Lunker Spear Phishing Toolkit

September 22nd, 2008

Filed under: General — donwalrus @ 8:46 pm

Josh Perrymon, a few others and I are working on a spear phishing toolkit to be released at OWASP NYC later this week. Lunker will be available through OWASP and is a collaboration between the Raleigh, NC and Alabama OWASP Chapters.

This spear phishing toolkit allows a pen tester (or an organization) to actively target an organization’s email users via a variety of payloads. This toolkit is a full point-and-click exploit via email and in our testing has been extremely successful.

We have seen some commercial apps like this (phishme.com), but none with the Metasploit-like payload delivery mechanism.

This tool will also provide an email and directory brute-forcer as well as some passive assessment tools to further allow the attacker/pen tester/internal auditor to examine the response from their network/users.

UPDATE: Due to early testing we have delayed the public release of this toolkit. We have decided to release a “slimmer” version of Lunker which is basically a framework only, rather than a full turnkey solution (for the meantime) and should be available soon. Check back for updates.

9 Comments »

  1. I have several clients asking for this exact tool set. Very nice.

    Comment by Outlaw Josey Wales — September 23, 2008 @ 10:28 am

  2. Hi, has this tool come out yet? I cannot seem to find it on the OWASP website.

    many thanks

    Comment by cellmast — October 18, 2008 @ 5:25 am

  3. Well during our initial testing we found that this could be a very heavily abused tool, so we are revamping the current release to be less of a turn-key solution and more of a framework to build your own spear-phishing kit.

    It may be another month or 2 before we release a public version.

    Comment by donwalrus — October 22, 2008 @ 11:01 am

  4. Is it possible for an IT security manager at a well-established and respected global company to get access to the tool? We were initially vetting the commercial solution, Phishme, but have become more interested in the Lunker capabilities. Could we discuss? Thanks.

    Comment by IR Manager — October 23, 2008 @ 3:30 pm

  5. We could certainly discuss that. Initially, Lunker was developed as an OWASP tool (collaboratively between the North Carolina and Alabama chapters), so we were planning on releasing it via that venue.

    We may still do that, but we plan to release the framework only, rather than a turn-key solution as initially anticipated.

    I would anticipate a “ready-for-production” release to be available within the next 2 months that will be individually distributed, as opposed to being generally available to the public.

    Comment by donwalrus — October 24, 2008 @ 10:08 am

  6. [...] Read More at hackyourself.net [...]

    Pingback by Paul Hite » Spear Phishing Toolkit Deemed Too Dangerous for the Public — November 9, 2008 @ 12:00 pm

  7. Hi,
    What’s the current status of the project? I couldn’t find it over at http://www.owasp.org. Thanks.

    Comment by Mathew Brown — October 11, 2009 @ 8:01 am

  8. The open source project was abandoned based on how successful of an attack framework it was. If you want the down and dirty manual replication process, I’ll be happy to share offline…amazingly simple

    Comment by donwalrus — October 11, 2009 @ 7:04 pm

  9. I’ll see if I can put together a 5-min intro and the basic PHP scripts required to get this up and running quickly. I can’t make any promises on when I will be able to do that, unfortunately, as this is the busy time of the year for me.

    Comment by donwalrus — November 3, 2009 @ 1:00 pm




© 2008-2010 hackyourself.net
Part of the InfoSec Island™ Network