Phishing Attacks Quick Start Guide

What Is Phishing?

Phishing is a social engineering technique that attempts to acquire sensitive information from a human target. During a phishing attack, a target receives a bogus email disguised as an email from a trusted source. The email contains a tracking link that opens an authentic looking web page that contains a form that you want the target to fill out. If the target fills out and submits the form, you can capture their information and use it as evidence.

This Quick Start Guide will guide you through the necessary steps to set up and run a phishing attack from Metasploit Pro.

What Do I Need to Set Up a Phishing Attack?

To get started with a phishing attack, you'll need the following components:

  • Campaign - A logical grouping of components that you need to perform a social engineering attack, such as a web page or email. Each social engineering attack is configured from within a campaign. Only one campaign can run at a time.
  • Email - A campaign component that defines the header and body for the e-mail that you send to targets.
  • Email Server - A machine that acts as a mail transfer agent (MTA). Metasploit Pro does not provide an MTA for you to send email. You must supply Metasploit Pro with the SMTP settings for your mail server. Before you define the SMTP server, make sure that the port that your mail server uses is not blocked by the Metasploit instance. Generally, ports 25 and 587 are recommended SMTP ports.
  • Web Page - A campaign component that you use to create the web page that the target visits.
  • Web Server - A machine that serves the web pages for the campaign. Metasploit Pro creates a web server locally to serve the web page.
  • Tracking URL - A HTML link that appears in the body of the email that enables click-through tracking. Each link is unique for each human target on the target list.
  • Target List - A list that defines the targets that you want to email a phishing attack.

How Do I Set Up a Phishing Attack?

Task 1 - Set up the SMTP settings for your mail server.
Task 2 - Create a campaign.
Task 3 - Create an email that includes a link to your phishing web page.
Task 4 - Clone a web page to create a fake web page.
Task 5 - Set up the web server to host the web page.
Task 6 - Generate a preview of the email and the web page.
Task 7 - Start the campaign.
Task 8 - View the campaign findings.
Task 9 - Stop the campaign when you are done and generate a report for the campaign.

Setting Up a Global Mail Server

If you intend to use the same mail server to send emails from Metasploit Pro, then you should set up your mail server through the global settings. After you globally define the SMTP settings for your mail server, Metasploit Pro will auto-fill the mail server information for your campaign.

  1. From the main menu, select Administration > Global Settings.
  2. When the Global Settings page appears, locate the SMTP Settings.
  3. Enter the following information to configure your SMTP settings:
    • Address - The fully qualified mail server address (e.g.,
    • Port - The port that the mail server runs on.
    • Domain - The hosted domain name for your mail server (e.g.,
    • Username - The username that the system uses to authenticate the mail server.
    • Password - The password that the system uses to authenticate the mail server.
    • Authentication - The authentication type that the mail server uses.
  4. Click the Update Settings button to save your changes.

Now you’re ready to create a campaign.

Creating a Campaign

  1. From within a project, click the Campaigns tab.
  2. Click the Configure a Campaign tab.
  3. Enter a descriptive name for the campaign. For example, "HR Phishing Scam" helps you identify the campaign type and the targets.
  4. Select Phishing Campaign as the setup option.

The next step is to configure the web page component.

Creating a Web Page

  1. From the Campaign Components area, click the Landing Page icon. The Web Page configuration page appears.
  2. Enter the URL that you want the page to be served at.
  3. Select the redirect page for the campaign. The redirect page can be a URL to a real web page or a web page that you create as part of your campaign. For the purpose of this Quick Start Guide, choose the Redirect to URL option and specify your company website.
  4. Click the Next button to continue to the Content page.
  5. When the Content page appears, click the Clone Website button.
  6. When the Clone Website modal window appears, enter the web page that you want to clone and click the Clone button. The web page that you are cloning must contain a web form.

When Metasploit Pro finishes cloning the web page, the HTML content will display in the Content Window.

  1. Click the Save button.

The Phishing Wizard takes you back to the Configure a Campaign page. The next step is to set up the email component.

Crafting the Email

  1. From the Campaign Components area, click the Email icon.
  2. When the email configuration page appears, enter the email header information. You need to specify a name for the email component, the email subject line, the from address and the from name.
  3. Click the Target list dropdown and choose Create a New Target List.
  4. When the New Target List window appears, enter a descriptive name for the list. For example, a name like "HR Targets List" helps identify the types of targets on the list.
  5. Under Manually Add Targets, enter the email address, first name, and last name for a target.
  6. Click the + button to add additional targets.
  7. Click the Submit button when you are done. This takes you back to the email configuration page.
  8. Click Next to continue.
  9. In the Content box, enter the body of the email.
  10. After you create the content, use the Link to Landing Page attribute to insert the link into the email.
  11. When the Insert a Link to Landing Page window appears, enter the display text for the URL.
  12. Click the Insert button to insert the hyperlink into the email. You’ll see the link appear as {% campaign_ web_link ‘DISPLAY TEXT, ‘Landing Page’ %} in the email content.
  13. Save the email. The email configuration page closes and takes you back to the campaign configuration page.

Setting Up the Local Web Server

  1. Under Server Configurations, click the Web Server icon. The Web Server configuration page appears.
  2. Enter the address, or URL, that you want to use to link to the web page. You can use the IP address for your local Metasploit Pro machine or if you have DNS set up, you can specify the domain name instead.
  3. Enter the port that you want to use to run the website. You should specify a port that’s typically used for HTTP traffic, such as 8080 or 80.
  4. Click Save to save the web server settings.
  5. From the campaign configuration page, click Done to save the campaign.

Please note that targets can view the web page only if they are able to access Metasploit Pro from their location on the network. If the target cannot reach the web server, tracking and web content may not work as intended.

Previewing the Email and Web Page

  1. From the Manage Campaigns area, find the campaign you just created.
  2. Click the Preview link.
  3. The preview window appears and shows you what the generated email and web page will look like. Use the Email and Landing Page tabs to switch between previews.

Starting the Phishing Attack

  1. From the Manage Campaigns tab, find the campaign you just created. If you successfully created the campaign, the campaign status should indicate that it is launchable.
  2. Click the Start button.
  3. A confirmation window appears and prompts you to confirm that you want to send the phishing email. Click OK to start the campaign.

When you start the campaign, the campaign status changes from launchable to running. This status indicates that phishing email has been sent and the web page is online and accessible to any human target that can reach the Metasploit Pro instance.

Metasploit Pro starts to track the human target after they open the email, which contains a tracking GIF that alerts the campaign when an email is opened. When the human target clicks on the link provided in the email and visits the spoofed web page, a cookie is set in order to accurately track the future actions taken by the human target.

You will be able to see the statistics for the campaign update in real-time from the Campaign Findings. For example, if the target submits their credentials through a login page, you will see the statistics for form submissions increment and you will be able to click on the stat bubble to see who has submitted the form.

Viewing Real-Time Stats

  1. From the Manage Campaigns tab, find the campaign that you just launched.
  2. Click the Findings link.

The Findings window appears and shows you the current statistics for the campaign. It shows a high level breakdown of how the targets responded to the phishing attack and reveals the level of success that the phishing attack had on the targets. You can click on any of the stat bubbles to see a list of targets associated with a particular finding.

Additionally, if you want generate a report at this point, you can click on the Generate Report button that is available on the Campaign Findings window.

Viewing the Report

  1. From the Manage Campaigns tab, click the Stop button to stop the campaign.
  2. Select the Reports tab from the Tasks bar. The New Report page appears.
  3. Click the Report Type dropdown and select Social Engineering Campaign Details. This report provides a high-level graphical breakdown of the statistics collected by Metasploit Pro, like the number of targets who opened the email, clicked on the link, and submitted the form. Additionally, you’ll see the configuration for the campaign, including the component settings and an expanded target list.
  4. Choose the file format you want to use to generate the report. PDF is a good choice.
  5. Enter a name for the report.
  6. Select the campaign that you want to generate a report for.
  7. Keep the default report sections and report options.
  8. Generate the report. The Tasks log displays and shows the generation of the report.
  9. After the report generation finishes, go back to the Reports area.
  10. Find the report that you just generated and click View.

The report opens and displays the data that is available for the phishing campaign. There’s a lot of data for you to peruse. For a quick overview, go to the Social Engineering Funnel section. You’ll see a high-level breakdown of response types from your human targets.

Phishing Attacks Quick Start Guide