Review Your Findings

When you start the campaign, the campaign status changes from “launchable” to “running.” This status indicates that phishing emails have been sent and the web page is online and accessible to any human target that can reach the Metasploit Pro instance.

What does the campaign report on?

The campaign reports on the number of recipients who opened the spoofed email, clicked on the web page link, submitted data, and the number of sessions the campaign was able to open.

Metasploit Pro tracks the human target after they open the email, which contains a tracking GIF that alerts the campaign when an email is opened. When the human target clicks on the link provided in the email and visits the spoofed web page, a cookie is set in order to accurately track the future actions taken by the human target.

You will see the statistics for each stage of the campaign update in real-time from the Campaign Findings window. Phishing campaigns in Metasploit Pro go through four different states from start to finish:

  1. You've sent the emails to your human targets.
  2. The human targets have opened the emails.
  3. The human targets have clicked on links.
  4. The human targets have submitted the form.

Targets

The leftmost bubble represents the number of targets that were sent emails. All of your targets are in this state once you launch your campaign. From there, each human target can enter subsequent states based on their interactions with the phishing email and the landing page.

ANONYMOUS Targets

A target will show as having an "ANONYMOUS" email address, first name, and last name if they interact with the link without having the cookie. Some ways a human target can do this is by providing the link to someone, using an ad blocker or opening the link on a different device.

Emails Opened

The second bubble from the left represents the number of targets who have already opened the email they received.

Tracking the number of human targets who have opened your email is tricky. Metasploit Pro embeds a single-pixel image in each email as a unique identifier. If your target's email client doesn't automatically download images, this identifier will only be tracked if the target chooses to manually download the image. So, it's possible for a target to open the email without triggering the tracking mechanism, so this number may not always be accurate.

Links Clicked

The next bubble represents the number of targets who have clicked on the link embedded in the email.

The number of recipients that click the link in the email should be accurate, because Metasploit uses cookies to track which targets have clicked the link. Using cookies means that a unique identifier for each human target is added to the end of the URL, such as http://10.20.44.174:8080/amazing88?d=E%2Bv0mBPr9LjLg68Ht. However, the stats on the “Campaign Facts” page might get thrown off if a target removes the cookie and directly connects to the root URL. In our previous example, this would be http://10.20.44.174:8080/amazing88.

Form Submissions

The rightmost bubble represents the number of targets who have submitted their credentials through the login page.

Metasploit uses the same cookie to track which targets have submitted the form, so the same caveat about a target connecting to the root URL applies to the accuracy of this stat.

Viewing Data Submitted

From the “Campaign Findings” page, click on a stat bubble.

When the list of human targets appears, click on an email address to open the history page for that human target. You’ll see the data that the human target has submitted for any campaign that they are a part in the 'body' section.