In previous posts, we covered how to configure Client-side phishing campaigns, reusable resources and how to manage campaigns.
We will now cover configuring Custom Campaigns.
Choose the option 'Custom Campaign' and give it a name - Demo Custom Campaign. In the Campaign Components, we see there is one (+) that we can use to add email, web page, and portable file resources. We can add multiple of these to our campaign.
We click on Email & the first step is to configure E-mail settings. The configuration is similar to the one described in previous posts. The new addition to this step is the 'Attack type', which has 2 options:
- None
- Attach File
With the 'None' option, no attachments are sent with the email. With the 'Attach File' option, we can configure & define various file types to be sent as an attachment.
Give the attachment a name, and we can choose to zip (compress) it if needed. This is useful when the target SMTP server might be configured to block .exe attachments.
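For defenders, the zip option above means that a filter matching only the outer attachment's extension will miss an executable wrapped in an archive. The following is an added example (not from the original post or from Metasploit Pro) of a gateway-style check that looks inside ZIP attachments for PE content; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file

def looks_like_pe(head: bytes, name: str) -> bool:
    """Check content first, then the name (names are sender-controlled)."""
    return head[:2] == PE_MAGIC or name.lower().endswith((".exe", ".scr", ".dll"))

def find_executables(raw_message: bytes) -> list:
    """Return 'attachment' or 'attachment!member' for each PE payload found."""
    hits = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_like_pe(data[:2], name):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # encrypted member cannot be read
                        hits.append(f"{name}!{info.filename} (encrypted, not inspected)")
                        continue
                    with zf.open(info) as fh:
                        head = fh.read(2)  # read the header only, not the whole member
                    if looks_like_pe(head, info.filename):
                        hits.append(f"{name}!{info.filename}")
    return hits

def build_sample(zipped: bool, member: str = "report.exe",
                 content: bytes = PE_MAGIC + b"\x00" * 62) -> bytes:
    """Constructed sample message; the default content is an inert 'MZ' stub."""
    payload, fname = content, member
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, content)
        payload, fname = buf.getvalue(), "report.zip"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("constructed test message")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

The check inspects one archive level only; nested archives and other container formats need the same treatment before a filter like this can be relied on.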
There are 3 types of files that can be generated:
- .EXE agent
- File format exploit
- User supplied file
.EXE agent generates a malicious file and sends it as an attachment to our email. There is barely any information provided on this option in the Help documentation. It is not clear what kind of agent this is supposed to create, what platforms it targets, what the connect ports are, whether it is encoded to avoid getting picked up by AV, etc. A quick strings on the generated .exe file is shown here anyway:
root@localhost:Demos# strings MaliciousEXE.exe
root@localhost:Demos# file MaliciousEXE.exe
MaliciousEXE: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
I attempted to run it on my lab box (XP SP3) & the .exe crashed, so I'd prefer the other options over the .exe agent one.
The User supplied file option is probably more useful if you are sending out malicious files to get connect backs; generate a meterpreter reverse shell using msfpayload in exe format, run it through encoding iterations using msfencode & it's good to go. We can choose a file from those we uploaded in the Manage Reusable Resources area, or upload a new file on the fly.
For the demo, however, I have chosen the File format exploit attachment type.
Save the configuration, and that's all.
From here, we will create the E-mail Content.
Save the E-mail configuration and we come back out on the dashboard.
Alright, now it gets interesting. Now we will start setting up web pages. Remember, unlike in the canned phishing campaign type, we can create multiple web pages in the custom campaign.
For the Web Pages, there are five Attack types that we can configure:
- None (okay I didn't count this one in)
- Phishing
- Exploit
- Serve File
- Java Signed Applet
- Browser Autopwn
Let's create page 1 - Java Signed Applet Web Page - with Attack type as Java Signed Applet.
Configure the exploit.
Once we save the attack configuration and move to the Page Content step, we see it cannot be configured. Basically, the Content step is disabled when serving exploits. This applies to all attack types except Phishing.
Similarly, we will configure web pages for Exploit, Serve File & Browser Autopwn attack types.
We can also create a new web page that links to all the web pages configured above (as an example). We can then configure a new phishing web page & redirect the users to this Redirect To Web Page after they submit the phishing form.
Time to configure the Phishing Web Page. Here we have two options for redirection:
- Define a redirect URL (can be one of the above web pages or a separate web server, for example BeEF)
- Choose another attack page to redirect to - select one of the web pages we configured earlier
Make the phishing form & save the configuration.
One more piece that we can configure and plug in to our campaigns is malicious portable file(s). Following is the configuration screen:
Finally, when we have configured all the required components, we can view them on the dashboard. The remaining configuration now is for the Email and Web server.
All sections for our custom campaign are now completed.
This new campaign is now listed under the Manage Campaigns area.
Preview it before launching it.
Progress of the campaign is periodically updated as and when the target user(s) perform a specific action - opening the email, clicking on the malicious URL(s), submitting the phishing form and eventually getting pwned.
When the form is submitted, the information can be viewed by clicking on the email address. Note that the email address is being shown as Anonymous, because I did not click the link from the link, but instead opened the link directly in my lab box.
When the target box gets pwned successfully and a session is opened, the stats get updated in the last circle, and session information is populated in the table. Click on the session to manage it.
To conclude, I will touch slightly upon the reporting capability as well.
To generate a new report for this campaign, we just need to click 'Generate Report' provided at the top. On the reporting screen, we have several options we can configure for the report.
We start by selecting the Report Type as Social Engineering Campaign Details. The report can be generated in the following four formats:
Give it a name; the next important step is to select the specific campaign for which we want the report generated. We can select the campaign from the drop-down.
Next, depending on the audience & deliverable type of our testing engagement, we can include/exclude any specific sections from the report.
The report can be emailed as well if required.
This brings us to the close of the Metasploit Pro Client Side campaigns writeups. The overall process is pretty simple & straightforward. While the canned phishing campaign limits the maximum web pages to two - a landing page and a redirect-to page - it is useful for setting up a campaign quick & dirty, for example when only phishing is the goal. In contrast, Custom campaigns give a great amount of flexibility in setting up the campaign.
There are a few more limitations associated with running campaigns, though:
- A campaign can contain one email only.
- Each Metasploit Pro instance can run only one campaign at a time.
- Metasploit Pro does not serve images or asset files locally. For manually created web pages, we must define fully qualified URLs.
See ya guys around.