When you're assessing the exposure to phishing in your organization, one important part are the client-side vulnerabilities that would enable a malicious attacker to exploit a browser. In this blog post, I'd like to outline a non-invasive (and free!) way to get visibility into your client-side risk landscape.
There are essentially two ways to use phishing as part of your security program.
- Phish 2 Pwn: If you are a penetration tester, you'll likely use spear phishing of a couple of users to compromise a machine to gain a first foothold in the network and then pivot from there.
- Phish 2 Educate: Phishing as part of your security program uses simulated phishes to see how many of your users would click on a link or enter credentials on a fake form.
Metasploit Pro offers phishing options for both Phish 2 Pwn and Phish 2 Educate. For this blog post, we'll focus on the latter. With Metasploit, you would typically set up your phishing email, containing a link to a landing page, which could be used to do any of the following:
- Exploiting the browser or its plugins
- Displaying a fake login page to harvest credentials (e.g. OWA login page)
- Tracking click-throughs
- Delivering security awareness training
- Any combination of the above
Here's how you do it:
- Create your free BrowserScan account
- Click on Tracking and choose the Transparent badge, which is not visible when the user visits the page
Once you have run your phishing campaign, you'll be able to see the the results of the vulnerable scanners in your BrowserScan Dashboard:
You can view the number of vulnerable clients overall or by a particular plugin. Here's Oracle Java by vulnerability status:
You can also see the breakdown by version number:
BrowserScan is not only limited to your phishing campaigns - you can also host it on other web pages, e.g. your intranet page or a frequently used internal web application, to get a quick, easy, and free view of your users' security posture, no matter where they may access the page from. You can even include a badge on your intranet page that gives the user instant feedback of their security posture. You may even consider this for your phishing training page:
Want to give this a try? Create your free BrowserScan account now!