Ctrlk
TwitterBlog
For the complete documentation index, see llms.txt. This page is also available as Markdown.

🎣Gophish (Phishing)

Introduction

This section provides the general steps to perform a phishing campaign and the commands to retrieve the campaign results.

Pre-Installation

Before installing Gophish, perform the following changes, so the phishing platform is not detected by modern AVs.

sed -i 's/X-Gophish-Contact/<NEW_HEADER>/g' models/*.go
sed -i 's/X-Gophish-Signature/<NEW_SIGNATURE>/g' webhook/webhook.go
sed -i 's/const ServerName = "gophish"/const ServerName = "<NEW_SERVERNAME>"/' config/config.go
sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "<NEW_PARAMETER>"/g' models/campaign.go

Installation

To install Gophish, simply execute the following command.

SQLite Error

During Gophish installation, you might encounter the following issue.

To fix this, you must compile it with the following environment variable.

Certificate creation

In order to have a certificate signed by AC to make the phishing page more trusted, you can use Let's encrypt.

The easiest way to verify the domain is through DNS, so you only have to add the TXT record that the script tells you during its execution.

After that, the certificate will be generated on your system.

Then, copy the files into the Gophish directory and modify the config.json like so:

Execution

To execute Gophish, execute the following commands.

Note: If it is the first time you are running Gophish, you will be prompted with the password for the administration interface on the CLI. After logging in, you will be requested to change it.

JavaScript library error

If you see that the admin web interface doesn't work and some errors appear on the browser console like:

If you try to access the URL, you will obtain a 404 not found. That is because they have not been downloaded.

To fix that problem, execute the following commands.

Domain - DNS

In order to perform the phishing campaign, you will need to buy a fake DNS domain that must point to the Gophish instance, where the landing page will be located.

Emails - SMTP Server

You will require an SMTP server to perform the phishing campaign to send the phishing emails to your targets.

To do so, you only need to install postfix.

Then, the sending profile will look like this:

New sending profile

Warning: If your postfix server is running on a VPS, you might encounter any outgoing traffic pointing to port 25 is been rejected; that is because the VPS policy doesn't allow outgoing traffic to port 25 to prevent users from performing phishing attacks.

However, the easiest way to bypass this is to install postfix your VM and redirect the traffic using Ngrok

Finally, you will only need to set the domain and port in the "Host" field provided by Ngrok.

Landing page

To create a landing page, you can craft your own, download some templates or clone it.

Phishing templates:

Web page cloner (Might not work in every case):

Furthermore, if you want to obtain information provided by the target, then the data must be submitted through a POST request to the landing page; the name of the variables can be whatever you want, else will not be gathered by Gophis.

Nonetheless, if you want to use the below commands to retrieve the username and password from the EVENTS_RAW.CSV, name the variables username and password.

Finally, if you want to add static files such as images, fonts, and files to be downloaded... you need to upload them into the folder <GOPHIS_PATH>/static/endpoint/. Then, you must do the reference with the URL /static/<FILE>.

Parsing results

Once the campaign is over, you might want to obtain data about the number of clicked links, data submissions and obtain submitted usernames and passwords.

  • Obtain users who clicked the link.

  • Obtain users who submitted data.

  • Extract all usernames and passwords from the EVENTS CSV file.

References

Last updated