of which techniques are being used today I recommend you to go to the parent page and read at least that section.
This post is based in the idea that the **attackers will try to somehow mimic or used the victim's domain name**. If your domain is called `example.com` and you receive a phishing that is using a completely different domain name for some reason like `youwonthelottery.com`, this techniques aren't going to uncover it.
## Domain name variations
It's kind of **easy** to **uncover** those **phishing** attempts that will use a **similar domain** name inside the email.
It's enough to **generate a list of the most probable phishing names** that an attacker may use and **check** if it's **registered** or just check if there is any **IP** using it.
### Finding suspicions domains
For this purpose you can use any of the following tools. Note that these tolls will also perform DNS requests automatically to check if the domain has any IP assigned to it:
* \*\*\*\*[**dnstwist**](https://github.com/elceef/dnstwist)\*\*\*\*
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)\*\*\*\*
### Basic checks
Once you have a list of potential suspicions domain names you should **check** them \(mainly the ports HTTP and HTTPS\) to **see if they are using some login form similar** to someone of the victim's domain.
You could also check the port 3333 to see if it's open and running an instance of `gophish`.
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.
### Advanced checks
If you want to go one step further I would recommend you to **monitor those suspicious domains and search for more** once in a while \(every day? it only takes a few seconds/minutes\). You should also **check** the open **ports** of the related IPs and **search for instances of `gophish` or similar tools** \(yes, attackers also make mistakes\) and **monitor the HTTP and HTTPS web pages of the suspicions domains and subdomains** to see if they have copied any login form from the victims web pages.
In order to automate this I would recommend to to have a list of login forms of the victims domains, spider the suspicions web pages and compare each login form found inside the suspicions domains with each login form of the victim's domain using something like `ssdeep`.
## Domain names using keywords
I the parent page it's also mentioned a domain name variation technique that consist on putting the **victim's domain name inside a bigger domain** \(e.g. paypal-financial.com for paypal.com\).
#### Certificate Transparency
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of https://paypal-financial.com, seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggest that you can use Censys to search for certificates affecting a specific keyword and filter by date \(only "new" certificates\) and by the CA issuer "Let's Encrypt":
![](../.gitbook/assets/image%20%28365%29.png)
However, you can do "the same" using the free web [**crt.sh**](https://crt.sh/). You can **search for the keyword** and the **filter** the results **by date and CA** if you whish.
![](../.gitbook/assets/image%20%28345%29.png)
Using this last option you can even use the field Matching Identities to see if any identity from the real domain matches any of the suspicious domain \(note that a suspicious domain can be a false positive\).
**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in \(near\) real-time. In fact, there is a project called [**phishing\_catcher**](https://github.com/x0rz/phishing_catcher) that does just like that.
**One last alternative** is to gather a list of **newly registered domains** for some TLDs \([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service\) and **check the keywords in these domains**. However, long domains usually uses one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain.
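Review bot: the gophish check in the Basic checks section (`You could also check the port 3333 to see if it's open and running an instance of \`gophish\``) needs a caveat: 3333 is the default port of gophish's admin interface, which binds to 127.0.0.1 unless the operator changes `listen_url`, while the landing pages are served by its separate phish server on 80/443, so an exposed 3333 indicates a careless operator and is a bonus signal, not the primary check; the HTTP/HTTPS login-form comparison described in the same section is what will catch most campaigns. The Certificate Transparency paragraph should be qualified too: a certificate shows up in crt.sh, Censys or CertStream only when the issuing CA logs it, which publicly trusted CAs now do, but a phishing site served over plain HTTP or with a certificate from a private CA leaves no CT trace, and narrowing the Censys search to a single issuer (the "Let's Encrypt" filter in the screenshot) is a heuristic that misses attackers using any other free CA. In the last paragraph, spell out that FLD means the registrable (first-level) domain, and note that CT logs do include subdomains, which is exactly why they cover the `paypal.<attacker-domain>` case that newly-registered-domain feeds miss. Formatting: the `\*\*\*\*` runs around the dnstwist and urlcrazy links are GitBook export debris that render as literal asterisks, and `#### Certificate Transparency` sits directly under a `##` heading and should be `###` like the other subsections. Spelling: "Phising" (title and filename), "suspicions" throughout (read "suspicious"), "I the parent page", "tolls", "whish", "emitted" (read "issued"), and "similar to someone of the victim's domain" (read "similar to one on the victim's domain").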