December 24, 2012 Karn Ganeshen

[Metasploit Pro] Client-Side Campaigns

Playing around with Metasploit Pro after the latest update, I noticed there has been a complete makeover in how Campaigns are set up. Campaigns are used in / for the Client-side testing (read: social engineering, phishing emails, phishing forms, web server serving exploits, file format exploits, etc.).

So I thought of sharing the new configuration steps with you ninjas. Let’s begin.

Start with creating a new project.

Here’s our new project home.

Click on the Campaigns at the top of project home. This will bring up the Campaigns home dashboard.

As we can see here, there are 3 areas in the Campaigns dashboard:

  1. Configure a Campaign
  2. Manage Campaigns
  3. Manage Reusable Resources
We will start with Configuring a Campaign to keep things simple. I will cover the other two areas as well.
Configuring a Campaign screen shows 3 areas that we need to configure:
  1. Name of Campaign, Type of Campaign – Phishing or Custom
  2. Campaign Components – Email – Landing Page
  3. Server Configuration – Email Server and Web Server
Enter a name for our Campaign – Test Campaign 1 and we will start with a ‘Phishing Campaign.’ I will cover the ‘Custom Campaign’ as well after this.
Now we need to jump in to configure Campaign Components.
Note: At the start of configuration, notice that all the components have a dotted boundary. Once we configure the components, this shall change to a solid one.
Clicking on Email component brings us to a new configuration page. This is a 2 step process:
  1. Configure E-mail Header
  2. Configure E-mail Content
We start with configuring the Email Header. Fill in the Subject, From address, From name and then we have to choose a Target List. Target List is a list of email addresses to which we will send our email. Since we have not (yet) defined a Target List, we should select ‘Create a new Target List.’
This brings up a new screen to create a ‘New Target List.’ Here we either:
  1. Import Target List (email addresses) – from a file in csv format; or
  2. Manually add Targets (email addresses)
Let’s add 2 target email addresses manually & press Submit. This will bring us back to Configure E-mail Header page and we will proceed to add content to our email.
In the E-mail Content screen, we write an email for our targeted users. Email can have either Rich-text or Plain Text content. Metasploit provides custom attributes that we can use in our email. We can choose to insert these from the drop-down on the top right under ‘Insert Custom Attribute’.
Attributes auto-fill the email with data from the Target List we created earlier. For example, first name, last name, & email address. We can also add link to our Landing Page as is shown below.
Note: We can also choose to use Email Templates from the ‘Template’ drop down option. We can create the templates under ‘Manage Reusable Resources’ area. I will cover this as well but for now we will stick to the example above.
Save the configuration and the next component we need to configure is the ‘Landing Page’. Landing Page is the web page where the user will get phished! This is typically a form through which we aim to harvest information from the target user; for example, login information, Social Security Number, date of birth, bank account numbers, ATM pin etc.
Configuring Landing Page is a 2 step process:
  1. Configure Landing Page Settings
  2. Create Landing Page Content
Under the Landing Page Settings configuration, we can define a URL path to the web page. By default, a random string is generated here.
The next configuration defines the redirection behavior ‘After’ the (phishing) form is submitted by the target user. It offers 2 options:
  1. Redirect to a custom URL
  2. Redirect to the Campaign Redirect Page
We will select Campaign Redirect Page for this configuration. At the moment, this page does not exist. We will create this page once we complete the current configuration.
A custom URL can be any URL. It can be URL to a legitimate web site to which the target user originally intended to go to, or can be URL of a malicious web server where we choose to run browser autopwn or serve exploits.
Next step is to create content for our Landing Page. Metasploit Pro provides an option to Clone Website which I will show to you in a moment. For now, we will use a simple form example.
Note: Only forms are allowed here.
Save the configuration and we are back on our Campaigns Dashboard. Now we see there is a new component (‘Redirect Page’) created for us to configure (look it’s got a dotted boundary). This is the Campaign Redirect Page that we came across above earlier.

Proceed to configure the Campaign Redirect Page. It has 2 steps:

  1. Page Name
  2. Page Content


We can add any HTML code here. Save the configuration and we can proceed to configure Email and Web servers.

But hold on folks, there’s something else I’d like you to show. It won’t take long. : )

Let’s go back to Configure Landing Page Settings, and this time I just want to show we can enter a custom Redirect-To URL here.


The next thing I’d like to show is the ‘Clone Website’ option we have in the Create Landing Page Content screen. To Clone a web form, say of a target organization’s employee login or a bank’s login page or perhaps an administrative portal login, we click on the ‘Clone Website’ button on the top right. It shall bring up a pop up box. Here, we can provide our target form URL and configure few more options (explanation copy-pasted from HELP):
  1. Strip Javascript – Removes Javascript tags from the cloned HTML and prevents any scripts from running URL checking code or redirecting the human target to the real site.
  2. Set referer – Sets the HTTP referer header on the outgoing request for the cloned web page. Use this option if you want to use a page that checks referers or if you want to appear to the site’s administrator as a user that browsed to the website (e.g.,
  3. Set user agent – Sets the user agent header on the outgoing request for the cloned web page. Use this option if you want to get a targeted version of a website or if you want your request to appear to come from a normal browser.
  4. Resolve relative URLS – Resolves any relative URLS to absolute URLs in the cloned HTML. This option is selected by default.


From here, we save the configuration and it will bring us out on the Dashboard.
The final component is the Server configuration – Email and Web.


With this final component configured, the phishing campaign is ready.

Save & Launch Campaign to start the run.!
I have covered one of three areas in the Campaigns dashboard. In the next few posts, I will cover ‘Manage Reusable Resources’ in which we can create different templates for Email content, Web page content, Email address lists and Malicious files (which we can send in our emails). Additionally, I will cover the ‘Manage Campaigns’ area, where we can review, edit and monitor progress of our campaigns.
The whole workflow is pretty simple to configure and quite straight forward.
Stay connected for more.
Tagged: , , , , , , ,

Comments (2)

  1. Anonymous

    Just wondering if you have come up with a way to use the default server IP address without outlook or the other e-mail clients flagging it as SPAM and Phishing???

Leave a Reply

Your email address will not be published. Required fields are marked *