Entry Level Phishing And Forensics

LAB 1: Phishing Email Investigation – “Catch the Hook”

Lab Type: VM-Only Cybersecurity Lab
Mapped Frameworks: CIS Control 14 (Security Awareness & Training), NIST PR.AT, CompTIA Security+

What Are We Doing

This lab teaches you how phishing emails are created, delivered, and analyzed. You will:

  • Build a safe, isolated virtual lab environment

  • Simulate a phishing campaign using Kali Linux

  • Investigate the phishing message using Ubuntu Server

All traffic occurs inside your VM network (host-only) with optional NAT for updates.

What You Will Need To Complete This Lab

  1. Kali Linux ISO

  2. Ubuntu Server

  3. VirtualBox


Step 1

  1. Open VirtualBox

  2. Go to: File > Host Network Manager

  3. Click Create

    • IPv4 Address: 192.168.56.1

    • Subnet Mask: 255.255.255.0

    • Uncheck DHCP Server

      We do this because it creates a closed network in which our lab VMs can talk to each other without touching the internet.


Step 2 (Create our network adapter)

  1. Go to: File > Preferences > Network > NAT Networks

  2. Click Create if none exist (the same option you used to make the Host-Only Network)

  3. Settings:

  • Name: Internet

  • IPv4 Prefix: 10.0.2.0/24

  • DHCP: Enabled (Make sure this is checked!!!)

This will allow our VMs to access the internet for updates and tools. We will need to get some tools later on down the line.

VM        OS                     Role
Kali      Kali Linux             Send phishing email
Ubuntu    Ubuntu Server 25.04    Victim & Analyst


Step 3 (Kali Linux Setup)

Adapter 1: Host-Only > vboxnet0 (for internal lab)

Adapter 2: NAT > (for the internet)


Step 4 (Configure Static IPs)

Now that your VM is set up, we are going to set its static IP inside the VM itself.

These are the configs I used, but you can always change them depending on what you want to do. Open the interfaces file:

sudo nano /etc/network/interfaces

# Internal lab network
auto eth0
iface eth0 inet static
  address 192.168.56.102
  netmask 255.255.255.0
  gateway 192.168.56.1

# NAT internet adapter
auto eth1
iface eth1 inet dhcp

Save and restart networking:

sudo systemctl restart networking

(Note: If you have never used Nano before, I am a huge fan; it makes editing config files a breeze. If it is new to you, I recommend doing some research on it and playing around with it a bit. For now, here is how to write and save: once you have entered your IPs, hit Ctrl+O, then Enter, then Ctrl+X.)


Step 5

(We also need to fix DNS and the default route)

On the off chance you can ping google.com from the start, you probably do not need to worry about this. Solving this was a huge headache, because when you first boot your VM you need an internet connection to get configuration files.
If ping to google.com fails, try this:
sudo nano /etc/resolv.conf

Add:
nameserver 8.8.8.8
nameserver 1.1.1.1
Then lock the file so it doesn't get overwritten:
sudo chattr +i /etc/resolv.conf
Fix the default route (the static eth0 config above also sets a gateway on the host-only network, which has no path to the internet):
sudo ip route del default
Afterwards, confirm that the remaining default route goes out the NAT adapter (eth1).


Step 6 (Configuring the Ubuntu Server Network)

Adapter 1: Host-Only (enp0s3)

Adapter 2: NAT (enp0s8)

(Note: This is the same adapter setup as the Kali machine)


Step 7 (What to do in your Ubuntu machine)

sudo nano /etc/netplan/00-installer-config.yaml

Paste:
network:
  version: 2
  ethernets:
    enp0s3:
      addresses: [192.168.56.103/24]
    enp0s8:
      dhcp4: true
      optional: true
      routes:
        - to: 0.0.0.0/0
          via: 10.0.2.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]

Apply changes:
sudo chmod 600 /etc/netplan/00-installer-config.yaml
sudo netplan apply
sudo reboot


Step 8 (Install SSH on Ubuntu)

(SSH is what we will use to copy our email .txt file from the host machine to the VM so we can analyze it later)

Step 1: Install the SSH server

sudo apt update && sudo apt install openssh-server -y

Step 2: Start and enable the SSH service

sudo systemctl enable ssh
sudo systemctl start ssh

Step 3: Verify SSH is running

sudo systemctl status ssh

Look for Active: active (running) in green.

Why: SSH allows secure remote access and file transfer (via scp). We need it to copy our phishing email to Ubuntu from our host machine.


Test the Network (From All VMs)

ping 192.168.56.102   # Kali
ping 192.168.56.103   # Ubuntu
ping google.com       # DNS resolution


Step 9 (Simulate a Phishing Attack)

Step 1: Install Email-Sending Tool on Kali

sudo apt update && sudo apt install sendemail -y

Step 2: Get SMTP Credentials from Mailtrap

  1. Visit: https://mailtrap.io

  2. Create a free account

  3. After login:

  4. Go to Inboxes > Select your inbox

  5. Click SMTP Settings

  6. Set Integration to: sendemail

  7. SMTP server (e.g., sandbox.smtp.mailtrap.io)

  8. Port (e.g., 2525)

  9. Username (your Mailtrap Username)

  10. Password (your Mailtrap password)


Step 3: Send Phishing Email from Kali

sendemail -f attacker@fakebank.com -t victim@ciaskills.lab -u "ACTION REQUIRED" \
  -m "Click here to unlock your account: http://malicious.fakebank.com" \
  -s sandbox.smtp.mailtrap.io:2525 -xu your_username -xp your_password -o tls=no

This is a long command with a bunch of options, so here is a breakdown of what is happening:

  • -f: sender address (spoofed)

  • -t: recipient

  • -u: subject line

  • -m: body of the email

  • -s: SMTP server and port

  • -xu: SMTP username

  • -xp: SMTP password

  • -o tls=no: disable TLS (use this option if Mailtrap's sendemail settings call for it)

If successful, your email will appear in Mailtrap’s inbox.

Copy Email File to Ubuntu (Analyst)

From your Windows host, run this to copy the phishing email:

scp phishing_email.txt <ubuntu_user>@192.168.56.103:/home/<ubuntu_user>/

Replace <ubuntu_user> with the actual username on your Ubuntu VM (e.g., vboxuser). You can confirm it by running whoami on Ubuntu.

If prompted for a password, enter the password for that Ubuntu user.

Analyze the Email on Ubuntu (Victim)

Verify on Ubuntu that the file arrived, and open it using:

cat phishing_email.txt

What to Look For:

  • From: address and domain (spoofed?)

  • Subject line: urgent language, all caps, threats?

  • Links: Do they go to legitimate domains?

  • Message body: misspellings, fake logos, unusual tone

  • Header artifacts (if included): reveal the real sender's IP or system

Indicators of a Malicious Email (Red Flags)

Use this section to spot phishing in raw email content:

  • Message-ID: non-standard domain (e.g. @kali), which likely means the mail came from a spoofed CLI tool

  • From Address: untrusted or suspicious sender domain (e.g. attacker@fakebank.com)

  • Subject Line: urgency, threats, or all caps (e.g. ACTION REQUIRED)

  • X-Mailer: tools like sendEmail or PHPMailer are often used in phishing kits

  • Links: fake URLs, mismatched anchor text (e.g. real-looking link text pointing to malicious sites)

  • Content-Type: multipart formatting used to embed logos, HTML, or fake UIs
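As an added example (not part of the original lab), here is a small Python triage script that applies the red-flag checklist above to a raw message such as the copied phishing_email.txt. The embedded sample message is constructed to mirror the lab's sendemail command, and the "external link" check, which compares each link host against the recipient's domain, is my own heuristic rather than something the lab states.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the lab's sendemail message; not captured traffic.
SAMPLE_EMAIL = b"""Message-ID: <1700000000.42@kali>
From: attacker@fakebank.com
To: victim@ciaskills.lab
Subject: ACTION REQUIRED
X-Mailer: sendEmail-1.56
Content-Type: multipart/alternative; boundary="lab"

--lab
Content-Type: text/html

<p>Unlock your account: <a href="http://malicious.fakebank.com/unlock">https://secure.fakebank.com</a></p>
--lab--
"""
URGENCY = ("action required", "urgent", "immediately", "suspended", "unlock")
CLI_MAILERS = ("sendemail", "phpmailer")
URL = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.S)

def host_of(url):  # hostname of a URL, lower-cased, without scheme, port or path
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def domain_of(header):  # text after the last '@' of an address or Message-ID header
    return (header or "").rsplit("@", 1)[-1].strip("> ").lower() if "@" in (header or "") else ""

def triage(raw):  # run the lab's red-flag checklist over one raw message
    msg, flags = BytesParser(policy=policy.default).parsebytes(raw), []
    sender, org, msgid = (domain_of(msg[h]) for h in ("From", "To", "Message-ID"))
    if msgid and ("." not in msgid or msgid != sender):  # e.g. @kali: CLI-generated
        flags.append(f"Message-ID domain '{msgid}' does not match sender '{sender}'")
    if (s := msg["Subject"] or "").isupper() or any(k in s.lower() for k in URGENCY):
        flags.append(f"Subject uses urgency/all caps: {s}")
    if any(m in (msg["X-Mailer"] or "").lower() for m in CLI_MAILERS):
        flags.append(f"X-Mailer is a scripted sender: {msg['X-Mailer']}")
    if msg.get_content_type().startswith("multipart/"):
        flags.append("Multipart body: inspect the HTML part for fake UI or logos")
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            for href, label in ANCHOR.findall(text):  # visible text vs real target
                if URL.search(label) and host_of(label) != host_of(href):
                    flags.append(f"Anchor text {label} hides link to {host_of(href)}")
            for url in URL.findall(text):  # heuristic: anything outside our own org
                if not host_of(url).endswith(org):
                    flags.append(f"External link: {url}")
    return flags
```

To run it against the copied file on Ubuntu, call triage(open("phishing_email.txt", "rb").read()) and print each returned flag.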

Done :)