Tuesday, December 25, 2012

[Metasploit Pro] Managing Resources & Campaigns

In the last post, we covered how to configure a new phishing campaign. We will now cover the 'Manage Reusable Resources' area of the Campaigns dashboard.

Let's start.

Manage Reusable Resources section offers four resource types to be created:

  1. Target Lists
  2. Email Templates
  3. Web Templates
  4. Malicious Files
Selecting Target Lists option shows all the Target Lists we may have created earlier or need to create if not already. In our example, we had already created one Demo Target List earlier.



Clicking on the target list shows all the email addresses in that list. Notice that there is no option to edit the email addresses. If I need to make a change to target emails, I will need to delete old email and add the new email address.


Also Metasploit does not allow deleting all the email addresses from a target list. There needs to be at least one email address in the target list. 


So, now I will add a new email address and delete previous 2 emails.


Pretty cold, mechanistic message comes up!


The Target List is successfully updated.

Next, we can create Email & Web Templates. Templates are message content that we can reuse in our campaigns. Let's start with Email Templates.


Click New Email Template, give it a name and add the message.
Note: We must add the tag {{email_content}} to our message else Metasploit does not allow saving and creating the template.


Similarly, we create a New Web Template, give it a name and add the HTML.
Note: As with email template, we must add the tag {{ web_page_content }} to our message else Metasploit does not allow saving and creating the template. By default this tag is added in the template(s) that come with Metasploit.


The last resource type is Malicious Files. Here we can upload different malicious files which we can attach and send out in our emails. For example, file format exploits (pdf, word etc), reverse meterpreter exe, etc.


Note: The file name must have the file extension provided.


At this point, we have configured a campaign, and configured reusable resources. The final aspect is Managing our campaigns. This is done through the 'Manage Campaigns' area in the dashboard.

As shown below, we have one campaign configured and it has two components - Email & Web. The Start button is still enabled and on the right end, there is an 'Launchable' status message, so we know we are ready to go. We can also Preview, Edit or Delete the campaign.


Preview shows each component configuration one by one. Here we see the E-mail config.


Similarly shown is preview of Landing Page and the Redirect Page



Once we confirm the preview, we can go ahead and launch the campaign.


Once we start the campaign, we can monitor the progress in the Findings screen. This screen gives information on the number of emails sent, % of recipients that opened the email, % of recipients that clicked the link (that we sent in our emails), and % of recipients that submitted the (phishing) form.

We can view the progress in the Task window as well. 




These statistics are updated as and when the target user(s) perform an action - checking email, clicking the link, and submitting the form.

As shown below, when I submit the phishing form, my email & timestamp information gets populated under the 'Recipients that clicked the link' circle.


To view the information submitted to the form, simply click on the email address which then opens a new page with all the details.


And with this we come to a closure to this campaign run.

In future posts, we will cover Custom Campaigns & Reporting. For Custom Campaigns, the process is the same. However unlike phishing campaigns, we can create multiple web pages, each with its own attack method, redirect pages, malicious files to attach etc. Custom Campaigns simply level up the flexibility and add value to the test configurations.

I hope you find these posts useful.

Stay connected.

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.