root@dafthack:~#‎ > ‎

How to Spear Phish Your Employees: Part 1, The Setup

posted Jan 31, 2014, 5:42 AM by Beau Bullock   [ updated Feb 3, 2014, 12:23 PM ]
The SPToolkit is a fantastic open-source tool for training your employees about the dangers of spear-phishing. I have been using it for a couple of years now to perform internal spear-phishing training against my employees. It can be used to send targeted emails to individuals within your organization with the intent of getting them to click a malicious link. It is possible to set up your own training materials so that once a user clicks a potentially malicious link they will be redirected to your own internal security training materials. There is a nice console built-in that will show you the users that clicked the malicious links so you can keep track of how many employees might be endangering your environment.

8 months ago the team at SPToolkit had to kill the project due to a lack of sponsors or backing for further development. They still have the code out on Github but their install guides are not live on their website anymore. This inspired me to write a new install guide so that hopefully others will be able to get their own SPToolkit up and running with ease. There are commercial offerings out there that you could spend a lot of money on that do very similar things that this tool does for free. Let’s go phishing!

These are the items you will need for this install:

Here are the steps:

1. I recommend downloading the Turnkey Linux LAMP Stack. It contains everything you need already built to run the SPToolkit. They have a few build options but for this guide I will be using the VMware build.

2. Unzip the archive after downloading it from
3. If you have previously installed VMPlayer all you need to do is double click the VMX to load the VM.

4. Once it boots up it will ask you to enter a new root password and then re-enter again.

5. Next it will ask to set the MySQL ‘root’ account password and then re-enter again.

6. The next screen asks to initialize hub services. Use the tab key to highlight “Skip” and click enter.

7. Turnkey LAMP will ask if you want to install Security Updates. This is a security blog so you know what the answer should be here. 

At this point LAMP has been setup and you should be able to SSH into the system.

8. Use a program like WinSCP to SFTP into the device and upload the SPToolkit archive file you downloaded into the /root directory.
9. SSH into the system using the root account and password you created in step 4.
10. unzip
11. cd sptoolkit-master
12. mv * /var/www/
13. apt-get update
14. apt-get upgrade
15. apt-get install php5-ldap php5-curl zip
16. /etc/init.d/apache2 restart
17. chgrp -R www-data /var/www/spt/ & chmod -R 775 /var/www/spt/
18. Navigate your browser to the https://<the servers IP>:12322
19. Login with the mysql root login you created earlier.
20. Click the Databases tab.

21. Under “Create new database” give your database a name like “spt” and click “Create”.

22. Navigate your browser to the SPT install page using your LAMP box’s IP http://<ip>/spt/install.php
23. Click I Agree
24. All of the checks should show green on the next page.  If not, hover over them with your mouse to get some help.
25. If all looks good click Proceed!
26. Fill in the information so SPT can connect to its own MySQL database. All that probably needs to be modified should be the root username you created, root password, and database name “spt”.

27. Click “Continue” and SPT should show you the new tables it has created.

28. Next we will create our first user for SPT

29. After creating this user it will drop you at the standard SPT login screen. Go ahead and login with your new user account.

30. Congratulations! We have successfully set up SPToolkit!

Now that we have SPToolkit installed you will want to start your spear-phishing training campaign! In part 2 of this guide I will show you how to use SPToolkit to create phishing messages, as well as custom training materials for those that get phished.


The gadget spec URL could not be found