Social Engineering : Phishing Campaigns : Creating a Phishing Attack

Creating a Phishing Attack

Metasploit Pro provides a canned phishing campaign that you can use to create a phishing attack. The phishing campaign contains all the components that you need to set up a phishing attack as well as many default, canned settings that you can use to quickly get up and running.
When you first access the canned phishing campaign, the campaign will contain a web page component called Landing Page, an e-mail component, an e-mail server, and a web server. A second web page component will be added after you configure the Landing page if you opt to create a redirect web page rather than use a real web page.
Each component is represented by a campaign button that provides access to the component’s configuration forms. When you click on a campaign button, a modal window appears and shows you the fields and options that you can configure for the component. The modal window provides step-by-step guidance to show you how to configure the campaign component and validates the component before saving it.
The following image shows the canned phishing campaign:
The phishing campaign breaks down the steps that you must perform to create a phishing attack into the following general tasks:
1.)
2.)
3.)
4.)
5.)
6.)
7.)
8.)
9.)
10.)
Read the following sections for more information on each step.
Task 1: Creating a Phishing Campaign
1.)
From within a project, select Campaigns from the Tasks bar. The Manage Campaigns page appears.
2.)
Click the Configure a Campaign tab.
3.)
In the Name field, enter a descriptive name for the campaign. The name of the campaign should help you easily identify the campaign as a phishing campaign. For example, a name like HR Phishing Scam lets you know that the campaign is a phishing campaign that targets the HR team.
4.)
Select the Phishing Campaign as the set up option.
Task 2: Setting Up a Landing Page
1.)
From the Campaign Components area, click the Landing button. The Web Page Configuration window appears.
2.)
In the Path field, add the name of the landing page to the end of the URL path.
3.)
Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company’s website or intranet.
Campaign Redirect Page - Uses the redirect page that you create as part of the campaign.
4.)
Click the Next button to continue to the Web Page Content window.
5.)
When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
Apply a web page template - To apply a web page template, click the Template dropdown and choose the template that you want to apply to the web page. When you apply a template, Metasploit Pro uses the predefined content to create the web page.
Create custom HML - To create a custom web page, use the content editor to write the HTML for the web page.
Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain some sort of web form.
6.)
Click the Save button to save the web page component.
Task 3: Setting Up a Redirect Page
Skip this step if you are using a redirect URL instead of a campaign redirect page.
1.)
From the Campaign Components area, click the Redirect button. The Web Page Configuration window appears.
2.)
In the Path field, add the name of the redirect page to the end of the URL path.
3.)
Click the Next button to continue to the Web Page Content window. The following steps are similar to the ones you just used to create the landing page.
4.)
When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
Apply a web page template - To apply a web page template, click the Template dropdown and choose the template that you want to apply to the web page. When you apply a template, Metasploit Pro uses the predefined content to create the web page.
Create custom HML - To create a custom web page, use the content editor to write the HTML for the web page.
Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain some sort of web form.
5.)
Strip Javascript - Removes Javascript tags from the cloned HTML and prevents any scripts from running URL checking code or redirecting the human target to the real site.
Set referer - Sets the HTTP referer header on the outgoing request for the cloned web page. Use this option if you want to use a page that checks referers or if you want to appear to the site’s administrator as a user that browsed to the website (e.g., http://www.company.com/home).
Set user agent - Sets the user agent header on the outgoing request for the cloned web page. Use this option if you want to get a targeted version of a website or if you want your request to appear to come from a normal browser.
Resolve relative URLS - Resolves any relative URLS to absolute URLs in the cloned HTML. This option is selected by default.
6.)
Click the Clone button. Metasploit Pro copies the HTML from the web page and displays it in the Content Window.
7.)
Click the Save button to save the web page component.
Task 4: Crafting an E-mail
1.)
From the Campaign Components area, click the E-mail button.
2.)
Subject - The subject that displays in the message header and the subject line.
From Address - The sender’s e-mail address.
From Name - The sender’s name.
3.)
Click the Target list dropdown and choose a target list.
4.)
Click Next to continue to the E-mail Content window.
5.)
When the E-mail Content window appears, you need to create the body for the e-mail. You can either create a custom e-mail or use an e-mail template.
If you choose to use an e-mail template, click the Template dropdown menu and choose the template that you want to apply.
6.)
After you create the content, you need to add a link to the landing page. To do this, either highlight the text in the e-mail content that you want to use as the display text or place the your cursor at the insertion point where you want the URL to appear in the e-mail.
7.)
Click the Insert Custom Attribute dropdown and select Link to Landing Page.
8.)
When the Insert a Landing Page window appears, enter the text that you want to display in the e-mail and click Insert. The link will appear as {% campaign_web_link 'DISPLAY TEXT', 'Landing' %} in the E-mail Content window.
9.)
Click Save to save the e-mail component.
Task 5: Setting Up a Web Server
1.)
From the Server Configurations area, click the Web Server button.
2.)
When the Web Server Configuration window appears, choose one of the following options:
This server’s IP address - Uses the IP address of the local machine.
This server’s host name - Uses the host name of the local machine.
Custom - Uses the domain name, if DNS is set up and is reachable by the Metasploit instance.
3.)
In the Listening Port field, enter the port that you want to use to run the web server. You should specify a port that is typically used for HTTP traffic, such as 80 or 8080.
4.)
Click Save to save the web server settings.
Task 6: Setting Up SMTP Settings
Skip this step if you have configured the SMTP settings through the global settings. Metasploit Pro will use the global SMTP settings to automatically set up the e-mail server.
1.)
From the Server Configurations area, click the Email Server button.
2.)
When the Email Server Configuration window appears, define the following fields:
Host - The fully qualified mail server address (e.g., mail.domain.com).
Port - The port that SMTP runs on. Typically, SMTP runs on port 25.
Username - The user name that the system uses to authenticate the mail server.
Password - The password that the system uses to authenticate the mail server.
3.)
Task 7: Saving the Phishing Campaign
·
From the Configure a Campaign page, click the Done button to save the campaign.
Task 8: Previewing the Web Page and E-mail
·
From the Manage Campaigns area, find the campaign that you just created and click the Preview link. The preview window appears and shows you what the generated e-mail and web page will look like. Use the buttons at the top of the window to switch between previews.
Task 9: Running the Phishing Campaign
1.)
From the Manage Campaigns tab, find the phishing campaign that you just created.
2.)
3.)
Click the Start button.
4.)
Immediately after you start the campaign, the Campaign Findings window appears and displays real-time statistics for the campaign. Additionally, the Task log appears in a separate tab. You will need to switch between the two windows to view their data.
Click on any of the stat bubbles to see a list of human targets associated with a particular finding. To view more detailed information about a target, click on their e-mail address to display the data that Metasploit Pro has collected from them. Click the Done button at any time to close the Findings window.
Task 10: Stopping the Phishing Campaign
As long as campaign is running, the web page is online and the human targets can access it. If you want to take the web page down or need to run a different campaign, you need to stop the campaign.
·