How to Spear Phish Your Employees: Part 2, Testing Functionality

posted Jan 31, 2014, 11:15 AM by Beau Bullock   [ updated Feb 7, 2014, 10:09 AM ]
Now that we have SPToolkit set up after following part 1 of this series we will begin testing the functionality of the software. First we will walk through sending ourselves a test phishing message, make sure the training materials are able to be accessed on link click, and then import a list of targets for future tests.

You may end up sending yourself quite a few test messages in the process of setting up the perfect attack. If you run into any issues with the below guide, make sure you correctly configure your SMTP environment. Configuring an SMTP relay is out of the scope of this guide but you may be able to get some information from error messages in /var/log/apache2/error.log.

1. To begin, you can test SPToolkit by sending yourself a test phishing message.
2. Depending on your environment you may need to set up an SMTP Relay server. Click the settings tab on the left, and then click the “SMTP Server” button to add in your SMTP Relay.

3. Click the Campaigns side tab, and then click the “Campaign” button.

4. Give it a name.

5. Click the Targets tab. Select Admins – Test. (Note: this group is created automatically and contains only your email address.)

6. Click Schedule and select a start date and time for your test phishing message. You may also skip this step to start the phishing attack 60 seconds after you finish setting up the attack.

7. Click Template and select a phishing email template.

8. Click Education and select the training template you would like to receive on link click.

9. Click SMTP Relay and select either None – Direct SMTP or the SMTP Relay server you set up in step 2.
10. For this initial test don’t worry about throttling, shortener, or audit at the moment.
11. You can click the green “Check” symbol to send your first phishing message!
12. You should now see that your campaign is active. You should receive the message in your inbox momentarily.

13. Depending on the email client you are using as well as SMTP Relay the message may or may not be flagged as a phishing message. For the sake of testing go ahead and move the message to your inbox if it ended up in junk and enable the links if they were disabled. Go against all security rules and click one of the links in the phishing message. This should land you on a training page describing what has just happened!

14. Go back to your SPT console. Click Campaigns, then the Finished tab.

15. Click the name of your campaign. This will pull up a window showing you the details of the campaign you launched. You should see the Name of your target, their Email address, the time you sent it, whether they clicked it or not, the IP they were at when they clicked it, and whether or not they read the training and clicked that they read it on the training page.

Now that we know SPToolkit is functioning correctly you can begin setting up other users to send phishing messages to.

1. Click the Targets tab in the console. To set up a single target click the icon that says “one”.

2. Fill in the information about this target and click the green “Check” symbol when you are done.

3. To add multiple targets you are going to want to import from a CSV file containing the targets’ information in this format: (fname, lname, email, group).
4. After you create your CSV click the “Import” button. Browse to where you created the import CSV and click the green “Check” symbol.
Now when you start a campaign you will be able to select these targets to send phishing messages to.
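As an added example (not part of the original post and not SPToolkit’s own code), here is a small Python script that turns a raw address export into the fname, lname, email, group layout SPToolkit imports. It checks the column count, normalizes and validates each address, drops duplicates, and rejects anything outside the company’s own domain so a simulation never reaches outsiders. The sample export, the allowed domain example.com and the address regex are assumptions.

```python
import csv
import io
import re

# Column order SPToolkit expects for a target import, as given on the page: fname, lname, email, group.
FIELDS = ("fname", "lname", "email", "group")
# Cheap syntax check to catch typos before import; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample of a raw HR export; four rows are deliberately bad.
SAMPLE_EXPORT = """\
Alice,Anders,alice.anders@example.com,Finance
Bob,Baker,bob.baker@example.com,IT
Carol,Chen,carol.chen@example,Finance
Dan,Diaz,,IT
alice,anders,Alice.Anders@example.com,Finance
Eve,Evans,eve.evans@partner-company.test,Sales
"""

def validate_targets(raw_csv, allowed_domain):
    """Return (rows, errors): clean rows keyed by FIELDS, and one message per rejected line."""
    rows, errors, seen = [], [], set()
    for lineno, record in enumerate(csv.reader(io.StringIO(raw_csv)), start=1):
        if not record:  # skip blank lines
            continue
        if len(record) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} columns, got {len(record)}")
            continue
        row = dict(zip(FIELDS, (v.strip() for v in record)))
        email = row["email"].lower()  # normalize so case variants dedupe
        if not EMAIL_RE.match(email):
            errors.append(f"line {lineno}: malformed email {row['email']!r}")
        elif not email.endswith("@" + allowed_domain.lower()):
            errors.append(f"line {lineno}: {email} is outside {allowed_domain}")
        elif email in seen:
            errors.append(f"line {lineno}: duplicate {email}")
        else:
            seen.add(email)
            row["email"] = email
            rows.append(row)
    return rows, errors

def to_import_csv(rows):
    """Serialize clean rows as header-less CSV in the fname,lname,email,group order."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([r[f] for f in FIELDS] for r in rows)
    return out.getvalue()
```

Write the string returned by `to_import_csv` to a file and use that file with the “Import” button; review the rejected lines by hand before re-running.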

In part 3 of this guide we will close out with customizing the training materials and phishing messages.