# Gophish (Phishing)

## Introduction

This section provides the general steps to perform a phishing campaign and the commands to retrieve the campaign results.

## Pre-Installation

Before installing Gophish, perform the following changes, so the phishing platform is not detected by modern AVs.

* [ ] **Default "404 page not found" web page**: Replace the `http.NotFound(w, r)` call in `controllers/phish.go` with a function that returns a [custom template](https://raw.githubusercontent.com/edermi/gophish_mods/master/controllers/phish.go).
* [ ] **Email headers:**

```bash
sed -i 's/X-Gophish-Contact/<NEW_HEADER>/g' models/*.go
```

* [ ] **Signature**:

```bash
sed -i 's/X-Gophish-Signature/<NEW_SIGNATURE>/g' webhook/webhook.go
```

* [ ] **Server name**:

```bash
sed -i 's/const ServerName = "gophish"/const ServerName = "<NEW_SERVERNAME>"/' config/config.go
```

* [ ] **Default phishing parameter**:

```bash
sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "<NEW_PARAMETER>"/g' models/campaign.go
```
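The same defaults listed above are what a mail gateway or SOC analyst can key on. As an added example (not part of the original page or of Gophish), this Python script inspects a constructed raw email for the stock `X-Gophish-Contact` header and for links carrying the default `rid` tracking parameter; the sample message and addresses are invented.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Stock Gophish markers described above: the contact header added to sent
# mail and the "rid" recipient-tracking parameter in phishing links.
DEFAULT_HEADER = "X-Gophish-Contact"
DEFAULT_PARAM = "rid"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_gophish_indicators(raw_email: str) -> list:
    """Return human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    hits = []
    if msg.get(DEFAULT_HEADER) is not None:
        hits.append(f"header {DEFAULT_HEADER}: {msg[DEFAULT_HEADER]}")
    # Walk every text part so HTML bodies of multipart mails are inspected too.
    bodies = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            bodies.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    for url in URL_RE.findall("\n".join(bodies)):
        query = parse_qs(urlparse(url).query)
        if DEFAULT_PARAM in query:
            hits.append(f"link with default tracking parameter: {url}")
    return hits

# Constructed sample message (not a real campaign email).
SAMPLE_EMAIL = """From: it-support@example.test
To: alice@example.test
Subject: Password expiry notice
X-Gophish-Contact: operator@example.test
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://login.example.test/?rid=AbCd1234">Reset your password</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_gophish_indicators(SAMPLE_EMAIL):
        print(hit)
```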

## Installation

To install Gophish, execute the following commands.

```bash
git clone https://github.com/gophish/gophish.git
cd gophish
sudo go build
```

### SQLite Error

During Gophish installation, you might encounter the following [**issue**](https://github.com/mattn/go-sqlite3/issues/803).

```bash
go install github.com/gophish/gophish@latest
go: downloading github.com/gophish/gophish v0.11.0
# github.com/mattn/go-sqlite3
sqlite3-binding.c: In function ‘sqlite3SelectNew’:
sqlite3-binding.c:128049:10: warning: function may return address of local variable [-Wreturn-local-addr]
128049 |   return pNew;
       |          ^~~~
sqlite3-binding.c:128009:10: note: declared here
128009 |   Select standin;
       |          ^~~~~~~
```

To fix this, compile it with the following environment variable set.

```bash
sudo bash -c 'export CGO_CFLAGS="-g -O2 -Wno-return-local-addr"; go build'
```

### Certificate creation

To obtain a certificate signed by a CA, so that the phishing page is trusted by browsers, you can use **Let's Encrypt**.

```bash
sudo apt-get update
sudo apt-get install certbot
```

The easiest way to verify the domain is through DNS: you only have to add the TXT record that certbot asks for during its execution.

```bash
sudo certbot certonly -d <PHISHING_DOMAIN> --manual --preferred-challenges dns
```

After that, the certificate will be generated on your system.

```bash
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<DOMAIN>/privkey.pem
   Your certificate will expire on 2022-12-11. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
```

Then, copy the files into the Gophish directory and modify the `config.json` like so:

```json
[...]
    "phish_server": {
        "listen_url": "0.0.0.0:443",
        "use_tls": true,
        "cert_path": "fullchain.pem",
        "key_path": "privkey.pem"
[...]
```

## Execution

To run Gophish, execute the following commands.

```bash
cd ~/go/pkg/mod/github.com/gophish/gophish@v0.12.0
sudo ./gophish
```

**Note**: The first time you run Gophish, the password for the administration interface is printed on the CLI. After logging in, you will be asked to change it.

```bash
OK    20201201000000_0.11.0_account_locked.sql
OK    20220321133237_0.4.1_envelope_sender.sql
time="2022-09-12T03:29:40-04:00" level=info msg="Please login with the username admin and the password c081abbdf3183a53"
time="2022-09-12T03:29:40-04:00" level=info msg="Creating new self-signed certificates for administration interface"
```

### JavaScript library error

If the admin web interface doesn't work and errors like the following appear in the browser console:

```bash
The resource from “https://127.0.0.1:3333/js/src/vendor/ckeditor/adapters/jquery.js” was blocked due to MIME type (“text/plain”) mismatch...
```

If you try to access that URL, you will get a 404 Not Found, because the vendor JavaScript files have not been downloaded.

To fix that problem, execute the following commands.

```bash
cd /tmp/
git clone -q https://github.com/gophish/gophish.git
sudo cp -r gophish/static/js/src/vendor/ ~/go/pkg/mod/github.com/gophish/gophish@*/static/js/src/
```

### Domain - DNS

To run the phishing campaign, you will need to buy a domain and point it to the Gophish instance, where the landing page will be hosted.

### Emails - SMTP Server

You will need an SMTP server to send the phishing emails to your targets.

To do so, you only need to install **postfix**.

```bash
sudo apt update && sudo apt -q install postfix -y
```

Then, the sending profile will look like this:

![New sending profile](https://3683125600-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAiuSjJMFQ72nHxKtvtIh%2Fuploads%2Fgit-blob-d97e025b23fa068ea24f7ec23e8b57bfb05818ad%2Fimage.png?alt=media)

**Warning**: If your postfix server is running on a VPS, you might find that all outgoing traffic to port 25 is rejected; that is because the VPS policy does not allow outgoing traffic to port 25, to prevent users from performing phishing attacks.

However, the easiest way around this is to install postfix on your local VM and forward the traffic using **Ngrok**.

```bash
ngrok config add-authtoken <YOUR_AUTH_TOKEN>
ngrok tcp 25
```

Finally, set the host and port that Ngrok provides in the "Host" field of the sending profile.

### Landing page

To create a landing page, you can craft your own, download a template, or clone an existing page.

**Phishing templates**:

* [Zphiser's templates](https://github.com/htr-tech/zphisher/tree/master/.sites)
* [PyPhisher's templates](https://github.com/KasRoudra/PyPhisher/releases/download/v2.0/websites.zip)

**Web page cloners** (might not work in every case):

* [PyPhisher](https://github.com/KasRoudra/PyPhisher)
* [goclone](https://github.com/imthaghost/goclone)

Furthermore, if you want to capture the information entered by the target, the data must be submitted through a POST request to the landing page; the variable names can be whatever you want, but data not sent via POST will not be gathered by Gophish.

However, if you want to use the commands below to retrieve the username and password from the `EVENTS_RAW.CSV`, name the variables `username` and `password`.

Finally, if you want to add static files such as images, fonts, or files to be downloaded, upload them into the folder `<GOPHISH_PATH>/static/endpoint/` and reference them with the URL `/static/<FILE>`.

## Parsing results

Once the campaign is over, you might want to know how many recipients clicked the link or submitted data, and which usernames and passwords were submitted.

* **Obtain users who clicked the link.**

```bash
cat <RESULTS.CSV> | grep "Clicked Link" | csvtool format '%(9)\n' - | sort -u > Clicked_link.txt
```

* **Obtain users who submitted data.**

```bash
cat <RESULTS.CSV> | grep "Submitted Data" | csvtool format '%(9)\n' - | sort -u > Submitted_Data.txt
```

* **Extract all usernames and passwords from the EVENTS CSV file.**

```bash
csvtool format '%(5)\n' <EVENTS_RAW.CSV> | grep -i password | jq '.payload | .username[0] +";" +.password[0]' | sort -u | tr -d '"' > credentials
```
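The three commands above can be folded into one parser of the events export. As an added example (not part of the original page or of Gophish), this Python script reads a constructed `EVENTS_RAW.CSV`, derives who clicked and who submitted from the full timeline, and records that a password was captured without persisting its value; the JSON details column is column 5 as in the `csvtool` command above, while the email (2) and message (4) positions and the sample rows are assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Events export columns (0-based): details is the page's column 5; the email
# and message positions are assumed from the same export layout.
EMAIL_COL, MESSAGE_COL, DETAILS_COL = 1, 3, 4

def summarise_events(events_csv: str) -> dict:
    """Per-recipient outcome plus submitted usernames, with passwords masked."""
    outcome = defaultdict(set)   # message -> set of recipient emails
    submissions = []             # one entry per "Submitted Data" event
    rows = list(csv.reader(io.StringIO(events_csv)))[1:]   # skip header row
    for row in rows:
        email, message, details = row[EMAIL_COL], row[MESSAGE_COL], row[DETAILS_COL]
        outcome[message].add(email)
        if message != "Submitted Data":
            continue
        payload = json.loads(details).get("payload", {})
        password = payload.get("password", [""])[0]
        submissions.append({
            "email": email,
            "username": payload.get("username", [""])[0],
            # Keep only the length so the report never stores the password itself.
            "password_len": len(password),
        })
    # A recipient whose latest status is "Submitted Data" also clicked the link,
    # so clicked counts must include submitters.
    clicked = outcome["Clicked Link"] | outcome["Submitted Data"]
    return {
        "clicked": sorted(clicked),
        "submitted": sorted(outcome["Submitted Data"]),
        "submissions": submissions,
    }

# Constructed sample export (not a real campaign); details is JSON, CSV-quoted.
SAMPLE_EVENTS = """campaign_id,email,time,message,details
1,alice@example.test,2022-09-12T03:30:00Z,Email Sent,
1,alice@example.test,2022-09-12T03:31:00Z,Clicked Link,"{""payload"":{""rid"":[""AbCd1234""]}}"
1,alice@example.test,2022-09-12T03:32:00Z,Submitted Data,"{""payload"":{""username"":[""alice""],""password"":[""Winter2022!""],""rid"":[""AbCd1234""]}}"
1,bob@example.test,2022-09-12T03:30:00Z,Email Sent,
1,bob@example.test,2022-09-12T03:35:00Z,Clicked Link,"{""payload"":{""rid"":[""EfGh5678""]}}"
"""

if __name__ == "__main__":
    print(json.dumps(summarise_events(SAMPLE_EVENTS), indent=2))
```

Note that grepping `Clicked Link` in the results CSV misses recipients whose status has already advanced to `Submitted Data`, which is why the script unions both sets.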

## References

* [Gophish - Installation Guide](https://docs.getgophish.com/user-guide/installation)
* [Gophish - Let's encrypt](https://www.n00py.io/2017/09/phishing-with-gophish-and-letsencrypt/)
* [Gophish - Documentation](https://docs.getgophish.com/user-guide/)
* [Phishing with GoPhish and DigitalOcean](https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean)
* [Gophish MODs](https://www.redteam.cafe/phishing/gophish-mods)
