EZXploit is an automated social engineering pen-testing tool which you can add to any phishing campaign that you set up in your management console. The purpose of this social engineering pen-test is to attempt to extract data from the device the user is using when they fail your test.
How does it work?
In a standard simulated phishing test, your campaign sends emails to your users containing one or more phishing links which, if clicked, take those users to a designated landing page. EZXploit extends that phishing test one step further: when a user arrives on the designated landing page, a Java applet prompt appears and asks the user to allow the applet to run.
If the user allows for the applet to run, another failure is recorded in the console, and the data that you requested the applet to obtain in your phishing campaign's EZXploit settings will be gathered and transmitted to your management console.
NOTE: Users must have Java on their system and must also be using a browser that supports Java applets in order for the EZXploit applet to appear. Certain browsers, such as Chrome, do not support Java applets.
Through testing, we have found that the attack goes through most anti-virus without issue.
How do I set up an EZXploit pen-test?
1) Log in to your management console, then click on Phishing, then +Create Campaign.
2) Enter your phishing campaign details as you normally would. For further information on how to set up a phishing campaign, see the separate article on creating a phishing campaign.
3) The last option prior to creating your campaign is where you can add an EZXploit pen-test. Click the drop-down next to Add Exploit to add an exploit.
Choose what details you'd like to obtain during the pen-test.
4) After choosing to add an exploit, you will see additional options which you can select for that particular test. Each option you enable will be harvested from the user's machine if the user fails your EZXploit test. You may choose as many options as you wish.
The information you can gather in a failed EZXploit test includes:
Current & Recently Logged on Users
Realtime User Screen Capture
Active TCP sessions
Currently Running Applications
Currently Running Services
Active Domain User Details
Active Directory Computers
Active Directory Service Principal Names
Active Directory Comments Password Search
User printer info
What will my users see during the pen-test?
Your user will land on any landing page you have designated, as they normally would when failing a phishing test by clicking your phish link. The difference for the user is that once they land on the page, they will be prompted to allow a Java applet to run on their machine.
They will not be made aware that details are being obtained from their machine.
(Screenshot: an example of what your user may see during an EZXploit pen-test.)
Where can I view who failed my EZXploit test?
In your management console, click on Phishing, and then Campaigns. Click on the name of the phishing campaign in which you have added an EZXploit test.
Beneath an individual phishing campaign's report, click on the Users tab. You can then click on the Exploited tab to see exactly who failed your pen-test.
Click on the "cherry bomb" icon next to the user who failed your pen-test and you will be able to view the detailed information collected by the campaign.
A preview of the data is presented in the timeline view of the results and a full download of the respective data gathered is available via the "Download Output" links.
Also, beneath the main Users tab in your console, each individual user has their own personal page you can visit by clicking on their email address. If a user was exploited as part of a phishing test, you will see a "cherry bomb" by the test in which the user was exploited.
Is this type of testing safe for my users and system?
No malicious action is performed on the target system, and all private data collected is deleted when the campaign is deleted. This data collection method also applies to other types of simulated phishing attacks, for example, using an attachment that contains the "simulated malicious code" instead of a "malicious link" in the body of the email. When the attachment is opened, the code executes and behaves similarly to an EZXploit pen-test.
What is the fastest way to get started with EZXploit? Get started in 7 easy steps.
- Under the "Phishing" tab, create a new campaign.
- Fill out the basic details:
  - Name: EZXploit Test
  - Deliver To: All Users
  - Frequency: One Time
  - Fill out the desired "Start Time" and choose to "Send all emails when the campaign starts".
  - Track Activity: At least 3 days.
- Under Templates, select the "IT" category and then select "New Java Version Rollout".
- Difficulty Rating and Phish Domain can be left as-is.
- If you wish, you can select a campaign-specific landing page. The "New Java Version Rollout" template already has a fake Java landing page associated with it, so we recommend leaving the Landing Page field as-is.
- Click the dropdown "Add Exploit". Enable EZXploit by selecting Java Applet.
- Select the data you want to attempt to collect. We suggest checking everything at first so that you can see the scope of what can be collected.