URLCADIZ - Handy Addition To Social Attacks  

This popped up on LinkedIn earlier today, so I went to confirm the software and see if it would fit into the current workflow well. Something as simple as this has to have a place, otherwise, why would it have been created in the first place?

After logging into my Kali VM, moved over to /usr/share (or wherever you store scripts and programs) and input the following:
git clone https://github.com/PerezMascato/URLCADIZ
If necessary, do the following:
pip3 install pyshorteners
Then to run the program:
python3 URLCADIZ.py

The first screen prompts for the type of social URL you would like to run through tinyURL.

While looking at this screen, the first thing that went through my mind is a combination of this with BadPDF or SET. While SET may already do something like this out of the box, this one script can bind other social engineering tools that are not yet in SET.
Next screen prompts for the attacker URL (or original URL):

Here I have input http://h.acki.ng. This is a URL I own that redirects to http://zi.n.gy. The next screen is the bogus article, search result, or Instagram posting. Just minor tweaking on this script, and you can make it appear to come from anywhere you want, including a corporate intranet. ;)

This screen is just where you make up a Django style URL or anything actually. I just copy/pasted the one suggested, then the next displays the formed malicious URL printed at the top.

For a test, copy and paste that URL into your browser and the redirection warning pops up.

The alert is due to an attempt to authenticate from Instagram, so will most likely not appear if posted on Instagram - but I’m not going to try that, even if URLs I control are not malicious. As mentioned above, just a little bit of tweaking this script could make it even more effective.

Small, simple and handy. Another addition to my Pen Testing toolkit!


Now read this

The CISO Role Is Technical

Recently there has been a bit of discussion about information security leadership. The other night I was put on the spot when I made a comment and the response was, “so if you’re not technical, you cannot do security work?” Or, something... Continue →