All posts by SNM

This tutorial is based on the exroot Nexx 3020H build from THIS earlier post.

Responder has been the bread and butter in our toolkit…screwdriver in our sandwich? Wait, I think I lost the analogy. Anyway, Responder is an amazing pen testing tool if you are on a local network. Building the Nexx 3020H as a network dropbox meant that Responder was one of the first tools that I wanted on the device.

This post is going to be split into two sections since the install part went **spoiler alert** way easier than I had expected.

If you haven’t flashed your device to OpenWRT and set up exroot, you can pop back over once that is done.

Part One: Setup and Usage

Download Responder from the SpiderLabs GitHub repository as a zip file.

GitHub Download for Responder

SSH into the Nexx dropbox. I am going to put the files in /opt; you can unzip the file on your host or on the device. Doing it on the device has the drawback of requiring more disk space.


scp -r Responder-master root@
Unzip Responder-master

scp files from host to dropbox

Verify Responder-master copied to dropbox

Excellent, there is one package that Responder requires, and I will install nano to edit the config file later.

opkg update
opkg install python
opkg install nano

Since OpenWRT already runs a web server on port 80 and, because the device also acts as a WAP, a DNS server on port 53, Responder won’t be able to start its DNS or HTTP module: both ports are already in use. Don’t believe me? Try it in Analyze mode.

./ -I br-lan -A
Completely expected error

Disabling both the HTTP and DNS modules allows Responder to start normally without affecting the device’s own functionality. Disabling OpenWRT’s DNS service instead would probably cause issues for hosts plugged into the LAN port, which would probably end up getting the dropbox detected. Disabling OpenWRT’s web server would be less impactful but would limit a future use that I am working on, so I’m taking that off the table for now.

Edit the Responder.conf file to disable both modules.

nano Responder.conf
HTTP = Off
DNS = Off
Responder.conf changes

Restart Responder. I will use the br-lan interface as an example and the -f option to fingerprint hosts.

./ -I br-lan -f
Responder on br-lan

Part 2: On Interfaces and Theory

Running ifconfig on the dropbox shows all of the available interfaces.

iwconfig output

br-lan is the LAN port on the Nexx 3020H
eth0.2 is the WAN port on the Nexx 3020H

Poisoning the br-lan interface only affects the hosts downstream of the dropbox; this limits the potential issues but also means fewer hosts. A common scenario would be to drop this in a waiting area on a receptionist’s system. Having a foothold on the network and hashes for one person is a good place to start.

The next option is to use eth0.2 and poison the WAN interface. In the same scenario this exposes all of the systems internal to the network to potential poisoning. The chance of getting a high-value set of credentials or a hash is much higher. But if Responder causes issues on the network, which is not unheard of, then the chances that you lose the device are higher. Using a cron job to copy the log folder to a remote system reduces the risk of data loss.

The final option is to poison them both. Why? Why not. Test it on your systems and then get everything you can.
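Responder answers LLMNR and NBT-NS queries that no legitimate host would answer, and that is also what makes it detectable from the defender’s side. The following is an added example, not part of the original post or of Responder: it multicasts an LLMNR query for a name that should not exist and reports any host that answers. It assumes IPv4 LLMNR on 224.0.0.252 port 5355 and a probe name nobody owns; the embedded response packet is constructed.

```python
"""Detect an LLMNR poisoner (such as a Responder instance) by multicasting a
query for a name no host should own and reporting who answers. A healthy
network returns nothing; a poisoner answers with its own address. Added
example, not part of the original post or of Responder; it assumes IPv4 LLMNR
on 224.0.0.252:5355, and SAMPLE_RESPONSE is a constructed packet."""
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(packet: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_llmnr_answer(packet: bytes, expect_txid: int):
    """Return the A-record addresses in a response to our query, or None if the
    packet is not a response carrying the matching transaction id."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if txid != expect_txid or not flags & 0x8000:
        return None
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4          # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return addresses

# Constructed: what a poisoner at 192.168.1.50 would send back for "canary".
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
                   + b"\x06canary\x00\x00\x01\x00\x01"                          # echoed question
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc0\xa8\x01\x32")

def probe(name="llmnr-canary-do-not-resolve", timeout=2.0):
    """Send the query and collect (responder_ip, [claimed addresses]) until timeout."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            answers = parse_llmnr_answer(data, txid)
            if answers:
                hits.append((src, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits

if __name__ == "__main__":
    for src, answers in probe():
        print(f"LLMNR poisoner suspected: {src} answered with {answers}")
```

Run it from a host on the segment you want to check; any hit is worth investigating, because a name that does not exist should never resolve. NBT-NS poisoning can be checked the same way on UDP 137 with a NetBIOS name query, which is left out here to keep the block to one protocol.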

Comedy of Errors Scene 2, Act 2
Am I on earth, in heaven, or in hell? Asleep or awake? Crazy or sane? These people know me, but I don’t know myself! I’ll agree with them and keep with it, whatever happens. – ANTIPHOLUS OF SYRACUSE

I’ve used dropboxes in the past for penetration testing when onsite social engineering was allowed. The best thing about these was that you could guarantee they would be returned even if found, and someone else paid for them.

I ended up with two Nexx WT3020H wireless NAS routers. Two, you say? Yeah, comedy of errors act one. I went to Gearbest to order one. I’m not a huge fan of putting my credit card information into a sketchy foreign website, so I selected the PayPal option. Then nothing … blank screen and a loading indicator. After a few minutes the page redirected back and a ‘Thank you for your order’ message appeared. I broke down and decided to order the same one from Amazon and pay the extra three dollars because there is no way that the other one would ship, right? A week later the Amazon one shows up and a few days after that the Gearbest one is sitting in my mailbox. L33T H4x0R mode unlocked!

Act two: call up a few of the guys I know who are interested in pen testing and meet at UNM. The Nexx box will not power up when connected to the USB port on my laptop or the USB power port on the wall receptacle. No big deal, I planned ahead and brought a wall adapter; still no luck. Time spent with friends is never a waste, but no work got done. I honestly thought the device was a brick at this point, but I tried a different USB cable later that night and BOOM, back in business. So, the cable that ships with the device was junk.

Third act… Every write-up you see says you flash the device, opkg a few installs, scp the SWORD ( files from zer0byte to the web directory, and then drop the device on a network and cause havoc. I believed these; the problem is most of those packages aren’t in the OpenWRT repos anymore, and even if they were there isn’t enough space on the device. Feel free to move through those posts and find the errors yourself, but if you want a working device and have an extra USB drive, continue on.

Out of Space

Act IV, this is the real deal; we are going to get some stuff done! Flashing to OpenWRT is the first step.
The Nexx 3020 has its own entry on the OpenWRT forum, making downloading the firmware super easy. The links on that page weren’t working, though! I ended up pulling them down from ( instead of using the wiki links. Has it been fixed since then? Was it just a bad night? Doesn’t matter; use the one that works for you.

It’s possible to use the command line to install the firmware, but why not use the web interface? Someone spent time coding it, might as well use it.

Nexx Default Page

Nexx Flash Page

Following the wiki instructions I used the factory firmware to get from the OEM to OpenWRT (openwrt-15.05.1-ramips-mt7620-wt3020-8M-squashfs-factory.bin). I’m kind of a belt and suspenders type person so I did this over the LAN ethernet interface and with the power plugged into an adapter on a powerstrip instead of the computer USB interface. I really wanted to limit the number of things that could go wrong.

Flashing to OpenWRT

The device rebooted and the LED went from flashing to solid. Good news!

The default OpenWRT IP is and connecting to it gave me the default webpage. Twice now this little beast didn’t turn into a brick!

OpenWRT Default Webpage

Set a password for the root account and enable SSH on the interface you are using to administer the device. In a real world scenario you would probably enable SSH on the WiFi interface and disable it on the LAN interface. The usage scenario for this is to gain access to the device from the parking lot once it is deployed while leaving the fewest number of ports open on the LAN for detection.

Change the Password and Enable SSH

This is where we are going to deviate from all of the simple tutorials. We need to do an exroot on OpenWRT to get more space. In a real-world scenario a low-profile 128GB USB drive would cost about twenty-five dollars from Amazon. I used a 32GB one that I already had for this write-up, but this doesn’t change the process.

Plug the USB drive into the router and SSH in using the root account; there are a few pieces of pre-work that we need to do. Ensure that the WAN ethernet port has internet access.

opkg update
Login and update opkg

opkg install fdisk
opkg install block-mount

Enable USB support and the ext4 file system.

opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install e2fsprogs

Set up the file system and exroot

fdisk -l

If everything installed correctly you should see your USB drive.

USB drive as /dev/sda1

Delete the old partition and create a new one. My USB drive was /dev/sda, but your mileage may vary, so change as required. I redacted some text; if you can do fdisk without using the help menu first, you probably don’t need to be reading this part.

fdisk /dev/sda

root@OpenWrt:~# fdisk /dev/sda
Command (m for help): d
Selected partition 1
Partition 1 has been deleted.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the new partition:
root@OpenWrt:~# fdisk /dev/sda

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type
 p primary (0 primary, 0 extended, 4 free)
 e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-61489151, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-61489151, default 61489151):

Created a new partition 1 of type 'Linux' and of size 29.3 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Now that we have a partition, format it to ext4. If you want to use a different file system, just add those packages instead of ext4.

Format the drive to ext4.

mkfs.ext4 /dev/sda1
Format the USB drive

Create a mount point and mount the partition you just created.

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1

Copy the current file system to the USB stick partition.

mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

The file system is copied over to the USB drive.

Get out your torches, but I don’t like vi so I installed nano. If you like vi just skip this step.

opkg install nano

Next, configure fstab so the USB drive is mounted at boot and used as root.

nano /etc/config/fstab

Create the initial /etc/config/fstab file using the following.

block detect > /etc/config/fstab

Add the following to the text file.

config 'mount'
 option target /
 option device /dev/sda1
 option fstype ext4
 option options rw,sync
 option enabled 1
 option enabled_fsck 0
fstab entry for exroot

Now is the moment of truth: time to reboot. If it doesn’t work you can always reflash it, right?
With luck… lights blink… time passes… seasons change… then go solid! Not really, it boots really fast. If it switches to a fast blink it came up in failsafe mode, so try the ultimate IT hack: unplug it and plug it back in.

SSH to the router and see that all your hard work paid off:

Booted up with exroot

How much space do you have activities now? So much room.
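To check that the exroot actually took, rather than trusting the LED, here is an added example (not from the original post) that parses the UCI fstab section above and /proc/mounts and reports whether / is configured for, and currently mounted from, the USB partition. It assumes the UCI layout shown above and Python installed on the router as in the Responder post; the sample fstab and mounts texts in the block are constructed.

```python
"""Verify an OpenWRT exroot setup: parse the UCI /etc/config/fstab and
/proc/mounts and confirm that / is configured to come from, and currently
is on, the USB partition. Added example, not from the original post; it
assumes the UCI layout shown in the post (a "config 'mount'" section with
"option key value" lines). SAMPLE_FSTAB and SAMPLE_MOUNTS are constructed."""
import re

SAMPLE_FSTAB = """
config 'mount'
 option target /
 option device /dev/sda1
 option fstype ext4
 option options rw,sync
 option enabled 1
 option enabled_fsck 0
"""

SAMPLE_MOUNTS = """\
/dev/root /rom squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
/dev/sda1 / ext4 rw,sync,relatime,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
"""

OPTION_RE = re.compile(r"^option\s+(\S+)\s+(.*)$")

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] from UCI config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config"):
            parts = line.split()
            stype = parts[1].strip("'\"") if len(parts) > 1 else ""
            sections.append((stype, {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2).strip().strip("'\"")
    return sections

def exroot_device(fstab_text):
    """Device of the enabled mount section targeting /, or None if there is none."""
    for stype, opts in parse_uci(fstab_text):
        if stype == "mount" and opts.get("target") == "/" and opts.get("enabled") == "1":
            return opts.get("device")
    return None

def root_device(mounts_text):
    """Device currently mounted on / according to /proc/mounts (the last entry
    wins, which is the one in effect after exroot has pivoted over the flash)."""
    dev = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/":
            dev = fields[0]
    return dev

def exroot_status(fstab_text, mounts_text):
    """'ok' when / is mounted from the configured exroot device,
    'not-configured' when fstab has no enabled / entry, otherwise 'not-active'
    (configured, but the router booted from internal flash)."""
    configured = exroot_device(fstab_text)
    if configured is None:
        return "not-configured"
    return "ok" if root_device(mounts_text) == configured else "not-active"

if __name__ == "__main__":
    # On the router: read the live files.
    with open("/etc/config/fstab") as f, open("/proc/mounts") as m:
        print(exroot_status(f.read(), m.read()))
```

A result of not-active after a reboot usually means the stick was not detected in time or the fstab section was not enabled, which is the failsafe-mode case described above.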

df to show space

Finally, and I do mean finally, let’s get to work on making this a dropbox. I really like zer0byte’s work and might take a stab at building packages in the future to revive SWORD, but for now these are what is in the repos. The nmap version is fairly old but should do most things you need that don’t include NSE.

opkg update
opkg install bash --force-depends (this should already be installed)
opkg install nmap
opkg install tcpdump
opkg install aircrack-ng

I’m going to spend some more time on this in the near future. Building Nmap to a newer version and adding masscan at the request of the brain trust I bounce all of my ideas off of. Having Responder on the internal network would be my next priority so look out for that also. I have no idea how to get these built on OpenWRT or into the repos but when I figure it out I will let everyone know. Brainstorming some other uses came up with another idea but it will require some additional knowledge on my part and will be slightly farther down the road.

Sources I used, because we all stand on the shoulders of those who came before us: just assume every OpenWRT page about USB storage and exroot, plus I read through the repos to figure out why I couldn’t opkg install the SWORD packages.

Recently, I was asked to test all SMB-enabled devices on a fairly large network to find any hosts that still supported SMBv1. This was about a month before Nmap released their SMB version enumeration NSE. I quickly threw together a script using Impacket from CoreImpact ( The initial script was about 10 lines including the imports; it was slow and only allowed for a single set of hardcoded input files. It was also single threaded, so at about 4 seconds per address it took almost a full day to complete each iteration. Testing a patch program using this was untenable.

As we’re huge fans of code re-use, I wrapped the script in my tried and true threading modules, re-learned argparse and created a functional Python program that only negotiates SMBv1 connections to a host. By only performing SMBv1 negotiation, and not even including options to enumerate other versions, I didn’t duplicate the functionality from Nmap and don’t have to worry about false positives.

This script will generate a large number of ARP requests during testing; this is per RFC when connecting to port 139. If stealth is important, reduce the threads using the -t option. Happy hunting and enjoy scanning for SMBv1.

We have added the repo to our GitHub; it requires netaddr, pycrypto and impacket.
Install with:
 pip install pycrypto
 pip install impacket
 pip install netaddr
python [*options]
usage: smbv1 scanner [-h] [-i INPUT [INPUT ...] | -f FILE] [-t THREADS]
 [-o OUTPUT] [-v]

******* * * * * * * * Check SMB for Version 1 Support * * * * * * * *******

optional arguments:
 -h, --help show this help message and exit
 -i INPUT [INPUT ...], --input INPUT [INPUT ...]
 IP Address in CIDR Notation
 -f FILE, --file FILE file containing list of IPs to check
 -t THREADS, --threads THREADS
 Number of Threads
 -o OUTPUT, --output OUTPUT
 Output File Name
 -v, --version show program's version number and exit

******* * * * * * * * * * * * * * * * * * * * * * * * * *******
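The check the script performs can be written without Impacket. The following is an added example, not the post’s scanner and not from the linked repository: it sends one SMB1 Negotiate Protocol request offering only the NT LM 0.12 dialect and classifies the reply, with a thread pool as in the original. It assumes TCP port 445; the sample replies in the block are constructed, and a host that simply closes the connection is reported as no-smb, which should be read as “SMBv1 not confirmed” rather than “safe”.

```python
"""Check whether hosts still accept SMBv1 by sending one SMB1 Negotiate
Protocol request that offers only the NT LM 0.12 dialect and classifying
the reply. Added example, not the post's scanner: standard library only, no
Impacket. SAMPLE_REPLIES are constructed; a closed connection is reported as
'no-smb', which is an assumption about SMB1-disabled servers, so treat it as
'not confirmed' rather than 'safe'."""
import ipaddress
import socket
import struct
import sys
from concurrent.futures import ThreadPoolExecutor

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

def build_negotiate() -> bytes:
    """NetBIOS session header + 32-byte SMB1 header + Negotiate body."""
    hdr = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
    hdr += struct.pack("<I", 0)                          # NT status
    hdr += bytes([0x18])                                 # Flags: canonical paths, case-insensitive
    hdr += struct.pack("<H", 0xC853)                     # Flags2: unicode, NT status, ext. security, long names
    hdr += struct.pack("<H", 0)                          # PIDHigh
    hdr += b"\x00" * 8                                   # SecurityFeatures
    hdr += struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0)     # Reserved, TID, PIDLow, UID, MID
    dialects = b"\x02NT LM 0.12\x00"                     # BufferFormat byte + dialect string
    body = bytes([0]) + struct.pack("<H", len(dialects)) + dialects   # WordCount=0, ByteCount
    msg = hdr + body
    return b"\x00" + struct.pack(">I", len(msg))[1:] + msg            # session message, 3-byte length

def classify_reply(reply: bytes) -> str:
    """'smbv1' if the server picked our SMB1 dialect, 'smb2-only' if it answered
    with SMB2, 'smbv1-refused' for an SMB1 error or no dialect, else 'no-smb'."""
    if len(reply) >= 8 and reply[0] == 0 and reply[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        reply = reply[4:]                                # strip NetBIOS session header
    if reply.startswith(SMB2_MAGIC):
        return "smb2-only"
    if not reply.startswith(SMB1_MAGIC) or len(reply) < 35:
        return "no-smb"
    command, status = reply[4], struct.unpack_from("<I", reply, 5)[0]
    word_count, dialect_index = reply[32], struct.unpack_from("<H", reply, 33)[0]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0 or dialect_index == 0xFFFF:
        return "smbv1-refused"
    return "smbv1"

# Constructed replies: a 32-byte SMB1 header with status 0, then WordCount + DialectIndex.
_HDR = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
SAMPLE_REPLIES = {
    "accepts-smb1": b"\x00\x00\x00\x23" + _HDR + b"\x11" + b"\x00\x00",   # WordCount 17, dialect 0 chosen
    "no-dialect":   b"\x00\x00\x00\x23" + _HDR + b"\x01" + b"\xff\xff",   # DialectIndex 0xFFFF: none accepted
    "smb2":         b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60,      # server answered in SMB2
    "closed":       b"",                                                  # connection closed without data
}

def check_host(host, port=445, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            reply = s.recv(1024)
    except OSError:
        reply = b""                                      # refused, timed out or reset: nothing to classify
    return host, classify_reply(reply)

def scan(hosts, threads=8):
    """Negotiate with every host in parallel; returns {host: verdict}."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(check_host, hosts))

if __name__ == "__main__":
    # usage: python smb1check.py 192.0.2.0/24 [more CIDRs]; prints hosts that still speak SMBv1
    targets = [str(ip) for arg in sys.argv[1:] for ip in ipaddress.ip_network(arg, strict=False).hosts()]
    for host, verdict in sorted(scan(targets).items()):
        if verdict == "smbv1":
            print(host, verdict)
```

Offering a single dialect is what keeps the result unambiguous: a server that picks index 0 has agreed to NT LM 0.12, and anything else is not an SMBv1 acceptance. The thread count is the same knob as the original -t option; lower it if the ARP burst mentioned above matters.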

We had a pretty solid push the first half of the year with updates to the site and projects. We’ve picked up some business that has left us fairly busy. The forecast for 2018 is:

Software Projects

  1. IPv6 Scanner, I actually wrote this a few years ago on an assessment and then promptly lost the source, so I’m cleaning it up and making it ready for prime time.
  2. SMBv1 Validator. Pretty self-explanatory; that scanner is about 90% done, I’m just adding threading because it is slow right now doing them one at a time with a full connection and handshake. The project is on GitHub and the post is Here
  3. Extra Secret Classified Project! Actually, we just don’t have a name for it yet but it is a mix of stuff we look for on assessments as some menu driven python code.


  1. Watering Hole Attacks, this is a favorite of mine.
  2. Metasploitable3 walk-through.
  3. Low power linux dropbox using Nexx 3020H hardware. Device build Here and installing Responder on the device is Here

I recently had an appointment at an ophthalmologist and because it was in New Mexico, where appointments mean nothing and linear time isn’t a thing, I had a long wait in the exam room. Stay with me I swear we are going to pen test some stuff. Most of the equipment in the room was from Welch-Allyn so why not take a look at their stuff to see how secure my data would be.

I’m not an amazing reverse engineer; it is on my list of things to improve so I took this opportunity to dig into some firmware upgrades. I’ve looked through firmware in the past and decompiling binary files never got me any results.

I was able to find the firmware for the Welch-Allyn RETeval-DR; it isn’t sold in the United States, but the file was available for download without authentication.

Welch Allyn RETeval-DR™ Firmware
Version 2.5.0 | November 11, 2015
System requirements: Windows XP, Windows 8 and all previous versions
File type: .fw | File size: 35.2 MB

I used the ‘file’ command to learn some things about the .fw file type.

root@kali:~/Desktop/RETeval-DR# file reteval-2.5.0.fw 
reteval-2.5.0.fw: Zip archive data, at least v2.0 to extract

A zip archive; I know what to do with those. At this point I assumed that this was going to be another binary file and wasn’t super excited. Extracting the contents of the zip file reveals a bunch of .img files and a script.

.fw File Contents

My first thought was that the file might contain a login of some sort or some other sensitive data. The script contains some checksum validation and uses dd to write the images to disk. Helpfully, the offset for each image is given directly after seek= in its dd command.

dd offset values

I mounted the rootfs.img and poked around the file system.

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data# mount -t auto rootfs.img mnt/
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data# cd mnt
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt# ls
bin  boot  dev  etc  lib  lib32  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cat passwd
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cd shadow
bash: cd: shadow: Not a directory

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cat shadow

Pretty sure this means that the root password is blank…OPSEC 101. Almost 90% of penetration testing is asking yourself ‘What would happen if I did this?’ So, what would happen if I wrote that to a new disk on a virtual machine?
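The blank second field in the shadow entry is the finding, and the same check can be run over any extracted rootfs. As an added example, not from the original post, the block below audits passwd and shadow for accounts with an empty password, hashes stored in passwd, legacy DES crypt hashes, and extra UID 0 accounts. The sample file contents are constructed, not the RETeval-DR files.

```python
"""Audit the passwd and shadow files of an extracted firmware root filesystem
for accounts that can log in without a password (what the blank root entry
above amounts to), plus related checks: hashes left in passwd, legacy DES
crypt hashes, and additional UID 0 accounts. Added example, not from the
original post; SAMPLE_PASSWD and SAMPLE_SHADOW are constructed."""
import re
import sys

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
service:x:0:0:service:/:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""
SAMPLE_SHADOW = """\
root::0:0:99999:7:::
service:$6$c0nstructed$8y2wQ5oYp3vL1aZ:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
"""

def parse_colon_file(text):
    """Yield the field list of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def classify_hash(field):
    """Categorise the password field of a shadow (or old-style passwd) entry."""
    if field == "":
        return "empty"                      # login succeeds with no password
    if field.startswith(("!", "*")):
        return "locked"                     # disabled account, no password login
    if re.match(r"^\$(1|5|6|y|2[abxy]?)\$", field):
        return "hashed"                     # MD5/SHA-256/SHA-512/yescrypt/bcrypt crypt
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                   # traditional 13-character DES crypt, weak
    return "unknown"

def audit_accounts(passwd_text, shadow_text):
    """Return a list of (user, finding) pairs worth reporting."""
    findings = []
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    for user, h in shadow.items():
        kind = classify_hash(h)
        if kind == "empty":
            findings.append((user, "empty password in shadow"))
        elif kind == "descrypt":
            findings.append((user, "legacy DES crypt hash"))
        elif kind == "unknown":
            findings.append((user, "unrecognised password field"))
    for f in parse_colon_file(passwd_text):
        if len(f) < 3:
            continue
        user, pw, uid = f[0], f[1], f[2]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw != "x" and classify_hash(pw) in ("hashed", "descrypt"):
            findings.append((user, "password hash stored in world-readable passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 account"))
    return findings

if __name__ == "__main__":
    # usage: python audit_accounts.py /path/to/mounted/rootfs
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:
        results = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    else:
        with open(f"{root}/etc/passwd") as p, open(f"{root}/etc/shadow") as s:
            results = audit_accounts(p.read(), s.read())
    for user, finding in results:
        print(f"{user}: {finding}")
```

Point it at the mount directory from the session above; an empty root entry is the exact case found here, and the UID 0 and passwd-hash checks catch the two other ways vendor images commonly leave a door open.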

VMWare Blank Drive

/dev/sdb added

We will need to install pv for the installation to work: the install script pipes each image through pv, which monitors the progress of the data, after it is unzipped and before it reaches the dd command. Also, we need to make the script executable before we try to use it.

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# apt-get install pv
<Redacted the install text>
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# chmod +x 
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# ./ --help
  -a <archive name> (required)
  -b update boot loader too
  -d <destination> (required)
  -f fresh install (on PC)
  -n numeric progress
  -v print firmware version
  First time programming: -a firmware.fw -f -d /dev/sdc
  Firmware update: -a firmware.fw -d /dev/mmcblk0
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# ./ -a ../reteval-2.5.0.fw -n -f -d /dev/sdb
<Redacted the install text>
/dev/sdb after dd

I used fdisk /dev/sdb to set the bootable flag on partition 1 (/dev/sdb1).

fdisk Set Bootable

I couldn’t get it to boot independently in a VM, and I couldn’t get sdb3 or sdb4 to mount on my Kali Linux box. I tried -t auto and it failed; I also tried every Linux type that I could with no luck. Oh well. In a few minutes we found the default password for the device and determined whether we could boot the drives in a VM. Not bad for an eye appointment.

Disclosure Notice: We contacted Welch-Allyn on May 17, 2017 and notified them of the issue. As of June 30th they had not given me any feedback about mitigation status, so I am releasing this. Forty-five days is more than enough time to mitigate this vulnerability.

Lucas, one of the amazing guys I work with, built this script to automatically configure CentOS systems to capture packets. On a large, distributed network, packet captures are a must to troubleshoot network problems as well as to do incident response. This script reduces the total time it takes to configure a system for packet captures and reduces errors, since all of the configurations are the same.

As advertised, it is designed and tested on CentOS but should work on Red Hat Linux and any of the derivative systems as well.


Let’s take inventory of the information we now have and decide where we will go from here.

Figure 1 – Information Inventory

Using Modules

The three commands we used (show domains, show contacts, and show companies) will help us to decide which modules to use. The show modules command will display a list of modules to choose from.

show modules

Figure 2 – show modules

As a quick note for reading the module names, the “-” delimiter divides the module into “what you have” and “what you want”. So for “I have domains, I want hosts from Shodan” the command looks like this:

use recon/domains-hosts/shodan_hostname

Figure 3 – recon-ng to shodan module

The red text indicates that an error occurred when running the module. The green text indicates the new elements added to the database.

Figure 4 – shodan summary

The module added hosts so using the show hosts command will show the additions.  Notice that we also have ports as well.

show hosts

Figure 5 – show hosts results

Notice this command displays the row id, the host, the ip address, and the module that was used.

show ports

Figure 6 – show ports results

Remove Unwanted Entries

If we wanted to stay in the .com domain, we need a way to remove the .hk and other domains.

help delete

Figure 7 – help delete results

Remember show ports was the last command we ran so ports was the table we viewed. Running the show ports command again shows that the selected rows were removed ONLY for the ports table. To validate the command worked we will check the table again.

show ports

Figure 8 – Cleaned ports table

The .hk domains are still present in the hosts table.  You will need to remove them from each table.

show hosts

Figure 9 – show hosts results

Exporting Data and Report Generation

Now that we’ve imported data from an outside source, run several modules inside recon-ng, and even deleted data from the database, it’s time to create our report. There are lots of options to choose from. The search reporting command gives us our choices.

search reporting

Figure 10 – search reporting results

The show dashboard command lets us look at the modules used and the number of times they’ve been run. We can also see the amount of information inside the database.

show dashboard

Figure 11 – show dashboard results

Some of the modules I ran were not in this tutorial.  From Figure 11 you can see all the modules used. Figure 12 is a continuation of the show dashboard command.  Here you can see the information that is captured in the database.  This also makes it easier for creating a report or exporting information.

Figure 12 – show dashboard summary

Exporting Data

We will use the reporting/list module to create a list of IP addresses to use in nmap.  This will tie in several things we’ve already covered.

  • Search for modules
  • Show options
  • Schema command
  • Set command

We will also use Nmap to scan for port 80.

search reporting

Figure 13 – search reporting

use reporting/list
show options

Figure 14 – report/list options

We will run show schema and show only truncated results so we can see the table schema.

show schema

Figure 15 – show schema

Next, use the set command to give recon-ng the file location.

set FILENAME /location/on/file/system

Figure 16 – set file location

Finally, run and let recon-ng generate the results. The screenshot is truncated so you can get an idea of what it looks like, your mileage may vary.

Figure 17 – Report Results

<<Truncation Occurs>>

Figure 18 – Report Summary

Using export_iplist.txt as input for our Nmap scan.

  • -iL input list filename
  • -p 80 port to scan
  • -Pn skip host discovery (no ping)
nmap -iL export_iplist.txt -Pn -p 80

Figure 19 – Nmap port 80 scan
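recon-ng keeps the workspace in a SQLite database (data.db under ~/.recon-ng/workspaces/&lt;name&gt;/), so the per-table deletion above and the reporting/list export can be done in one pass. The following is an added example, not part of recon-ng or this tutorial: it discovers every table with a host column through SQLite’s own metadata, removes hosts outside the in-scope suffix from all of them, and writes the remaining IPs one per line for nmap -iL. It assumes the hosts and ports tables have host and ip_address columns; the in-memory demo database is a constructed stand-in for a real workspace.

```python
"""Scope cleanup and IP export for a recon-ng workspace database. Added example,
not part of recon-ng or the original tutorial. It assumes recon-ng's SQLite
workspace file (~/.recon-ng/workspaces/<name>/data.db) and discovers, via
SQLite's own metadata, every table with a 'host' column so the same filter is
applied to hosts, ports and any other table at once. DEMO_SCHEMA and DEMO_ROWS
are a constructed stand-in for a real workspace."""
import sqlite3
import sys

DEMO_SCHEMA = """
CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                    latitude TEXT, longitude TEXT, notes TEXT, module TEXT);
CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT, protocol TEXT,
                    banner TEXT, notes TEXT, module TEXT);
"""
DEMO_ROWS = {
    "hosts": [("www.example.com", "198.51.100.10"), ("mail.example.com", "198.51.100.20"),
              ("shop.example.hk", "203.0.113.5"), ("vpn.example.com", None)],
    "ports": [("www.example.com", "198.51.100.10", "80"), ("shop.example.hk", "203.0.113.5", "443")],
}

def make_demo_db():
    """Build the constructed in-memory workspace used for demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, 'demo')",
                     DEMO_ROWS["hosts"])
    conn.executemany("INSERT INTO ports (host, ip_address, port, protocol, module) VALUES (?, ?, ?, 'tcp', 'demo')",
                     DEMO_ROWS["ports"])
    conn.commit()
    return conn

def tables_with_host_column(conn):
    """Names of all tables that carry a 'host' column, taken from sqlite_master."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    return [n for n in names if "host" in [c[1] for c in conn.execute(f'PRAGMA table_info("{n}")')]]

def purge_out_of_scope(conn, keep_suffix):
    """Delete rows whose host is set but does not end in keep_suffix (e.g. '.com')
    from every table with a host column. Returns {table: rows_removed}."""
    removed = {}
    for table in tables_with_host_column(conn):     # names come from the DB's metadata, not user input
        cur = conn.execute(f'DELETE FROM "{table}" WHERE host IS NOT NULL AND host NOT LIKE ?',
                           ("%" + keep_suffix,))
        removed[table] = cur.rowcount
    conn.commit()
    return removed

def export_iplist(conn, path=None):
    """Distinct, sorted ip_address values from hosts; optionally written one per line for nmap -iL."""
    ips = sorted({r[0] for r in conn.execute("SELECT ip_address FROM hosts WHERE ip_address IS NOT NULL")})
    if path:
        with open(path, "w") as fh:
            fh.write("\n".join(ips) + "\n")
    return ips

if __name__ == "__main__":
    # usage: python scope_cleanup.py [/path/to/data.db]; with no argument the demo database is used
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else make_demo_db()
    print(purge_out_of_scope(db, ".com"))
    print(export_iplist(db, "export_iplist.txt"))
```

Back up data.db before running this against a real workspace; recon-ng’s delete command is table-at-a-time precisely so you can inspect each table first, and this collapses that into one irreversible step.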

Create Report

This section will show you how to create an HTML report using the same data set.

use reporting/html
show options
set CREATOR Pentester
set COMPANY United Airlines

Figure 20 – report/html

Figure 21 – set options for report

We used the set command to add the creator and the customer properties for our report. Use the run command to execute the module.

Figure 22 – generate report

Not too exciting but we have our report waiting for us in the .recon-ng folder.

Figure 23 – Report location

Let’s look at that file using a browser.

Figure 24 – File Browser

Figure 25 – HTML Report Example

The next set of figures will show the expanded results for the Summary, Domains, and Locations sections.

Figure 26 – Summary Section

Figure 27 – Domains Section

Figure 28 – Locations Section

We could have done more with the information in the Contacts section. One thing I like to do with this information is expand it using the Pipl website. Using Pipl we could really dig into who any of the individuals are to create more effective spear phishing attacks or sales calls. Who are we kidding? We don’t do sales calls.

Figure 29 – Contacts Section

Look through the Vulnerabilities section. We haven’t even started a technical vulnerability assessment and we already have a place to start. OSINT for the win!

Figure 30 – Vulnerabilities Section

Figure 31 – Vulnerabilities Section 2


In this tutorial we covered Recon-ng.  It can be found at  I really enjoy working with this tool.  Just playing with it can give you a better understanding of other ways to gather information about your target.  It really becomes about bread crumbs. How deep can you dig into a company, email address, or person?

Areas we covered:

  • Installation
  • Adding API Keys
  • Creating a Workspace
  • Importing information into the database (grep and awk commands)
  • Using Modules
  • Removing unwanted entries
  • Exporting Data (to use with nmap)
  • Creating Reports

This primer covers sending spoofed emails from an online service with a link to a clone credential harvesting site.  SET provides a clean, menu-driven interface for website cloning and automates the process. Using sendmail directly is also an option in SET; it requires a single change to the configuration and a mail relay to function correctly.

We will again use the Hackerone directory to identify a company but WILL NOT be sending phishing emails to them. This would be really bad form and potentially illegal. For this, we are going to pick on a known antivirus and security company, Kaspersky. Kaspersky was basically chosen because it is a large enough organization that we should be able to find a decent page to clone, and there should be enough email addresses in the wild to generate a list from a few different places.

Email Target List

The heart of any successful phishing campaign is the list of targets. Normally we would use recon-ng to build this list, but in this tutorial we will do a few manual processes to show other methods. These can absolutely be automated, but for now let’s do it the hard way.

From, I searched for “ -license”. This is because the top pastes were all license key dumps, and I was specifically looking for emails.

Pastebin Link 1 -
Pastebin Link 2 -

I threw the entire raw contents of the data in a text file; let’s look in a few other places. We have already used theHarvester to find email addresses in the recon-ng tutorial, so let’s also use and put the results in the same text file.

root@kali:~/Desktop# theharvester -d -b all

We need to quickly pull out and de-duplicate the email addresses. This isn’t an issue with theHarvester but the pastebin data isn’t structured.

root@kali:~/Desktop# grep kasperskyRawEmails.txt > kasperskyEmail.txt
root@kali:~/Desktop# leafpad kasperskyEmail.txt
root@kali:~/Desktop# sort -d kasperskyEmail.txt > kasperskyEmailSorted.txt
root@kali:~/Desktop# sort -u kasperskyEmailSorted.txt > kasperskyEmail.txt

I used leafpad to clean up a few lines that had extra data. If there were more than a handful, I would have written a sed or awk script to clean it up, but with just a few, it was just as quick to do it manually. I sorted it with the -d option to put them in alphabetical order then -u to get rid of any duplicates. More importantly, by looking at the email addresses, we can easily guess anyone’s email in the company because they follow the A quick LinkedIn search of people who work at Kaspersky would provide us with another list. Personally, I would remove Eugene Kaspersky from the list since he is the founder, but hey, do what you want. In a normal penetration test, most companies would ask to approve the list and remove or add people as they see fit. For reporting reasons, running a wc -l against this list once approved will give you the number of emails. From these three searches, we have 142 unique targets.

While in the list, it is always good to look through and remove any email that is generic or does not direct to an actual person. Examples would be or Also and more importantly, remove anything that will get you caught. I hate to say this, but do not attempt to phish spam@ or abuse@ addresses; if it does work, you probably get extra h4x0r cred, though.

Baiting the Hook

To figure out who to spoof, I went on LinkedIn and searched for IT Support in the United States for Kaspersky. I’ve redacted the person’s name, but it is plausible that this person would send out an email about a website,  and since the email will be in English, that shouldn’t be a huge red flag. Sending out an email from an employee in the Russian Federation written in English should raise questions. Writing it in English and attempting to emulate a translation from Russian may work, as well.

Spoofed From Account

Next, we need to identify a website to clone. We need a login on this page to spoof, so first we will use fierce to identify potential sub-domains.

root@kali:~/Desktop# fierce -dns

I looked through the fierce results and settled on for the page to be cloned. I like the simple page layout, so there are less chances for the clone to go wrong and log into a support page based on the title. VPN and Outlook Web Access (OWA) are normally my favorite pages, but occasionally, the clone needs to be massaged to make it look normal.

Next, let’s work on the Subject and Body of the email message.

Subject: Support Bot Login Page Test

All, We are testing the new login page for support bot at The old page had some certificate errors that prevented some users from reaching it so please let us know if this is still happening and also test that your password still works before the new systems goes live ( Let me know if you have any problems.


Spoofed IT Guy

Reading the email, we need to address a few things. First, is the certificate error that we get going to the real site? This is one of the many reasons why it is important to NOT train your users to click through certificate errors. Also, mixing a little bit of truth in with the lie helps to make it more effective.

Certificate Error

Second, ask them to log into the page and contact us if there are any errors. Because we will be using a spoofed email and not a fake email address, this adds a little bit of risk that someone will respond and either confuse the IT staff or alert them to the phishing campaign that is underway. Spend some time thinking and crafting the email message to work for the company you’re testing.

We will use SET to clone the website and harvest credentials. The ***** indicates that I’ve redacted the screen text and have only shown the option to choose.

root@kali:/opt/social-engineer-toolkit# setoolkit
Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

set> 1
Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules

99) Return back to the main menu.
set> 2
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

99) Return to Main Menu

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing: 

The address is either the local host (in this case) or the external interface of the server that will be hosting the cloned site. (NOTE: We are currently watching this thread; if a fix gets posted for the OpenSSL/PEM file issue, we will update this.)

[-] SET supports both HTTP and HTTPS
[-] Example:
set:webattack> Enter the url to clone:

[*] Cloning the website:
[*] This could take a little bit...
Python OpenSSL wasn't detected or PEM file not found, note that SSL compatibility will be affected.
Cloned Site

Real Site

If you wanted to add SSL support to improve the quality of the attack, SET absolutely supports it with a few changes. And will allow you to get free SSL certificates. I’ve highlighted the differences in the preceding images.

[*] Printing error: zipimporter() argument 1 must be string, not function

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below: - - [27/Apr/2017 16:11:47] "GET / HTTP/1.1" 200 -
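The harvester works because the cloned page keeps the look of the real login but its form now posts to the address entered above. Seen from the other side of the fence, that is also how a defender triages a reported phishing link: fetch the page in a sandbox and list every password form and where it actually sends credentials. The following is an added example of that check (my own illustration, not SET’s code and not from the original write-up) run on constructed HTML; support.example.com stands in for the organisation’s real login host and 192.0.2.10 for a hypothetical harvester address.

```python
"""Where does this login form send credentials?

Added example for this post (not SET's code and not from the original
write-up): the triage check a defender runs on a reported phishing page,
listing every form with a password field and where it posts. The HTML below
is constructed; support.example.com stands in for the organisation's real
login host and 192.0.2.10 for a hypothetical harvester address.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: a cloned login page as fetched from the harvester. The search
# form has no password field and is ignored; the login form posts over plain HTTP.
CLONED_PAGE = """
<html><head><title>Support Login</title></head><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="http://192.0.2.10/" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed: the genuine page, whose relative action resolves to its own HTTPS origin.
GENUINE_PAGE = """
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>
"""


class FormCollector(HTMLParser):
    """Record each <form>: resolved action URL, method, and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.page_url, attrs.get("action") or ""),
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url, legitimate_hosts):
    """One finding per password form; an empty reasons list means it looks legitimate."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(form["action"])
        reasons = []
        if target.hostname not in legitimate_hosts:
            reasons.append(f"credentials are posted to {target.hostname}, not a known login host")
        if target.scheme != "https":
            reasons.append(f"form submits over {target.scheme}, not https")
        if form["method"] != "post":
            reasons.append("form uses GET, so credentials land in URLs and server logs")
        findings.append({"action": form["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    ours = {"support.example.com"}
    print(audit_login_forms(CLONED_PAGE, "http://192.0.2.10/", ours))
    print(audit_login_forms(GENUINE_PAGE, "https://support.example.com/login", ours))
```

The point of passing in a set of known login hosts is the same reason password managers refuse to autofill on a clone: the page can copy the branding pixel for pixel, but it cannot make the form’s destination match an origin the organisation actually owns.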

Now, we send out bait and see who we can catch.

Set the Hook

We have used a couple of different email spoofing services and have recently settled on They work well, and they don’t get blacklisted by mail servers. It is a paid service, though, if you want premium features such as removing the tag line at the bottom or sending SMS messages. Below is a screen showing how to send messages in Sharpmail; there is an argument to be made that putting a few of the addresses together in the To: line would make it more believable, but for now, they are all in the BCC: line.

Sharpmail Example

Finally, we would send this email out and simply wait to see who got hooked.

SET has a nice live update when credentials are captured and also packages up a report at the end.

Live Output

HTML Report

From here it would depend on what the client requests. Do you use these credentials to attempt further exploitation or just produce the report? Your testing might be done, or you could have potentially generated a bunch of additional work for yourself.


I’ve conducted phishing campaigns at many different companies. Overall, I probably have a 10% success rate. Some were a little higher and some a little lower. That doesn’t sound too impressive, right? How many successes does it take to compromise a network? One. One user clicking on a link in an email exposes the entire network. So, for most companies, I got significantly more than that one success. How did I do it? More importantly, what tricks do I have up my sleeve that other penetration testers could steal? At almost every conference you will see a talk on some super sweet post-exploitation tool or privilege escalation technique; if you can talk to the speaker, 9 times out of 10 they gained initial network access through phishing. Phishing is the dirty pen testing secret that we all do but nobody wants to talk about because it isn’t nearly as cool as remote code execution.

Finding Targets

Generally, there are two methods for generating lists for phishing campaigns: either the client will provide you a list (which is boring) or you can find valid targets and get the list approved. Where can you find valid targets? I consider a valid target any email address already exposed on the internet.

  • Recon-ng
  • Linkedin
  • Pastebin
  • Google
  • FOCA
  • Web content

In the future, we will look at each of these methods in depth, but for now, let’s just assume you have a list.

Sending Emails

The FROM line in the address is just as important as the TO. Are you sending a fairly generic phishing email hoping to get a few clicks? If so, your success rate is going to be fairly low. For a company without security awareness training in place, this might be appropriate, but most tests are meant to be more sophisticated. I am going to show you how I make the sausage; fair warning, it isn’t pretty.

If you are going for a generic attempt without a spoofed email address, you can try to get an email address from any of the normal providers like Gmail or Outlook. Registering an email that looks at least semi-plausible will help. Outlook has a built-in limitation for new accounts to restrict the number of emails sent until the account ages or milestones are met (such as phone number verification). Also, filling in the display name and information to seem legitimate will increase the chance of success. CompanyHelpDesk@gmail is better than PhishingAttempt6@yahoo.

If you are allowed to spoof email addresses, a few better options are available. Setting up sendmail and sending everything through Social-Engineering Toolkit (SET) is a great option. Using a webmail service that allows spoofed emails is also a great option and protects your fixed IP from being banned for email abuse. It is also smart to pay the small fee that allows the footer to be removed. If you are performing a penetration test, it is the cost of doing business. I personally like using Sharpmail out of the UK but have used a couple other servers, as well. Sharpmail has SMS functionality, which I have used on assessments in the past.

Everyone has seen poorly crafted phishing emails signed Help Desk, so you need to step up your game and do some research. Find the company on Linkedin, and figure out who the IT person is. Getting an email from a help desk address signed Gary when employees know there is an IT person named Gary is way more convincing. The correct tone is important too, as a busy help desk person sending a curt email stating, ‘We are testing a new web server for email, can you log in and test it? -Gary’ is more believable than a two-paragraph, formal-sounding email. I rarely even hide my URL behind a link for the same reason; I wouldn’t do that as a systems administrator in a company, and I want my emails to be believable.

Some clients will also want you to get the email text and targets approved. I’ve had to add typos and dumb down my emails for clients who wanted to make it easier to be spotted. Those assessments are the best because you can almost guarantee success if even their employer thinks they are going to click on anything. Most of these assessments will come shortly after the company has been breached by a phishing attack.

Microsoft Outlook Web Access or a VPN login page are my two favorite sites to clone in SET. We will conduct a primer on SET soon, but for now, just know that I use the clone website function with the capture credentials module. I’ve used Browser Exploitation Framework (BeEF) in the past, but keeping it simple usually works better.

Now What?

The first time I was assigned a phishing campaign, I had no idea what to do. I fired up SET but didn’t have sendmail installed and configured. The client for that assessment wanted multiple tests done. Not only was it testing employee awareness, it was testing the email security appliance in place. Sendmail took me most of the day to get set up and start sending emails. Let’s just say that it did not go well; the appliance blocked all my spoofing attempts and having an included URL hidden behind link text tripped the heuristics, with the end result being the end users didn’t even get the attempts. Not only that, but because I worked from home, the IP I paid for from my ISP got blacklisted for sending spam.
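The appliance in that story was doing what a mail gateway is supposed to do: the spoofed From line did not match the envelope sender or pass authentication, and the link text did not match the href underneath it. As an added example (my own code, not from the original post and not part of SET or Sharpmail), here is what those checks look like on a raw message, pulling out From versus Return-Path, the SPF/DKIM/DMARC verdicts the receiving server records in Authentication-Results, and any link whose visible text names a different host than the one it points to. Both messages are constructed; example.com, relay.example.net and 192.0.2.10 are placeholders.

```python
"""Header and link checks for a suspected phishing email.

Added example for this post (not from the original write-up, not SET or
Sharpmail code). It extracts the signals a mail gateway weighs: a From domain
that differs from the envelope sender, failed SPF/DKIM/DMARC results, and
link text showing one host while the href points at another. Both messages
are constructed; example.com, relay.example.net and 192.0.2.10 are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: spoofed "IT Support" lure relayed through a third-party service,
# with the real destination hidden behind link text that looks like the company URL.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <it.support@example.com>
To: staff@example.com
Subject: Support Bot Login Page Test
Content-Type: text/html; charset="utf-8"

<html><body><p>All, please test the new login page at
<a href="http://192.0.2.10/login">https://support.example.com/login</a>
and let me know if you have any problems.</p></body></html>
"""

# Constructed: the same announcement sent legitimately from the company's own mail system.
GENUINE_MESSAGE = b"""Return-Path: <it.support@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT Support" <it.support@example.com>
To: staff@example.com
Subject: Support Bot Login Page Test
Content-Type: text/html; charset="utf-8"

<html><body><p>All, please test the new login page at
<a href="https://support.example.com/login">https://support.example.com/login</a>.</p></body></html>
"""

# Link text that itself looks like a URL or bare hostname ("https://host/path" or "host.tld").
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _domain(header_value):
    """Domain part of the first address in a header, lowercased (None if absent)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {return_path_domain}")
    reply_to_domain = _domain(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    # Authentication-Results is stamped by the receiving gateway; anything but "pass" is worth a look.
    auth_results = str(msg.get("Authentication-Results", ""))
    for mechanism, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results, re.I):
        if result.lower() != "pass":
            findings.append(f"{mechanism.lower()} result is {result.lower()}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = HOST_IN_TEXT.match(text)
            href_host = urlsplit(href).hostname
            if shown and href_host and shown.group(1).lower() != href_host:
                findings.append(f"link text shows {shown.group(1).lower()} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, analyze_message(raw) or ["no findings"])
```

Note that the Authentication-Results header is only trustworthy when it was written by your own receiving server; a gateway strips or ignores copies that arrive already present in the message, and this check assumes the same has been done upstream.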

What lessons did I learn? One, I rarely use my own sendmail account anymore. Two, I’ve gotten simpler in my messages. Three, I respond to replies. What? That’s right, when your login fails on the credential harvesting site I’ve created and you reply to the email complaining, I’ll tell you I’m working on it and that I will let you know when it’s fixed. Why? So that you don’t tell other people you’re having a problem and potentially prevent them from giving me their credentials. Sneaky right?

Reporting on phishing is simple; we normally produce a statistics-based report that shows how many credentials were gathered versus the number of emails sent. We avoid giving specific names, which clients always want, because it is normally a systemic issue, not a user issue. We have performed custom redirects, after credential harvesting, to a site that forces users to complete a short training on phishing awareness.

Pulling it All Together

Now that you have read this tradecraft on phishing, you may be asking, “what are the next steps?” Next, we are going to create some primers on setting up phishing campaigns using sendmail and Sharpmail and using SET to clone a website and harvest credentials. This simply gave you a glimpse into the mindset of how we think about attacks and some of the pitfalls encountered.