Phishing, and particularly spear phishing, is a major security concern; however, it is often not taught in any detail on security courses. We have developed a framework in which students can attempt phishing attacks against a simulated company. On this VM the students find a website for a fictional company (with employee details), an e-mail client and common tools used for phishing. A script in the VM processes every e-mail sent by the student and uses rules to decide whether it is a realistic spear phishing e-mail. If the e-mail passes this test, any attached executable, or any macros in Office documents, will be run. Hence the students need to craft both a successful phishing e-mail and a payload. The VM is free to use; please e-mail me with any questions you might have.
- The framework VM can be found here. The password for the hacker account is "password".
- A 2-page description of the framework can be found here.
- A handout describing everything you need to know about creating phishing payloads for this exercise can be found here.
- A longer video with a detailed walkthrough of one of the phishing attacks can be found here.