Gophish Setup Guide: Launching Phishing Campaigns
Phishing Scenario : CASE 1 - Breaking news
Objective: The objective of this phishing campaign is to lure employees into clicking a malicious link disguised as breaking news from the company. The landing page masqueraded as a Gmail sign-in page, prompting users to enter their login credentials. This page was designed to steal users' email account credentials.
Install Gophish framework
Make the required changes in the config.json file
Launch Gophish and our first step would be to set up the sending profile by which we will send out phishing emails.
Let’s assume that the target company is using Gmail server
(When setting up the sending profile in Gophish using a Gmail account, you have to enable 2FA and give app access to Gophish)
Since our target company is using Gmail server, we will use Gmail email on our phishing campaign so we have set host as smtp.gmail.com:587. After creating the sending profile, we have to test if the sending profile works by sending a test email.
We're using the email address [email protected] as our designated Gmail account for sending phishing emails. Make sure to include the password that was generated when granting Gophish access to this Gmail account. After configuring the sending profile, we can test it by sending a test mail.
This is what the test mail will look like:
The next step involves integrating an email template for the phishing campaign. We can opt for a pre-made template, for example, here we use a Breaking News email template, for initial testing. We can incorporate a tracking image within the emails to monitor various engagement metrics, including email opens, clicks, and receipt statuses. It also has an option where we can add a link which will redirect the victim to the landing page. On the landing page we can proceed to request for more valuable information from the user.
In the third step, set up a landing page where targets will be directed after clicking a link in the email. This landing page plays a crucial role in the phishing campaign, as it's where you can capture sensitive information like passwords. Gophish defaults to using http://0.0.0.0:80 for the landing page, but we can customize it to look like a legitimate login page or other enticing content to attract targets. We'll need to specify a redirect page where users will be sent after submitting their credentials.
In the User & Groups section, you'll need to input the email addresses of your targets. Gophish framework requires you to provide the first name, last name, email address, and the rank of each target individual on the user groups page. You can also upload target details from a CSV file stored on your local system using import feature.
Install and set up Ngrok:
Install ngrok via Apt with the following command:
curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc \
| sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \
| sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok
Run the following command to add your authtoken to the default ngrok.yml configuration file.
ngrok config add-authtoken 2crm6P5lWlbTm4rwoGqn0QSHhPA_6nf7WmMJFKXVSD2SgBohF
Create an index.html page for the landing page and launch python http server in the port 8001
• python3 -m http.server 8001
Note: Verify in the browser if it's actually accessible.
We can also use other login page cloning techniques like built in gophish cloner, or Github projects (we used), Custom or by using third party clones (ex-goclone).
If it's a php file use the following command instead:
• php -S localhost:8001 -t .
ngrok http http://localhost:8001/
Use the URL under forwarding and paste it on the Gophish URL section in the campaign page shown below:
Creating Gophish Campaign:
Go to the Campaigns section.
Choose the right email and landing page templates.
Enter the landing page server URL.
Start the campaign and monitor its progress.
Once we click on the link we are directed to the landing page, where we can enter our credentials.
You can find all the phishing reports related to a specific campaign on the Dashboard in the Gophish framework. Here, you can see details such as sent emails, opened emails, clicked links, submitted data, and any emails reported as phishing by the targets. This page provides a comprehensive overview of the ongoing phishing campaign.
Phishing scenario: Case 2 - Password Reset Campaign
The aim of this phishing campaign is to trick users into divulging their login credentials by pretending to offer account protection in response to a fake mailbox compromise.
Users received an urgent email claiming their mailbox was compromised. They were directed to a phishing landing page disguised as a password reset portal.
Upon clicking the link, Users were redirected to a fake password reset page resembling the email service provider's design, where they were prompted to enter their login credentials.