PowerShell Phishing Response Toolkit (PPRT)

Yesterday I gave a talk at ShowMeCon in St. Louis regarding PPRT. I also gave this talk at CircleCityCon, but had some technical issues. :) I wanted to write this quick post to share out my PowerPoint slides from this presentation. If you have any questions about PPRT, please reach out via this blog or create an issue on my GitHub page: https://github.com/MSAdministrator/PPRT—PowerShell-Phishing-Response-Toolkit


Slides: PowerShell Phishing Response Toolkit

PhishReporter: PowerShell Module

If you work in the Info Sec world you know that phishing is a pain in the neck, especially when you've been targeted by a large phishing campaign. I've been through these massive phishing attacks, and it is not fun!

One such attack, about a year ago, was especially difficult because the attackers were using very unique tactics and spoofing lots of internal e-mail communications.

Our procedure was to go and find the company that was hosting these phishing URLs and e-mail them to tell them to shut the site down immediately.  Hosting companies like weebly.com, jimdo.com, webs.com, etc. were pretty good at shutting these sites down as soon as they were put online, but this process would take about 5 to 10 minutes and sucked!

Since this last attack, I decided to automate this process.  This new script/tool is a PowerShell Module called PhishReporter.

The PowerShell module can be downloaded on GitHub: https://github.com/MSAdministrator/PhishReporter

This PowerShell Module is designed to send takedown notifications to the companies hosting phishing URLs, by looking up the abuse Point of Contact (POC) that the responsible Regional Internet Registry (RIR) publishes through WHOIS/RDAP.

  1. The function takes in a .msg file and extracts the URLs from the phishing e-mail.
  2. The hostname in each phishing URL is resolved to its IP address.
  3. Once the IP address of the hosting site is known, we work out which RIR's WHOIS/RDAP service to query, since each RIR only holds records for the address blocks it manages.
  4. Each major RIR is represented: ARIN, APNIC, AFRINIC, LACNIC, and RIPE NCC.
  5. We call that RIR's RDAP API for the IP address and read the abuse POC out of the response.
  6. Once we have the POC, we send them an e-mail asking them to shut the website down. This e-mail contains the original message as an attachment, the original phishing link, and a body explaining why the site should be removed.
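The six steps above, written out in plain PowerShell as an added example so they can be run offline; this is not PhishReporter's own code. The message text, hostname, IP address, e-mail addresses, SMTP server and .msg path are constructed for the example, and the bootstrap excerpt and RDAP response are constructed samples in the real formats (IANA's RDAP bootstrap file and RFC 9083 RDAP JSON).

```powershell
# Added example, not PhishReporter's own code. All hostnames, addresses and
# file paths are constructed; the bootstrap excerpt and RDAP response are
# constructed samples in the real IANA-bootstrap and RDAP JSON formats.

function Get-PhishingUrl {
    param([Parameter(Mandatory)][string]$Body)
    # Step 1: every http(s) URL in the message text, de-duplicated.
    [regex]::Matches($Body, 'https?://[^\s<>"'']+') |
        ForEach-Object { $_.Value.TrimEnd('.', ',', ')') } | Sort-Object -Unique
}

function Resolve-HostIPv4 {
    param([Parameter(Mandatory)][string]$HostName, [scriptblock]$Resolver)
    # Step 2: hostname -> IPv4. Pass -Resolver to replace live DNS (the demo does).
    if (-not $Resolver) {
        $Resolver = { param($h) ([System.Net.Dns]::GetHostAddresses($h) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString }
    }
    [ipaddress](& $Resolver $HostName)
}

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][ipaddress]$Ip)
    $n = [long]0
    foreach ($b in $Ip.GetAddressBytes()) { $n = ($n * 256) + $b }
    $n
}

function Get-RdapBaseUrl {
    param([Parameter(Mandatory)][ipaddress]$Ip, [Parameter(Mandatory)]$Bootstrap)
    # Steps 3-4: IANA's bootstrap file (https://data.iana.org/rdap/ipv4.json)
    # lists the address blocks each RIR serves; the longest matching prefix wins.
    $ipNum = ConvertTo-IPv4Number $Ip
    $best = $null; $bestLen = -1
    foreach ($service in $Bootstrap.services) {
        foreach ($cidr in @($service[0])) {
            $net, $len = $cidr -split '/'
            $len  = [int]$len
            $mask = [long](4294967296 - [math]::Pow(2, 32 - $len))
            if ($len -gt $bestLen -and ($ipNum -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)) {
                $bestLen = $len; $best = @($service[1])[0]
            }
        }
    }
    if (-not $best) { throw "No RDAP server is listed for $Ip" }
    $best
}

function Get-AbuseContact {
    param([Parameter(Mandatory)]$RdapObject)
    # Step 5: RDAP entities nest; find the one with the "abuse" role and read
    # the e-mail out of its jCard ("vcardArray").
    foreach ($entity in @($RdapObject.entities)) {
        if (-not $entity) { continue }
        if (@($entity.roles) -contains 'abuse' -and $entity.vcardArray) {
            foreach ($prop in @($entity.vcardArray[1])) {
                if ($prop[0] -eq 'email') { return [string]$prop[3] }
            }
        }
        $nested = Get-AbuseContact -RdapObject $entity
        if ($nested) { return $nested }
    }
}

function New-AbuseNotification {
    param([string]$To, [string]$From, [string]$Url, [string]$MsgPath, [string]$SmtpServer)
    # Step 6: a Send-MailMessage parameter set; the original .msg goes along as
    # an attachment so the host sees the full headers. Use: Send-MailMessage @mail
    @{
        To = $To; From = $From; SmtpServer = $SmtpServer; Attachments = $MsgPath
        Subject = "Phishing site hosted on your network: $Url"
        Body    = "The URL $Url is being used in a phishing campaign against our users. " +
                  "The original e-mail is attached. Please remove the content and reply to confirm."
    }
}

# --- Demo on constructed data (no network access) ---------------------------
$body = 'Your mailbox is full. Verify now at http://login-verify.example-hosting.net/owa/ to keep access.'
$bootstrap = @'
{ "services": [
    [["3.0.0.0/8"],   ["https://rdap.arin.net/registry/"]],
    [["193.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
    [["203.0.0.0/8"], ["https://rdap.apnic.net/"]]
] }
'@ | ConvertFrom-Json
$rdap = @'
{ "objectClassName": "ip network", "handle": "EXAMPLE-NET-203-0-113", "startAddress": "203.0.113.0",
  "entities": [ { "handle": "EXAMPLE-HOSTING", "roles": ["registrant"],
    "entities": [ { "handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "Example Hosting Abuse Desk"],
                               ["email", {}, "text", "abuse@example-hosting.net"]]] } ] } ] }
'@ | ConvertFrom-Json
$dns = @{ 'login-verify.example-hosting.net' = '203.0.113.45' }   # stands in for DNS

$url       = Get-PhishingUrl -Body $body | Select-Object -First 1
$phishHost = ([uri]$url).Host
$ip        = Resolve-HostIPv4 -HostName $phishHost -Resolver { param($h) $dns[$h] }
$base      = Get-RdapBaseUrl -Ip $ip -Bootstrap $bootstrap
$query     = "$($base.TrimEnd('/'))/ip/$ip"      # live run: $rdap = Invoke-RestMethod -Uri $query
$abuse     = Get-AbuseContact -RdapObject $rdap
$mail      = New-AbuseNotification -To $abuse -From 'security@example.edu' -Url $url -MsgPath 'C:\Phish\original.msg' -SmtpServer 'smtp.example.edu'
"URL: $url`nHost: $phishHost -> $ip`nRDAP query: $query`nAbuse POC: $abuse`nSubject: $($mail.Subject)"
# Send-MailMessage @mail    # the actual notification; left commented for the offline demo
```

Two caveats worth keeping in mind when you automate this. The abuse POC that RDAP returns belongs to whoever registered the IP block, so for a site behind a CDN or on a big cloud provider you reach the provider's abuse desk, not the customer who put the page up, and many providers also want the report sent through a web form or in a specific format. And because step 1 pulls every URL out of the message, review the list before notifying anyone; a phishing mail usually also contains legitimate links (the spoofed brand's real site, unsubscribe pages) whose hosts you do not want to report.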

This Module came out of necessity. I was sick of trying to contact these individual sites, so I have begun automating our response time to these events.

The next steps for this project are to fully integrate into Outlook and automate this even further by enabling a simple text search or based on a selected ‘folder’ event. Please share with the Security community and contribute/improve as you deem fit. I only ask that you share your edits back with this project.

Windows Security: Public/Private Key Exchange (Basics)

My wife and I saw CITIZENFOUR yesterday during a secret screening. If you have not had the chance to see this movie, please do so as soon as you can – it's a great documentary! The only complaint I have about the film is that they do not explain Cryptography or Encryption for the "normal" folks. When the film ended, I looked around and there were many non-technical people (including older individuals). I remember hearing someone say "well I guess I'm not going to be using email anymore". This sentiment is not what the film is about, and I believe the director should have explained this very technical methodology to not confuse the non-techie people.

With all that being said, I'm going to try to explain Public/Private Key Exchange in the simplest form I can...

Imagine that you (the mother) want to send an e-mail to someone (your son), but you want the contents to be safe from prying eyes. To do this you need a form of encryption that is actually secure. The most common way to do this for e-mail is public-key encryption, where each person's public key is handed out inside a certificate.

You may be asking, what the hell is a certificate? Think about your college degree or your high school diploma: you received this certificate from your high school or university. This certificate is really nothing special, just a printed piece of paper, but the one thing that makes it special is that it's yours. Your certificate is unique because it has your name on it, the year you graduated, the school you went to, and possibly an issue number. All of these things make your certificate unique, and the same is true of a certificate we use for encryption.

The only difference between the certificate you received at graduation and one you use for encryption is that the encryption certificate is digital. Your digital certificate can be trusted because it comes from a trusted source (a Certificate Authority), it was issued specifically to you, and it tells anyone who checks it: this is me, and this key is mine.

So you have your key pair. Your certificate carries your public key; the matching private key is generated at the same time and stored separately, and, as you can imagine, it should always be kept private. This private key is the key (pun intended) to all of your encryption. This means that you do not want to store this private key just anywhere; keep it on a thumb drive in a safe (and buried in the backyard) :) Seriously, keep it as safe as the data you are encrypting needs to be.

The other half of your key pair is your public key. Your public key will be, well, public, and anyone (the son) can use it to encrypt data meant for you. You may be asking at this point: okay, I have my certificate, I have my public and private key, and someone has encrypted data with my public key, NOW WHAT? Well, once data has been encrypted with your public key, you are the only one who can decrypt it.

That’s right, your private key is used to decrypt data that has been encrypted by your public key!

Now let's get to a real world example, back to the mother and son. For the mother to receive encrypted mail (and to sign what she sends), she first needs a key pair and a certificate for its public key. Depending on where the mother lives, she can purchase a certificate from a Certificate Authority (CA) or receive one from her employer's CA. Once the mother has a certificate, she installs it into her web browser or e-mail client (for example).

Now that the certificate is installed, her public key (together with the private key that was generated alongside it) is on her computer and ready to use. Since her key is public, there is no harm in it travelling with her messages; most e-mail and web software sends it along automatically. The mother then sends her public key to her son (by e-mailing it to him). Once her son has his mother's public key, he can send her mail that only she can read: anything the son encrypts with the mother's public key can be decrypted only with the mother's private key. For the mother to reply the same way, she needs her son's public key, obtained in exactly the same manner.

Below is a great graphical explanation of the Public/Private Key Exchange:


This post explains only the basics of public/private keys and does not go into the details of the many related technologies (e.g. Diffie-Hellman key exchange, or how symmetric and asymmetric encryption are combined in practice). One practical note: what the mother and son did above is public-key encryption rather than a key exchange in the strict sense, and real e-mail and web encryption use the public key only to protect a short, random symmetric key, encrypting the actual data with that symmetric key, because public-key encryption is slow and can only handle small messages. I hope this post has helped people understand the absolute basics of encryption.
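The mother/son exchange from this post carried out for real with RSA, as an added example that is not part of the original post. It uses the .NET cryptography classes PowerShell already has (PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, which is needed for `RSA.Create(2048)`). The names, the message and the key size are illustrative assumptions.

```powershell
# Added example, not code from the original post: the mother/son scenario
# done with RSA through .NET's System.Security.Cryptography classes.
# Names, message text and key size are illustrative assumptions.

# 1. Mother generates her key pair. The private half stays inside $motherKey.
$motherKey = [System.Security.Cryptography.RSA]::Create(2048)

# OAEP with SHA-256 is the padding you want. The legacy RSACryptoServiceProvider
# (what RSA.Create() returns on older .NET Framework hosts) only does OAEP-SHA1,
# so fall back to that rather than fail on such a machine.
$padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
if ($motherKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
}

# 2. She exports only the public half to hand to her son. ExportParameters($false)
#    leaves out D (the private exponent) and the CRT values, so this is safe to
#    send in the clear; a certificate is this public half plus a CA's signature.
$publicHalf = $motherKey.ExportParameters($false)
"Public half carries the private exponent: $($null -ne $publicHalf.D)"   # False

# 3. Son loads the public half into an RSA object of his own and encrypts with it.
$sonView = [System.Security.Cryptography.RSA]::Create()
$sonView.ImportParameters($publicHalf)
$plaintext  = [System.Text.Encoding]::UTF8.GetBytes('Dinner is at 6. Bring the photos.')
$ciphertext = $sonView.Encrypt($plaintext, $padding)
"Ciphertext is $($ciphertext.Length) bytes: $([Convert]::ToBase64String($ciphertext).Substring(0, 24))..."

# 4. Only the private key turns it back into the message.
$decrypted = [System.Text.Encoding]::UTF8.GetString($motherKey.Decrypt($ciphertext, $padding))
"Mother reads: $decrypted"

# 5. The public half alone cannot decrypt, which is the whole point.
try {
    $null = $sonView.Decrypt($ciphertext, $padding)
    'Unexpected: decrypted with the public key only'
} catch {
    "Decrypting with only the public key failed, as it should: $($_.Exception.Message)"
}

$sonView.Dispose()
$motherKey.Dispose()
```

Note the size limit you hit as soon as you try a longer message: a 2048-bit RSA key with OAEP-SHA256 can encrypt at most 190 bytes per operation. That is why S/MIME and PGP never RSA-encrypt the message itself; they generate a random symmetric key, encrypt the body with it, and use the recipient's public key only to wrap that symmetric key.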

Script: Adding Exchange Resource Accounts to your Outlook

I work for a large public University and we have many Resource Accounts. We needed a way to move away from Public Folders, but we wanted it to be as seamless as possible. To do this, I created this VBS script that allows anyone to add Resource Accounts to their Outlook 2013/2010 calendar as a shared calendar. The user in question will have to run this script while Outlook is open; it will resolve the Resource Account (replace the RESOURCEACCOUNTNAME placeholder in the script below with the account's name as it appears in the GAL) and add it to the user's calendar. I hope this helps anyone interested in doing the same.

' Script Name: ADDCALENDAR.vbs
' Version: 1.0
' Author: Josh Rickard
' Last Updated: 4.Nov.2013
' Purpose: This program is used to add Room Resource Calendars to
' someone's Microsoft Office 2013 Shared Calendars group.
' Outlook 2013 has to be open for this script to continue.
' This script was originally created for the Trulaske
' University of REDACTED Technology Services Department.
' Legal: Script provided "AS IS" without warranties or guarantees
' of any kind. USE AT YOUR OWN RISK. Public domain.
Option Explicit

Dim objApp
Dim objNS
Dim objFolder
Dim strName
Dim objDummy
Dim objRecip
Dim calendar

Const olMailItem = 0
Const olFolderCalendar = 9

' Resource Accounts to add, exactly as they resolve in the GAL.
' Replace RESOURCEACCOUNTNAME with the display name or e-mail address of
' each Resource Account (add or remove entries as needed).
strName = Array("RESOURCEACCOUNTNAME")

' This section checks to see if Outlook 2013 is already running. If it is not,
' it tells the user "Please Open Outlook and run this program again" and exits.
' Change "Outlook.Application.15" to "Outlook.Application.14" for Outlook 2010.
On Error Resume Next
Set objApp = GetObject(, "Outlook.Application.15")
If Err.Number <> 0 Then
    MsgBox "Please Open Outlook and run this program again."
    WScript.Quit 1
End If
On Error GoTo 0

MsgBox "This program will add Room Calendars to your mailbox."

' Attach to the running Outlook session once, not once per calendar.
Set objNS = objApp.GetNamespace("MAPI")

' For Each loop adds each calendar in strName to the user's Shared Calendars.
For Each calendar In strName
    Set objFolder = Nothing

    ' A throw-away mail item is used only to resolve the name against the GAL.
    Set objDummy = objApp.CreateItem(olMailItem)
    Set objRecip = objDummy.Recipients.Add(calendar)
    objRecip.Resolve

    If objRecip.Resolved = True Then
        ' Opening the shared default calendar through the object model is what
        ' makes Outlook list it under Shared Calendars. It fails (and objFolder
        ' stays Nothing) when the user has not been granted access to it.
        On Error Resume Next
        Set objFolder = objNS.GetSharedDefaultFolder(objRecip, olFolderCalendar)
        On Error GoTo 0
        If objFolder Is Nothing Then
            MsgBox "Could not open the calendar for " & calendar & _
                   " (check that you have been granted access to it).", , "Calendar not found"
        End If
    Else
        MsgBox "Could not find " & calendar & " in the Global Address List.", , "User not found"
    End If

    Set objRecip = Nothing
    Set objDummy = Nothing
Next

Set objFolder = Nothing
Set objNS = Nothing
Set objApp = Nothing