So how do you go about performing a phishing attack during a pentest? Well, it depends on the scope of the pentest and whether or not you are allowed to actively compromise the user's station via client-side exploits or not. Do all you want to do is gather data on how many users clicked the links or how many submitted data? Do you want to capture that data? Usernames? Passwords? These are questions that a will be answered during scoping calls and meetings with the company in question.
What is the advantage of attacking the users? We know we'll gain access through at least one of them. Well, firstly, it's a becoming a more and more valid and acceptable attack vector both for pentesters and malicious attackers alike.
The information gathered can be used to show the organization the importance of user awareness training and education on security issues such as phishing, pharming, viruses and malware. It can be used to stress the importance of the end user in the protection of the organization's intellectual property and their own personal information.
We'll take the Social Engineering approach of the malicious email arriving in the user's inbox. Let's consider what is required to develop the phish and get it into the user's inbox. What the link contains is up to you. It could be a site requiring the user to sync their passwords or it could be a link to a client-side exploit from Metasploit.
First you need to harvest emails for your targeted phish. A tool like harvester.py from http://www.edge-security.com/soft.php is a good choice. This tool will scrape google and msn for emails based on the domain name provided. Addtionally, search the company website as it may have an employee directory with all the user information and email addresses that you need. Remember that the more information you have about the users, the more legitimate you can make your phishing emial.
Once you have you email list the next step is to craft an email that is going to look believable to an employee of the company. Research the company, what do they do? Is there a generic 'firstname.lastname@example.org' you can spoof? Do they have a mail server that allows relaying? If not use your own. The site you direct them to should also mimick their own branding and image and appearance as much as possible. Crafting the email in HTML allows you to obfuscate the url by 'hiding' it with a legitimate looking address. Encode the hidden URL or register another domain that is similar to the target company's as an added step to make the phish look realistic.
The next step is to send the email itself. I personally prefer not to send out hundreds of emails myself so I wrote a simple perl script to do this for me. It takes a text file that contains the employee emails as an argument. It also can be configured to slow down the sending of emails. Perhaps the target company has a mail/anti-spam gateway that has thresholding set up to prevent too many emails arriving from the same sending mail server in too short a period of time.
This script will need to be modified depending on the format of the email addresses. This example uses email addresses in the following format: email@example.com. The script parses each email and extracts the user's first name to add to the email as well. Make it look legitimate. I have added some HTML content for the body of the email. Edit this to suit your attack.
The script can be downloaded at mailer.pl
Depending on what your goal for the phish is just sit back and wait for the user data to roll in or for the shells to appear in Metasploit. The results are sometimes pretty astonishing or perhaps they should be expected. :)