When you're assessing the exposure to phishing in your organization, one important part are the client-side vulnerabilities that would enable a malicious attacker to exploit a browser. In this blog post, I'd like to outline a non-invasive (and free!) way to get visibility into your client-side risk landscape.

There are essentially two ways to use phishing as part of your security program.

  • Phish 2 Pwn: If you are a penetration tester, you'll likely use spear phishing of a couple of users to compromise a machine to gain a first foothold in the network and then pivot from there.
  • Phish 2 Educate: Phishing as part of your security program uses simulated phishes to see how many of your users would click on a link or enter credentials on a fake form.

Metasploit Pro offers phishing options for both Phish 2 Pwn and Phish 2 Educate. For this blog post, we'll focus on the latter. With Metasploit, you would typically set up your phishing email, containing a link to a landing page, which could be used to do any of the following:

  • Exploiting the browser or its plugins
  • Displaying a fake login page to harvest credentials (e.g. OWA login page)
  • Tracking click-throughs
  • Delivering security awareness training
  • Any combination of the above

Some phishing projects don't allow you to exploit clients, but there is a great way to determine client-side vulnerabilities using a free Rapid7 product called BrowserScan. Think of BrowserScan like Google Analytics for client-side vulnerabilities: You embed an invisible JavaScript snippet in your landing page and view the vulnerabilities in your BrowserScan dashboard. It records both browser and plugin vulnerabilities. While a vulnerability management, such as Nexpose, can give you this kind of information about clients inside your network, BrowserScan gives you the vulnerability ratings of the machine actually used by the user, such as the user's home PC.

Here's how you do it:

  1. Create your free BrowserScan account
  2. Click on Tracking and choose the Transparent badge, which is not visible when the user visits the page
  3. Embed the JavaScript code in your phishing landing page

Once you have run your phishing campaign, you'll be able to see the the results of the vulnerable scanners in your BrowserScan Dashboard:

You can view the number of vulnerable clients overall or by a particular plugin. Here's Oracle Java by vulnerability status:

You can also see the breakdown by version number:

BrowserScan is not only limited to your phishing campaigns - you can also host it on other web pages, e.g. your intranet page or a frequently used internal web application, to get a quick, easy, and free view of your users' security posture, no matter where they may access the page from. You can even include a badge on your intranet page that gives the user instant feedback of their security posture. You may even consider this for your phishing training page:

Want to give this a try? Create your free BrowserScan account now!