Nihaal Prasad

How to go Phishing with Gophish

In this blog post, we will be going over how to conduct basic phishing campaigns using Gophish, an open-source tool for testing an organization’s vulnerability to phishing. Gophish’s UI makes it simple to create templates that can be instantly emailed out to targets, and it also allows you to easily keep track of the results of the phishing campaign for reporting purposes. Gophish is quite customizable and can be used to send payloads for a variety of phishing engagements.


Installation

To install Gophish, download the correct release for your operating system here. Builds for Windows, Mac OS, and Linux are listed in the releases section of Gophish’s GitHub page. Once you have downloaded the .zip file, extract its contents with the unzip command. One of the files in the .zip archive is the Gophish binary, which you will execute momentarily.


Configuration

You should notice a file called “config.json” in the extracted directory. As you can see from the configuration file, there are two servers: the admin server and the phish server. The admin server contains the interactive UI for Gophish, and it should only be used by yourself or any other penetration testers involved in the phishing engagement. On the other hand, the phish server contains the malicious website that each target will see when they click on a link from a phishing email (more on this later). Make sure that you change the value of “listen_url” to the IP address that you would like Gophish to be listening on.


You can also change other values in the configuration as well, such as the database being used, or whether logging is enabled. However, we will keep the default values for this blog post.
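As an added example (not part of the original post and not Gophish’s own code), the following Python pre-flight check reads a config.json in the layout described above and flags the settings a tester should catch before starting: the admin server reachable from other hosts, TLS turned off on it, the phish server bound where targets cannot reach it, and logging left at the terminal only. Both configs embedded in it are constructed samples.

```python
import json

# Constructed samples in the layout of Gophish's config.json (not taken from any real deployment).
EXPOSED_CONFIG = """{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": false,
                   "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": false,
                   "cert_path": "example.crt", "key_path": "example.key"},
  "db_name": "sqlite3", "db_path": "gophish.db",
  "logging": {"filename": "", "level": ""}
}"""

HARDENED_CONFIG = """{
  "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true,
                   "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": false,
                   "cert_path": "example.crt", "key_path": "example.key"},
  "db_name": "sqlite3", "db_path": "gophish.db",
  "logging": {"filename": "gophish.log", "level": "info"}
}"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def split_listen_url(listen_url: str) -> tuple[str, str]:
    """Split "host:port" into (host, port); also accepts the bracketed IPv6 form "[::1]:3333"."""
    host, _, port = listen_url.rpartition(":")
    return host.strip("[]"), port


def check_config(config_text: str) -> list[str]:
    """Return a list of findings; an empty list means the listen settings look safe to run."""
    cfg = json.loads(config_text)
    findings = []
    admin_host, _ = split_listen_url(cfg["admin_server"]["listen_url"])
    phish_host, _ = split_listen_url(cfg["phish_server"]["listen_url"])
    if admin_host not in LOOPBACK:
        findings.append("admin_server is reachable from other hosts; bind it to 127.0.0.1 "
                        "and reach it over SSH port forwarding or a VPN")
    if not cfg["admin_server"].get("use_tls", False):
        findings.append("admin_server.use_tls is false; admin logins would cross the network in clear text")
    if phish_host in LOOPBACK:
        findings.append("phish_server is bound to loopback; targets cannot reach the landing page")
    if not cfg.get("logging", {}).get("filename"):
        findings.append("logging.filename is empty; set a file so the engagement keeps an audit trail")
    return findings
```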


Running Gophish

When you run Gophish for the first time, it will print out a set of credentials along with the URLs of the admin website and the phishing website.


Visiting https://127.0.0.1:3333 in our web browser, we can see a login page for the admin website. You can sign in using the credentials that were just printed out in the terminal window, but you will have to change the credentials right after logging in for the first time.

After logging in, we will be granted access to Gophish’s dashboard page, which will allow us to change the settings of our phishing campaign.


Sending Profiles

A sending profile indicates where a phishing email originated from, and it requires that you have legitimate login credentials for a legitimate email service. For this example, I created the following Gmail account: jr2389ierfd9oj90osdijfi@gmail.com. Since this is just an example, I just randomly typed in a bunch of characters for my Gmail account username, but for an actual phishing test you would want to create an account on Gmail (or any other email service) with a less suspicious-sounding username.


If you are using Gmail, make sure that less secure app access is turned on. If less secure app access is turned off, then Gmail will not allow you to log in from Gophish. If you are using some other email provider, check whether it has a similar setting that must be enabled before Gophish can log in.


Inside of Gophish’s interface, click on “Sending Profiles” on the left side. Then click on “+New Profile” to create a new Sending Profile. This should bring up a menu allowing you to edit the configuration options for your sending profile. The Name parameter can be set to whatever you believe will help you remember what the profile is used for. The From parameter should be set to your malicious email address. The Host parameter should be set equal to the SMTP server that is hosting your malicious email account (for Gmail accounts, this will be “smtp.google.com”). Finally, you will have to set the Username and Password parameters to the correct login credentials for your email account, so that Gophish can send emails from that account. Click “Save Profile” when you are done.


Landing Pages

When the victim clicks on our malicious link, they will be redirected to one of our landing pages. The landing page should contain a login form where the victim can enter data. When the target POSTs their information (which hopefully contains login credentials), we should be able to see the data that they sent to us. To create a landing page, click on “Landing Pages,” and then click on “+New Page.” Note that creating a landing page is optional and may not be required for your phishing email.

The form for creating landing pages gives us the option to type in our own HTML code. For this example, I simply copied and pasted HTML code for a basic login page available here, but in a real phishing engagement, you would want your fake login page to look just like a real login page, so that users are enticed to type in their credentials. You can copy the HTML code from a real website by clicking on “Import Site” and pasting the URL of that website into the prompt that pops up next.


You may check “Capture Submitted Data” and “Capture Passwords” to ensure that you obtain the correct login credentials. There is also an option to redirect the user to another page afterwards. When the landing page appears to be configured correctly, click on “Save Page.”


Email Templates

All phishing emails that are sent out from Gophish are based on email templates. An email template indicates the email’s subject, the text that is contained within the email, and any extra files that should be attached to the email. You can create a new email template by clicking on “Email Templates” and then clicking on “+New Template.”


The subject and text of the email template should be credible, in order to lure an unsuspecting victim to click on the email and believe in its validity. Variables such as {{.FirstName}}, {{.Email}}, and {{.URL}} will be automatically replaced by Gophish with their correct values when you start the phishing campaign. You can also choose to embed a Tracking Image that triggers when someone clicks on the email. If you do not want to use a landing page, you can instead add a malicious file attachment (such as a macro-enabled Word document) by clicking on “+Add Files.” Click on “Save Template” when you are finished creating the email template.


Users & Groups

We are going to need to give Gophish a list of possible targets that it can email. This can be done by clicking on “+New Group,” which is located under the “Users & Groups” tab. You can either import many targets at once by loading a .CSV file, or you can manually type each line into Gophish one by one and click “+Add” for each line. When you are finished entering the data, click “Save changes” to store it. In this example, I will use myself as the target for the phishing campaign.


Launching The Campaign

Once everything is in place, we can finally start our campaign by clicking on “+New Campaign” under the “Campaigns” tab. You can set the name of the campaign to be whatever you want. The Email Template, Landing Page, Sending Profile, and Groups parameters should be set equal to the template, page, profile, and group that we had created earlier, respectively. You can specify a date and time when you want the emails to be sent, or you can send them immediately.


The URL must be a value that is accessible to anyone clicking on the malicious email, so you may have to port forward your Gophish landing page and use a publicly registered domain name. (Since I have done neither of these for this tutorial, I will just be using my internal IP address and clicking on the link on the same machine as Gophish.) Click on “Launch Campaign” when you are ready to start.


Keep in mind that it may take a few minutes before the victim can see the malicious email in their inbox. Once the phishing campaign starts, you should get redirected to a page that prints out the results of the campaign. At this point, you have done everything that you need to do, and all you can do is wait and hope that a victim clicks on one of your emails.


If the email got past the target’s mail defenses, the victim will receive it in their inbox. Keep in mind that spam filters or other email defenses may block your emails or notify a system administrator that your email appears to be suspicious. If this occurs, you should try creating less suspicious email templates, payloads, landing pages, and sending profiles.


Before burning through their best payloads, most penetration testers will first try to probe their target’s phishing mitigations by sending basic payloads to check whether they get blocked or not. For example, they might first send a few test emails to check whether macro-enabled Word files, macro-enabled Excel files, malicious links, or custom binaries are blocked. If certain payloads are getting blocked by your target’s email server, then you can check whether you can circumvent these defenses in any way. You should make multiple email templates for each type of probe if you wish to use this strategy. Canarytokens is an excellent tool for quickly generating payloads that trigger an alert if opened.


Here is what the phishing attack looks like from my personal Gmail account. If Tracking Images are enabled, then the results page of the campaign should get updated after the victim clicks on the email.


When the victim clicks on the given link, the following landing page is displayed to the user, which allows the user to submit login credentials after clicking on the button labeled “Login.”


When the user POSTs their login credentials, the parameters that they have submitted can be viewed in the results page of the campaign in the admin server. You may have to click on “Refresh” before you see the results.


That is all it takes to run a phishing campaign using Gophish! When you are done with your phishing engagement, click on the button labeled “Complete.” You can export the results or raw events from your phishing engagement as a CSV file by clicking on “Export CSV” and choosing what you would like to export.
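As an added example (not part of the original post and not Gophish’s own code), here is a Python reporting helper for the results file that “Export CSV” produces. It computes the cumulative funnel (sent, opened, clicked, submitted), the share of targets who reported the email, and which positions clicked or submitted, so the numbers in the engagement report and the awareness-training follow-up come straight from the export. The column layout is the one I am assuming for a Gophish results export, and the five targets in it are constructed.

```python
import csv
import io

# Constructed sample in the column layout of a Gophish results "Export CSV" (synthetic targets).
SAMPLE_RESULTS = """id,status,ip,latitude,longitude,send_date,reported,modified_date,email,first_name,last_name,position
r1,Email Sent,,0,0,2020-03-02T09:00:00Z,false,2020-03-02T09:00:00Z,ann@example.com,Ann,Lee,Finance
r2,Email Opened,,0,0,2020-03-02T09:00:00Z,false,2020-03-02T09:10:00Z,bob@example.com,Bob,Diaz,IT
r3,Clicked Link,198.51.100.7,0,0,2020-03-02T09:00:00Z,false,2020-03-02T09:12:00Z,cat@example.com,Cat,Roy,HR
r4,Clicked Link,198.51.100.9,0,0,2020-03-02T09:00:00Z,true,2020-03-02T09:15:00Z,dan@example.com,Dan,Wu,Sales
r5,Submitted Data,198.51.100.4,0,0,2020-03-02T09:00:00Z,false,2020-03-02T09:20:00Z,eve@example.com,Eve,Ali,Finance
"""

# Gophish stores each target's furthest stage; for funnel reporting a later stage
# is counted toward every earlier stage as well (a reporting convention, not a Gophish field).
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def summarize(csv_text: str) -> dict[str, int]:
    """Cumulative count per funnel stage plus how many targets reported the email."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    summary = {"targets": len(rows), "reported": 0, **{stage: 0 for stage in FUNNEL}}
    for row in rows:
        if row["status"] in FUNNEL:  # "Error"/"Scheduled" rows count as targets only
            reached = FUNNEL.index(row["status"])
            for stage in FUNNEL[: reached + 1]:
                summary[stage] += 1
        if row.get("reported", "").strip().lower() == "true":
            summary["reported"] += 1
    return summary


def rate(summary: dict[str, int], stage: str) -> float:
    """Percentage of all targets that reached `stage`, rounded to one decimal."""
    if not summary["targets"]:
        return 0.0
    return round(100.0 * summary[stage] / summary["targets"], 1)


def by_position(csv_text: str) -> dict[str, int]:
    """Number of targets per position who clicked the link or submitted data."""
    counts: dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] in ("Clicked Link", "Submitted Data"):
            counts[row["position"]] = counts.get(row["position"], 0) + 1
    return counts
```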


Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.


Phone: 571-969-7039

E-mail: info@politoinc.com

Website: politoinc.com