Gophish

Gophish | Open-Source Phishing Framework
https://getgophish.com/

 “Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.”

This is an overview of using Gophish to set up a phishing campaign. What I’ve done below was just for learning purposes and at no point did I actually try to phish or deceive any third party without their knowledge. Also, the domain targeted in this test has been changed for obvious reasons.

If we wanted to phish users of the hypothetical yourdomain.com and we had obtained or brute-forced a list of email addresses that we could potentially target, we could do something along the lines of the following:

First we can brute-force DNS hostnames on our target domain using a tool such as nmap – https://nmap.org/nsedoc/scripts/dns-brute.html – and from there we can easily establish that there is a valid and usable domain at https://mail.yourdomain.com/

Now that I have a potential hook, I register a similar domain ‘yuordomain.com’ through which I will send my phishing email. We could in theory also host an infected replica webpage as part of the phishing attack, if that’s what you wanted to do. We will now set up a campaign in Gophish using this as our base. I can see on the official page we’d like to mimic that they use SecureEnvoy for 2FA, so I will include a reference to that in the attack to give it some credibility.

Email template

The email template is the heart of your phish, and depending on what you’re trying to achieve you can approach it differently. If you wanted to phish for malicious reasons you’d want to create a template that was as realistic and specific to your target’s environment as possible – this is where your OSINT comes into play. If you wanted to test internal employees for security awareness you want to try to exclude information that might unfairly influence them – for example, you wouldn’t mimic an internal template that would otherwise be unknown to an external attacker.

In my test below I’ve only used information which I’ve gathered online. After a DNS scan of the domain I can see they have a web portal, mail.yourdomain.com, and when I connect to it I can see it uses SecureEnvoy for 2FA. I also did a search on LinkedIn for employees and included the company logo in the email template (not shown below) to make it more convincing.

So, give your template a name and a convincing Subject, and populate your email body with your requirements. You can also include a 1×1 pixel tracking image, which allows you to see when an email was opened – for, well, tracking purposes.

If you’d like to link to a landing page, highlight the text in the email body and click the hyperlink button on the top row. You’ll get a pop-up where you can set the link type as “URL” and then either enter an external URL, or use the template variable {{.URL}}, which will link to whatever is set in the Landing Page section and can be tracked as part of your campaign.

email_template

Some of the variables that can be used in your mail are:

{{.FirstName}} – The target’s first name
{{.LastName}} – The target’s last name
{{.Position}} – The target’s position
{{.From}} – The spoofed sender
{{.TrackingURL}} – The URL to the tracking handler
{{.Tracker}} – An alias for <img src="{{.TrackingURL}}"/>
{{.URL}} – The phishing URL
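Since these placeholders are Go-template field references, a typo such as {{.TrackingUrl}} (wrong case) is not a variable Gophish knows about, and an unknown field stops the email from rendering for every recipient in the group. The small check below is an added example of mine, not code from the original post or from the Gophish project; it assumes only the variable names listed above (plus {{.RId}}, {{.Email}} and {{.BaseURL}}, which the official Gophish documentation also defines) and is meant to be run over a template body before a campaign is launched.

```python
import re

# Template variables Gophish exposes to email and landing-page templates.
# The first line is the set listed on this page; the second line holds
# further names from the official Gophish documentation.
KNOWN_VARIABLES = {
    "FirstName", "LastName", "Position", "From", "TrackingURL", "Tracker", "URL",
    "RId", "Email", "BaseURL",
}

# Matches Go-template field references such as {{.FirstName}} or {{ .URL }}.
# Other template actions (if/range/etc.) are not field references and are ignored.
_FIELD_REF = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_variables(template: str) -> list[str]:
    """Return every {{.Field}} reference in the template, in order of appearance."""
    return _FIELD_REF.findall(template)


def lint_template(template: str) -> dict:
    """Check a template body before launch.

    Field names are case-sensitive in Go templates, so 'TrackingUrl' is reported
    as unknown even though 'TrackingURL' exists. The report also says whether the
    mail can be tracked at all (it contains a tracker or tracking URL) and whether
    it links to the campaign landing page via {{.URL}}.
    """
    refs = find_variables(template)
    unknown = sorted({r for r in refs if r not in KNOWN_VARIABLES})
    return {
        "variables": refs,
        "unknown": unknown,
        "trackable": "Tracker" in refs or "TrackingURL" in refs,
        "links_landing_page": "URL" in refs,
        "ok": not unknown,
    }


if __name__ == "__main__":
    # Constructed sample template body, similar in shape to the one in the post.
    good = (
        "Hi {{.FirstName}},\n"
        "Please re-enrol your SecureEnvoy token here: {{.URL}}\n"
        "{{.Tracker}}"
    )
    # Constructed sample with the case typo that would break rendering.
    bad = '<img src="{{.TrackingUrl}}"/>'
    for body in (good, bad):
        report = lint_template(body)
        print("OK" if report["ok"] else f"UNKNOWN VARIABLES: {report['unknown']}")
```

Running it against the second sample prints the unknown name so it can be corrected before the emails go out; the first sample passes and is reported as both trackable and linked to the landing page.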

One last option is the Add File button. This can be used to simulate the addition of malicious files to the email, and this can also be tracked through your campaign for further user education, but I haven’t tried this option yet.

Landing Page

Next we’ll create a landing page that the target will be able to access, either over the web or locally. In my case I’ve chosen to mimic mail.yourdomain.com. To do this, specify a Name and then click Import Site. When prompted, enter the legitimate site https://mail.yourdomain.com as the target.

You can also set this page to be an educational warning about the dangers of clicking on unsafe links, or even just craft your own HTML to suit your needs 🙂

landing_page

You can also select from here to capture any submitted data, including usernames and passwords that the user may enter; however, BE WARNED that these are stored in plaintext.

Sending Profile

Next is the Sending Profile, which will use the account and mail server details for the phishing domain we created as part of the attack. Give it a name, who you’d like the email to appear to come from, and your email credentials – you can also use an open relay. To test your configuration, just click on the “Send Test Email” button.

sending_profile

Users and Groups

We will now specify our targets’ email address(es); we can either do this per user or import from a CSV. Give the group a name. Here I’m just going to target a single user, so I have entered it manually using the +Add button.

new_group

Start the Campaign

Now that we have specified all the required components, we can start the campaign. Give it a name and then populate the Email Template, Landing Page, Sending Profile and Groups fields with the names of the sub-sections we just configured above.

The URL needs to be the IP (internal or public, depending on your target) and port of the Gophish host – this needs to be reachable by the end users. You can use the domain name instead if it resolves to the IP correctly. Then click Launch Campaign to send the emails.

new_campaign

Based on the configuration we have done above, the target users will receive an email similar to the following (some recipients may be prompted to download any images, depending on their security settings).

sample_email

The Dashboard

Here we can see the status of the campaign, with a list of targets and each one’s status. If a tracker was included, we can see whether the email has been opened.

If a user clicks on the link in the email they will be redirected to a replica of the mail.yourdomain.com page. At that point the status indicator will change to success. We can then expand per user and see a timeline of events, including passwords, should we have chosen to capture those.

dashboard_details

You can expand each recipient for more details and a timeline of events.
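For an awareness exercise the dashboard numbers are what ends up in the report, and the captured passwords (stored in plaintext, as noted under Landing Page) should never travel with it. The script below is an added example of mine, not code from the original post or from the Gophish project. It assumes campaign data in the shape Gophish returns from its campaign results API as I understand it: a “results” list with one entry per recipient carrying a “status” string and a “reported” flag, and a “timeline” list of events whose “details” is a JSON string holding a “payload” of submitted form fields. The sample campaign in the block is constructed, not a real export.

```python
import json
from collections import Counter

# Per-recipient stages in the order the dashboard escalates them.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Form field names that indicate a credential was captured (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "secret", "token", "otp", "pin"}


def funnel(results: list[dict]) -> dict[str, int]:
    """Count how many recipients reached at least each stage.

    A recipient whose status is 'Clicked Link' is counted under Sent, Opened and
    Clicked, since the later stage implies the earlier ones. Unknown statuses
    (e.g. 'Email Reported', which replaces the stage) count toward nothing here;
    reports are tallied separately from the 'reported' flag.
    """
    rank = {stage: i for i, stage in enumerate(STAGES)}
    counts: Counter = Counter()
    for r in results:
        reached = rank.get(r.get("status"), -1)
        for stage, i in rank.items():
            if reached >= i:
                counts[stage] += 1
    return {stage: counts[stage] for stage in STAGES}


def redact_timeline(timeline: list[dict]) -> list[dict]:
    """Return a copy of the timeline that is safe to attach to a report.

    Every form value captured by a 'Submitted Data' event is replaced with a
    placeholder; the field names are kept, and a 'credentials_submitted' flag
    records whether any sensitive field was present, so the report still shows
    that a password was entered without storing it a second time.
    """
    out = []
    for ev in timeline:
        ev = dict(ev)  # shallow copy: never mutate the caller's data
        if ev.get("message") == "Submitted Data" and ev.get("details"):
            details = json.loads(ev["details"])
            payload = details.get("payload", {})
            details["payload"] = {k: ["[REDACTED]"] * len(v) for k, v in payload.items()}
            details["credentials_submitted"] = any(k.lower() in SENSITIVE_KEYS for k in payload)
            ev["details"] = json.dumps(details)
        out.append(ev)
    return out


def summarize(campaign: dict) -> dict:
    """Build the numbers an awareness report needs from one campaign export."""
    results = campaign.get("results", [])
    timeline = redact_timeline(campaign.get("timeline", []))
    credential_events = sum(
        1 for ev in timeline
        if ev.get("message") == "Submitted Data"
        and json.loads(ev["details"]).get("credentials_submitted")
    )
    return {
        "recipients": len(results),
        "funnel": funnel(results),
        "reported": sum(1 for r in results if r.get("reported")),
        "credential_submissions": credential_events,
        "timeline": timeline,
    }


# Constructed sample campaign export (four recipients, one credential capture).
SAMPLE_CAMPAIGN = {
    "results": [
        {"email": "alice@yourdomain.com", "status": "Submitted Data", "reported": False},
        {"email": "bob@yourdomain.com", "status": "Clicked Link", "reported": False},
        {"email": "carol@yourdomain.com", "status": "Email Opened", "reported": False},
        {"email": "dave@yourdomain.com", "status": "Email Sent", "reported": True},
    ],
    "timeline": [
        {"email": "", "message": "Campaign Created", "details": ""},
        {"email": "alice@yourdomain.com", "message": "Clicked Link", "details": ""},
        {"email": "alice@yourdomain.com", "message": "Submitted Data",
         "details": json.dumps({"payload": {"username": ["alice"],
                                            "password": ["hunter2"],
                                            "rid": ["abc123"]}})},
    ],
}

if __name__ == "__main__":
    report = summarize(SAMPLE_CAMPAIGN)
    print(json.dumps({k: v for k, v in report.items() if k != "timeline"}, indent=2))
    assert "hunter2" not in json.dumps(report["timeline"])
```

The funnel is reported as “reached at least this stage” rather than the raw status counts the dashboard shows, because that is the figure (e.g. “2 of 4 clicked”) that actually measures the exercise; the redacted timeline keeps the fact that a credential was submitted while dropping the value.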

dashboard_timeline

That’s all there is to it – now you can build on this and be creative with your campaigns.
