Methodology


Create Campaign

Creating a new campaign is simple. Navigate to the Campaigns page and select the "New Campaign" button.

[Screenshot: create new campaign]

Only a name is required to create a campaign. Once you've entered a name, click the "Create Campaign" button.

[Screenshot: create new campaign 2]

Customize Campaign

PF offers a number of ways to customize your phishing campaign. Navigate to the campaign options page and you will see a list of options like the one below.

[Screenshot: campaign options]

Import Targets

It all starts with a few emails. How we obtain those email addresses depends on the situation. Perhaps this is a black-box penetration test and you need to use an automated tool like Phishing Frenzy's built-in email harvester to search the internet, or maybe you are performing a standard phishing assessment and your client will provide a list of email addresses to choose from. Either way, email addresses are needed to phish.

Once you've obtained your email addresses they can be imported into Phishing Frenzy in a specific CSV format documented here.

Targets can be entered in 3 different formats, and each of them works differently, so ensure you fully understand how to import targets.

If you want to import a bunch of email addresses you can do this by simply adding a list without any commas. Here is an example of the format for adding 5 email addresses to a campaign.


```
email0@domain.net
email1@domain.net
email2@domain.net
email3@domain.net
email4@domain.net
```

If you wanted to import a list with an email address and the firstname, you would use the following CSV format: `firstname, email`. Here is an example of the format for adding 5 email addresses with a firstname tied to each email to be used within the phishing email.


```
firstname0, email0@domain.net
firstname1, email1@domain.net
firstname2, email2@domain.net
firstname3, email3@domain.net
firstname4, email4@domain.net
```

If you wanted to import a list with an email address, firstname, and lastname, you would use the following CSV format: `firstname, lastname, email`. Here is an example of the format for adding 5 email addresses with a firstname and lastname tied to each email to be used in the phishing email.

```
firstname0, lastname0, email0@domain.net
firstname1, lastname1, email1@domain.net
firstname2, lastname2, email2@domain.net
firstname3, lastname3, email3@domain.net
firstname4, lastname4, email4@domain.net
```

You can simply copy and paste your email addresses into the PF UI using a CSV format. Ensure you are using the proper CSV format while importing targets.
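A pre-import check for the three layouts described above, as an added example (this is not Phishing Frenzy's own import code). The `parse_targets` helper, the loose address pattern and the duplicate check are assumptions of this example, and the sample list is constructed.

```ruby
# Added example, not Phishing Frenzy's import code: checks a pasted target
# list against the three layouts (email / firstname, email / firstname, lastname, email).

# Deliberately loose address check (assumption): one "@", a dotted domain, no spaces or commas.
EMAIL_RE = /\A[^@\s,]+@[^@\s,]+\.[^@\s,]+\z/
Target = Struct.new(:firstname, :lastname, :email)

# Returns [targets, errors]; each error is a "line N: reason" string.
def parse_targets(text)
  targets, errors, seen = [], [], {}
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty?

    fields = line.split(",", -1).map(&:strip)
    email = fields.last          # the address is always the last field
    names = fields[0...-1]       # zero, one or two name fields before it
    problem =
      if fields.size > 3 then "expected 1 to 3 fields, got #{fields.size}"
      elsif !email.match?(EMAIL_RE) then "last field is not an email address"
      elsif names.any?(&:empty?) then "empty name field"
      elsif seen.key?(email.downcase) then "duplicate of line #{seen[email.downcase]}"
      end
    if problem
      errors << "line #{lineno}: #{problem}"
      next
    end
    seen[email.downcase] = lineno
    targets << Target.new(names[0], names[1], email)
  end
  [targets, errors]
end

# Constructed sample: one line per layout, then a swapped-field line and a duplicate.
SAMPLE = <<~CSV
  email0@domain.net
  firstname1, email1@domain.net
  firstname2, lastname2, email2@domain.net
  email3@domain.net, firstname3
  EMAIL0@domain.net
CSV

parsed, rejected = parse_targets(SAMPLE)
parsed.each { |t| puts [t.firstname, t.lastname, t.email].inspect }
rejected.each { |e| warn e }
```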

[Screenshot: import targets]

Once you have imported the targets and saved the campaign you can click on the targets link as shown below.

[Screenshot: import targets 2]

Look over the list of your newly imported targets and ensure everything was imported correctly.

[Screenshot: import targets 3]

Once you’ve imported a list of targets you can double check to ensure they have been imported properly by clicking the targets number inside campaign options. This will show a table of all targets that are waiting to be sent to if and when you decide to launch the campaign.

Test Emails

Once you have sent some emails you can view the SMTP communications within the "Recent Blasts" section of the Campaign Options page. Expand the accordion and click the leftmost column to view the individual SMTP logs.

[Screenshot: SMTP logs, recent blasts]

Once you click on the proper Blast link you can see the individual results of the SMTP communications. Below is an example of a failed attempt due to a blank "to:" field.

[Screenshot: SMTP logs, no "to:" field]

Below is an example of a successful email sent.

[Screenshot: SMTP logs, success]

Buy Domain

When sending your emails you need to determine if you'd like to spoof an email address or send from a valid email account. Spoofing an email account does not require that you own a domain, but also has a higher chance of getting blocked by a SPAM filter.

Purchasing a valid domain name is not required, but I highly recommend it if you want to execute a successful phishing campaign. Domains typically cost around $12.95 for a non-premium domain. Once you've obtained a domain name we can customize it to help mitigate getting detected by spam filters.

Evading SPAM Filters

If your email messages are ending up in a SPAM filter, follow through these key items below to see if you can evade the most sophisticated SPAM filters on the market.

Hyperlinks

Hyperlinks within the email message can often make your message end up in a SPAM filter. If you're using masked links within the email you may need to unmask the link in an attempt to bypass a SPAM filter.

Subject Keywords

If you are using popular keywords like Efax, UPS, Facebook, LinkedIn within the subject line, your email might end up in a SPAM filter. Tweak your subject line to remove popular companies and keywords in an attempt to evade common SPAM filters.

Validate MX Records

In order to properly evade SPAM filters you need to ensure you have a valid MX record configured. An MX record is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. The set of MX records of a domain name specifies how email should be routed with the Simple Mail Transfer Protocol (SMTP).

This is critical to understand: why would any SPAM filter accept an email message if the domain does not have an MX record configured? It should never allow email in from a domain that has no MX records. If the message were delivered to the user's inbox and they clicked reply, the server would have no idea where to send the email because of the missing MX record in the domain's DNS.

Ensure your domain always has an MX record configured. We can use the dig utility to validate that an MX record is configured.

```
$ dig MX secure-domain.com

; <<>> DiG 9.8.3-P1 <<>> MX secure-domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18856
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;secure-domain.com.   IN  MX

;; ANSWER SECTION:
secure-domain.com.  3600  IN  MX  0 smtp.secureserver.net.
secure-domain.com.  3600  IN  MX  10 mailstore1.secureserver.net.

;; ADDITIONAL SECTION:
mailstore1.secureserver.net. 85 IN  A 68.178.213.203
smtp.secureserver.net.  101 IN  A 72.167.238.29

;; Query time: 39 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jul  6 13:33:40 2014
;; MSG SIZE  rcvd: 129
```

Domain configured with two MX records

Create SPF Records

Sender Policy Framework (SPF) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail servers to check incoming mail from the domain being sent from. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged sender addresses, so publishing and checking SPF records can be considered anti-spam techniques.

With most SPAM filters attempting to validate the authenticity of emails, we should make sure SPF is properly configured for our domain. This way, if the SPAM filter looks up the domain, it finds the set of servers that are authorized to deliver mail on our behalf. The example below is an illustration of SPF which authorizes SendGrid servers to send email on behalf of the domain.

```
$ dig TXT secure-domain.com

; <<>> DiG 9.8.3-P1 <<>> TXT secure-domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48219
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;secure-domain.com.   IN  TXT

;; ANSWER SECTION:
secure-domain.com.  3600  IN  TXT "v=spf1 a mx include:sendgrid.net ~all"

;; Query time: 71 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jul  6 13:58:48 2014
;; MSG SIZE  rcvd: 83
```

Domain configured with Sender Policy Framework in the DNS TXT record
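How a receiving mail server reads the TXT record above, term by term, as an added example (not part of Phishing Frenzy). The `parse_spf` helper is hypothetical and simplified from RFC 7208: it does no DNS queries and ignores macros, and the second record in the sample is constructed for comparison.

```ruby
# Added example, not Phishing Frenzy code: reads an SPF TXT record the way a
# receiving mail server does (simplified from RFC 7208; no DNS queries, no macros).

QUALIFIERS = { "+" => :pass, "-" => :fail, "~" => :softfail, "?" => :neutral }.freeze
MECHANISMS = %w[all include a mx ptr ip4 ip6 exists].freeze
# Mechanisms that make the receiver issue DNS queries; RFC 7208 allows at most
# 10 such terms per evaluation, and included records add their own.
LOOKUP_MECHS = %w[include a mx ptr exists].freeze

def parse_spf(txt)
  terms = txt.split
  raise ArgumentError, "not an SPF record" unless terms.shift&.downcase == "v=spf1"

  mechanisms = []
  modifiers = {}
  terms.each do |term|
    if (mod = term.match(/\A([A-Za-z][\w.-]*)=(.*)\z/))
      modifiers[mod[1].downcase] = mod[2] # redirect=, exp=
      next
    end
    m = term.match(/\A([+\-~?]?)([A-Za-z0-9]+)(.*)\z/)
    name = m && m[2].downcase
    raise ArgumentError, "unknown term: #{term}" unless MECHANISMS.include?(name)

    # A mechanism with no qualifier defaults to "+" (pass).
    result = QUALIFIERS[m[1].empty? ? "+" : m[1]]
    mechanisms << { name: name, arg: m[3].sub(/\A:/, ""), result: result }
  end

  # Result for senders that match nothing: the "all" term if present,
  # otherwise the redirect target decides, otherwise neutral.
  all_term = mechanisms.find { |x| x[:name] == "all" }
  default = if all_term then all_term[:result]
            elsif modifiers.key?("redirect") then :redirect
            else :neutral
            end
  lookups = mechanisms.count { |x| LOOKUP_MECHS.include?(x[:name]) }
  lookups += 1 if default == :redirect
  { mechanisms: mechanisms, default: default, dns_lookups: lookups }
end

# The record from the dig output above, then a constructed stricter variant.
["v=spf1 a mx include:sendgrid.net ~all", "v=spf1 include:sendgrid.net -all"].each do |rec|
  spf = parse_spf(rec)
  spf[:mechanisms].each { |x| puts format("  %-8s %-14s => %s", x[:name], x[:arg], x[:result]) }
  puts "unlisted senders: #{spf[:default]}, DNS-querying terms: #{spf[:dns_lookups]}"
end
```

With `~all`, mail from a host outside the list evaluates to softfail, which receivers generally accept but treat as suspect; `-all` evaluates to fail, which tells receivers the host is not authorized.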

Create Template

Navigate to the Templates page and click the "Create" button.

[Screenshot: create new template]

Only a name is required to create a template. Once you've entered a name, click the "Create Template" button.

[Screenshot: create new template 2]

When creating a new template for PF make sure to keep in mind that you’ll want to run your websites with a .php extension. You don’t actually have to write your websites using PHP, but PF will need to add specific PHP tags to your phishing website once they are deployed and active. This is required to ensure that each visitor is logged and tracked within the database. PF does this by using the UID parameter that is passed in from the phishing email to look up the target and log the results for your campaign.

Phishing templates leverage uploaded files which are assigned a specific function of email, website, embedded image attachment or a file attachment to the email itself. Image attachments are typically images you want to embed within the email. File attachments are files you can attach to your phishing emails.

Email files that are uploaded to a specific template should be named `*.html.erb`. This is so Rails knows to send the email in HTML, and the ERB tells Rails to render the file as an embedded Ruby block. This allows us to add Ruby snippets within the email and leverage Rails helpers when sending emails.

Website files are used to host the phishing website with PF. These files are uploaded to the filesystem of the PF box. Once a campaign goes active these website files are used to deploy an instance of the phishing website. By default PF will deploy the website to `phishing-frenzy/public/deployed/campaigns/:campaign_id` and configure `/etc/apache2/httpd.conf` to serve up the phishing website.

Once a file has been uploaded and assigned a function you can edit that file within the PF interface as long as it is an ASCII style format such as HTML, PHP, ERB or others.

If you are editing template files for an already deployed campaign these changes will not show up right away. You will need to make the campaign inactive first within the campaign options, and then re-activate the campaign. This will grab the most recent template files and deploy your recent changes.

Once a template is created and working the way you like, it can be exported and backed up by PF to share with another PF instance or any other person in the community running PF. When you click the “backup” button within PF, all of the template files are archived into a zip file along with a couple of YML files. These YML files specify the function for each file and are required to import back into PF properly.

Restoring a template into your PF is easy and all done through the web interface. Simply click the “restore” button within the templates section and select your zip archive to restore back into PF. Ensure the zip archive was properly exported from a PF instance or it may not restore properly into PF.

Launch Campaign

When you launch a campaign there are a lot of moving parts that occur on the back-end. The first is that PF will ensure that the phishing website is live, and if not it will make your phishing campaign active. This will make the phishing website live by configuring Apache's virtual hosts with the `/etc/apache/httpd.conf` file and restarting the service (make sure www-data has sudo abilities to restart the service).

```
www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload
```

Once a campaign goes active template website files are used to deploy an instance of the phishing website. By default PF will deploy the website to `phishing-frenzy/public/deployed/campaigns/:campaign_id`.

Monitor Statistics

Navigate to the Reports page. If you have not launched any phishing campaigns no reports will show up. Once you have launched a campaign you will see a "Stats" button like below. Click it to view a stats overview of the phishing campaign.

[Screenshot: campaign stats]

Now you have the ability to drill down into the details of each email by clicking on the UID column in the datatable near the bottom.

[Screenshot: campaign stats 2]

[Screenshot: campaign stats 3]

Generate Reports

Navigate to the Campaign stats page and click the "More Options" button.

[Screenshots: export pdf; export pdf 3]

Once the modal window displays select the option "Download PDF Campaign Report". This will download a PDF report with the campaign summary and details of each target.

[Screenshot: export pdf 2]

Navigate to the Campaign stats page and click the "More Options" button.

[Screenshots: export pdf; export xml 2]

Once the modal window displays select the option "Download XML Campaign Report". This will download an XML report with the campaign summary and details of each target.

[Screenshot: export xml 3]

Enjoy Phishing all the Things