Core Impact Phishing Attacks Using SMTP

This video demonstrates how to set up a phishing attack using an SMTP relay, including how to:

  • Create users
  • Redirect users for credential harvesting
  • Use and modify email templates
  • Configure mail settings
  • And more




Client-Side Information Gathering

There are several steps you can use for information gathering. You can pull in information using the wizard through the following discovery methods:

  • Crawl web site
  • Search engines (Google and Bing)
  • LinkedIn
  • PGP, DNS, and WHOIS server entities
  • Import from file

[Screenshot: email gathering]

Client-Side Phishing Wizard

There are options in the wizard to either redirect users to a web page or to a web page clone. There are also options regarding email templates. You can either use a predefined email template, or you can import and edit a template of your own. With Core Impact's predefined templates, you can change HTML settings or create data tags to enhance the user experience and make it appear more legitimate.

[Screenshot: phishing type selection menu]

Advanced Phishing Attack Options

The advanced settings are the most important part.

  • Mail settings is where you can use your SMTP relay.
  • The web server option is where you listen for incoming connections from the users who were sent emails.

In the advanced settings, you can set up the attack to obtain SMB credentials when a user clicks a link. If credentials are obtained, you could create something on the network side to install an agent over SMB using those credentials for another pen testing exercise. You can also obfuscate your URL.

Email Sending Settings

In the email sending settings, you can enter your mail settings as provided by your domain provider. Make sure the web server is listening on an available port. You can have it report to your local agent hosted in Core Impact. However, if you want to pivot off an agent somewhere else, such as in AWS, you can set up an agent there and have it report back.

Web Server Settings

In the web server settings, you can modify the URL prefix and URL base settings. This is the URL that will show up in a user's browser if they click a link.

Verify Correct Configurations

It's a good idea to check your executed module log to ensure everything is executing smoothly, because there will be times when something errors out. In this case, we can see that it successfully sent the email through and then disconnected itself. You can also see that the web server is listening on the port I specified earlier.

[Screenshot: phishing module - success log]


Monitor Results

Any incoming connections will be monitored from my web server. When a user clicks a link, a data tag will be created. It shows you which user clicked and what actions were taken.

[Screenshot: phishing user clicked link - data tag created]