Setting up a reliable phishing campaign is a very painful process; it has a lot of moving parts. I will discuss each by listing things out so you can skip to the relevant part. This post is about setting up a phishing campaign to perform various tasks like tracking, credential harvesting and so on.
- campaign requirements
- domain purchase
- phishing server setup
- test, test and test
This is a very crucial phase, as in this phase the red team will liaise with the client and find out the purpose of the campaign. Some companies might want you to do phishing and give them a report but not conduct any credential harvesting; others might want you to perform a complete black box. When you conduct passive or active recon and gather results, it is crucial to identify the email addresses you will target for phishing.
Mass emails are bad: say the company securitynuggets has 1000+ employees and you managed to scrape 150 emails. It may not be best to blast your campaign and send the phishing email to all 150 employees, because if one employee sees it and reports it to the blue team, they will block your domain, IP and everything; it will be game over, and most importantly your domain may get blacklisted as spam. Choose targets carefully in small batches, and do some social media scraping to see how technically sound they are in the company; it is less likely you can get credentials from a CIO (not impossible though) than that you can trick non-technical personnel. With that being said we can move to the next phase.
It's always best to buy a domain with email, since it will reduce one step for you, i.e. setting up an SMTP server; otherwise we can also do it on our own. In some cases you can just spoof the email address of the organisation to send emails; in that case you do not need to buy an email service as you can achieve it through plenty of tools. Also make sure, when you buy a domain, to check if it's already reported as spam; if you are re-buying a domain it might already be blacklisted and all your efforts go in vain.
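The "already blacklisted" check above is the same DNS-based blocklist (DNSBL) lookup a mail gateway or blue team runs on a sending IP before trusting mail from a domain. The following is an added example, not code from the original post or from Phishing Frenzy. It assumes the public zone names `zen.spamhaus.org` and `bl.spamcop.net` (any DNSBL that answers in 127.0.0.0/8 works the same way) and uses an injectable resolver so the logic can be exercised offline with a constructed answer table; the `127.0.0.2` address is the conventional test entry that DNSBLs list on purpose.

```python
import ipaddress
import socket

# Public DNSBL zones commonly queried by mail gateways (assumption: reachable
# from the host running this; substitute the zones your gateway uses).
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed under the zone.
    e.g. 127.0.0.2 + zen.spamhaus.org -> 2.0.0.127.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_code(answer: str) -> bool:
    """DNSBLs answer with an address inside 127.0.0.0/8 when the IP is listed;
    the last octet encodes the reason (zone specific)."""
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def lookup_dnsbl(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the listing code (e.g. '127.0.0.2') if ip is listed in zone,
    None if the zone answers NXDOMAIN (not listed)."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed in this zone
    return answer if is_listed_code(answer) else None


def check_sender(ip: str, zones=DNSBL_ZONES, resolve=socket.gethostbyname) -> dict:
    """Check one sending IP against every zone; values are the listing code or None."""
    return {zone: lookup_dnsbl(ip, zone, resolve) for zone in zones}


def check_domain(domain: str, zones=DNSBL_ZONES,
                 resolve_host=socket.gethostbyname,
                 resolve=socket.gethostbyname) -> dict:
    """Resolve a sender domain's A record and check that IP against the zones."""
    ip = resolve_host(domain)
    return {"domain": domain, "ip": ip, "listings": check_sender(ip, zones, resolve)}


def make_fake_resolver(table: dict):
    """Offline stand-in for socket.gethostbyname: answers from a constructed
    table and raises socket.gaierror (NXDOMAIN) for anything else."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"no such name: {name}")
    return resolve


if __name__ == "__main__":
    # Live run against the real resolver; 127.0.0.2 is the documented test entry.
    for zone, code in check_sender("127.0.0.2").items():
        print(f"{zone}: {'listed (' + code + ')' if code else 'not listed'}")
```

On a mail gateway the interesting input is the connecting client's IP rather than a domain's A record, and a listing is one signal to weigh alongside SPF/DKIM results, not an automatic reject; the `resolve` parameter also lets you point the check at an internal resolver, which DNSBL operators require for high query volumes.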
If you are a RED Team then it's likely you know the drill: set up your server once and reuse it. Think big!!! You should try to minimize the number of times you have to redeploy campaigns for whatever reason (believe me there will be plenty :-)). If you know Python, write some scripts and use them to save some time, or set up the infrastructure in a way that if a domain gets compromised we are able to move to the next domain soon.
For this demonstration I will be using PhishingFrenzy. It's a great tool; it's not getting updated, but the fact that it's got some brilliant templates, and that you can also design your own template with a bit of hard work like with any other tool, makes it great. It's got good documentation and a troubleshooting section on the official website, which is always an added bonus. For now it's our tool; maybe in the next post I will cover more tools.
So assuming we have our domain purchased (my personal preference is Namecheap, but you can choose your own), the following is the domain configuration. I am also using DigitalOcean for my cloud platform; they are great, for so many reasons.
Phishing Frenzy Setup:
This guide assumes you have a domain purchased, and the following are the settings in Namecheap to redirect your domain to DigitalOcean: go to Domains > Manage > Nameservers > Custom DNS and point them at the DigitalOcean nameservers.
That's all you need to do; we will now use this domain on DigitalOcean. Log on to DigitalOcean and create a project (it's a good idea to keep everything under one hood) from the Create tab in the top right corner.
Add the domain you just purchased; it should immediately add your domain to DigitalOcean and create the following records.
Next create two droplets with Ubuntu 16.04.4 x64 with the config of your liking. I would not overkill it; maybe 2 GB RAM, 1 vCPU and 50 GB HDD is more than enough. One is for Phishing Frenzy and another is for our email. We can buy an email address from GoDaddy or Gmail, or use a relay like SendGrid, but I would like to keep my infrastructure under my control, so I will use my own SMTP server.
Create the following records in the DigitalOcean domain to point the domain name to the newly created virtual machines.
Once the above records are created we should have @ pointing to both the mail and primary domain, and also an MX record pointing to the mail server for handling emails.
Now in total we have one domain, two virtual machines, and proper DNS records, so we can get the ball rolling.