Author Archives: Christoffer

Dradis v4.8.0 has a Quality Assurance feature to approve Issues and Content Blocks before reporting

New in Dradis Pro v4.9

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Liquid Dynamic Content in Word and HTML reports

We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.

Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of Evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this Issue in Spanish instead of English”? Now you can! For example, placing the following Liquid markup in an Issue will render it on export:

#[Description]#
Global:
{{ project.name }} for {{ team.name }} team
{{ document_properties.available_properties }}

Tag Name:
{% for tag in issue.tags %} {{ tag.name }} {% endfor %}

CVSSv3 score:
{{ issue.fields['CVSSv3.BaseScore'] }}

Evidence:
{% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {% endfor %}

The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence

Evidence count per node:
{% for node in issue.affected %}
{{ node.label }} has {{ node.evidence.size }} instances of evidence
{% endfor %}

It would give a result like the following:

Better filters in Word templates

We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.

Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".

Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.

DuoWeb and ServiceNow support in the Integration Manager

We have changed the way our integrations work, so you can now install DuoWeb and ServiceNow right in the Integration Manager. No need to use the command line to install 2FA! You can also configure Duo and ServiceNow, as well as integrations like Azure DevOps, right in the Integration Manager.

Release Notes

  • AccessTokens: allow the storage of per-user encrypted tokens
  • QA: Show state changes in activity feed
  • Sessions: Store :secret_key_base in encrypted configuration file
  • Tylium: Extend support for Liquid Dynamic Content
  • Upgraded gems:
    • bootstrap, popper_js, simple_form
  • Bug fixes:
    • Issue Library: Prevent rendering navbar over top of the fullscreen editor
    • QA: Redirect to correct view when changing states on QA edit views
    • Users: Force logout for users with locked accounts
  • Integration enhancements:
    • Acunetix: Parse inline code, not just code blocks
    • Burp: Adds strong and code tags parsing
    • CSV: Fix CSV Upload for files with special characters
    • Nessus:
      • Parse code tags as inline code
      • Add plugin_type as an available Issue field
    • Nexpose:
      • Parse inline code, not just code blocks
      • Wrap ciphers in the ssl-weak-message-authentication-code-algorithms finding
    • Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
    • Azure DevOps: Switch authentication from PAT to OAuth2
    • Duo 2FA:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
    • ServiceNow:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
  • Reporting enhancements:
    • Word
      • Add support for filtering nodes by properties
      • Add support for the notextile tag
      • Allow multi-word fields/values in the content control filters with double quotes
      • Extend support for liquid dynamic content in Word reports
      • Warn of missing blank lines around a screenshot only when it’s not the first or last item in a field

Not using Dradis Pro?

New in Dradis Pro v4.6

Integration and Tool Manager

Now you can install and upgrade integrations (such as DuoWeb and Jira) and tools (such as the Gateway and the Remediation Tracker) directly in the Dradis application – no need to use ssh or the command line! Simply browse to the Integration and Tool Manager in Dradis v4.6, Get the tool, and then Enable it. Then you should be good to go!

Instance Dashboard

Want a better overview of what is going on in your Dradis instance after login? The new Instance Dashboard gives you an at-a-glance overview of Projects, Tickets, and Tasks assigned to you; a list of the newest unread notifications; and an overview of what’s new in the latest version of Dradis.

As a new feature, please do let us know if there are other things you would like to see or change on the instance dashboard once you start using it.

Permanently delete items in Trash

As of v4.2 of Dradis, you could soft-delete projects and teams so they end up in an Instance Trash. However, to permanently delete items in trash, you needed to use the command line. Not anymore! Now you can permanently delete items in Trash straight from the UI.

New Kits

We have long had a few templates and kits available for download at the Dradis Users Portal. We have overhauled some of these kits and made them available directly from the Dradis UI. Simply go to Templates –> Kit Upload, and either upload a kit file as you normally would, or click the Upload button under your preferred preinstalled testing kit.

Release Notes

  • Dashboard: See active projects, notifications, assignments, and what’s new in one view
  • Integration and Tool Manager: Add UI for installing and managing integrations
  • Kits:
    • Add selection of kits to choose from
    • Enable import of kit with no templates
  • Mintcreek: Adjust element contrast ratios to be WCAG 2.1 compliant
  • Navbar:
    • Split the Addons menu into Integrations and Tools menus
    • Remove inaccessible addon’s menu items for contributors
  • Notes: Remove category selection from form UI
  • Projects: Update active projects empty state
  • Trash: Delete projects and teams permanently
  • Rubocop: lint changed files since previous commit
  • Upgraded gems:
    • nokogiri
  • Bug fixes:
    • Comments: Align comment header content in Safari
    • Content Blocks: Fix revision history links
  • New integrations:
    • Core Impact
    • Veracode
  • Integration enhancements:
    • Implement enable/disable feature for Gateway, JIRA, Remediation Tracker, Scheduler, and VSTS
    • JIRA:
      • Add view for editing configuration
      • Hide link in addons menu for contributors
    • VSTS:
      • Add view for editing configuration
      • Issues: add WorkItem Status and Comment feed
  • REST/JSON API: new v2 released
    • Projects: undiscard and permanently delete from trash.
    • Teams:
      • Undiscard and permanently delete from trash.
      • Deprecate the “/clients” endpoint, use “/teams”
      • Deprecate the “client_since” attribute, use “team_since”

New in Dradis Pro v4.5

CSV Importer

Dradis can now import CSV files into projects! Some vulnerability scanners produce output in CSV format rather than e.g. XML or JSON. You can now import these (and other) CSV files into Dradis, and configure which column to assign to which field in your Dradis projects on a per-file basis. Simply go to “Upload”, select the CSV importer, upload a file, and you will be redirected to an interface to assign data to fields. As with other plugins, you can create Issue, Evidence, or Node data and fields.

This is v1 of the CSV importer, so we look forward to your feedback on what works for you and what you would like to see in the future from this feature!

Note that for the sake of internal naming consistency, we have renamed the CSV exporter plugin with this change, so if you have the CSV exporter installed, you will need to reinstall the plugin as dradis-csv_export.

JIRA bulk send

Do you use our JIRA integration? If so, you can now bulk-send issues to JIRA. Simply select multiple issues from your project in the “All Issues” view, and click “Send to JIRA”:

That will send all your selected issues to the Dradis-JIRA interface. Pick the destination project, issue type, and other required fields for each item, and you’re done!

Bug fixes and quality-of-life improvements

Another focus of the v4.5 release is working through some bug reports and lower-level requests we have accumulated over time.

Bug fixes include multiple items relating to attachment validation and export, Node labels linking to external resources (so e.g. clicking on a Node label of “www.google.com” will no longer redirect you to Google instead of the Node in Dradis), and the Rules Engine matching against IssueLibrary entries without trailing empty lines.

Quality-of-life improvements include adding Revision History for Content Blocks and improved error messages in the Output Console on Word report export. Check our release notes for more detail!

Release Notes

  • Content Blocks: implement Revision History
  • Upgraded Dradis Pro to run on ruby 3.1.2
  • Upgraded gems: acts_as_tree, bootsnap, bundler-audit, factory_bot, paper_trail, rails, rails-html-sanitizer, timecop, thor, unicorn, unicorn-worker-killer
  • Bug fixes:
    • Attachments: Fix attachments not showing, validating, or exporting correctly
    • Evidence:
      • Add validation for creating evidences in the issue view
      • Set correct localStorage key to prevent pre-populating incorrect content at the issue level
    • Issue Library: Render colored badges in the Tags column of the entries table
    • Nodes: Prevent evidence labels linking to external resources
    • Rules Engine: Fix the Rules Engine not matching Issue Library entries with no trailing empty lines
  • New integrations:
    • CSV Importer
  • Integration enhancements:
    • JIRA:
      • Add support for datepicker custom fields
      • Add Bulk Send To support
      • Update JIRA setup instructions
    • Rules Engine: Prevent subsequent rules from running after a discard action
    • Qualys: Wrap ciphers in code blocks for the Vuln Importer
  • Reporting enhancements:
    • CSV Export: Rename integration to dradis-csv_export
    • HTML Export: Add :rtp plugins feature
    • Word:
      • Fixes “-” in hyperlinks displaying HTML entity
      • Fixes duplicated relationship Ids when adding relationships
      • Fixes text with double exclamation marks breaking report
      • Show error message in export logs when populating multi-paragraph content in inline content controls
      • Show error message in export logs when removing invalid screenshots
  • Security Fixes:
    • Medium: Authenticated author broken access control: read access to issue content

New in Dradis Pro v4.3

Auto-update Charts in Word

Previously, to include charts in Word templates, VBA macros were necessary to be able to update the charts in exported reports. This was a problem for the Mac users among us, as the relevant VBA is not supported in Office for Mac. We have now tweaked the reporting engine so that the source Excel sheets for charts in Word can be filled in with filters so they will auto-update during the export process from Dradis. The supported filters support the majority of use cases we have seen, such as issue counts by CVSS score, severity, type, category, host, etc.

Gateway comments

Do you use the Dradis Gateway? We have now improved this collaboration feature! Comments are already supported within Dradis projects, but now comments have reached the Gateway as well. If you are an Admin or Author on a project, you can choose to make a comment public (available on Gateway) or not (only visible to your team members within the project). Gateway contributors are able to view your public comments and submit their own comments on issues and other content inside the Gateway.

Qualys Asset Scans

Dradis now supports Qualys Asset Scans! This expands our Qualys coverage to include:

  • Qualys Vulnerability Scans (Vuln)
  • Qualys Web Application Scans (WAS)
  • Qualys Asset Scans (ASSET)

Release Notes

  • Comments: Show public comments for issues in a project
  • Mintcreek: Add breadcrumb navigation
  • Uploads: Allow subsequent file uploads from the same scanner without needing to re-select the scanner
  • Upgraded gems:
    • nokogiri, rails
  • Bug fixes:
    • Document Properties: Set focus to property name/value inputs when clicking the edit icon
    • Editor:
      • Add keyboard shortcut support for Windows and Linux
      • Allow comparing document property values with “==” operator
      • Allow text selection expansion using shift-click
    • Issues: Show correct links in the “Send To” menu
    • Subscriptions: Show correct Subscribe/Unsubscribe link after a new comment is posted
    • Tables: Prevent columns state from resetting after 2 hours
    • Teams: Prevent displaying trashed projects
    • Tylium: Remove extra left padding from the first line of content in a code block
    • Upload: Show pre upload validation for Qualys
  • Integration enhancements:
    • Openvas: Update Node label parsing. Include :hostname and :asset_id properties.
    • Qualys: Add Qualys Asset Scanner (ASSET) support
  • Reporting enhancements:
    • Word: Charts in Word can now be exported without the need for macros
  • Security Fixes:
    • Low: Password reset token can be reused in a 5-minute window

New in Dradis Pro v4.2

Project Soft-Delete and Instance Level Trash

Previously, once you deleted a project or a team, it was gone forever! We have now added soft-delete and an instance-level trash. So, if you delete a project or team, you can find it in your instance’s Trash, and you can recover it from there.

Choose Which Fields to Display by Default in Projects

In recent versions of Dradis, new projects will display all fields for Issues and Evidence in their respective tables by default. This can lead to a cluttered view. You can update which columns to display, but this is stored on a per-project basis. Now, you can select which Issue and Evidence fields to display by default in the Report Template Properties for your project’s associated report template in Templates –> Reports. Simply switch the toggle to “Show” to whichever fields you want to display by default, and that will apply instance-wide from then on. Of course, if you have project-specific preferences, or if you have multiple people working on the same project but with different preferences of which columns to display, each user can still manually set their preferences on a per-project basis as before.

Improved Evidence Creation from the Issue Level

Dradis lets you add Evidence directly from Issues by going to the Evidence tab of an Issue and hitting the “+ New Evidence” button. Previously that only allowed you to add a blank piece of Evidence or a Note template with no customised content. Now, you can customise the content right in the “Add New Evidence” form and choose where to put it, including in new nested Nodes.

Release Notes

  • Editor: Support fields with the same name in the Fields View
  • Increased table loading performance on Issues, Evidence, and Notes for projects with a lot of issues, evidence, or notes
  • Issues:
    • Display evidence in a table
    • Load evidence tab content asynchronously
    • Multi-delete evidence at the issue level
    • Update evidence content while creating evidence records at the issue-level
  • Notifications Navbar Dropdown:
    • Improve font-sizes
    • Wrap long notifications links
  • Projects:
    • Generate default report content when updating the report template
    • Truncate long team name badges in active project cards
  • Report Templates: Add Show option to display certain evidence and issue fields by default in tables
  • Trash: Allow projects and teams to be soft deleted
  • Tylium:
    • Import CSS manifests from addons
    • Move ‘…’ (more actions) menu closer to the content affected by the actions of the menu
    • Move the ‘Edit’ action out of the ‘…’ (more actions) menu for issues, evidence, notes, etc.
    • Remove extra left padding from the first line of content in a code block
    • Remove height restriction from code blocks
    • Simplify issues table columns
    • Updates focus state outline color
  • Upgraded gems:
    • mini_racer, puma, rails
  • Bug fixes:
    • Comments: Show sticky toolbar when adding long comments
    • Issues: Send To menu updates when new plugins are installed
    • Fix background services not restarting after upgrades
    • Liquid drops: Allow author collection to be called in ProjectDrop
    • Methodology: Fix misformatted cards when saving a methodology as a template
    • Redirect back to issue when updating evidence from the issue level
    • Rules Engine: Allow authors with “update” permission to sort rules
    • Tables: Prevent the select all button from selecting filtered-out rows when a filter has been applied
    • Subscriptions: Fixed a caching issue preventing users from subscribing or unsubscribing after the first cache was stored
  • Integration enhancements:
    • Dradis Projects:
      • Fixes missing parent nodes during template and package imports
      • Fixes missing nodes for attachments during template and package imports
    • Gateway:
      • Bug fixes:
        • Fixes ‘authors’ call for the atlantia theme
        • Fixes missing attachments crashing Gateway
        • Select a default pane when Authors edit a Gateway project instead of loading a mostly blank screen
    • Nexpose:
      • Add the Hostname Node property from the name rather than site-name tag
    • Nipper:
      • Add Nipperv1 fields to issues
    • PDF Export:
      • Add Thor task for console export
      • Add view hook for Export#index
    • Qualys:
      • Add ‘element.qualys_collection’ as issue field
      • Add Qualys Web Application Scanner (WAS) support
    • Remediation Tracker:
      • Bug fixes: Hide the tickets’ “edit” and “delete” buttons for unauthorized users
    • SAML:
      • Add PingIdentity support
      • Add SAML logo to Log in button
      • Increases log verbosity on errors
    • Scheduler:
      • No longer shows disabled projects in the calendar
    • VSTS:
      • Format issue content when sending to VSTS
  • REST/JSON API enhancements:
    • Projects/Teams:
      • Discard Projects through the DELETE endpoint
      • Hide discarded projects/teams from endpoints
  • Security Fixes:
    • Low: Authenticated author broken access control: read access to screenshots

New Dradis script: Bulk upload

We have a new addition to our dradispro-scripting repository. The bulk_upload.sh script allows you to upload multiple tool output files (of the same type) into a Dradis project at once.

For example, you might have multiple Nmap files from scanning hosts associated with a single Dradis project. Now you can upload all those files to your project at once. To use the script:

1. Copy all the XML files for a given plugin that you want to upload to a folder on your Dradis instance, such as /tmp/nmap/

2. Copy the bulk_upload.sh file to /opt/dradispro/dradispro/current/ on your Dradis instance.

3. Make the file executable:
$ chmod +x /opt/dradispro/dradispro/current/bulk_upload.sh

4. Run the file:
$ /opt/dradispro/dradispro/current/bulk_upload.sh <project_id> <plugin> <path>

For example, if your project is at <Dradis IP>/pro/projects/4 and you want to upload multiple Nmap files from /tmp/nmap/:
$ /opt/dradispro/dradispro/current/bulk_upload.sh 4 nmap /tmp/nmap/
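As an added example, and not the bulk_upload.sh from the dradispro-scripting repository itself, here is a POSIX sh wrapper that does what a script with that calling convention needs to get right before it touches an instance: it validates the three arguments, refuses an empty folder, keeps file names with spaces intact, and reports how many uploads succeeded and failed. The single-file upload command is an assumption: set DRADIS_UPLOAD_CMD to whatever entry point your instance provides for one file; the default is a dry-run placeholder that only prints what it would do.

```shell
#!/bin/sh
# Added example, not the bulk_upload.sh from dradispro-scripting: a defensive
# wrapper around the "one folder of XML files -> one Dradis project" routine.
# The per-file upload command is an assumption: point DRADIS_UPLOAD_CMD at the
# single-file upload entry point of your instance. It is invoked as
#   <cmd> <project_id> <plugin> <file>
# The default below is a dry-run placeholder, not a Dradis task.

set -u

# Dry-run stand-in for the real upload command (placeholder).
upload_dry_run() {
  echo "would upload '$3' to project $1 with plugin $2"
}

# Reject anything that is not "<numeric project id> <plugin name> <existing dir>"
# before touching a single file.
validate_args() {
  case $1 in
    ''|*[!0-9]*) echo "project_id must be numeric, got '$1'" >&2; return 1 ;;
  esac
  case $2 in
    ''|*[!a-z0-9_]*) echo "plugin must be a lowercase plugin name such as nmap, got '$2'" >&2; return 1 ;;
  esac
  [ -d "$3" ] || { echo "path '$3' is not a directory" >&2; return 1; }
  return 0
}

# Upload every *.xml directly inside the folder. The quoted glob keeps file
# names with spaces in one piece; an unmatched glob is caught by the -f test.
# Prints "uploaded=N failed=M" and returns 0 only if at least one file was
# uploaded and none failed.
bulk_upload() {
  validate_args "$1" "$2" "$3" || return 1
  project_id=$1 plugin=$2 dir=$3
  uploaded=0 failed=0
  for f in "$dir"/*.xml; do
    [ -f "$f" ] || continue
    if "${DRADIS_UPLOAD_CMD:-upload_dry_run}" "$project_id" "$plugin" "$f"; then
      uploaded=$((uploaded + 1))
    else
      failed=$((failed + 1))
      echo "upload failed: $f" >&2
    fi
  done
  if [ "$uploaded" -eq 0 ] && [ "$failed" -eq 0 ]; then
    echo "no .xml files found in $dir" >&2
    return 1
  fi
  echo "uploaded=$uploaded failed=$failed"
  [ "$failed" -eq 0 ]
}

# Entry point with the same calling convention as the script above, e.g.
#   ./bulk_upload_example.sh 4 nmap /tmp/nmap/
if [ $# -eq 3 ]; then
  bulk_upload "$@"
fi
```

Run it once with the dry-run default to confirm it picks up exactly the files you expect, then point DRADIS_UPLOAD_CMD at the real upload command; a non-zero exit means at least one file was skipped or rejected and the console output names it.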

We hope you find this script useful! Check out our other scripts at dradispro-scripting repository for other scripts you can use or adapt to improve your workflow.

w00t and pillage – Captain’s bLog: day 14

I have now completed the first course in my queue! Since the last post, I have been digging into website hacking. This is of course a big area and a massive element of day-to-day information security. I went through various avenues and implementations of SQL injection attacks, XSS (Cross Site Scripting) attacks, and more. I also learned about protecting against these sorts of attacks, and had a brief introduction into how vulnerability scanning can be automated with scanning tools. Of course, once you have your scan output ready, put it into Dradis and produce a custom no-fuss report!

Trying out the SQL injection procedures was based on attacking a fake vulnerable web server in Metasploitable. Insecure database calls in SQL on a website or web application can let attackers extract or modify information, or grant access even without passwords. An SQL injection vulnerability on one site can potentially undermine the security of all sites and applications hosted on that one web server. As the instructor said, if there is an SQL injection vulnerability on the target site, bingo, game over, you as an attacker can ultimately do virtually anything you want with that site.

With XSS vulnerabilities, you essentially insert scripts to run from a site. As an example, there may be a commenting feature on a web page with an XSS vulnerability, which means that this XSS script would run for all visitors to that page. What makes this insidious is that the script would run for visitors to the page, as it’s not part of the base web page. An insecure website could therefore jeopardize the security of third parties – and therefore, owners of web pages, web applications, and web hosts have a responsibility to protect their sites so third parties are not affected.

The course closed with a very brief introduction to ZAP (Zed Attack Proxy), one of many tools to automate scanning for vulnerabilities. The point of this course was to show the theory behind security vulnerabilities, and the sort of attacks that can be carried out by hackers. Now that I have been introduced to the nuts-and-bolts, step-by-step methods of attacking devices and applications, the path is open to learning more about particular focus areas and to think about scripting and automation. I do have some more studies coming up to these ends. I intend to learn more about hacking using Android, I need to learn more about networking vulnerabilities, and I would like to learn more about scripting and vulnerability scan automation through software like ZAP and Burp, both of which have official Dradis plugins. I already manipulate their plugin outputs most days when building Dradis templates, so it would be fun to create those outputs as well!

w00t and pillage – Captain’s bLog: day 13

Lately I have been looking into the details of hacking through networks, and post-exploitation attacks. The idea was to get beyond the idea of trying out attacks on a second VM on the same device, or another device here at home, to the principle of hacking devices on other networks.

First up was freshening up on the basics of networking. From the “information gathering” step I should have multiple ways of potentially feeding backdoors to the target device. Then there was an exercise of doing so, using BeEF – essentially the same exercise as before, with only some minor changes to function with the outside network. That demonstrated the principle, so we moved on to a look at post-exploitation attacks.

Post-exploitation attacks were run with metasploit through veil-evasion. That generated a robust connection with meterpreter that should be essentially undetectable by antivirus programs. The challenge is of course to manage the original connection, but with that accomplished, meterpreter allows all sorts of scripts to be run as well as terminal access.

In effect, that meant running all the sorts of attacks that people should be paranoid about; keylogging, capturing screenshots of the target device, controlling the camera and/or microphone, altering the files on the target device, and so on. Fun! Metasploit has so many functions and capabilities that going through them in detail was beyond the scope of this course.

Now that the possibilities of post-exploitation attacks had been made clear, the course moved back to networking, to cover pivoting. Pivoting allows hackers to target other devices in the same network as an infected device. Even if the hacker’s device has no access to the final target devices, if they can attack a device in the same network as the final target, they can route their attacks through the infected device. That is another cool exploit, and hammers home how important security is on servers and routers.

As the course progresses, I believe I get a far better understanding of our Dradis users’ use cases. When I build custom Dradis templates and configure projects, of course there’s always some variation of issue descriptions, screenshots, and usually evidence output. These post-exploitation attacks and network penetration efforts are exactly the sort of vulnerabilities that Dradis is set up to report, and screenshots of my work would make good evidence output.

I do feel that in the last weeks’ studies I have been heavy on the theory and observation, but light on actual practice. I intend to set up a few devices and VMs to practise attacking, and I have permission to try to attack some other people’s personal devices. Let’s see how that goes; beyond that, the rest of the current course covers website hacking, which will also be fun!

w00t and pillage – Captain’s bLog: day 12

Lately my studies have gone over email spoofing and hooking browsers using BeEF. Email spoofing in itself is easy enough, with editable “from” fields in many email apps, but I learned a few new cool approaches to make the spoofing far more accurate, enough to fool Gmail. Browser hooking is very cool, it’s frankly shocking to see just how much can be done to a victim’s device just through a browser. Then I consider that Chromebooks are basically a PC running through a browser. The trend is definitely to make browsers even more central to electronic device usage, and I’m not convinced that the work taking place for improved browser security is commensurate with the needs for it.

Most of this Social Engineering section has been based around one simple trojan, easily created and capable of bypassing antivirus programs. Whether it’s through spoofed emails, browser redirection, fake updates, or other BeEF tricks, the delivery of the trojan has been simple. The approaches are also fairly convincing on the face of it – getting someone to open a zipped .pdf or .png which is secretly a trojan is not hard when they are convinced it comes from someone they know and trust. At first approach, the browser hooking techniques I have seen appear a little more crude and unsophisticated – why would Firefox need to redirect you for an update, for example? – but could definitely work on more casual users. Phishing login data through a fake login window is still effective, especially when it’s from a frame in the user’s current page and doesn’t involve a redirect or an obviously fake URL in the header. Capturing screenshots, and even commandeering the webcam and microphone, is of course far more insidious and unlikely to be detected once the browser is hooked.

My main takeaway from this so far is that I’m gaining a lot more respect for proper preparation work in information gathering before making the first attack. Proper research with Maltego, or just careful use of Google and social media, clearly make an attack far more likely to succeed. As I’ve noted before, this suggests we should all be far more protective of our data and privacy – but how realistic is that really in the modern age, when simply applying for jobs or keeping in touch with your friends all but requires social media accounts?

I’m also surprised at the suggested measures for detecting trojans like the ones I have made – far too manual, like checking file properties. Fortunately the OSes I use will not run malicious code without my active consent, but the way I had my Windows rig set up (back when I had one) would be far more vulnerable despite the firewall, antivirus, and VPN.

Next up is some more work on networks, e.g. for using BeEF outside the user’s network, and then going into post-exploitation attacks in more depth. Fun!

Mycenae, the original centre for combating Trojans

w00t and pillage – Captain’s bLog: day 11

This week my studies took a bit of a left turn into Social Engineering.  Whereas everything else so far was technical in nature, using and abusing hardware and software issues and their vulnerabilities, the most recent classes covered the most defective element of any security system – the meatbag in front of the monitor.  PEBKAC indeed!

In terms of systems, I got started with Maltego CE.  The interface is very user-unfriendly, but with the right walkthrough and plugins, it’s the tool I never knew I wanted!  By doing plugin-based searches on all sorts of media on nodes such as persons, websites, servers, and so on, it becomes possible to draw intricate networks of connections between nodes – like a conspiracy theorist’s corkboard, only for cyber-stalking.  Fun stuff!

Next up on the technical side was spoofing to bundle malicious code with a legitimate file and obscure the executable extension, as well as spoofing emails and accessing email servers to send spoof emails without getting immediately flagged as spam.

The downside of this part of the course is that it feels like it’s stretching the concept of “ethical hacking” to the limits of what can be considered “ethical”.  If I spoof a VM, or a real device with the owner’s permission, for the sake of attempting a man-in-the-middle attack, I’m not hurting the device’s feelings.  To even test out a social engineering attack I have to try to fool someone.  I have no problems with pushing the limits of what I can find out about an entity online through publicly accessible information, as the entity in question can use that data for good (e.g. improving their personal privacy by restricting apps’ access to their data), but getting someone to “click here” feels too close to Nigerian royalty.

Even so, the shock value of a successful engineering attack can have positive effects in the sense of raising awareness.  A BBC journalist agreed to let a cyber-security firm try to phish him, and they succeeded.

Did you click that link?  Considering the subject of this post, did you even check if it was legit?  This time it was – but what if it hadn’t been?