Title: Need to build a Phishing platform/framework
Post by: rance on July 28, 2011, 11:55:57 AM

I'm on a roll today...

Just before leaving for SANS last week, I was hit up and told that we need to implement our own home-grown phishing tests. My first thought was "crap, gotta build a box, write code, run tests, maintain code, etc"... Well, I went to a phishing lunch and learn at the conference, and found out about the PhishMe company/service. I like the idea of it, and I'm trying to get approval to move forward with a demo, HOWEVER, cost is always an object. We got an initial quote, and it's probably going to be difficult to get funding. Which puts me back at building my own solution.

As I was looking up reviews on PhishMe, there were mentions in articles about scripts and programs in the open source community that assist in phishing tests, but my google-fu is not up to snuff this morning and I'm coming up blank.

So, I'm putting out a call to anyone with information on building a platform for this. What scripts/programs/frameworks do you utilize to perform phishing exercises?

As always, thanks for any input!

Title: Re: Need to build a Phishing platform/framework
Post by: dbest on July 28, 2011, 12:09:52 PM

Have you had a look at The Social Engineer Toolkit (http://www.social-engineer.org/)? Am certain it contains a module for Phishing attacks.

Title: Re: Need to build a Phishing platform/framework
Post by: cochese86 on July 28, 2011, 12:26:09 PM

+1 to SET and sendmail on a backtrack box. You should be ok then.

Title: Re: Need to build a Phishing platform/framework
Post by: tturner on July 28, 2011, 12:49:10 PM

I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P

Imagine the fun you could have just issuing instructions to staff. No need to hack anything, just go all HBGary on them and ask for the SSH credentials ;D

Title: Re: Need to build a Phishing platform/framework
Post by: lorddicranius on July 28, 2011, 01:41:52 PM

> I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P

I've been considering a VPS for a while now and I think I was just persuaded!

> No need to hack anything, just go all HBGary on them and ask for the SSH credentials ;D

LOL

Title: Re: Need to build a Phishing platform/framework
Post by: pseud0 on September 04, 2011, 02:47:32 PM

We normally just run SET for these types of engagements. If you can base your template off of one of their existing internal emails that is your best option. Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

Title: Re: Need to build a Phishing platform/framework
Post by: dbest on September 05, 2011, 12:45:36 AM

> We normally just run SET for these types of engagements. If you can base your template off of one of their existing internal emails that is your best option. Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

A colleague of mine recently did something similar. However, he created a URL similar to a famous social networking site. The organization had a URL filtering software in place and the spoofed site could not be accessed by the users. Something to keep in mind. :)

Title: Re: Need to build a Phishing platform/framework
Post by: pseud0 on September 05, 2011, 10:20:19 AM

If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked. That's why I recommended copying their own corporate home page. I'd be slightly surprised to see someone blacklisting their own site.

Title: Re: Need to build a Phishing platform/framework
Post by: MaXe on September 06, 2011, 12:14:43 PM

If you need to phish users from common services that many people use, there's SET by the Social Engineer project, but also many other free and open source projects you could look into.

Many of these may be unfinished, perhaps even buggy, but there is one in particular that should catch your interest. I'm glad my memory is with me today, as it has been a few years since people talked about this:

http://forum.intern0t.net/offensive-guides-information/2262-phishing-google-wave-hacking-google-buzz.html
http://blog.nparashuram.com/2008/06/tackle-javascript-based-phishing-kit.html

A friend of mine also wrote a blog entry which you may be interested in checking out:

http://www.e-x-e.dk/2010/07/03/how-to-phish-the-effective-and-smart-way-using-xss-3/

Enjoy and use it for ethical purposes only! ;)

Title: Re: Need to build a Phishing platform/framework
Post by: rance on September 07, 2011, 11:52:43 AM

Looks like SET is the way to go, going to have to find some time to take a peek at it.
Thanks to everyone for all the info!