Gophish (Phishing)
This section provides the general steps to perform a phishing campaign and the commands to retrieve the campaign results.
Before installing Gophish, perform the following changes, so the phishing platform is not detected by modern AVs.
- Default "404 page not found" web page: Replace the function http.NotFound(w, r) in controllers/phish.go with a function that returns a custom template.
- Email headers:
sed -i 's/X-Gophish-Contact/<NEW_HEADER>/g' models/*.go
- Signature:
sed -i 's/X-Gophish-Signature/<NEW_SIGNATURE>/g' webhook/webhook.go
- Server name:
sed -i 's/const ServerName = "gophish"/const ServerName = "<NEW_SERVERNAME>"/' config/config.go
- Default phishing parameter:
sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "<NEW_PARAMETER>"/g' models/campaign.go
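The defaults listed above are the same markers a mail gateway or web proxy can match on an unmodified install. As an added example (not part of the original page or of the Gophish project), this Python script checks a raw message and an HTTP response for them; the sample email, the X-Mailer placement of the server name and the function names are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlsplit

# Stock values named in the list above (what the sed commands replace).
HEADER_PREFIX = "x-gophish-"           # X-Gophish-Contact, X-Gophish-Signature
SERVER_NAME = "gophish"                # const ServerName
RID_PARAM = "rid"                      # const RecipientParameter
NOT_FOUND_BODY = "404 page not found"  # body written by Go's http.NotFound

# Constructed sample message; X-Mailer carrying the server name is an assumption.
SAMPLE_EMAIL = """\
From: IT Support <it@example.test>
To: alice@example.test
Subject: Password expiry
X-Mailer: gophish
X-Gophish-Contact: security@example.test

Please review: https://login.example.test/?rid=abc1234
"""


def scan_email(raw):
    """Return findings for stock Gophish markers in a raw RFC 5322 message."""
    findings = []
    msg = message_from_string(raw)
    for name, value in msg.items():
        if name.lower().startswith(HEADER_PREFIX):
            findings.append(f"header name: {name}")
        elif value.strip().lower() == SERVER_NAME:
            findings.append(f"header value: {name}={value.strip()}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            if RID_PARAM in parse_qs(urlsplit(url).query):
                findings.append(f"url parameter: {url}")
    return findings


def is_stock_404(status, body):
    """True when a response matches the unmodified Go http.NotFound page."""
    return status == 404 and body.strip() == NOT_FOUND_BODY
```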
To install Gophish, simply execute the following command.
git clone https://github.com/gophish/gophish.git
cd gophish
sudo go build
go install github.com/gophish/gophish@latest
go: downloading github.com/gophish/gophish v0.11.0
# github.com/mattn/go-sqlite3
sqlite3-binding.c: In function ‘sqlite3SelectNew’:
sqlite3-binding.c:128049:10: warning: function may return address of local variable [-Wreturn-local-addr]
128049 | return pNew;
| ^~~~
sqlite3-binding.c:128009:10: note: declared here
128009 | Select standin;
| ^~~~~~~
To fix this, you must compile it with the following environment variable.
sudo bash -c 'export CGO_CFLAGS="-g -O2 -Wno-return-local-addr"; go build'
To obtain a certificate signed by a CA, so that the phishing page appears more trusted, you can use Let's Encrypt.
sudo apt-get update
sudo apt-get install certbot
The easiest way to verify the domain is through DNS, so you only have to add the TXT record that the script tells you during its execution.
sudo certbot certonly -d <PHISHING_DOMAIN> --manual --preferred-challenges dns
After that, the certificate will be generated on your system.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<DOMAIN>/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/<DOMAIN>/privkey.pem
Your certificate will expire on 2022-12-11. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
Then, copy the files into the Gophish directory and modify config.json like so:
[...]
"phish_server": {
    "listen_url": "0.0.0.0:443",
    "use_tls": true,
    "cert_path": "fullchain.pem",
    "key_path": "privkey.pem"
},
[...]
To execute Gophish, execute the following commands.
cd ~/go/pkg/mod/github.com/gophish/gophish@v0.11.0
sudo ./gophish
Note: If it is the first time you are running Gophish, the password for the administration interface will be shown on the CLI. After logging in, you will be asked to change it.
OK 20201201000000_0.11.0_account_locked.sql
OK 20220321133237_0.4.1_envelope_sender.sql
time="2022-09-12T03:29:40-04:00" level=info msg="Please login with the username admin and the password c081abbdf3183a53"
time="2022-09-12T03:29:40-04:00" level=info msg="Creating new self-signed certificates for administration interface"
The admin web interface might not work, with errors like the following in the browser console:
The resource from “https://127.0.0.1:3333/js/src/vendor/ckeditor/adapters/jquery.js” was blocked due to MIME type (“text/plain”) mismatch...
If you try to access the URL, you will get a 404 Not Found, because those files have not been downloaded.
To fix that problem, execute the following commands.
cd /tmp/
git clone -q https://github.com/gophish/gophish.git
sudo cp -r gophish/static/js/src/vendor/ ~/go/pkg/mod/github.com/gophish/gophish@*/static/js/src/
In order to perform the phishing campaign, you will need to buy a fake DNS domain that must point to the Gophish instance, where the landing page will be located.
You will also need an SMTP server to send the phishing emails to your targets.
To do so, you only need to install postfix.
sudo apt update && sudo apt -q install postfix -y
Then, the sending profile will look like this:

New sending profile
Warning: If your postfix server is running on a VPS, you might find that outgoing traffic to port 25 is rejected; that is because the VPS policy doesn't allow outgoing traffic to port 25, to prevent users from performing phishing attacks.
However, the easiest way to bypass this is to install postfix on your VM and redirect the traffic using Ngrok.
ngrok config add-authtoken <YOUR_AUTH_TOKEN>
ngrok tcp 25
Finally, you will only need to set the domain and port provided by Ngrok in the "Host" field.
To create a landing page, you can craft your own, download some templates or clone an existing page.
Phishing templates:
Web page cloner (Might not work in every case):
Furthermore, if you want to obtain information provided by the target, the data must be submitted through a POST request to the landing page, otherwise it will not be gathered by Gophish; the names of the variables can be whatever you want.
Nonetheless, if you want to use the commands below to retrieve the username and password from EVENTS_RAW.CSV, name the variables username and password.
Finally, if you want to add static files such as images, fonts, and files to be downloaded, you need to upload them into the folder <GOPHIS_PATH>/static/endpoint/. Then, reference them with the URL /static/<FILE>.
Once the campaign is over, you might want to obtain data about the number of clicked links and data submissions, and the submitted usernames and passwords.
- Obtain users who clicked the link.
cat <RESULTS.CSV> | grep "Clicked Link" | csvtool format '%(9)\n' - | sort -u > Clicked_link.txt
- Obtain users who submitted data.
cat <RESULTS.CSV> | grep "Submitted Data" | csvtool format '%(9)\n' - | sort -u > Submitted_Data.txt
- Extract all usernames and passwords from the EVENTS CSV file.
csvtool format '%(5)\n' <EVENTS_RAW.CSV> | grep -i password | jq '.payload | .username[0] +";" +.password[0]' | sort -u | tr -d '"' > credentials
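The grep-based commands above match whole lines of text; parsing the CSV and the JSON details column instead avoids miscounts when another field contains the same words. This is an added example, not from the original page: it assumes the column order implied by the csvtool command (JSON details in column 5, with email in column 2 and the event message in column 4 as further assumptions), uses constructed sample rows, and keeps only the password length rather than the value.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample of a raw events export; header names are assumptions.
SAMPLE_EVENTS = '''campaign_id,email,time,message,details
1,alice@example.test,2022-09-12T08:00:00Z,Email Sent,
1,alice@example.test,2022-09-12T08:05:00Z,Clicked Link,"{""payload"":{""rid"":[""abc1234""]}}"
1,alice@example.test,2022-09-12T08:06:00Z,Submitted Data,"{""payload"":{""username"":[""alice""],""password"":[""Summer2022!""]}}"
1,bob@example.test,2022-09-12T08:00:00Z,Email Sent,
1,bob@example.test,2022-09-12T09:00:00Z,Clicked Link,"{""payload"":{""rid"":[""def5678""]}}"
1,bob@example.test,2022-09-12T09:10:00Z,Clicked Link,"{""payload"":{""rid"":[""def5678""]}}"
'''


def summarize(events_csv):
    """Return (unique recipients per event type, submissions without passwords)."""
    recipients = defaultdict(set)
    submissions = []
    for row in csv.reader(io.StringIO(events_csv)):
        if len(row) < 5 or row[0] == "campaign_id":
            continue  # skip the header and malformed rows
        email, message, details = row[1], row[3], row[4]
        recipients[message].add(email)  # a set de-duplicates repeated clicks
        if message != "Submitted Data" or not details:
            continue
        try:
            payload = json.loads(details).get("payload", {})
        except json.JSONDecodeError:
            continue
        username = (payload.get("username") or [""])[0]
        password = (payload.get("password") or [""])[0]
        submissions.append(
            {"email": email, "username": username, "password_len": len(password)}
        )
    counts = {message: len(emails) for message, emails in recipients.items()}
    return counts, submissions
```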