Phishing Assessment

Phishing Penetration Testing Checklist

• Reconnaissance and Information Gathering:

  • Tools:
    • OSINT Framework
    • Shodan
    • WHOIS lookup.
  • Commands:
    • WHOIS Lookup: whois target.com

• Phishing Payload Creation:

  • Tools:
    • GoPhish
    • Social-Engineer Toolkit (SET).
  • Commands:
    • Start GoPhish: gophish
    • Launch SET: setoolkit

• Email Spoofing and Crafting:

  • Tools: Email spoofing tools, email client.
  • Commands:
    • Use your preferred email client to craft and send phishing emails.

• Domain Spoofing:

  • Tools: Domain registration services.
  • Commands:
    • Register domains similar to the target organization's domain.

• Sending Phishing Emails:

  • Tools:
    • GoPhish
    • SET
    • SMTP servers.
  • Commands:
    • Use GoPhish for campaign management: gophish

• Credential Harvesting:

  • Tools:
    • GoPhish
    • Custom phishing pages.
  • Commands:
    • Create and host phishing landing pages.

• Reporting and Analysis:

  • Tools:
    • GoPhish
    • Email clients.
    • Wireshark.
  • Commands:
    • Monitor campaigns with GoPhish: gophish
    • Analyze captured data with Wireshark: wireshark

• Advanced Techniques:

  • Tools and Frameworks:
    • Evilginx2: Advanced phishing with 2FA bypass.
    • King Phisher: Phishing campaign toolkit.
    • Phishery: URL-based phishing toolkit.
  • Commands:
    • Launch Evilginx2: evilginx2
    • Use King Phisher: king-phisher

• Password Cracking:

  • Tools:
    • Hashcat: Password cracking tool.
  • Commands:
    • Use Hashcat: hashcat

• Post-Exploitation:

  • Tools and Frameworks:
    • Empire: Post-exploitation framework.
    • Metasploit: Penetration testing framework.
  • Commands:
    • Launch Empire: empire
    • Use Metasploit: msfconsole