1. Go click on campaigns and start filling stuff out, like what you want to call it
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZS426bM_Utix5RqhOoZdTGTI32yuXpsxxri0AeyfBnDsmkDbno10NpgCT5FMqMoBgXPL450A-MbaleLfnNuJWQh-91EaV93fI_PhcGQ6FwJUxIJ3-47bD_LPwIm1uLOr7rCTHa4akDxQ/s400/phish-campaign1.png)
2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEittfHvwuBX04HFDh8lfUgwstYjIw71wSA66hEppoICrs_eqv6Wz2xiDocOFUDgXGCuhcdHmaiBvA190_VleB8ZHU8jKr0pASu_jxsAau6hxtDhPxb4Rk1vR76kjKOx6k2MILMp18Gi8hM/s400/phish-campaign2.png)
3. Fill out the name of the template and the HTML of what you want it to say
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9BmbQ-YeM36NDymPlJtGYK-m1M0xxFKytUQ7nBcs2T6SGJLBWasdja-kIoxTE1Mr4Hd9lOuOPk7EQm1ZxLvmFklxzsVKk2wVHsjxqbfyFjEwk2RJJJxBwsEOApah42ZRUHzMD5zetzlk/s400/phish-campaign3.png)
4. By default it will run browser autopwn
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ64geZjFLTBgUdyWAOEXffg5CUHndhIJyXhH9rRPTbhuYt2B0O0dhehyphenhyphenzgDQ5GBo9PMjEpGMzrYypd6uCx_Ihs1em-9RJI9w0PLy3CvQ8oSBu45t7APGskrS5op3HQzRJGlla7mdNIhM/s400/phish-campaign4.png)
5. Let's just pick an exploit to throw at them instead of all of them
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqgiYHTbBW77u-zowZGZuLBI_M0HMKI7EvBsrEhZ_Zr8240n8cydGMTzaQlepNS1r-G8Qc7xmYWnyKuf8QZSIIzxAj2CtIylCLp6Xk0Yz3u72nLdZuUWwqmnwoeGdCR8B6KgbfWHjdJLk/s400/phish-campaign5.png)
6. Once you click save, it should look something like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQW_VKtVUyyDWD0nX2A6WfsfclOxtxFpCwZNjm_hkOuZlrajU4RO8KkEiotBZkyDG72w24JKDD1UHKBDzCjWKxrVxOMXfv1vxeSk1RL-4NKJ5xoEtIeWsp68aweA5Ul7gzpTAQ2wmIMJc/s400/phish-campaign6.png)
7. After that you can set up the email portion of the phish
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDxNlEP_7L6WvFBdq7Rleg72LBEMVgzCGdTwn8DK8EuSBVOtcvr4IeJNPGF7dtGPqu8XAyueHtUt9AJ6ufzfar5F5wy_Z5Ny4D1kyO151Smbco_VNUL3-ABGK2Rzj2M9NfnnQbR1l6J40/s400/phish-campaign7.png)
8. Fill out the sending server options
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-2VmdbKs41b8jkRin7GUX81JP8aSpt59dtin6XcClOkfGEjqunsJQrblhHfjC6PU6eRlXbguLRT2rdtP0Vw4K8Ta8htLnUR5RF0WEuBDoJdalAJor-YN0NxQOPqmtwAH21uRJk5Wmwwg/s400/phish-campaign8.png)
9. Then fill out the text for the body of your email
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPUqhOx9D9FGqgrJMxXqSunUHWEyoY2wv2pcyfO-v0HSgpDb-dFmoBI_TRkJLXraiVq7V91zlf2Pr03oATLjXCErEG1wyvG7PoqprkAB7Q-JaU1ODAVfs7GFjWIoa832-glzWlYUoP4uk/s400/phish-campaign9.png)
10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDrAcTancf5_I01Lnis76Hgwwm5PzbbqZEBK4CCRHatVcmjlT70em50bg97VA9uBvZJR6g1uY_MWGZVzmAcEv8-VGtj4gZzGzWb1F1Jawf5qgzpQT3AuCTq8XybzRSDKhsC8JdcNJ4bIY/s400/phish-campaign10.png)
11. Kinda looks like this when it's all filled out. To start, click the start campaign button
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmX1-3jCSE3sUIBaoq6wdMLK8bfoQ4Y6xl_4-RfopR4dZgozq-0yegOUKK9Dr642T0OyUcMhKMynYHJ6_MAlY1RDEiOE3oYf7a1tL9cSTA_PAlkIMLe1yEjqhKifZ7A55dFP53iljwt1c/s400/phish-campaign11.png)
12. You can see the status of your sent emails and as people click them the percentage will change
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYh5RUG0m3A3SB2U8eP1eIjaNXp7siVtSrMf1FqGnUD60UfEz8_M8jz9iMN4ssJU79T38loudRWcNFNChWMJK6i9mDVDVe7ORMv4qdGDcwqg4PmULYmDfGRqyjralvlYrf_b0SKPD8Bp8/s400/phish-campaign12a.png)
13. I guess what the email could look like if you weren't trying too hard :-)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-n1RgDIFL2vryEniuFT6lC4HcELXQqKV2g1dW0bFFygnCeR1F1hJNTNb-rbr6SQmOSunyYYXuTpqty9K1jA0pKPIwQ_yFoOUR8ox8qDWhmpFSTTAhaYPisd6al6goYz4Q2a6rgU7Feww/s400/phish-campaign13.png)
14. And the web page serving up the exploit
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinNNLj6ptXRwtNiNzT8ePqDf_sJstTBsu2EqK7IphaZBbBeoIqSwMvxrfMEaMz0LGzRMX53wBsqeUyyjf77OSxMSpy6tM_rAOX96nCRiWKZ4UGywYdWA7Y9_z5AEJMEdhCKDd4M75Dth0/s400/phish-campaign14a.png)
15. You can now see that a user clicked the link and our percentage has changed
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU9jno1EI8nGNWGi_xFFJnTWctKKvIi-ZH8KLn91nIIMyxoaJH6R2xI6HBZXoaCdYS5I0pLTwi0gUOVOuf9qeOBnOu8ZfaQnX14fZk-8E3f2IGIc044gvU2YbYp1FPKfnpgLxbt-XXS40/s400/phish-campaign15.png)
I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly. Even though a lot of work has been put into smart defaults, the ability to change it when necessary would be nice.
-CG