Posted on

Gophish: Setup a Phishing Campaign

Hello aspiring ethical hackers. In this article you will learn how to setup a phishing campaign. Readers have learnt what is phishing and various phishing techniques in our previous blog posts. It is a fitting conclusion that the next article in our phishing series should be about creating a phishing campaign. Phishing campaign or Email phishing campaign or Spear Phishing campaign is the campaign that sends emails to the victims to lure them to the Phishing site.

Although, this tutorial is similar to phishing campaigns run by malicious hackers, this campaign can also be used to test the security of a company by assessing how vulnerable are the employees of the company to a phishing attack. There are many tools to simulate phishing attacks which are used by Red Team professionals. Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. It is available for both Windows and Linux operating systems.

I will be using a Windows version of Gophish as I want to install it on Windows. Installing Gophish on Windows is damn easy. Just download Gophish for Windows, extract the contents of the zip archive. open Windows command line and navigate into the extracted directory and execute the Gophish executable as shown below. This executes some commands as shown below.

Gophish 1

If you observe the CMD window, you will find the username and password for the Gophish dashboard. This part is highlighted in the image above. These credentials are needed to login into the Gophish dashboard. Keep the CMD window open, Open Browser and enter address https://127.0.0.1:3333. This is the default port on which Gophish runs. If you get any certificate error, click on advanced to bypass it and then enter submit the above mentioned credentials.

Gophish 2 1024x545
gophish

The first thing you will see after logging in is that the system prompts you to reset your password. Reset the password.

Gophish 4 1024x548

Now, you can access the Gophish dashboard.

Gophish 5 1024x544

The first thing we need to do is create a sender profile. This is the mail address from which the spear phishing email comes from.

Gophish 6 1024x545

Click on “Sending profiles” tab and then click on “New profile” to create a new Sending Profile. Set the options for the sending profile. For example, we set the name for this as “phishing campaign 1”. To send any type of email, we’ll need a SMTP server. For this tutorial, I will be using the SMTP server of Gmail as I will be sending an email from Gmail. In Real world phishing attacks and even in many phishing simulations, a new domain is created and the email is sent from that domain’s mail to make the phishing email appear genuine. The username is the Gmail username and password is Gmail password.

Gophish 7 1024x548

Save the changes. Send a test email to the email of your choice to see if the Phishing email appears as you want it to be.

Gophish 8 1024x548

The username we specify is very important here as it will be displayed. So it has to be made as convincing as possible. Once you are satisfied with the sending profile, you can save it.

Gophish 9 1024x542

Next, we need to create Users and Groups. This is where we assign target users for of our phishing campaign.

Gophish 10 1024x547

Click on “New Group” to create a new batch of recipients. I have named this group as Target_ 1.

Gophish 11 1024x545

For this tutorial, I’ll add only a single recipient.

Gophish 12 1024x547

If you want to add a large number of users, you can save them in a CSV file and just import those users with the “bulk import users option”.

Gophish 13 1024x543
Gophish 14 1024x544

It’s time to create an email template. This is the most important part of a phishing email since it has the email body that convinces a victim to click or take any other action.

Gophish 15 1024x545

But before we compose the spear phishing email, let’s create a phishing website. For this tutorial, we will be capturing some credentials. Hence we will be using a fake website created using Social Engineering Toolkit in Kali Linux. We can also create a phishing website with Weeman.

Se Toolkit 7

The phishing site is ready and will display any captured credentials on this terminal. Go back to Gophish. Click on “New Template” to create a new email.

Gophish 16 1024x543

Remember what I said. This part is the most important and the content of the email should convince the user take whatever action you want him to take. We are just showing the age-old account suspension mail. Let’s have a look at some of the spear phishing emails used in real world hacking attacks.

Gophish 16bb

The above mail is sent to Godaddy customers. The Logo, Customer support number etc almost convince even me but just look at the Sender Email. The domain of Godaddy is godaddy.com but sender email is really phishy.

Gophish 16cc

This above phishing email is a must read. Everything looks so convincing. Even I think I have a account at Suntrust. Only when we hover over the link that we can see it is suspicious.

Gophish 16aa

The above mail is directed towards Instagram users. Although sender email is phishy, have a look at the message of the mail. It says your Instagram password has been changed and if it is not you that changed the password, you are asked to click on the link they have provided to reset your password. It even provides a link to the Instagram Help Center to appear trustworthy.

I am sure readers got an idea about how phishing emails look like. If you find an email suspicious, just hover over the links instead of clicking on them. Once, the body of the email is complete, let’s add a hyperlink to the email content. Click on “source”.

Gophish 17 1024x544

I want the users to be redirected to my Kali Linux attacker machine.

Gophish 18 1024x544
Gophish 19 1024x545

The Email template is ready. It’s time to set the landing page. Landing page in Gophish is the page where users will be redirected to after clicking a link in the email.

Gophish 20 1024x544

Click on “New Page”. You can create a new landing page or you can import an already created landing page. Let me import the phishing site I created in SE Toolkit on Kali Linux. After capturing credentials,

Gophish 22 1024x546
Gophish 23 1024x546

Just like any phishing website, we can redirect the users to another webpage after capturing credentials. I want the victims to be redirected to the genuine site of Facebook.

Gophish 25 1024x541

Save the landing page.

Gophish 26 1024x544

Everything is ready. It’s time to start the phishing campaign. Go to campaigns and click on “New Campaign”.

Gophish 27 1024x474

Specify all the options like URl, the recipients etc and click on “Launch campaign”. You can set the date and timing for the phishing campaign.

Gophish 29 1024x543
Gophish 30 1024x245
Gophish 31 1024x544

In the dashboard you can view result of the campaign. You can see how many victims read your email and how many fell to your phishing campaign.

Gophish 32 1024x545

This is how the spear phishing email I created looks in Email Inbox.

Gophish 33 1024x141

Here is how the content of the email looks.

Gophish 34 1024x327

Here is the phishing site the user is redirected to once he clicks on the link.

Gophish 35 1024x423

Once the victim fails to notice the signs of a phishing email, he enters his credentials.

Gophish 36 1024x467

These credentials are captured in SETOOLKIT as shown below.

Gophish 37

Credentials captured and our phishing campaign is successful. This is how a successful campaign is run.

Posted on 30 Comments

Beginners guide to phishing

Hello, aspiring ethical hackers. In our previous article, you learnt what is social engineering. In this article, you will learn in detail about Phishing. Phishing is one of the most popular social engineering techniques. What exactly is phishing? Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. This post demonstrates phishing tutorial for beginners. Although we make a phishing page of Facebook in this tutorial, it can be used to make a phishing page of any website. So now let’s phish.

Open your browser, go to the Facebook website, Right click on the webpage and click on “view page source”.

Phish1

The source of the web page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html”on your computer.

Phish2

Now open index.html using notepad and hit CTRL+F”.In the Find box opened, type “action” and click on “Find Next”. Look at the value of action. This “action” specifies the website what to do after users enter credentials and submit those.

Phish3

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the usual page Facebook loads.

Phish4

Now let’s create the page phish.php. Open Notepad and type the following script into it and save it as “phish.php”. What this script does is it logs the user credentials and saves it to a file named “pass.txt”.

Phish5

Now our files are ready. Next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them(I selected bytehost7), create an account with username as close to Facebook as possible and delete the index.html file available in the htdocs folder. Then using Online File Management upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

Phish6

Let’s check if our phishing page is ready by typing the address of our site. If the page is like below, then our phishing page is working.

Phish7

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the URL of the fake page we are about to send him. The sending email address should be as convincingly close to Facebook as possible.

Phish8

When the victim clicks on the obfuscated URL, it will bring him to our fake site.

Phish9

If the victim is not cautious enough as to observing the URL and enters his username and password, our attempt is a success. To show this, I will enter random values in both username field and password field and hit Enter.

phishing tutorial

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

Phish11

Click on the file. We can see both the email and the password i have entered. The email is “don’t get hacked” and the password is “like me”.

Phish12

See how to phish with Weeman HTTP Server and GoPhish.