Shopping Cart

No products in the cart.

How to Build a Phishing Engagement: Coding TTP’s

This webcast was originally published on July 9th, 2021.

In this video, Ralph discusses how to build a phishing engagement, focusing on coding techniques and tools to automate and secure phishing tests. He demonstrates how infrastructure setup, operational security, and phishing email creation can be automated using tools like Ansible, Terraform, and Docker. Ralph also highlights the importance of operational security in phishing engagements, showing how to protect phishing infrastructure and manage indicators of compromise.

  • Phishing is one of the most successful techniques for security engagements, often involving social engineering to gain access.
  • Operational security for phishing involves careful setup of infrastructure, including domain name creation, virtual machines for hosting the phishing site, and secure email services to send phishing emails.
  • Automation and tools like GoFish and Evilginx2 are critical for streamlining phishing campaigns and improving efficiency while maintaining operational security.

Highlights

Full Video

Transcript

Jason Blanchard

Thank you so much for being here. For this Blackfield information security webcast. Today. It’s going to be on the topic how to build a phishing engagement with Ralph, talking about coding ttps. If you have any questions at all, feel free to ask them in the gotowebinar chat or in discord.

I highly recommend discord if you are on there, if you enjoy that kind of thing. Plus, you can post memes. But Ralph’s going to give the presentation. It’s going to be about 50 minutes long. At the end, we’ll do q and a, but if there’s a question that comes up that feels like it should be answered, then, then we will interrupt Ralph and say, hey, Ralph, we have a question.

So if not, then we’ll just wait to the end. And with that said, if you ever need a pen test, where to find us. Ralph, it’s all yours.

Ralph May

Oh, thank you. All right. All right. So I’d like to thank everybody for joining my presentation on how build a phishing engagement coding ttps.

I have a lot to cover today and, get rolling right into it. Right? So the obligatory who am I? Slide. So right now, I’m a pen tester at Bhis, and I’ve been doing this for about six years.

I’ve been on a lot of engagements done of a lot of different assessments, a lot of stuff. I’m an army veteran and, I worked in some civilian contracting and other things before I actually got into pen testing.

Right. So I have a bit of, experience in it. My hobby is my job. I put this picture of the server rack in here. It’s something I just enjoy to do. It is actually a hobby of mine, servers and it, and all this other stuff.

So I really, really enjoy it. In addition to that, I’m also from Florida, for everyone who doesn’t know. And I’m a Florida man and part time alligator regular.

So something I like to do, just wrestle some alligators. It’s honestly a mandatory ability to live in Florida. So if you didn’t know that, now you do.

So quick disclaimer before I get rolling on this stuff is that this is some advanced topics. So if it’s above or below, you may know this stuff.

Just know that I’m trying to give you the whole picture. Okay? And I really designed this for red team, so a lot of evasion and a lot of other things that sometimes aren’t necessarily always required.

But if you’re on the blue side, look at these as tips. Of what to possibly be looking for and other techniques that could be bypassing your security controls you have in place.

talk a lot about automation, and automation is great, but it’s not great for everything. So just know that when I’m going, there is issues sometimes with automating stuff, and I totally understand that.

And other times it can really help speed up things, gloss over some stuff. Feel free to ask questions about that later. it’s just in that spirit of time, because I only have an hour with you guys and this is my way, not the way.

I know a lot of other testers have tons of other ways to do this or the ways that they accomplish their phishing engagements and that work for them. So take this. Maybe there’s some tips in here that you can pull and use in yours, and maybe you just want to, use the script, or the build process that I have.

So there’s a lot of good stuff here. So quick overview. We’re going to talk about fishing in general. We’re also going to talk about how to design a fish, how to go through functionally the process of creating a fish for an engagement.

Then we’re going to talk about how we could take that design and we could code that fish so that we don’t manually have to do a lot of the work that’s kind of involved here. And then we’re going to get into the execution.

I’m going to show you guys quickly setup that I already have that’s running and, quickly how to use the tool that I’ve already made. And then I’ll have some closing remarks.

Here is the why slide. Phishing is hard. Okay? We are all to blame for that. Phishing is also one of the most successful techniques for engagements.

And it’s a lot of times social engineering is kind of how you get in. But the more phishing that we do, the more companies take, I, the more security controls we get.

So there’s a lot of that going on. One of the, some of the issues, excuse me, with phishing is one infrastructure. We have to set up some stuff to get a phishing go going.

I just can’t use my email address to start a phish. Obviously. We also have scanners. There are scanners scanning everything today. Okay. Just a couple that I can think of right off top of my head.

We have got Google Chrome scanning all the sites you’re visiting and then actually reporting that back to Google when it finds suspicious sites. We also have census, we’ve got Shodan.

We’ve got tons of scanners scanning the entire Internet looking for anything and trying to create signatures on malicious attacks. Next we’ve got domains. So we need to have a domain that hopefully convinces a user to visit our link, for example.

And those domains are also getting looked at. How old are they? When was it made? How similar is it to the company? There’s a lot of that going on so we’re having to deal with that as well.

How fast does our domain immediately get blocked? We have two factor. This is something that we recommend to all of our customers. We say hey, you need to set up two factor so that it’s not one password access to your infrastructure.

We need to figure out a way to get bypassed that and I’ll look at some of the techniques that are currently being used. We also have email filtering. So I mean some simple stuff that you could do as far as email filtering, it’s just looking for anything that has company names similar.

You could also add external tags. We have a lot of that. And email filtering isn’t just for phishing, we also have it for spam. So when we send an email we got to get PI spam blockers and we have to get into that inbox to get that action that we’re looking for.

And last but certainly not least, we have user awareness. And this is the one thing we always recommend on an engagement. We say, hey, we wouldn’t have got in if that user would understood what a fish was.

And today more people understand what a fish is, people who don’t care about it, more cautious about clicking links.

That’s another thing we have to deal with and we’re creating our fish and executing these engagements. I’m going to talk about infrastructure. There are a couple of things we need in here and there’s a lot of nuances, but the big stuff is we need DNS.

We’re going to have to make a domain name to run our phishing engagement. It’s just part of all the stuff we’re going to need. Next we’re going to need some kind of virtual machine.

we’re going to use this to send emails, we’ll use this to host our website, hopefully capture some credentials. And last we’re going to need an email service to send our emails and typically we’ll get a third party service.

There’s tons of services out there to send email but we’re going to need something like that to continue with this process. Let’s talk about some of the operational security after we set that stuff up.

we set this infrastructure to do our fetch. We need to think about URL scanning. We don’t want our, our URL that we just sent in the email to git scan.

We also want to hide our ip address wherever that virtual machine lives. We don’t necessarily want other people being able to find out what our ip address is and be able to correlate that.

That is a digitalocean instance, for example, and that’s an easy target or most likely not the site that I should be visiting. We also need to secure our host machine.

We need to lock down, ssh, setting up firewall rules, all kinds of stuff to avoid hacking naked. We need to take those steps so that our OpSec doesn’t seem, we’re not putting ourselves at more risk just to run this engagement and we can lower our threat profile.

We also want to hide some of our indicators of compromises, IoCs. We want to hide things that people will be looking for to indicate that this could possibly be a fish.

Some of those things we have in our control, some of them we don’t. Some of them we just have to accept that users don’t understand what they’re doing or they just disregarded the fact that it said external email when they read the email.

So some of that stuff we can control and some of it we can’t. But we want to control as much as we can. Let’s talk about designing a fish and let’s start with a very simple example.

Is a typical phishing engagement. Now I know some people are going to say, well, what if I send a payload and all this other stuff? We’re going to focus on just capturing credentials.

Today we’re going to send this phishing email and typically we’re going to use some kind of email provider. In my diagram I’ve used mailgun, but you could use Outlook, I mean gmail a lot.

And I’ll go into some of the reasons why I use mailgun, but you could use any email provider. In that email we’re going to have some kind of ruse to get our user to perform an action, hopefully clicking a link.

After they click that link they’re going to be directed to some kind of domain or site that we control. In this case I’m using Nginx. Any kind of web server would work for this.

And then last, that site will have some kind of function to capture the credentials. Now this site’s going to look like something that would follow the ruse and make sense to the user. Okay, this is a simple fish and this is what has been done for a long time and honestly it could still work.

But if we want to think about this a little better, we need to look at designing some ttps and some better Opsec in our design so that we can get by some of the things that I mentioned before.

So let’s look added more advanced design. Okay, now in our example we still have the phishing email and this phishing email. We’re still going to use mailgun or some email service provider to send our email.

In addition, we’re sending them a link. So nothing’s changed there. But that link is not going to go in our case directly to Nginx. Let’s put that link behind a CDN.

In our case we’re going to use Azure CDN. Why? Because now Fakedomain.com is not in the email. Instead azureedge.net is.

And as a defender it’s a lot harder to block blanket wildcard mask on azure edge.net dot. It’s just not something you’re going to want to do.

In addition, this protects our IP address, not just the domain for the website that we’re hosting now. in my example I’m also using another program called Go Fish.

And what I’m using this, if you can see in the diagram, is I’m actually using go fish to send the email. Just makes it easier. You could use anything you want. But if you’re sending a couple emails there’s some other features that you get with go fish.

Go fish is actually sending that email to the user. In addition, because go fish is in place here and it is hosting our landing page, go fish can also capture whether that user actually clicked the link.

Okay, visiting that page lets us know that somebody visited the URL. After they land on that page, we’re going to send them back again to azure CDN.

But this time we are now going to be proxying traffic to evil Gen X two. Evil Gen X two is going to be our man in the middle proxy and it’s going to help us capture session data so that we can bypass two factor.

When the user sees the site for evil genics two, it will be of the real site we’re proxying. In our case, we’re going to be processing office 365 and when that user visits the site they will see an office 365 login just like normal.

Again, from a blue team perspective now, I would have blocked azureedge.net, comma, I’m hiding my IP address, it makes it harder. Also with our go fish we have now put a landing page so that when scanners scan this URL, proof point being one example of some product that would scan a URL, it will just see a static page with a button, hopefully enticing the user to log in or whatever supports our roots.

That also helps with the scanning piece and Evil Gen X capturing our session tokens so that we can reuse them in office 365 and actually take advantage of the user doing something that we wanted them to do.

So this is a more of advanced design for how you could help hide yourself and also capture the right kind of data to utilize that immediately.

Let’s talk about phishing emails. I’m not going to dive in to all the ways to build the best phishing email. Okay? There are tons of options out there.

A lot of times a good ruse is a good ruse. It’s reusable a lot of in a lot of situations. So usually just making a couple work. But here’s some quick tips.

First, take your time. When it comes to designing that perfect email, you really only have one shot to send it. Okay, you might be, you surely can send another phishing email, but it won’t be that same URL anymore.

It’s not going to be that same design. You’re going to have to start all over again because immediately you have a time clock once this email enters before it gets reported and moves on.

Next thing that I absolutely can’t recommend enough is use mailtrap IO. what this allows you to do is actually send your phishing email to kind of a black hole where you can investigate how the email looks, what kind of headers are in it, how spammy it looks.

All of this to help increase the success of your email landing, in the mailbox of choice. This is great. I absolutely recommend it.

Even if you take nothing away from this or don’t use the scripts that I’ve created. Definitely check this out for doing your phishing engagements. It can help you in any way that you do a phishing engagement.

Next, ask your website. Look at how that looks to the user. Run through the scenario and make sure you’re capturing all the data that you want. It looks perfect before you send the email.

I would say test it twice because again, you don’t get another shot. And once it’s out there, it’s kind of out there. And last, close the loop. When you’re describing a scenario or something you want the user to do, let’s get to the end, walk them through the process and make them feel like they got that checkbox for the day.

You ask them to log in to check this document out, to redirect into a document, get them to do something that makes them feel like they accomplished whatever it was in that email.

If you just capture session data and then forward them to a blank page, it feels fishy. I feel like I have been duped.

I don’t know what to go. And if you have to have your users send you an email stating that they tried it and it didn’t work, sure, you capture credentials, but not for long.

So just remember that. Let’s talk about evil Gen X. Two for anyone who hasn’t messed with this. I know a lot of people have, and it’s been out for a little while, but it’s an HTTP proxy.

This is what we’re going to use to capture credentials. We’re also going to be capturing session data, which is really what we want here. Those session cookies are how we’re going to get access to, for example, office 365 after someone’s logged in without being prompt for the two factor again.

Now just a quick note. Some things that you might want to do is if these employees live in a certain area, you might want to use a VPN from that certain area to log in.

You want to make it look like a real user is logging in. In addition, wherever you do set up evogenics, you might want to make sure that that IP address looks like it’s coming from the area that the user would be living in.

This is just a, kind of a pro tip because it’s easy to correlate the fact that someone who normally works in New York just logged in from LA and then back in New York if they’re actually watching the logs.

So just a pro tip. It helps defeat two factor. Again, like I said, capturing that session cookie and this really helps us with avoiding cloning websites.

The very beginning, when I was doing phishing, I would make a copy of a site, make a login page, and just capture credentials. And it actually takes a lot of work to do this.

This avoids the whole process and allows you to just make a proxy, to the actual real site so it doesn’t feel fishy when you’re there because it is the real site.

In addition, if they have 25 factor authentication after they get done, you’ll get the session cookies, which is all that really matters in this scenario. Here, is something that I wanted to share about evogenics IoCs.

So Evil Gen X actually has an IOC that as a blue teamer, you could be looking for to see if a site is actually running evil genics.

So deep inside of his go code, inside of the proxy, and I actually have the link in there. It’s in the HTTP proxy go code. There is a header that gets added.

You can see I actually ran this in the go run online and put that byte array and printed out the string. It actually adds a header when evil Gen X visits a site called X.

Evil gen X. Now I’ve actually removed this from my code so that it doesn’t appear anymore. But just something to note. Sometimes your tools have their own iocs.

Let’s talk about go fish. So go fish is what we’re going to be using in our scenario to pretty much send our emails and crack clack, excuse me, track clips.

This helps with us finding out whether they visited the site. It also gives us that landing page. It’s not really going to help make it more stealthy, but it will help with just your setup and the overall process.

And it’s definitely a useful tool when you’re sending fish, especially if you’re sending it to a lot of people. It can really save you some time. And that’s what a lot of this is about.

Having OPSec while also trying to save some time that you don’t really have on an engagement because you only get so much time. Go Fish also has some iocs.

So the two that I want to talk about with go fish, the first one is the X mailer. So when you send an email via go fish, it will add a header in the email called X Mailer.

Now the X mailer header is not a sign of malicious. There are email clients that add this header, but this X mailer header says go fish.

It’s kind of easy to indicate on, right? Well, in go fish you can actually add headers or remove headers. This is great to make your email seem more like a legitimate email.

And you can remove the X mailer header value so it doesn’t say go fish anymore. Another IoC of go fish is the rib value. So the rid value in our example is going to be in the URL that you put in the email.

When you get the link for these emails or the emails that get sent out, they will include a rid that will be a unique value for each user. So you can distinguish which user click which link.

Well, if you were to just use the rid, it’s kind of easy to say, hey, any URL that I get via email that has rid equals could possibly be a fish.

So another technique is to actually change, you could see again, this is go inside, the go function here. Excuse me. There’s a consistent variable and you could change it from red to anything you want.

You could change it to just id, you could change it to just anything so it doesn’t look like a go fish URL. So just another to think about when you’re using these other tools, sometimes they have ioCs.

Just because they’re meant for doing phishing doesn’t mean that people can’t create indicators via them. Let’s talk about Nginx. We’re going to use this in our scenario to be in a reverse HTTP proxy.

And this is just going to help us with blocking other outside traffic. So some things that I like to do is block all ips except for ips from Azure I like to lock down.

So if you hit it, if you hit the host IP directly, you get redirected or the page doesn’t load. There’s all kinds of stuff that you can do with Nginx. It’s very, very customizable, especially when it comes to IP blocking and other things like that.

There are some other reverse proxies out there that I actually like as well, like traffic. But Nginx is probably the most customizable for IP blocking and some other stuff like that.

In addition to that, we’re going to use Nginx to load our SSL certs and this is going to allow us to be able to talk to the CDM with a valid ssl cert. We will have this all automated, so don’t worry about that in this particular scenario.

But that’s what we’re going to be using it for. Nginx will talk to evil Genics two and go fish. Additionally, using a reverse proxy like this helps us only have to spin up one vm as opposed to a vm per application.

This can save us money on an engagement. I know it’s not a lot, but it can add up. and honestly it really helps dial in how our traffic’s routed. For my example, I am going to be using digitalocean as the cloud provider to set up our vm.

Reason it’s cheap to build a virtual machine. It’s API based and they do include DNS, among some other things. There are a ton of other cloud providers out there, some of the big players, AWs, Google, you could use these as well.

The code that I’m going to share with you guys today does not have it built, it’s just built for digitalocean. But easily could be added. I’m also going to use mailgun for sending email. If there’s one thing you learned from this entire talk today, one thing, do not roll your own email server.

Just don’t do it. It is a pain in the butt and if you have not experienced it, I don’t recommend it. If you have set it up and oh, the pain, especially today in today’s email world where there’s so much spam going around that it is a really pain in the butt.

So absolutely recommend some kind of email service. We’re going to use mailgun. It does have an API as well and this helps us gain some email reputation. This platform is designed for sending lots of emails.

It’s not designed for sending spam but it newsletters, other things like that. So it really does help just get the ball rolling with that email server that we want to use. We’re also going to use for the CDN we’re going to use Azure.

You could use other ones. I kind of like Azure in this particular example because we get Azure edge.net which most customers in our case since they’re using Office 365, are probably not going to be blocking Azure edge.net dot it does kind of seem to go against everything.

This is going to help hide our IP address. You could do IP filtering, you can block out whole countries inside of Azure Edge. There’s no point to see an IP from China visiting one of your Azure edge URL’s when you’re targeting a company in the US.

So you can block whole countries. You also get some domain reputation. Like I said with Azure Edge.net comma just makes it harder to block. I kind of went down like the mechanics of the fish and the tools we’re going to use inside of here.

So how would we code this? How would we just make this all work? The first tool that I use in this example is going to be ansible. What is ansible if you haven’t played with it?

This is an open source configuration management tool. It’s used to do one big thing, which is infrastructure as code. This is to help you spin up a bunch of things, set up domains, set up vms, plethora of items, but it’s Python based.

It uses YAML files which are pretty easy to edit. And really one of the big things that we’re going to use this for particularly is OS configuration.

One of Ansible’s greatest features is that it is agentless, it uses SSH to log into a host and run a bunch of commands, similar to running a bash script on the host, but without having to put the bash script on the host and then run it.

It doesn’t have a state file, so it doesn’t actually know what the state after it ran. But it does checks in a procedural style. So we’ll check the first line goes to the next line, checks to make sure that’s okay, goes to the next one, so on and so forth.

This is great. Like I said, for OS configuration, you can also run it over and over again and it will make those checks, and if nothing needs to change, it will just move to the next check.

Here is a simple diagram of how ansible works. We’ll have a playbook. A playbook is just a bunch of things that we want to do on a host, like things that we want to configure.

For example, you could say I want to install this package via apt. Now you could just type that in via ssh apt get install Nginx for example.

But you can use the ansible playbook to do the same thing and make it repeatable. So if there’s any changes that need to be made and there’s a lot of other features additionally there’s an inventory file.

This inventory file is the host that we want to talk to. So ansible takes the things you want to do and the host you want to talk to and running on your host itself, it will ssh to those servers and execute what you’ve told it to do one by one, every check.

Now you can do conditionals and other stuff like that to skip checks that don’t need to be made. But in general you can actually run all those checks over and over again. And it shouldn’t affect anything. It’s looking for a certain state, and it will check every time to make sure that a file or a package is installed or changed.

Appropriate. Next we have terraform. Terraform. Think of it as like a counterpart to ansible. They really have a lot of the same things that they do.

Ansible can actually configure Aws in my example. I’m not going to use it for that. I’m going to use terraform. Now, this is another open source configuration tool, and again its goal is infrastructure as code instead of Python base.

This is actually go lang based. And it uses, instead of YAML files, it uses Terraform’s configuration language. It’s not too hard to understand, but the big things that make terraform different than Ansible is.

Terraform is declarative. So you’re going to declare or define what you want the end result to look like, and Terraform will get it there. In addition, once it gets that state the way you want it, it will save the current state into a state file.

Next time you run terraform, it will check the state file to see if anything has changed, if we need to modify that to get it to the correct state. Ansible does not have a state file.

It doesn’t remember what had changed. It will go check every time, whereas terraform can just check for differences between the two. In our case, we’re going to use terraform for anything with an API.

So anything not related to OS commands. This would be any cloud provider, anything that you would want to communicate with an API.

That’s what we’re going to use terraform for. And it’s great for this. It works really good at defining what you want your infrastructure to look like. This is a simple example of the terraform layout.

Terraform is going to have this file called MainTf. These are going to be the things you want. For example, I want this VM on Digitalocean and I want it to have these resources and making a menu of what you want.

You also have some variables in this variable TF file. This would be things how big of a VM and other things like that that you might want to change. Well, run this on our host and it will use APIs to communicate to something like digitalocean, mailgun, azure, cdn to configure and get the state that you want with this particular setup.

Again, this is a simple example, but in general that’s what terraform is doing. We’re also going to use Docker in our build. And the reason why is because application containers are useful.

They’re reusable, they make portable code, they also simplify our dependencies. I’m a huge fan of Docker. I know some people feel like it adds complexity, but I feel like it creates portability.

That makes it easier to use in other environments, unlike the one that we’re currently in. Some good examples of this would be running a Docker container on a different OS is okay.

We don’t have to worry about the dependencies that aren’t on that particular flavor of Linux. Those are just some of the benefits. Another one is separate network stack, which really does help in our scenario.

Because I want to route traffic around and not create more vms. I can do that on one host. I want to use as much of the resources I can on that host as opposed to getting another vm to spin up and then creating the network outside of that.

Here’s just a quick diagram of how Docker would look. So you’re going to have the, for anyone who hasn’t played with Docker, you’ll have the host OS on that host. For example, in our case Ubuntu, I’ll be running the Docker service and I will have a couple containers.

In our example, we’re going to have an NginX proxy container. I will have evil Gen X running in Docker and I will also have go fish running in Docker. So these are going to be the docker containers we’re going to use.

For example, again, makes it portable. So now you can take just the evil Gen X two Docker container and just use that if you want. And you can pluck in Chuck, you could add different things in here.

So again, all about making different choices later that you don’t have to rewrite. Okay, so that is really the benefit of this and the benefit of Docker in our particular scenario.

So let’s bring that together. Okay, something that I found out about a year ago, people were talking about this, but actually running it is really amazing. I was using ansible to configure things and I was using it to configure, for example, digitalocean.

But because it’s procedural style and I have to do one line after another, I have to make all these checks. I started feeling like I was getting into the same example of Zabash script by actually combining ansible and terraform together.

It made all of that go away. So the way we’re going to use it in our example is we’re going to have a playbook that is going to run ansible. Ansible will then in turn in our diagram call terraform to build just the cloud stuff we care about.

And we will pass some variables to terraform from our ansible and configure. For example digitalocean, mailgun, azure, CDN get our cloud stuff going the way that we want.

Now, after terraform is done, it’s running in the background. All it does is just get our desired state that we care about. It will spit out some IP addresses, for example, host that we want to talk to and we’ll put that into an inventory file.

That inventory file will save it to the computer. We can tell terraform to save us a file with any of the outputs that it received from any of these cloud providers. And we’ll use that ip to talk via ssh.

Again, ansible here to our digitalocean instance that we just created via terraform. What’s also great about this, we can run it over and over again. because terraform has a state file, it knows did anything change?

Well, not going to touch anything. And because we’re not using terraform to configure the OS, we don’t have to worry about something getting overwritten and use ansible to do that. So this is kind of the complete design here, and it’s kind of the goal of automating what we’re trying to get to in this phishing example.

One last thing I want to talk about is ansible secrets. Okay, so this is a quick detour, but I really feel like it’s important to talk about this is the fact where you put API keys or other sensitive data in ansible as variables, because in our example, we just have a variable digitalocean token, and we can just put in a key and leave that file there.

But if someone finds that file, if somebody, you accidentally share that file via GitHub, all kinds of fun stuff. So bad day. And so the leakage is easy.

And I find this on engagements. So one option we can use is, and my preferred option is using some kind of secrets manager. Well, very common secret managers are something like LastPass or one password or Bitwarden.

These are very common. You probably have one of these right now. It’s where you store all your passwords. With ansible, you can actually use the code above the lookup, the community general Lastpass, to pull a value from your secret vault as a variable only when it runs.

So every time it runs, it’s just querying it. The way it works is you’ll use for example, LastPass as a CLI one password. They’re super easy to install and you’ll log in and it will time out eventually, but you’ll log in and when you run this, it will pull that variable from the secrets manager or your password manager and bring it in just for that moment, run it, and when it’s done, it’s done.

So you don’t leave this stuff laying around. Right. Secret management is huge, especially when you start getting to kind of what we’re doing, which is the automation and somewhat of DevOps here. So just pro tip.

also if you’re on engagement, look for this stuff. If you see Ansible, it’s probably got some secrets in there they didn’t mean to leave. So that’s where I really want to talk about this. And I feel like everything that I tell a customer I should be doing myself.

So think about it like that. We are going to get into some execution. I’m going to show you the code that I’ve already put online and we’ll walk through the setup and what it looks like demo time right at the demo gods.

The simple steps here would be to clone the repo and set up some API keys. In our case we have two keys that we need to set up. Azure and Digitalocean.

We’ll change some variables inside of a variable file. This is making it our own, whatever those are. You’ll see when I show you the variable file, there’s, there’s a certain set of them. And then we’re going to run our playbook and hopefully get the desired outcome we want.

You could see the link there. I posted it. It’s bill the fish. Couldn’t think of a clever name for this, but all the code is there now I don’t have enough time to walk through the whole thing and everything that’s going on.

Okay, I wish I did, but the code is out there, so everyone else can see this and the readme is not too bad. I probably could use a little bit more work, but it is functional. The big things to note though is that we have this playbook that we’ve cloned and really the only things we need to do to make this work and build the design that I actually just talked about was modify a couple variables.

The first one is this all YAML file. Inside of here we’ve got some settings, like an op number. You can set this to whatever you want. It doesn’t have to be a number. This is just some way to identify this engagement.

We also have a tTl time to live so that you can see if later on if you tag VMs like this, you could see, this has been up for a while, I probably need to delete it. Or you could maybe write something that automatically looks for those tags and gets rid of them.

Also a username. And then, we set some other settings like our DNS. We’re going to use digitalocean, in this case our set, our domain name. We’re getting up to this token.

You see how I don’t have a hard coded token. I just am referencing a value inside of lastpass. This is what you want to do for anything. That’s a secret.

We also set a region size, set up a username that we want to use. So this is what we’re going to be able to ssh into this. You can add more users than once you can actually, if you wanted to have two users on this system, you can actually just go ahead and paste that in and have two users now.

Right? So then change the names and then change authorized keys so they can all set up. Last big one here is the setting up this ansible private key. So this is the location on my disk where a private and public key is going to be.

Using this to set up the initial host you’ll need to have one, a new one, use one you already have. It doesn’t really matter. So the other variable file is over here.

We’ll set a hostname again, provider for the vm. And then this is where we can set our domain name. For go fish. I’m going to use gpadmin, whatever my domain name is.

In this case over here in my all variable I said my domain name was what is it? It’s over here, hackersite.com dot.

So it would actually be go gpadmin dot. Hackersite.com dot. You just need to set up all these variables. We’re going to, in my current example, this is set up for office 365.

So this is going to set up office 365. It’s going to or excuse me, set up evil gen x for office 365 and use that phishlet. I’ll make a quick detour to show you that.

oh. Additionally we also have whitelist. Make sure you add your ip address in there so you can access the go fish administration portal via your ip. And not everyone can see that, right. Just a little bit offset.

We have a firewall set up. I set up a lot of stuff inside the os that you don’t have to think about setting up a lot of. It’s just sane security values. I do set up the right, I do set up ash shell.

I set up a lot of stuff. If you do want to modify, I have this in the readme. So the two big things that we’re trying to accomplish here is evil Gen X and go fish for evil Gen X, particularly if you want to go in, I’m showing you this templates folder.

There’s two templates in here. There’s a config template and then there is this office 365. The office 365 is actually just the fishlet, okay? Now the config is where we can set up our lures.

And you don’t need the ClI. I actually am not against Clis. I just don’t want to have to log in every time and configure a bunch of things. I want a config file.

Actually evil Gen X has a config file. You just have to know what the settings are and it doesn’t have it documented. But anyways, in my case I’ve already set one up and giving you an example of what it would look like. I also have the redirector set up.

This is a variable for the redirect domain and we’re also setting up the CDN domain. I’ve already ran this because it takes about five to ten minutes maybe to run all of this stuff and get it set up.

And I’m going to go ahead and show you what that looks like. All right, so now that I’m done searching for John Strand, the model, let’s talk about go fish.

You can see that in my particular demo example, I use this domain that I don’t use for engagements called pondcompany.com dot and GP admin is the go fish interface. Now once go fish gets set up, you need to check the docker logs again.

This is in the readme and it will tell you the password so you can log in and get going. Right. So we have some campaigns. This is where you’re going to set up your email templates. This is where I just have some example template in here.

But you would set up the perfect one. You could use HTML. A lot of how to use go fish is in their documentation. I’m not going to go through all of it, just know that it’s there. You also set the landing page. I’d recommend in this landing page that you set some kind of redirect.

Okay. Because you want to redirect to evil genetics. This is all set up. I also wanted to show mail trap. I’ve actually sent some of these phishing domain or some emails to this to see what they look like.

One of these, I saw this x mailer in here. I could see that the text or the HTML source, I would say writing an HTML email makes sense. It just depends on your rusev and what you’re trying to do.

And this helps again to just test out your setup before you really start sending emails. So definitely set up a profile to do that you would go into sending profiles right here and you would set up mail trap.

And this is where you can also set up this kind of stuff, set in your password and stuff. And then for my mail gun example you might want to, right here under this custom header, set that x mailer to something else.

Then evil genics is actually already running in the background. And if we visit our site when you go to the don’t hack me URL.

We get mycompany login dot azure edge.net, which is something that we set in the configuration file. This is official it for office 365 running behind Azure CDN, allowing us to capture credentials.

And how would you see that? So how are we going to get these credentials? They’re going to be right in the terminal and I am going to show you that last piece before we get done here.

Inside the terminal you’ll see that if I follow the logs for evil genics, we have the logs for this connection. I haven’t actually logged in, but if I refresh the page you can see we’re capturing all that data.

When I do find the capture sessions it will show up in here. It will also get saved to the file. There’s some other really great stuff that I’ve also included in here. As you can see, the shell’s already set up the host name, a lot of that fun stuff.

But one other thing that I did, and this is super useful for engagements is there’s a log folder and it will capture all of the terminal output that you ever type into here, saving all of the formatting so you can go back later and see what you did.

If you did something else inside of this vm that you utilize super good for reporting, it’s definitely something that you don’t think about it until you need it and automating that process is just, it really helps.

That is pretty much all I had to show. I know that that was super fast. Let me go back. I didn’t actually show it running, but please m check out the code that’s been posted and give it a shot to close this out.

What about other cloud providers? One thing is you can use terraform for all the different cloud providers. All the other ones out there, Aws, Azure, whatever makes you happy.

You just have to write those terraform pieces. I do plan to actually write for some more providers. They’re actually not that hard. But yes, you can use it for other providers without changing that ansible code that configures the OS.

You can use this for more than just phishing. This is just one example of taking code and writing it to do a form fit. Now you could change this. You don’t want to use evil Gen X or you don’t care about go fish.

You can just remove those pieces and just use what you want. I do have a blog to follow this that talks about all the stuff that I talked about today, maybe in a little bit more detail showing all those diagrams, including obviously, this webcast.

And I plan to actually have a webcast for getting started with ansible and terraform geared toward just helping you accomplish these engagements.

Okay. So just how to actually go through and modify this stuff. And when I do this webcast, I’ll be talking about how it relates to our industry, not just in general.

So how I could use this to just make my life easier and save myself a ton of time. Right? And once you write it, you can reuse it and other people can grab it and you can just plug in pieces and pieces.

That was all I had today, and I really want to thank everybody who showed up and checked out this presentation.

Jason Blanchard

Well, there’s going to be a whole lot more questions.

Beau Bullock

Oh, yeah, dude, there’s like just, they’re streaming in the whole time. Like, I don’t know, I didn’t even get to listen to you. I was like just answering questions all the time.

Jason Blanchard

So one of the things that you can do is ask whatever questions you have based on this, because Ralph is going to write blogs based on the questions that you write, and he’s going to think about future webcasts based on the questions that you ask.

So any questions that you asked that we don’t get to today, maybe a, future webcast or a future blog post, and then we’ll make those available. But I was red flagging some of these.

Ralph May

Okay.

Jason Blanchard

And I’m going to start with this one. It’s a little long, so please stay with me. Okay. So we do security awareness, trainings with using phishing simulations.

We don’t care if mails go to the spam because we send them only to customers we have agreement with and they usually whitelist us, but we observe more often than that.

Browsers like Firefox and Chrome mark our phishing websites. Here’s the part as malicious phishing, how to prevent such things. Last time we did a campaign on Friday and it went great, but on Monday another one was a fail.

The domain had been blocked by browsers, probably during the weekend. In the last few months, we lost a few of our domains. Did you get all that?

Ralph May

Yeah, I did. So this is a battle that I’ve currently been experienced as well. And this really has to do with domain aging, domain categorization, and also how they’re finding out that it’s a phishing.

Your browser is tattletailing on you. Google is actually using you as a sensor to pull in when it detects phishing sites.

Okay, so you visiting the site during your testing can actually flag that. So there are some things you could do. You can disable that inside of chrome.

You can use other browsers that aren’t submitting this information. There’s a lot of that, again, domain aging as well. Another technique is to get a domain and plan to use it in a later time as opposed to buying one and immediately using it.

The last technique I can think about is also using the CDN approach, which is what I’m doing. And this is for that more rapid fire setup where you don’t have all a lot of time to age a domain, but you want to use that CDN and get some of that reputation immediately.

Does it look like the company? Not necessarily, but users who feel like they need to do something are going to click the link. It’s not necessarily the fact that it says company name secure that really sold them on this URL.

Right? So just think about that or something to know, right? Yeah.

Jason Blanchard

So bo, let’s do it this way. I’ll take a question while you research the next question and then we’ll leapfrog each other. But since I didn’t tell that to you, I should probably ask the next question.

Ralph May

Okay.

Jason Blanchard

how do you manage your gofish templates? Importing, exporting the DB? Or is there actually a better way?

Ralph May

So there are a couple ways to do it. I mean, obviously there’s the manual way of just importing or saving the HTML for the email or the web piece. It’s really just two functions. Inside of gofish there is a email which would typically be an HTML Hm, and then there would also be your landing page which would also be an HTML HM.

Now you can, if you would like, save this or have one instance of go fish always running to run these kinds of things. But if you do that scenario, absolutely put it behind someone kind of CDN because you’re immediately going to be flagging yourself all the time as you run multiple engagements.

But I will typically just save the email and the landing page HTML as a bundle as an example of a certain kind of scenario that either worked or something that I liked, and then I’ll reuse it.

Now when I create scenarios, a lot of them are custom. I put the company header in there, I change the colors, I do a lot of stuff to sell whatever it is, I’m trying to do the scenario so that it makes it the most believable and that probably not somebody just whipping this up overnight.

So I really try to sell it. And so I typically save them to answer the question, just the HTML and the email and like kind of a package of a scenario and then I’ll put them in there.

Beau Bullock

So Ralph, this is a good one. What’s the best day and time to send a phishing campaign?

Ralph May

That’s a good question. Honestly, I really wish I had metrics on that, like when was, the best time. But I think one thing that I personally like to do, I like to do it in the morning.

I don’t want to wait till the end of the day. You don’t want them sitting in inboxes. Another thing about phishing is your interactions are usually going to come right away by the most. Not gullible, but like excited to get whatever it is you asked them to do off their plate.

So a lot of those clicks come very quick and you’re going to need to capitalize on that time hopefully to get that session before you get detected. I don’t know if I necessarily have a good day.

Monday’s not too bad. I think Friday could be like the lazy day, maybe Thursday. So I’d say Monday to Thursday. I would avoid Friday, but definitely in the morning. You want to get people when they first get started working.

Jason Blanchard

So next question. Also from a blue team side, have you thought about making a blog on stopping key tricks and phishing? I’m seeing a lot of x header changes and many of the email security gateways out there are frankly trash.

Feels like a John Strand kind of quick and require a lot of manual configuration in this way. Also open source abilities for this functionality. I’m not sure if this is a question, but do you have any comments or commentary on that?

Ralph May

Yeah, I think that the big thing here is really just trying to make this rule about external emails and how they’re interacted.

I know I’ve seen some organizations that will use a more heavy handed approach where they’ll actually kind of put all outside or external emails into a quarantine for the most part.

And then once you whitelist those individual emails they pop, start popping up in your inbox permanently from whatever that user is, a vendor, so on and so forth. That’s one way to really slow it down. Adding the external email header on there is good, but plenty of engagements.

It’s still users click so on and so forth. But I think one of the things that I have seen pretty successful is just dropping all of those that the user hasn’t actively whitelist.

There’s probably not going to be too many emails that are going to be sent at random, that the user wasn’t expecting that email that they couldn’t dig it up out of that quarantine to make sure that you don’t get fishes.

Beau Bullock

People, people want a 16 hours class, man. They want, they want a fishing class. When can they expect to be, the fishing class.

Ralph May

The fishing class. So the, the, Yeah, right. Just fish them all in. No. So actually the, I want to take this and build it into a class to talk about more than just fishing.

What about c two? I know that’s another big one too for setting up a lot of these more complicated and also just tedious tasks and making Opsec inside of that.

So doing more than just fishing. But yes, fishing would be included. These, these are a lot of things that just require a lot of time to set up and speeding some of that up while also allowing you to be original at the same time allowing you to have that customizability to make it your own engagement and not just something that I wrote that you ran.

Jason Blanchard

How common is credential harvesting a part of a campaign? Is it to prove the risk of training requirement, aka contract?

Ralph May

So I guess there’s going to be two types of engagements you’re going to have. One where you’re actually just doing a phishing engagement to see if you’re getting those interactions, those clicks or those logins. Typically when I’m capturing credentials in something like a red team, I’m looking to utilize that to go further inside of the environment.

Something like office, 365. It really gives me a gateway into the side of your organization, especially if you’re using something like Sharepoint and teams and all the other products inside of there. That allows me to harvest and then even take that one step further and do some social engineering with those platforms, including teams dropping files and SharePoint.

Other things to further compromise the environment and move laterally inside of your environment by starting with your perimeter cloud environment. So that’s how I would use phishing. And I guess both of those engagements and the red team, you’re going to take those credentials and push it further, whereas when you’re just capturing credentials, you’re just seeing whether people were not alerted and that they continued to go down this process and you can convince them to do it again.

It goes back to user awareness, but there’s only so much you can harp there.

Beau Bullock

Ralph, what is the most successful ruse that you’ve used?

Ralph May

So I’ve had some pretty successful ones. One that I’ve done was giving away free iPhones. People love iPhones. It seemed like a very useful one.

I do know of other ruses that have turned pretty bad too, especially anything to do with the government. So don’t do anything like that. Just heads up. I haven’t personally done them, but other people have.

And I’ve got to hear, bad idea. So the iPhone one has worked pretty well. What’s another one? Checking out a file.

So sharing a file on OneDrive or some other kind of platform like that usually can get some interaction, hey, check this file out. I, we shared it with you.

This has got to do with, maybe compensation or hey, check this, or you might not get paid this week, around payroll time is usually pretty useful too.

Jason Blanchard

Does the DKIM and SPF configurations for a, for the lookalike domain? Does the DKIM, and SPF configuration for the lookalike domain can, can also be automated using terraformer?

Ralph May

yes, Mailgun will actually set that stuff up for you. You just need to add some of those records. And yes, it can be in my current iteration, I don’t have it. There was a couple little hurdles that I just hadn’t solved yet.

But yes, you can automate that with. It’s mostly the problem is I need to get this data from mailgun, which is very easy to get from their web interface, and then re put that into the domain registry, which in my example, I’m using digitalocean.

So I need to pull that domain information, those keys, and put them in real time. So I kind of have to solve that, but it is definitely solvable.

Jason Blanchard

All right, Bill, you get the last question and then we may go into overtime, but we’ll see.

Beau Bullock

Okay, yeah, I saw one earlier. I can’t find it right this second, but it was, in regards to doing, browser compromise as an attack mechanism, what are your thoughts on phishing for trying to hook a browser?

Ralph May

So phishing for once they get in some kind of browser level exploit? Is that what you’re talking about?

Beau Bullock

Yeah, I think what they are referring to are, add in type attacks where you would fish to have them install an add in, like a chrome add in or explore add in, that kind of thing.

Ralph May

Firefox add in. Yeah. So there’s a couple of things with that. One, I’ve never done it, but I can think of the logistics of it, which would be first having to create this Chrome ad. And I don’t know how much level, but let’s just assume that it’s not a whole lot of work.

We also have to submit that and hopefully Google doesn’t flag it or notice anything suspicious. And additionally, we would have to build a roost around that add on.

So, I mean, one that I can think of off top of my head would be possibly, hey, this is a security add on to secure your browser while at the company. This is a mandatory installation that you need to do.

And because there’s no way to push it via chrome, I have to, manually do that. So that could be really interesting. Another interesting attack path. And I’m not sure if you can do this with the plugins, but you could actually harvest the credentials inside of the browser with that plugin.

I’m not sure if there’s that separation, so that’s some research I’d have to do. But I do know that those credentials.

Beau Bullock

Actually, with, the browser exploit framework, I’m pretty sure that there’s a module in there to pop a cred box.

Ralph May

So yeah, that would be how I would leverage it after you created it. I do believe that would be, like I said, a bit of work, but it could be pretty successful if you could convince users to install your add on.

And Google didn’t catch on to the fly, but you never know.

Jason Blanchard

Okay, everybody, thank you for being here. We’re going to stick around for just a few more minutes afterwards, but this is the official end of the webcast. If you would like to leave, we’ll see if we can answer one or two more questions because they came in fast and furiously.

And, we’ll get those to Ralph and Ralph. We’ll use them to take the most common questions and build some blogs. There are no blogs at this time. Ralph is working on them. And then Ralph’s going to take some of your feedback and questions that you asked in order to incorporate into the next podcast.

So thank you from all of us here at Black Hills information security. We appreciate you being here. We know that you give up your time to come see us and hopefully we teach you something and you learn. And with that, if you ever need a pen test, where to find us.

Ralph May

Bye.

Jason Blanchard

Hey, Ralph, great job. This post show banter. Post show banter.

Ralph May

Take it off.

Beau Bullock

Ralph, you put the wrong Twitter handle in there, man.

Jason Blanchard

Yeah, you did.

Ralph May

What?

Beau Bullock

Yeah. Missed opportunity, man.

Jason Blanchard

Everyone that’s here, we know we’re still alive, we know you can hear us, we know you can see us. But we ended officially so that, way in case people need to leave. And then we also have a nice clean ending for the recording.

So we’re going to stick around for a few minutes. Hey, Ralph, I was doing your, counting. You did great. You did so good today.

Ralph May

Yeah, I tried. I actually thought I, like, I heard me say them and then start continuing on.

Jason Blanchard

Yeah, yeah, you definitely. You were thinking about what you wanted to say instead of.

Ralph May

Filling. I did notice that I probably had like four spaces. So.

Jason Blanchard

There was a lot of questions, Ralph.

Ralph May

Awesome.

Jason Blanchard

A lot, a lot of questions. So we’ll jump all these, we’ll get them over to you.

Ralph May

That’s actually, that’s either one of two things. Either I, really horrible talking about this, and everyone could got super confused, or they’re actually all really interested and want to learn some more stuff. So I don’t know where to go with that.

Jason Blanchard

I think it’s a little both. A little bit of both question for you.

Beau Bullock

I mean, it’s a lot to pack into an hour.

Ralph May

it was a lot and I kind of, I got it.

Beau Bullock

It’s good, though. It’s really good.

Jason Blanchard

What recommendations can you give us for the report of the results that delivered to a client? Any examples?

Ralph May

Thanks. A little confused about the question and what contents as far as, like, what, to recommend to the client in this particular example or just fishing in general?

Jason Blanchard

Well, I think this question is just dealing with the report of the fish. So that’s a good. I think what you were just saying is a good way to segue, because we do a full pen test, and a fish is a part of the pen test.

It’s not just a fish report, it’s during the pen test. So can you talk about that part?

Ralph May

Yeah. So you would, you would just say, during the pen test, you would talk about the scenario where you were able to either capture credentials or convince a user to do some, perform that action.

Okay. I mean, the root cause is most likely user susceptible to clicking a link or user susceptible to doing some kind of action that you were able to convince them to do.

In addition, you could also make some recommendations about security controls that maybe they just didn’t have in place that helped or did not prevent you from conducting that phish.

But it would only just be one piece of the report as you move through, and then you would take that to go further on to find more findings or other kinds of attack avenues inside of the environment.

Jason Blanchard

Yeah, I guess my follow up question to that is, do you start with fish?

Ralph May

I hate them. That’s the last thing I want to do. And I know that seems weird to say because I just wrote, I just did a whole presentation about fishing but it’s hard. It’s hard.

Beau Bullock

It is so hard.

Ralph May

That’s why I did it. I talked about something that is hard. And all these things that I did in here is because it’s a pain in the butt. That’s why I just started automating it, because I’m spending three days trying to get ready for that one moment in time.

Now, fishing can be very successful, and it’s not something to take off the table. And honestly, if you want to be ready, you should have that fish before day one, like, know where you want to go with that, because most likely it’s going to be part of the repertoire of what you need to do.

So it just, it is hard and, fishing, but it is very, it is very useful, and there’s been tons of engagements. Whereas the last thing I did, because I checked all the other possible avenues and it was the first thing that worked for mhm.

Beau Bullock

It’s. It’s hard gauging, like, like how. How, the posture of an organization is going to be, like, a lot of times, like, you will just assume that it’s, like they have the best, security training.

They have all these products in place, and you go to fish and it’s like a shell, and they have like, no av. what I mean? Like, it’s hard sometimes to really gauge it.

Ralph May

Yeah, it is. And there have been engagements where I got in on the fish and I saw them report it, in fact, and immediately, but not lose access.

So. And that’s a talking point from the blue team side to look through your playbook of how you document phishes, how you triage that information to make sure that user credentials get reset immediately, even up the suspicion of a fish, because just having to change your password isn’t really the end of the day.

Beau Bullock

I was on an engagement where the user reported the phish, and it was on purple team. So I was in a slack chat with a customer, and they’re like, oh, we caught you guys. they reported the fish and they reported it to their sock, right?

So the guy, the infosec person I was dealing with, he wasn’t actually directly the one that was being informed as the SoC person, and he was watching the chat between the SoC engineer and the user, and the sock person was like, no, that’s legit.

Go ahead and go with it. It was great. It was amazing.

Jason Blanchard

A lot of times when I play backdoors and breaches with people, I’ll use a fish as one of the initial compromises. And I’ll say that the user got compromised seven days ago and finally brought it to your attention seven days later.

Like, something’s fishy. And when I tell, like, the security team at the end, when they reveal it to fish, I’m like, so how plausible is this that you could have something like this and it takes seven days to get reported?

They’re like, yeah, that’s pretty typical.

Ralph May

I think user awareness is up. it’s now catching up to like, how fast you can respond. I know personally, once I get credentials, I want to move as fast as I possibly can to get as most, the most amount of information I can with those credentials, because I am on a clock and I have no idea how fast the response is.

And the more information I get, the better I’m more prepared to either do the next fish or to continue to escalate.

Jason Blanchard

So a comment from Asher. I’m really excited to use this repo in the future. Where can we buy Ralph a beer, coffee or support him somehow for all his hard work?

Ralph May

I hadn’t actually thought of that. Like.

Jason Blanchard

You don’t have your patreon?

Ralph May

Yeah, I don’t have a patreon. I don’t.

Beau Bullock

Where’s your, I mean. Oh, go ahead, never mind.

Jason Blanchard

No, yeah, I was just going to wrap things up, but if you had one last.

Ralph May

Funny, I was going to say send.

Beau Bullock

Ralph some alpaca coin.

Jason Blanchard

one more from wizard King. How long after the fish would you shut down your infrastructure?

Ralph May

So that’s a good question. And it just depends, are you still using it? And the active engagement, have you got that access? I would probably not put it more than like a day or two, anything past a day, two days, very tops, you’ve gotten all the clicks you’re going to get because at that point you’re pretty much burnt and, you could take it down.

Now, in my example with the CDN, you really haven’t given up much. The only thing that you can’t reuse is that CDN link. So you can just make another CDN and see if they start blocking wildcard dot azure edge.net, which could be bad for business.

But it depends on how you have your setup. But yeah, after two days you’re pretty much, probably burned.

Jason Blanchard

tons of comments, tons of questions, not because you didn’t cover the material, but because there’s additional things to cover and learn. So we will make sure that Ralph comes back in the future.

For all of you stuck around here, for the post show banter. Thanks for being here. Any final words for today, Ralph?

Ralph May

No, I just want to thank everybody, especially everyone who’s coming. First of all, everyone is still here. I, really appreciate it. And, hopefully you guys get to use this, and hopefully I’ll get some feedback and continue to.

To make it better for everybody so that, we can all stop building fishes.

Beau Bullock

Can I buy the slides as an nft? That’s the real question.

Ralph May

with, the wrong Twitter handle. Sure. All right, everybody.

Jason Blanchard

We’ll see you next time.

Ralph May

Bye, guys.

Jason Blanchard

I am m ending the webinar.

Beau Bullock

We’re still.