Conducting USB Drop Tests With GoPhish

Chris Merkel
Aug 29, 2018

Measuring the effectiveness of your education and awareness campaigns through adversary simulation.

tl;dr

GoPhish, a free, open-source toolkit written by Jordan Wright, makes it easy to create custom URLs that can be embedded into files on a USB stick. This gives you a nice front-end for tracking social engineering campaigns across multiple delivery methods. The other day, on Twitter, I gave my thumbs up on GoPhish and said we used it for USB drops (we didn’t, my memory was faulty), but it sounded like this wasn’t something they had considered before, so I figured I’d do the community a solid and describe the process.

The Background:

There’s a three-legged stool of security failures: faulty code, misconfiguration and social engineering. Phishing attacks, a social engineering technique, have been successfully used to compromise organizations large and small throughout the world. Statistics vary, but phishing has cost organizations billions of dollars via Business Email Compromise scams alone.

So where do USB sticks factor in? People will pick up USB sticks and plug them into their computer. From there, many operating systems will auto-run content on the USB stick, which will then infect the computer with malware and give attackers a foothold directly to your internal network, bypassing your expensive seven-layer application-aware next-gen cloud-awesome firewall entirely.

This happens in real life. Beyond opening malware or getting people to open a file, these devices can also emulate other hardware, to disastrous effect, as evidenced by the awesome USB Rubber Ducky.

Does your organization have an awareness program? How do you measure the effectiveness of your message? If you haven’t already, I suggest starting an internal phishing campaign to measure user response rates. I’m not a fan of negative-feedback training, so I recommend having them land on a generic block page that mimics what your company’s web filtering service might display. This will give you the ability to measure user responsiveness at regular intervals where you can watch the steep uptick in phishing clicks, starting about 30 days after you ran your once-per-year training.

Once you get regular phishing off the ground, you can start to measure responsiveness via different means of delivery. That’s where this post comes in. We’ll use GoPhish to measure how many users insert and run content off random USB sticks. The results will be informative and probably a bit unsettling the first time you do this.

The Story:

So there was this one time where I was standing in a parking lot, outside a fence line, chucking USB sticks as hard as I could over the fence. We wanted to see what people would do when presented with:

  1. Training that explicitly tells them to not insert found USB sticks into your computer.
  2. A USB stick in the parking lot.

Based on the reaction of the factory workers out for a smoke, watching this spectacle and giving exactly zero shirts*, we were pretty sure that funtimes(tm) would ensue.

Spoiler: sticks were inserted and persons with access to highly sensitive data were pwned.

At the time we ran this test, we were using the Spear Phishing Toolkit (spt) — that project is long dead, but the concepts we used apply all the same using the excellent GoPhish application, which we used later on for all of our internal phishing campaigns.

Here’s how our process worked. I’ll use GoPhish as an example on how to do this so you can run a simple phishing drop, and provide additional info on how we tracked sticks using various enterprise IT computer management stuff. I’m also going to write this up under the assumption that if you’re going to stand up GoPhish, you’re going to want to do traditional phishing campaigns as well. At the moment, it appears that having deliverable emails is key to getting GoPhish to generate the unique URLs needed to make the USB drops work.

All the Steps

Step 1: Buy some USB sticks.
Get USB sticks people will actually want to pick up and put in their computer. Get brand-name ones, with enough space that the person picking it up will want to make it their own. Don’t be a cheapskate.

Step 2: Install GoPhish on a server that can receive requests from the internet.
It’s hard to overstate how darn easy installation is. If you don’t know how to safely open servers to the internet from your home or office, get a server in the cloud that’s not connected to anything you care about.

Step 3: Register your phishing domain.
I’m a big fan of Google Domains, because they include domain anonymity but use whatever registrar floats your goat. Just make sure you can easily create DNS records.

Step 4: Get yourself an SMTP server.
I like Amazon SES because it’s cheap and has both API and SMTP methods, but also because it makes setting up DKIM dead simple. Make sure you set up SPF and DKIM if you want your mail to arrive. If you have access to your mail filtering system, whitelist your domain.

Step 5: Set up your GoPhish Parameters
In this example, we record the USB device serial number, the place we want to drop it, and a valid email address associated with this stick, from which we’ll get the unique URL.

Setting up Groups / Users

Create records for each USB stick.

Create your email template
No need to create a fancy landing page; you simply need to get GoPhish to generate unique URLs. You can generate two per user, one for the image tracker and another for the landing page. This allows you to, for example, embed them in two different files on the USB stick to track which specific file was opened.

See the GoPhish docs on how these {{.placeholders}} work.

Create a Landing Page
Determine what a user would see if they happened to find the URL and open it in a browser. In our exercise, we were making an HTTP call via Excel Macro, so nothing was ever presented to an end-user.

Sending Profile
Set up your email sending profile to ensure your mail is deliverable.

Go Campaign Go!
Send your “phishing” email to all the addresses under your control. I haven’t looked closely at the database files used in GoPhish, but when we used SPT, we simply pulled the URLs out of the database. (Maybe the devs at GoPhish can make bulk creation of URLs more efficient.)
In this example, here’s the URL created in my mail client:

Don’t click “display images” — get the email source for the image link.

Step 6: Set up your USB Sticks
There’s a lot of ways to do this. In our exercise, we made a fake “password manager” in an Excel spreadsheet. We used Unicode dots to obscure the “passwords”. We made the spreadsheet in a way to entice the user to enable macros in order to reveal the passwords. We would edit the macro in the spreadsheet to reference the specific URL created for the stick, and save that unique file to each USB stick. Beyond this file, we also seeded the stick with other legitimate, but non-identifying files, to make it look less suspicious.

There’s a lot of ways you can accomplish the HTTP request, use your imagination.

Final Step: Drop It Like It’s Hot

We dropped about 20 USB sticks across several corporate campuses. Here’s how we tracked propagation:

1. We used Microsoft SCCM (or whatever it’s called this week) to collect data on removable disk use. I didn’t set this up, we had support from other evil geniuses. What this gave us was the name of the user, computer, serial number and timestamp for the insertion. It also allowed us to track the movement of a USB stick from computer to computer, even if they didn’t open any of the files or trigger the links.

2. If a user opened a file and triggered the link, we got realtime feedback via the console. In GoPhish, it looks like this:

No, my examples don’t line up perfectly to the data in the previous ones. I’m cranking this out fast and dirty. Deal with it.

SCCM was great for tracking insertions, and having GoPhish listening on the internet was critical, as many of our users would insert these in computers not owned by the organization. As an aside, this is why we didn’t put any kind of payload on the sticks — we wanted to measure the non-effectiveness of the stupid click-through security awareness training. Our hypothesis was that our users thought the training was dumb and clicked through it as fast as they could to get it over with. This test helped confirm that, and gave us the data we needed to do awareness and training in ways that were more engaging, entertaining, etc.
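To turn the two data sources described above into one per-stick result, the join below is an added example and not part of the original exercise or of GoPhish itself. It assumes three CSV exports whose column names are made up for this illustration: the stick inventory from Step 5, removable-disk insertion records from a management tool such as SCCM, and per-recipient campaign events; all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; every column name here is an assumption of this example.
INVENTORY = """serial,location,email
AA1001,HQ parking lot,stick01@example.test
AA1002,Plant 2 smoking area,stick02@example.test
AA1003,HQ lobby,stick03@example.test
AA1004,Plant 2 cafeteria,stick04@example.test
"""
# Removable-disk insertions as an endpoint management tool might export them.
INSERTIONS = """serial,user,computer,timestamp
AA1001,asmith,WS-0977,2018-08-01T13:40:00
AA1001,jdoe,WS-0142,2018-08-01T08:15:00
AA1002,bjones,WS-0301,2018-08-02T09:05:00
"""
# Campaign events keyed by the email address assigned to each stick.
EVENTS = """email,time,message
stick02@example.test,2018-07-30T10:00:00,Email Sent
stick01@example.test,2018-08-01T08:17:12,Clicked Link
stick03@example.test,2018-08-03T19:44:51,Clicked Link
"""
OUTCOMES = {(True, True): "inserted and file opened",
            (True, False): "file opened on unmanaged computer",
            (False, True): "inserted only",
            (False, False): "no activity"}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def correlate(inventory, insertions, events):
    """Return {serial: result} combining insertion and callback telemetry."""
    computers = defaultdict(list)  # serial -> computers in order of first insertion
    for r in sorted(rows(insertions), key=lambda r: r["timestamp"]):
        if r["computer"] not in computers[r["serial"]]:
            computers[r["serial"]].append(r["computer"])
    # "Email Sent" only means the unique URL was generated; count callbacks only.
    opened = {r["email"] for r in rows(events) if r["message"] == "Clicked Link"}
    report = {}
    for stick in rows(inventory):
        seen = computers.get(stick["serial"], [])
        hit = stick["email"] in opened
        report[stick["serial"]] = {"location": stick["location"],
            "outcome": OUTCOMES[(hit, bool(seen))], "computers": seen}
    return report

if __name__ == "__main__":
    for serial, r in correlate(INVENTORY, INSERTIONS, EVENTS).items():
        print(serial, r["location"], r["outcome"], " -> ".join(r["computers"]))
```

A stick with a callback but no insertion record is the case the internet-facing listener exists for: it was opened on a computer the organization does not manage.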

That’s it. A lot of this is written from memory, as the last time I ran one of these exercises was several years ago. I hope this helps you measure the effectiveness of your awareness messages and support the ongoing improvement of security within your organization.

Another dashboard screenshot.

*I’m trying to curse less, courtesy of The Good Place.
