This chapter covers phishing campaigns in penetration testing, a critical attack vector tested on the PT0-002 exam. You will learn the full lifecycle of a phishing campaign, from reconnaissance and payload creation to execution and post-exploitation. Approximately 15-20% of exam questions touch on social engineering and phishing, making this a high-yield topic. Mastering this chapter will help you design effective phishing tests and understand how to defend against them.
Phishing in penetration testing is analogous to a spearfisherman who studies his target fish. A generic phishing campaign is like casting a wide net into the ocean—you catch many fish, but many are undesirable or not your intended target. A spearfisherman, however, identifies a specific fish, learns its habits, its preferred hiding spots, and the bait it cannot resist. He then crafts a single, precise spear and waits for the perfect moment to strike. In the same way, a penetration tester conducting a phishing campaign studies the target organization. They gather intelligence from open-source research, social media, and corporate websites to understand the employees' roles, the software they use, and the internal jargon. They then craft a highly personalized email that appears to come from a trusted source, such as IT support or a colleague, using a realistic domain and relevant context. The email contains a malicious link or attachment that, when clicked, executes the payload. Just as the spearfisherman's success depends on his knowledge of the fish and the precision of his spear, the tester's success depends on the quality of reconnaissance and the believability of the phishing lure. A generic, poorly crafted email is easily spotted and ignored, while a well-researched, targeted email can bypass human defenses and technical filters, leading to a successful compromise.
What is Phishing in Penetration Testing?
Phishing is a social engineering attack where an attacker masquerades as a trusted entity to trick a target into performing an action, such as clicking a malicious link, opening an infected attachment, or providing sensitive information. In penetration testing, phishing is used to assess an organization's susceptibility to such attacks. The PT0-002 exam tests your ability to plan, execute, and report on phishing campaigns as part of a broader security assessment.
Types of Phishing
Spear Phishing: Targeted at specific individuals or organizations. Uses personalized information to increase credibility.
Whaling: Spear phishing targeting high-profile executives (the 'big fish'). Often uses legal or financial pretexts.
Vishing: Voice phishing over phone calls, often using VoIP spoofing.
Smishing: SMS phishing using text messages with malicious links.
Pharming: Redirecting users from legitimate websites to fake ones, often via DNS poisoning.
For PT0-002, the focus is on email-based phishing, especially spear phishing.
Phishing Campaign Lifecycle
1. Reconnaissance: Gather information about the target organization, employees, email formats, internal systems, and security controls. Use OSINT tools like theHarvester, Maltego, and social media scraping.
2. Infrastructure Setup: Set up a phishing domain that looks legitimate (e.g., using typosquatting or lookalike domains). Configure an SMTP server or use a phishing framework like GoPhish or SET (Social Engineering Toolkit). Obtain SSL/TLS certificates for HTTPS spoofing.
3. Payload Creation: Create the malicious link or attachment. Common payloads include:
- Malicious URL: Redirects to a credential harvesting page or a drive-by download.
- Malicious Attachment: Office macro, PDF with embedded script, or executable.
- Callback Phishing: Email with a phone number that leads to a vishing attack.
4. Email Crafting: Write the email body with a compelling pretext. Common pretexts include:
- IT security alert (e.g., "Your password will expire")
- HR notification (e.g., "Updated benefits package")
- Invoice or payment request (e.g., "Overdue invoice")
- Package delivery notification (e.g., "Missed delivery")
5. Sending Campaign: Deploy the emails using a bulk mailer or framework. Configure sending limits to avoid triggering spam filters. Use email spoofing techniques like Sender Policy Framework (SPF) bypass or subdomain takeover.
6. Monitoring and Tracking: Track opens, clicks, and credential submissions. Use embedded tracking pixels or unique URLs. Log all actions for the final report.
7. Post-Exploitation: If a user clicks, execute the payload to gain initial access. This may involve establishing a reverse shell, installing a backdoor, or harvesting credentials.
8. Reporting: Document the campaign details, success rate, and recommendations. Include metrics like open rate, click rate, and credential submission rate.
Key Components and Defaults
GoPhish: Open-source phishing framework. Default ports: 80 (HTTP), 443 (HTTPS), 3333 (admin interface). Default admin credentials: admin/gophish.
SET (Social Engineering Toolkit): Pre-installed on Kali Linux. Used for spear-phishing attacks with attack vectors like credential harvester or malicious macro.
SMTP Servers: Use Amazon SES, SendGrid, or a self-hosted Postfix server. Ensure proper DNS records (SPF, DKIM, DMARC) to avoid spam folders.
Domain TTL: Use domains with a TTL of 300 seconds or less for quick changes. Register domains at least 24 hours before sending to avoid reputation issues.
Email Headers: Analyze headers to detect spoofing. Look for Received-SPF: fail or DKIM: FAIL.
Configuration and Verification Commands
GoPhish Setup:
# Download and run GoPhish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
cd gophish-v0.12.1-linux-64bit
./gophish
Access the admin interface at https://<server_ip>:3333.
SET Spear Phishing Attack Vector:
# Launch SET
setoolkit
# Select Social-Engineering Attacks
1
# Select Spear-Phishing Attack Vectors
1
# Select Create a Payload and Listener
2
# Choose payload (e.g., Windows Reverse TCP Meterpreter)
1
# Set LHOST and LPORT
Email Header Analysis (Linux):
# Use swaks to send a test email
swaks --to target@example.com --from attacker@spoofed.com --header "Subject: Test" --body "Test" --server mail.attacker.com
# View headers on received email
grep -iE "Received|SPF|DKIM|DMARC|Authentication-Results" email.eml
How It Interacts with Related Technologies
SPF, DKIM, DMARC: Email authentication protocols that help prevent spoofing. Penetration testers often try to bypass these by using lookalike domains (e.g., rnicrosoft.com instead of microsoft.com) or by compromising a legitimate sender.
Web Proxies and Sandboxes: Used by organizations to inspect links and attachments. Testers must ensure their payloads evade detection by using URL shorteners, redirects, or encrypted payloads.
Multi-Factor Authentication (MFA): Credential harvesting alone may not be sufficient if MFA is enforced. Testers may use adversary-in-the-middle (AiTM) phishing kits that capture session cookies to bypass MFA.
Endpoint Detection and Response (EDR): Malicious macros or executables may be blocked. Testers may use living-off-the-land binaries (LOLBins) or fileless techniques.
Legal and Ethical Considerations
Always obtain written authorization before conducting phishing tests.
Define scope: which users, what type of emails, and acceptable hours.
Have a stop condition: if a user reports the email, cease sending to them.
Ensure no harm: avoid phishing for personal information or causing panic.
Follow rules of engagement (ROE) and obtain a signed agreement.
Common Metrics and Reporting
Open Rate: Percentage of users who opened the email.
Click Rate: Percentage of users who clicked the link.
Credential Submission Rate: Percentage who entered credentials.
Reporting Rate: Percentage who reported the phishing email to IT.
Time to Click: Average time from send to click.
Example report table:

| Metric | Value |
|--------|-------|
| Emails Sent | 500 |
| Emails Opened | 300 (60%) |
| Links Clicked | 150 (30%) |
| Credentials Submitted | 50 (10%) |
| Reported | 20 (4%) |
Advanced Techniques
Clone Phishing: Clone a legitimate email from a previous conversation and resend with malicious link.
Watering Hole Attack: Compromise a website frequently visited by target users.
Business Email Compromise (BEC): Impersonate a CEO or vendor to request wire transfers or sensitive data.
AI-Generated Phishing: Use ChatGPT or similar to write convincing emails with perfect grammar.
Detection and Defense
User awareness training: Regular simulated phishing tests.
Email filtering: Advanced spam filters with attachment sandboxing.
DMARC enforcement: Reject or quarantine emails failing authentication.
MFA: Reduces impact of credential theft.
Incident response: Clear process for reporting phishing.
PT0-002 Exam Focus
Know the difference between phishing, spear phishing, and whaling.
Understand the SET tool and its attack vectors.
Be able to identify email spoofing indicators (SPF fail, DKIM fail).
Know the legal requirements: signed authorization, scope, ROE.
Recognize common pretexts and how to craft them.
Understand metrics and reporting requirements.
Reconnaissance and Target Selection
Begin by gathering intelligence on the target organization. Use OSINT tools like theHarvester to collect email addresses, subdomains, and employee names. Check LinkedIn for employee roles and relationships. Identify key personnel such as IT staff, executives, and finance teams. Determine the email naming convention (e.g., first.last@company.com). Note any recent events (mergers, layoffs) that can be leveraged as pretext. Also, identify security controls like email filters, web proxies, and MFA. This step determines the success of the entire campaign.
Infrastructure Setup
Register a phishing domain that closely resembles the target's domain (e.g., using a common typo like 'rnicrosft.com' instead of 'microsoft.com'). Configure an SMTP server or use a phishing framework like GoPhish. Set up SSL/TLS certificates for HTTPS to avoid browser warnings. Configure DNS records: SPF, DKIM, and DMARC for the phishing domain to improve deliverability. Use a VPS with a clean IP reputation. Set up landing pages that mimic login portals or document download sites. All infrastructure should be ready before sending any emails.
Payload and Email Crafting
Create the malicious payload. For credential harvesting, set up a fake login page that captures usernames and passwords. For malware delivery, create a document with a malicious macro or a PDF with an embedded link. Write the email body using a convincing pretext. For example, an IT security notice: 'Your password will expire in 24 hours. Click here to reset.' Personalize the email with the recipient's name and relevant details. Ensure the email passes basic spam checks by avoiding trigger words like 'free' or 'urgent' in excess. Use a reputable sending IP and warm up the domain if possible.
Sending the Campaign
Use GoPhish or SET to send the emails. Configure sending limits (e.g., 10 emails per minute) to avoid being blacklisted. Set the from address to a spoofed domain or a lookalike. Enable open tracking via a transparent pixel. Use unique links for each recipient to track clicks. Schedule sends during business hours for realism. Monitor the sending process for bounces and adjust accordingly. If using SET, the tool will automatically set up a listener for reverse connections.
Monitoring and Post-Exploitation
Track the campaign in real-time. In GoPhish, view the dashboard for opens, clicks, and submitted data. If a user clicks and submits credentials, those are captured. If a payload executes, you gain a shell or backdoor. In SET, the listener provides a Meterpreter session. From here, enumerate the compromised system, escalate privileges, and pivot to other hosts. Document all actions for the final report. After the test, clean up any artifacts like dropped files or registry changes.
Reporting and Remediation
Compile a detailed report including: campaign objective, methodology, metrics (open rate, click rate, credential submission rate), list of compromised accounts, and screenshots. Highlight users who failed the test. Provide recommendations: security awareness training, email filtering improvements, MFA enforcement, and incident response enhancements. Include a timeline of events and any sensitive data accessed. The report should be delivered to the client in a clear, non-technical summary with technical appendices.
In my experience as a penetration tester, I have deployed phishing campaigns across various industries, each with unique challenges. One common scenario is testing a financial institution. These organizations typically have robust email filters and MFA, so we often use spear phishing targeting executives (whaling) with pretexts like 'SEC filing review' or 'Board meeting minutes.' We set up a lookalike domain, e.g., 'bankofamerica-secure.com', and clone the corporate login page. Despite MFA, we use an AiTM proxy to capture session cookies, allowing us to bypass authentication. The campaign achieved a 40% click rate and 15% credential submission, but MFA blocked most logins. However, the AiTM proxy captured 5 valid sessions, demonstrating the need for phishing-resistant MFA like FIDO2 keys.
Another scenario involved a healthcare provider. We used a pretext of 'Updated HIPAA compliance training' with a malicious macro embedded in a Word document. The email was sent to 200 employees. The open rate was 70%, but the click rate was only 10% because the attachment was blocked by the email sandbox. We had to switch to a link-based payload hosting a macro-enabled document on a compromised site. The second wave achieved 25% clicks and 5% successful macro execution, giving us initial access to the internal network. We then used PowerShell Empire to pivot and eventually exfiltrate patient data (simulated). The client was alarmed by the ease of lateral movement.
A third scenario was a university with a decentralized IT environment. We used a generic phishing campaign with a 'Campus Portal Update' link. The open rate was 80% and the click rate was 60%, but only 2% reported the email. This highlighted poor security awareness among students and staff. We recommended mandatory training and DMARC enforcement. The university's lack of SPF records allowed us to spoof the official domain easily. These real-world examples show that phishing campaigns are highly effective and that defenses must be layered and continuously tested.
The PT0-002 exam tests phishing campaigns under Objective 3.3 (Attacks, Exploits). You must know the following:
Types of Phishing: Be able to distinguish spear phishing (targeted), whaling (executives), vishing (voice), smishing (SMS), and pharming (DNS). The exam often presents a scenario and asks which type is being used.
Tools: SET is the most tested tool. Know its menu structure: Social-Engineering Attacks > Spear-Phishing Attack Vectors > Create a Payload and Listener. Also know GoPhish for campaign management.
Email Spoofing Indicators: The exam expects you to identify spoofed emails by analyzing headers. Look for Received-SPF: fail, DKIM: FAIL, and DMARC: fail. A common wrong answer is that a valid DKIM signature guarantees legitimacy – but it only proves that the signing domain vouched for the message and that the signed parts were not altered in transit, not that the signing domain is the one the recipient expects or that the message is safe.
Pretexts: Common pretexts include IT alerts, HR notifications, and package delivery. The exam may ask which pretext is most effective for a given target (e.g., finance department gets invoice requests).
Legal and Ethical: You must know that written authorization is required before testing. A common trap is that verbal approval is sufficient – it is not. Also, scope must be defined, and you must have a stop condition.
Metrics: The exam may ask for the definition of click rate (clicks/emails sent) or credential submission rate (submissions/clicks). Know the difference.
Bypassing MFA: The exam tests the concept of AiTM phishing. A common wrong answer is that MFA completely prevents credential theft – but AiTM captures session cookies, bypassing MFA.
Malicious Attachments: Know that macros are commonly used. The exam may ask which file type is most likely to contain a macro (e.g., .docm, .xlsm). Also, be aware of Living Off the Land (LOL) techniques like using PowerShell or WMI.
Domain Lookalikes: The exam tests typosquatting (e.g., 'g00gle.com') and homograph attacks (using Unicode characters that look like ASCII).
Reporting: The exam expects you to know that a phishing test report should include metrics, compromised accounts, and recommendations. A common wrong answer is that only successful compromises are reported – you must report all metrics, including those who reported the email.
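The detection side of the Domain Lookalikes point, as an added example (not code from the page or any named project): a small mail-gateway style check that reduces a sender's registrable domain to a "skeleton" so that typosquats such as rnicrosoft.com or g00gle.com and Unicode homographs collapse onto the protected brand name. The protected-domain list and the confusable tables are constructed for illustration; a production implementation would use the full Unicode confusables data and the Public Suffix List.

```python
"""Flag sender domains that impersonate a protected brand domain.

Added example; not from the page or any named project. It covers the two
lookalike classes the chapter names, typosquats (rnicrosoft.com, g00gle.com)
and Unicode homographs (Cyrillic or Greek letters that render like Latin
ones), using small hand-written confusable tables. Production tooling would
use the full Unicode confusables data and the Public Suffix List instead.
"""
import unicodedata

# Brands this (constructed) mail gateway protects.
PROTECTED_DOMAINS = ["microsoft.com", "google.com", "bank.example"]

# ASCII sequences that read like another letter in common fonts.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# A few Cyrillic/Greek letters that look identical to Latin ones.
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o",
}


def skeleton(label):
    """Reduce a domain label to a canonical form so confusable spellings collide."""
    label = label.lower()
    if label.startswith("xn--"):  # punycode-encoded IDN label
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))  # drop accents
    label = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in label)
    for seq, repl in ASCII_CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def edit_distance(a, b):
    """Levenshtein distance, for near-miss typos such as microsofts.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Registrable domain approximated as the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (flagged, reason). Real subdomains of a protected domain are not flagged."""
    reg = registrable(domain)
    if reg in protected:
        return False, ""
    label, _, tld = reg.partition(".")
    sk = skeleton(label)
    for p in protected:
        p_label, _, p_tld = p.partition(".")
        p_sk = skeleton(p_label)
        if sk == p_sk:
            return True, f"confusable with {p}"
        if tld == p_tld and edit_distance(sk, p_sk) <= max_distance:
            return True, f"within edit distance {max_distance} of {p}"
        if tld == p_tld and p_label in sk.split("-"):
            return True, f"brand label of {p} padded with extra words"
    return False, ""


if __name__ == "__main__":
    # Constructed sender domains as they might appear in a mail log.
    samples = ["login.microsoft.com", "rnicrosoft.com", "g00gle.com", "microsofts.com",
               "bank-secure.example", "micr\u043esoft.com", "example.org"]
    for d in samples:
        flagged, why = is_lookalike(d)
        print(f"{d!s:24} {'LOOKALIKE' if flagged else 'ok':10} {why}")
```

The skeleton step is what catches both exam cases at once: "rn" and "0" are rewritten before comparison, and a punycode label is decoded first so a Cyrillic "о" is mapped the same way as an ASCII "0". The edit-distance and brand-padding rules are deliberately conservative (distance 1, same TLD) because they generate the most false positives in practice.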
To eliminate wrong answers, focus on the mechanism. For example, if a question says 'SPF check passed' but the email is spoofed, remember that SPF only checks the envelope sender (the SMTP MAIL FROM / Return-Path), not the header From that the user sees. If the attacker uses a legitimate domain they control, SPF can pass. Always consider the attack surface and the specific control being tested.
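The mechanism in the paragraph above, together with the Email Headers component and the header-analysis commands earlier in the chapter, is easier to see in code. The following script is an added example (not code from the page, GoPhish or SET): it reads a raw message, takes the SPF and DKIM results from the Authentication-Results header, and applies the DMARC alignment rule, which is what turns a "pass" for an attacker-controlled envelope domain into a failure against the header From. The messages, header values and DMARC records are constructed; names under .example are placeholders, no DNS is queried, no signature is verified, and the organizational domain is approximated as the last two labels.

```python
"""Evaluate SPF, DKIM and DMARC alignment for a raw email message.

Added example; not code from the page, GoPhish or SET. Messages, header
values and DMARC records are constructed so this runs offline: no DNS
queries, no signature verification. Alignment is "relaxed" (organizational
domain), approximated here as the last two labels of a domain.
"""
import email
import re
from email.utils import parseaddr

# Constructed spoof attempt: the envelope sender (Return-Path) belongs to a
# domain the sender controls, so SPF and DKIM pass for *that* domain, while
# the visible From: header claims bank.example.
SPOOFED_EML = """\
Return-Path: <bounce@mail-attacker.example>
Received-SPF: pass (mx.example.net: domain of bounce@mail-attacker.example designates 203.0.113.5 as permitted sender)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-attacker.example; dkim=pass header.d=mail-attacker.example
DKIM-Signature: v=1; a=rsa-sha256; d=mail-attacker.example; s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: IT Support <helpdesk@bank.example>
To: user@example.net
Subject: Your password will expire in 24 hours

Click here to reset.
"""

# Constructed legitimate message: envelope domain and DKIM d= match From:.
LEGIT_EML = """\
Return-Path: <helpdesk@bank.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: IT Support <helpdesk@bank.example>
To: user@example.net
Subject: Scheduled maintenance window

No action is required.
"""

# spf=<result> ... smtp.mailfrom=<domain>   /   dkim=<result> ... header.d=<domain>
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)(?:[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+))?", re.I)


def org_domain(domain):
    """Organizational domain, approximated as the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Map 'spf'/'dkim' to (result, authenticated domain) from Authentication-Results."""
    return {m.group(1).lower(): (m.group(2).lower(), (m.group(3) or "").lower())
            for m in AUTH_RE.finditer(value or "")}


def parse_dmarc_record(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into its tags."""
    return {k.strip(): v.strip()
            for k, v in (tag.split("=", 1) for tag in record.split(";") if "=" in tag)}


def evaluate(raw_message, dmarc_record):
    """Return the authentication picture a DMARC-aware receiver would derive."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    spf_result, spf_domain = auth.get("spf", ("none", envelope_domain))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    # SPF checks only the envelope sender; DMARC adds the requirement that an
    # authenticated domain *aligns* with the From: domain the user actually sees.
    spf_aligned = spf_result == "pass" and org_domain(spf_domain or envelope_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and dkim_domain != "" and org_domain(dkim_domain) == org_domain(from_domain)
    dmarc_pass = spf_aligned or dkim_aligned
    policy = parse_dmarc_record(dmarc_record).get("p", "none")
    # p=none means monitor only: a failing message is still delivered.
    disposition = "deliver" if dmarc_pass else {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {
        "from_domain": from_domain, "envelope_domain": envelope_domain,
        "spf_result": spf_result, "spf_aligned": spf_aligned,
        "dkim_result": dkim_result, "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        "policy": policy, "disposition": disposition,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_EML), ("legitimate", LEGIT_EML)):
        for record in ("v=DMARC1; p=reject", "v=DMARC1; p=none"):
            r = evaluate(raw, record)
            print(f"{name:11} {record:20} spf={r['spf_result']}/aligned={r['spf_aligned']} "
                  f"dkim={r['dkim_result']}/aligned={r['dkim_aligned']} dmarc={r['dmarc']} -> {r['disposition']}")
```

Running it shows the exam point directly: the spoofed message has spf=pass and dkim=pass, yet both are for mail-attacker.example, so neither aligns with bank.example and DMARC fails; whether that failure becomes a reject, a quarantine or a delivery then depends entirely on the p= tag the From domain publishes, which is why p=none offers no protection against this pattern.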
Phishing is a social engineering attack that can be executed via email, voice, SMS, or physical media.
Spear phishing is targeted and uses personalized information; whaling targets executives.
SET (Social Engineering Toolkit) and GoPhish are the primary tools for phishing campaigns in penetration testing.
Email spoofing can be detected by analyzing headers for SPF, DKIM, and DMARC failures.
MFA can be bypassed using adversary-in-the-middle (AiTM) phishing kits that capture session cookies.
Written authorization is required before conducting any phishing test; verbal approval is insufficient.
Common phishing metrics include open rate, click rate, credential submission rate, and reporting rate.
Common pretexts include IT security alerts, HR updates, invoice requests, and package delivery notifications.
Macro-enabled documents (.docm, .xlsm) are common payloads for malware delivery phishing.
Phishing campaigns should include a stop condition and a clear reporting mechanism for users.
These come up on the exam all the time. Here's how to tell them apart.
Spear Phishing
Targets specific individuals or groups
Uses personalized information from OSINT
Higher success rate but more effort
Often uses social media research
Example: Email to CFO about 'urgent wire transfer'
Generic Phishing
Sent to large numbers of recipients
Uses generic templates (e.g., 'Your account is compromised')
Lower success rate but less effort
May rely on spam-like tactics
Example: 'You won a gift card' email
Credential Harvesting Phishing
Goal: steal usernames and passwords
Payload: fake login page
Often uses link to phishing site
Bypass MFA with AiTM proxy
Example: 'Verify your account' email
Malware Delivery Phishing
Goal: install malware on victim's system
Payload: malicious attachment or drive-by download
Often uses macro-enabled documents
May use exploits or social engineering to execute
Example: 'Invoice attached' email with .docm
Mistake
Phishing only involves email.
Correct
Phishing can occur via email, voice (vishing), SMS (smishing), social media, and even physical media (USB drops). PT0-002 tests all these vectors.
Mistake
A valid SSL certificate means the website is legitimate.
Correct
SSL/TLS only encrypts the connection and proves that the site controls the domain name in the certificate; it does not verify that the site is legitimate or the one the user expects. Attackers can get free certificates for lookalike domains via Let's Encrypt.
Mistake
SPF and DKIM always prevent email spoofing.
Correct
SPF and DKIM reduce spoofing but are not foolproof. Attackers can use lookalike domains that pass SPF/DKIM for their own domain. DMARC with p=reject is more effective but still bypassable with subdomain attacks.
Mistake
MFA completely stops credential theft.
Correct
MFA can be bypassed using adversary-in-the-middle (AiTM) phishing kits that capture session cookies. The attacker uses the cookie to authenticate without needing the second factor.
Mistake
Phishing tests do not require written authorization.
Correct
Written authorization is mandatory. Verbal approval is insufficient. The scope, rules of engagement, and stop conditions must be documented and signed.
Spear phishing is a targeted phishing attack aimed at a specific individual or group, using personalized information to increase credibility. Whaling is a type of spear phishing that specifically targets high-profile individuals within an organization, such as CEOs, CFOs, or other executives. The key difference is the target's status: whaling focuses on 'big fish' (hence the name). For the PT0-002 exam, remember that whaling is a subset of spear phishing, and the pretext often involves legal, financial, or confidential matters that an executive would handle.
To bypass SPF, use a domain you control and set up SPF to allow your sending server. For DKIM, sign your emails with your own domain's private key. For DMARC, ensure your domain's policy is not set to reject; many domains have p=none. Alternatively, use a lookalike domain (e.g., 'rnicrosoft.com') that has no SPF/DKIM/DMARC records, so checks are not performed. Another technique is to compromise a legitimate email account or use a subdomain of a trusted domain that lacks DMARC enforcement. On the exam, know that SPF only checks the envelope sender, not the header from, so you can spoof the header from while using a legitimate envelope sender.
The best pretext is one that aligns with their daily responsibilities. For finance, common pretexts include: 'Overdue invoice from a vendor', 'Payment confirmation required', 'Updated vendor payment details', or 'Direct deposit change request'. These emails appear urgent and relevant. For the PT0-002 exam, you may be given a scenario and asked to choose the most effective pretext. Look for options that reference financial transactions, vendor relationships, or payroll. Avoid generic pretexts like 'Your password will expire' for finance, as they are less convincing.
An AiTM phishing kit is a tool that acts as a proxy between the victim and the legitimate login page. When the victim enters their credentials and MFA code, the proxy forwards them to the real site and captures the session cookie returned. The attacker can then use that cookie to access the victim's account without needing the password or MFA again. This bypasses traditional MFA. For the exam, remember that AiTM is a common technique to defeat MFA and that it requires a sophisticated setup with a reverse proxy.
Key metrics include: open rate (emails opened / emails sent), click rate (links clicked / emails sent), credential submission rate (credentials submitted / emails sent, or sometimes credentials submitted / links clicked), and reporting rate (users who reported the email / emails sent). Also track time-to-click and time-to-report. For the PT0-002 exam, be able to calculate these metrics from given numbers. A successful campaign typically has a high click rate and low reporting rate. The report should include all metrics, not just successful compromises.
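As an added worked example (not code from the page or GoPhish), the script below computes these rates from per-recipient event records and renders the same table the chapter shows earlier. The events are constructed so the counts reproduce 500 sent, 300 opened, 150 clicked, 50 submitted and 20 reported, and both denominators for the credential submission rate are produced side by side so a report can state which one it used.

```python
"""Phishing-simulation metrics from per-recipient event records.

Added example; not taken from the page, GoPhish or SET. The event records
are constructed so the numbers reproduce the chapter's report table
(500 sent, 300 opened, 150 clicked, 50 submitted, 20 reported).
"""
from datetime import datetime, timedelta


def make_sample_events(sent=500, opened=300, clicked=150, submitted=50, reported=20):
    """Constructed campaign timeline. Recipient addresses are numbered
    placeholders; reporters are drawn from users who opened but did not click."""
    t0 = datetime(2024, 1, 15, 9, 0)
    events = []
    for i in range(sent):
        e = {"recipient": f"user{i:03d}@example.test", "sent_at": t0}
        if i < opened:
            e["opened_at"] = t0 + timedelta(minutes=5 + i % 30)
        if i < clicked:
            e["clicked_at"] = t0 + timedelta(minutes=10 + i % 60)
        if i < submitted:
            e["submitted_at"] = t0 + timedelta(minutes=12 + i % 60)
        if clicked <= i < clicked + reported:
            e["reported_at"] = t0 + timedelta(minutes=8 + (i - clicked))
        events.append(e)
    return events


def _rate(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def _mean_minutes(events, key):
    """Mean minutes from send to the given event, or None if nobody reached it."""
    deltas = [(e[key] - e["sent_at"]).total_seconds() / 60 for e in events if key in e]
    return round(sum(deltas) / len(deltas), 1) if deltas else None


def campaign_metrics(events):
    """Counts and rates as they would appear in a phishing-test report."""
    sent = len(events)
    counts = {k: sum(f"{k}_at" in e for e in events)
              for k in ("opened", "clicked", "submitted", "reported")}
    return {
        "emails_sent": sent,
        **counts,
        "open_rate": _rate(counts["opened"], sent),
        "click_rate": _rate(counts["clicked"], sent),
        # both denominators appear in reports; state which one you used
        "submission_rate_of_sent": _rate(counts["submitted"], sent),
        "submission_rate_of_clicks": _rate(counts["submitted"], counts["clicked"]),
        "reporting_rate": _rate(counts["reported"], sent),
        "mean_time_to_click_min": _mean_minutes(events, "clicked_at"),
        "mean_time_to_report_min": _mean_minutes(events, "reported_at"),
    }


def report_table(metrics):
    """Render the summary table in the same layout as the chapter's example report."""
    rows = [
        ("Emails Sent", f"{metrics['emails_sent']}"),
        ("Emails Opened", f"{metrics['opened']} ({metrics['open_rate']:.0f}%)"),
        ("Links Clicked", f"{metrics['clicked']} ({metrics['click_rate']:.0f}%)"),
        ("Credentials Submitted", f"{metrics['submitted']} ({metrics['submission_rate_of_sent']:.0f}%)"),
        ("Reported", f"{metrics['reported']} ({metrics['reporting_rate']:.0f}%)"),
    ]
    return "\n".join(["| Metric | Value |", "|--------|-------|"] + [f"| {k} | {v} |" for k, v in rows])


if __name__ == "__main__":
    m = campaign_metrics(make_sample_events())
    print(report_table(m))
    print(f"submission rate of clicks: {m['submission_rate_of_clicks']}%")
    print(f"mean time to click: {m['mean_time_to_click_min']} min, "
          f"mean time to report: {m['mean_time_to_report_min']} min")
```

The time-to-report figure is the one defenders care about most: a short mean time to report with a low reporting rate says the few people who noticed did so quickly, which is a different training problem from a campaign where nobody reports at all.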
You must have written authorization from the client that specifies the scope, rules of engagement, and stop conditions. The test must not cause harm, such as deleting data or causing a denial of service. You should have a clear process for users to report phishing and a way to stop the campaign if requested. For the PT0-002 exam, remember that verbal approval is not acceptable; a signed agreement is required. Also, ensure you comply with relevant laws like the Computer Fraud and Abuse Act (CFAA) in the US or similar in other jurisdictions.
A phishing campaign is a specific type of social engineering attack that can be part of a broader penetration test. A penetration test is a full-scale security assessment that includes vulnerability scanning, exploitation, and reporting across all attack vectors. Phishing is just one method to gain initial access. On the PT0-002 exam, phishing is covered under Objective 3.3 (Attacks, Exploits), while penetration testing methodology is covered in other domains. Understand that phishing is a tool used during the exploitation phase.