Phishing

Credential Gathering - Phishing with Go Phish

GoPhish

Phishing Server Setup Guide: For our phishing email we will use GoPhish to create the email with a link to our malicious domain. The method shown was used to gain sensitive information. The same method can be used to gain credentials to other accounts, but to avoid violating the policy agreements of a company like Amazon or Google, we are using a local restaurant as the website we spoof.

Step 1: Download GoPhish

https://github.com/gophish/gophish/releases

The prerequisite is that you can port forward traffic to your own Linux VM at home, or that you are using a VM on a VPS provider.

Step 2: Install GoPhish

Unzip the file and make the gophish binary executable:

    mkdir /opt/gophish
    unzip gophish.zip -d /opt/gophish
    cd /opt/gophish
    chmod +x gophish
    ./gophish

Step 3: Purchase Domain

Add an A record to your public IP

Step 4: Generate TLS Certificate for the site

Install certbot and generate the certificate:

    apt-get install certbot
    certbot certonly -d <domain> --manual --preferred-challenges dns

Add a TXT record with the challenge information to your domain. Verify that the TXT record was updated and then press Enter.

Replace the default certificates with the newly generated ones. First, move the new certificates to the gophish directory (optional).

Second, update config.json with the new certificate names and the IP of the VM.

Stop ./gophish and start it back up to enable the new certificates. This will make the website look a little bit more legit.

Step 5: Configure phishing attack.

Add the targeted users: Go to Users & Groups; add the targeted user and email address.

Create Email Template: Go to Email Templates. It’s important to add the embedded URL into your email to make it look slightly more legit. Add photos and signatures as needed to make the phishing email more believable!

Import the site and then add your form to capture their input.

Add the email account that the phishing emails will be sent from:

Enabling Gmail Account for SMTP Relay: Go to myaccount.google.com and select the Security tab. From there, allow less secure application access.

Test email credentials by using the Test Email button at the bottom:

Check your email for the test email from the phishing account. Once that is verified, you’re ready for the final step.

Step 6: Create Campaign

Head on over to the Campaign tab and fill out the campaign information.

The key thing is to add the URL of the domain you’re using for the impersonation, i.e. the domain you purchased.
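On the receiving side, the lure built in Steps 3 to 6 has two checkable traits: an embedded link whose visible text names one host while the href points at another, and a purchased domain that is a near miss of the real one. The mail-filter check below is an added example, not part of the original guide or of GoPhish; the PROTECTED set, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED = {"example-bistro.test"}  # assumption: domains the organisation really owns
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def norm(host):  # lower-case a host name and drop a leading "www."
    return re.sub(r"^www\.", "", (host or "").lower())

def findings(raw):
    """Return sorted finding labels for one raw e-mail message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    out = set()
    for href, text in parser.found:
        target, shown = norm(urlparse(href).hostname), DOMAIN_RE.search(text)
        if shown and norm(shown.group()) != target:
            out.add("text-href-mismatch")  # visible text names another host
        if target not in PROTECTED and any(
                SequenceMatcher(None, target, p).ratio() >= 0.85 for p in PROTECTED):
            out.add("lookalike-domain")    # near miss of a protected domain
    return sorted(out)

# Constructed sample message (not from a real campaign).
SAMPLE = """From: Example Bistro <offers@mail.test>
Content-Type: text/html; charset=utf-8

<p>Confirm at <a href="https://examp1e-bistro.test/book">www.example-bistro.test</a></p>"""
```

Calling `findings(SAMPLE)` reports both labels; a message whose link really points at a protected domain returns an empty list.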
