Josh Perrymon, myself and a few others are working on a spear phishing toolkit to be released at OWASP NYC later this week. Lunker will be available through OWASP and is a collaboration between the Raleigh NC and Alabama OWASP Chapters.

This Spear Phishing toolkit allows a pen tester (or an organization) to actively target an organization’s email users via a variety of payloads. This toolkit is a full point and click exploit via email and in our testing has been extremely successful.

We have seen some commercial apps like this (phishme.com), but none with the Metasploit-like payload delivery mechanism.

This tool will also provide an email and directory brute-forcer as well as some passive assessment tools to further allow the attacker/pen tester/internal auditor to examine the response from their network/users.

UPDATE: Due to early testing we have delayed the public release of this toolkit. We have decided to release a “slimmer” version of Lunker which is basically a framework only, rather than a full turnkey solution (for the meantime) and should be available soon. Check back for updates.