🎣Gophish (Phishing)

Introduction

This section provides the general steps to perform a phishing campaign and the commands to retrieve the campaign results.

Pre-Installation

Before installing Gophish, perform the following changes, so the phishing platform is not detected by modern AVs.

• Default "404 page not found" web page: Replace the function http.NotFound(w, r) on controllers/phish.go by a function that returns a custom template.

• Email headers:

sed -i 's/X-Gophish-Contact/<NEW_HEADER>/g' models/*.go

• Signature:

sed -i 's/X-Gophish-Signature/<NEW_SIGNATURE>/g' webhook/webhook.go

• Server name:

sed -i 's/const ServerName = "gophish"/const ServerName = "<NEW_SERVERNAME>"/' config/config.go

• Default phishing parameter:

sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "<NEW_PARAMETER>"/g' models/campaign.go

Installation

To install Gophish, simply execute the following command.

git clone https://github.com/gophish/gophish.git
cd gophish
sudo go build

SQLite Error

During Gophish installation, you might encounter the following issue.

go install github.com/gophish/gophish@latest
go: downloading github.com/gophish/gophish v0.11.0
# github.com/mattn/go-sqlite3
sqlite3-binding.c: In function ‘sqlite3SelectNew’:
sqlite3-binding.c:128049:10: warning: function may return address of local variable [-Wreturn-local-addr]
128049 |   return pNew;
       |          ^~~~
sqlite3-binding.c:128009:10: note: declared here
128009 |   Select standin;
       |          ^~~~~~~

To fix this, you must compile it with the following environment variable.

sudo bash -c 'export CGO_CFLAGS="-g -O2 -Wno-return-local-addr"; go build'

Certificate creation

In order to have a certificate signed by AC to make the phishing page more trusted, you can use Let's encrypt.

sudo apt-get update
sudo apt-get install certbot

The easiest way to verify the domain is through DNS, so you only have to add the TXT record that the script tells you during its execution.

sudo certbot certonly -d <PHISHING_DOMAIN> --manual --preferred-challenges dns

After that, the certificate will be generated on your system.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<DOMAIN>/privkey.pem
   Your certificate will expire on 2022-12-11. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"

Then, copy the files into the Gophish directory and modify the config.json like so:

[...]
	"phish_server": {
    	"listen_url": "0.0.0.0:443",
        "use_tls": true,
        "cert_path": "fullchain.pem",
        "key_path": "privkey.pem"
[...]

Execution

To execute Gophish, execute the following commands.

cd ~/go/pkg/mod/github.com/gophish/gophish@v0.12.0
sudo ./gophish

Note: If it is the first time you are running Gophish, you will be prompted with the password for the administration interface on the CLI. After logging in, you will be requested to change it.

OK    20201201000000_0.11.0_account_locked.sql
OK    20220321133237_0.4.1_envelope_sender.sql
time="2022-09-12T03:29:40-04:00" level=info msg="Please login with the username admin and the password c081abbdf3183a53"
time="2022-09-12T03:29:40-04:00" level=info msg="Creating new self-signed certificates for administration interface"

JavaScript library error

If you see that the admin web interface doesn't work and some errors appear on the browser console like:

The resource from “https://127.0.0.1:3333/js/src/vendor/ckeditor/adapters/jquery.js” was blocked due to MIME type (“text/plain”) mismatch...

If you try to access the URL, you will obtain a 404 not found. That is because they have not been downloaded.

To fix that problem, execute the following commands.

cd /tmp/
git clone -q https://github.com/gophish/gophish.git
sudo cp -r gophish/static/js/src/vendor/ ~/go/pkg/mod/github.com/gophish/gophish@*/static/js/src/

Domain - DNS

In order to perform the phishing campaign, you will need to buy a fake DNS domain that must point to the Gophish instance, where the landing page will be located.

Emails - SMTP Server

You will require an SMTP server to perform the phishing campaign to send the phishing emails to your targets.

To do so, you only need to install postfix.

sudo apt update && sudo apt -q install postfix -y

Then, the sending profile will look like this:

Warning: If your postfix server is running on a VPS, you might encounter any outgoing traffic pointing to port 25 is been rejected; that is because the VPS policy doesn't allow outgoing traffic to port 25 to prevent users from performing phishing attacks.

However, the easiest way to bypass this is to install postfix your VM and redirect the traffic using Ngrok

ngrok config add-authtoken <YOUR_AUTH_TOKEN>
ngrok tcp 25

Finally, you will only need to set the domain and port in the "Host" field provided by Ngrok.

Landing page

To create a landing page, you can craft your own, download some templates or clone it.

Phishing templates:

• Zphiser's templates

• PyPhisher's templates

Web page cloner (Might not work in every case):

• PyPhisher

• goclone

Furthermore, if you want to obtain information provided by the target, then the data must be submitted through a POST request to the landing page; the name of the variables can be whatever you want, else will not be gathered by Gophis.

Nonetheless, if you want to use the below commands to retrieve the username and password from the EVENTS_RAW.CSV, name the variables username and password.

Finally, if you want to add static files such as images, fonts, and files to be downloaded... you need to upload them into the folder <GOPHIS_PATH>/static/endpoint/. Then, you must do the reference with the URL /static/<FILE>.

Parsing results

Once the campaign is over, you might want to obtain data about the number of clicked links, data submissions and obtain submitted usernames and passwords.

• Obtain users who clicked the link.

cat <RESULTS.CSV> | grep "Clicked Link" | csvtool format '%(9)\n' - | sort -u > Clicked_link.txt

• Obtain users who submitted data.

cat <RESULTS.CSV> | grep "Submitted Data" | csvtool format '%(9)\n' - | sort -u > Submitted_Data.txt

• Extract all usernames and passwords from the EVENTS CSV file.

csvtool format '%(5)\n' <EVENTS_RAW.CSV> | grep -i password | jq '.payload | .username[0] +";" +.password[0]' | sort -u | tr -d '"' > credentials

References

• Gophish - Installation Guide

• Gophish - Let's encrypt

• Gophish - Documentation

• Phishing with GoPhish and DigitalOcean

• Gophish MODs