The Pentesting Guide

Phishing Evaluation

Introduction

After a phishing campaign has been completed, it is time to deliver the collected data to the customer. Furthermore, most customers need a grade in order to explain to their superiors how bad the results have been.

Thus, you must provide your customers with an objective result based on a comprehensive analysis of the phishing campaign's outcomes.

Result analysis

First, let's assign a value to each of the actions that GoPhish records.

Phishing action                           Value
Open the email                            1
Click on the email link                   3
Write credentials on the phishing page    5

Then, compute the highest value achievable in the phishing campaign and derive the set of intervals into which the grades are divided.

The maximum score is obtained with the following formula:

$MaximumScore = NumEmailsSent \times \sum ScoreOfEachAction = NumEmailsSent \times 8$

After that, assign the percentage of victims that corresponds to each grade, as shown in this table:

Business Size (BS) / Intervals   100000 Employees   10000 Employees   1000 Employees   100 Employees   10 Employees
Excellent                        0.20%              1%                1%               1%              10%
Acceptable                       0.35%              1.5%              3%               5%              20%
Improvable                       0.5%               5%                5%               10%             30%
Unsatisfactory                   1%                 10%               15%              20%             40%

Each value is the maximum percentage of employees who may complete every action in the phishing campaign for the company to obtain that security level.

For example, a company with between 1,000 and 10,000 employees must have at most 1% of its employees completing all actions to be considered to have an excellent level of security.

After that, the intervals are determined as follows (each interval is half-open, including its lower bound and excluding its upper bound, except the last one):

Level            Interval
Excellent        [0, MaxScore*BS[Excellent])
Acceptable       [MaxScore*BS[Excellent], MaxScore*BS[Acceptable])
Improvable       [MaxScore*BS[Acceptable], MaxScore*BS[Improvable])
Unsatisfactory   [MaxScore*BS[Improvable], MaxScore*BS[Unsatisfactory])
Deficient        [MaxScore*BS[Unsatisfactory], MaxScore]

The score of the phishing campaign is calculated with the following formula:

$PhishingScore = \sum_{Phishing\ Actions} (ActionValue \times NumberOfVictims)$

Finally, you only have to relate the score to the interval to obtain the grade.
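As an added example (not the guide's own code or spreadsheet), the following Python script implements the grading procedure end to end: the action values from the first table, the maximum score, the business-size thresholds, the half-open intervals and the final lookup of the score in its interval. It derives the per-email maximum by summing the action values from the table (1 + 3 + 5 = 9) rather than hardcoding a constant, and it assumes, since the page does not say, that a head count maps to the largest table column that does not exceed it (so 1,000 to 9,999 employees use the 1000 column). The campaign figures in the `__main__` block are constructed, not real results.

```python
"""Phishing-campaign grading following the action values, business-size
thresholds and interval scheme described above. Added example code; the
sample campaign numbers at the bottom are constructed, not real results."""

# Points per phishing action, as in the page's first table.
ACTION_VALUES = {
    "opened": 1,      # Open the email
    "clicked": 3,     # Click on the email link
    "submitted": 5,   # Write credentials on the phishing page
}

# Levels from best to worst. "Deficient" has no percentage of its own: it
# covers everything from the Unsatisfactory threshold up to MaxScore.
LEVELS = ["Excellent", "Acceptable", "Improvable", "Unsatisfactory"]

# Maximum share of employees completing every action, per business size.
# Keys are the employee counts heading the page's table columns.
BS_TABLE = {
    100000: {"Excellent": 0.0020, "Acceptable": 0.0035, "Improvable": 0.005, "Unsatisfactory": 0.01},
    10000:  {"Excellent": 0.01,   "Acceptable": 0.015,  "Improvable": 0.05,  "Unsatisfactory": 0.10},
    1000:   {"Excellent": 0.01,   "Acceptable": 0.03,   "Improvable": 0.05,  "Unsatisfactory": 0.15},
    100:    {"Excellent": 0.01,   "Acceptable": 0.05,   "Improvable": 0.10,  "Unsatisfactory": 0.20},
    10:     {"Excellent": 0.10,   "Acceptable": 0.20,   "Improvable": 0.30,  "Unsatisfactory": 0.40},
}


def business_size_column(employees: int) -> int:
    """Pick the table column for a head count. Assumption (not stated on the
    page): use the largest column size that does not exceed the head count;
    anything below 10 employees falls back to the 10 column."""
    candidates = [size for size in BS_TABLE if size <= employees]
    return max(candidates) if candidates else min(BS_TABLE)


def maximum_score(num_emails_sent: int) -> int:
    """MaximumScore = NumEmailsSent * (sum of all action values)."""
    return num_emails_sent * sum(ACTION_VALUES.values())


def phishing_score(victims: dict) -> int:
    """PhishingScore = sum over actions of ActionValue * NumberOfVictims.
    Unknown action names are rejected instead of being silently ignored."""
    unknown = set(victims) - set(ACTION_VALUES)
    if unknown:
        raise ValueError(f"unknown phishing actions: {sorted(unknown)}")
    return sum(ACTION_VALUES[a] * victims.get(a, 0) for a in ACTION_VALUES)


def intervals(num_emails_sent: int, employees: int) -> list:
    """Half-open [lower, upper) score intervals per level, followed by the
    closed Deficient interval [MaxScore*BS[Unsatisfactory], MaxScore]."""
    max_score = maximum_score(num_emails_sent)
    thresholds = BS_TABLE[business_size_column(employees)]
    result, lower = [], 0.0
    for level in LEVELS:
        upper = max_score * thresholds[level]
        result.append((level, lower, upper))
        lower = upper
    result.append(("Deficient", lower, float(max_score)))
    return result


def grade(num_emails_sent: int, employees: int, victims: dict) -> str:
    """Relate the campaign score to the interval that contains it."""
    # Sanity check: no action can have more victims than emails sent.
    if any(count > num_emails_sent for count in victims.values()):
        raise ValueError("victim count exceeds the number of emails sent")
    score = phishing_score(victims)
    for level, lower, upper in intervals(num_emails_sent, employees):
        if lower <= score < upper:
            return level
    return "Deficient"  # score == MaxScore sits on the closed upper bound


if __name__ == "__main__":
    # Constructed campaign: 1000 emails to a 1000-employee company.
    sample = {"opened": 300, "clicked": 40, "submitted": 5}
    print("MaxScore:", maximum_score(1000))        # 9000
    print("Score:   ", phishing_score(sample))     # 445
    for level, lo, hi in intervals(1000, 1000):
        print(f"{level:15s} [{lo:8.1f}, {hi:8.1f})")
    print("Grade:   ", grade(1000, 1000, sample))  # Improvable
```

Note that a recipient who submits credentials necessarily opened and clicked as well, so the same person contributes to all three action counts; that is why the maximum is the number of emails times the sum of the action values, and why the thresholds are expressed as a share of the employees who complete every action.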

Phishing Evaluation Template

Because this explanation may have been a bit complicated to implement, I have prepared a spreadsheet for you to play around with.

Last updated 1 year ago

Attachment: Phishing_score_calculator.ods (39KB)