Thursday, December 16, 2010

Conducting a Phishing Campaign in Metasploit Pro


So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it


2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.


3. Fill out your name of the template and the html of what you want it to say


4. By default it will run browser autopwn


5. Lets just pick an exploit to throw at them instead of all of them


6. Once you click save, it should look something like this:


7. After that you can set up the email portion of the phish


8. Fill out the sending server options

9. Then fill out the text for the body of your email


10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in


11. Kinda looks like this when its all filled out. To start click the start campaign button


12. You can see the status of your sent emails and as people click them the percentage will change


13. I guess what the email could look like if you werent trying too hard :-)


14. And the web page serving up the exploit


15. You can now see that a user clicked the link and our percentage has changed


I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly even though a lot of work has been put into smart defaults the ability to change it when necessary would be nice.

-CG
CG

No comments: