A few weeks back I started testing and researching phishing techniques to discover the best method to carry out phishing campaigns or simple one off phishes. This ultimately lead me to create a python script for the most common method used. Here are some of the great resources I found and steps I took to discover what would meet my needs.
In my usual fashion I sought out videos and articles with up to date information on the topic:
- What’s the go to phishing technique or exploit by @armitagehacker
- Email delivery what pen testers should know by @armitagehacker
- Introducing phishing frenzy by @zeknox
I found some tools along the way that both assisted me and inspired me to start writing a script:
- Spear phisher beta by @TrustedSec
- Phishing Frenzy by @zeknox
- Cobalt Strike (specifically the phishing functionality) by @armitagehacker
Spear phisher beta was one of the first tools I tested. I especially like that you can modify html code and have it preview in the upper pane. This was very helpful except for the fact that I was manually replacing links in the message (Cobalt Strike has the functionality to do this for you).
Creating a template
The next thing I tested out was taking html templates from legitimate emails and modifying them for my own purposes. This can be done with a wide variety of emails. Proper recon on your target can effectively help you decide which type of email is most likely to be successful. You can view the html from emails with any email client and start picking out and crafting each section of the phishing email. I chose to hand craft the new email with only the necessary pieces assuring that all the pictures were linked directly to actual Amazon website pictures so that anybody opening the email would be able to view them. I also manually rebuilt certain elements to match the legitimate email.
Below is an example that I crafted from an Amazon review email:
Sending your phish
After you create an email template you need credentials to an email server that will allow you to send email. This is where things can get more technical. Some email servers have greater security to disallow the features that need to be turned on to allow connecting directly to SMTP. I’ll spare you the troubleshooting details but if you have any questions contact me. After all this I simply wanted to have a way to take a crafted html email, replace all the links with one of my choosing, and send the email. This is where I began working on PyPhisher a simple python tool for phishing.
PyPhisher.py --server mail.server.com --port 25 --username user --password password --html phish.txt --url_replace phishlink.com --subject Read --sender email@example.com --sendto firstname.lastname@example.org
In the above example you can see that you need to populate the name of the email server and SMTP port as well as the credentials of an account that can send email. You must also provide the path to the pre-crafted html file that you created. The url replace argument allows you to choose the url to the replace all links in the email with. With the sender argument you can specify any sender however some email clients will flag this and you should read the article Email delivery what pentesters should know for more information. What I found was if I send from a domain that exists it often would get flagged due to SPF especially by gmail but if I modified it to a non-existant but similar sounding domain it seemed to pass and go directly into the inbox. Testing your emails before you send them to a target is necessary to assure proper delivery.
PyPhisher is posted to github and I will be updated with more features as needed
What I found from all this is that it is necessary to spend some time learning about phishing and the technologies involving email and message sender integrity. Once you do this if you spend the time to properly do recon on a target and make decent looking emails your click rate for phishing campaigns should go up. I hope to continue learning more about the topic and building upon the tool. Feel free to give me some suggestions on twitter or irc. Also I’m not attempting to compete with any of the great tools that have many more features. I have simply found a lot of benefits to having an simple phishing script.
Expanded list of Phishing videos
- DEF CON 17 – Valsmith, Colin Ames, and David Kerb – MetaPhish
- Hack3rcon – Advanced Phishing Tactics Beyond User Awareness Eric Milam, Martin Bos
- CarolinaCon 11 – Joshua Schroeder: SPAM, Phish and Other Things Good to Eat
- BSidesLV 2015 – Phishing Going from Recon to Credentials Adam Compton Eric Gershman