
Passing the Phish

At its core, phishing is about tricking a user into doing something they shouldn't do. Not every phishing technique involves luring a user into clicking a malicious link in an email, entering their credentials on a phishing site, or downloading a malicious file.

The primary goal of phishing is to obtain shells, credentials, or both. Many techniques exist for shell phishing, and maybe in upcoming posts I'll look into CSRF, XSS, HTML smuggling and the most common technique, maldocs. In this article, however, we'll focus on credential phishing with evilginx and Gophish.

According to its official documentation, Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. Gophish is also free, accessible and really easy to use. Evilginx, a tool written by @mrgretzky, is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows us to bypass 2-factor authentication protection.

Even though Gophish has a fully functional capability to collect credentials, it only works when the login page is static and no 2FA/MFA is enforced. This is where evilginx comes in. Evilginx acts as a relay/proxy between the real website and the target. As the target interacts with the real site, evilginx captures all the data, including the session cookies, transmitted between the two parties.

[how_evilginx_works.png]

Image from breakdev.org

We’ll integrate the ease of phishing with Gophish and the man-in-the-middle functionality of evilginx to create a robust phishing campaign that is able to collect session cookies/tokens and login credentials from applications that have 2FA enabled.

Prerequisites

For this demonstration, we’ll need:

  1. One domain to be assigned to your evilginx server.
  2. A fully functional SMTP server. Gophish will use the SMTP details from the SMTP server you set up. In this demonstration, we'll use SendGrid as our SMTP server. However, in red team assessments it is best to have complete control over your infrastructure rather than relying on third-party services.
  3. Two VPSs, one for Gophish and one for evilginx. 1GB of RAM for each works just fine.

Process

  1. We’ll start by installing Gophish on the first VPS and populating all the necessary sections.
  2. Get and use a SendGrid account as our SMTP server.
  3. Install evilginx and create a link that we’ll use to lure the target into clicking.
  4. Integrate the link into Gophish and send the email.
  5. Wait for the target to click on our link.

1. Gophish Installation

Gophish is pretty easy to install but there are a few gotchas. We’ll begin by downloading the zip file, unzipping it and launching the executable.

wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip
unzip gophish-v0.11.0-linux-64bit.zip -d gophish
cd gophish
chmod +x gophish

Because Gophish listens on port 80 by default, running the executable requires root permissions. Before we run Gophish, we have to edit the config.json file, which holds Gophish's configuration settings. The only thing we'll change is the admin_server.listen_url value, from the localhost IP to the IP of your VPS. Note that this exposes the admin console on a public address, so enabling TLS (see the optional step below) and restricting access to it with a firewall are both worthwhile.

It should look like this:

[json.png]

OPTIONAL: You can choose to serve your admin console over HTTPS by creating a self-signed TLS certificate and private key with the following command:

openssl req -newkey rsa:2048 -nodes -keyout gophish.key -x509 -days 365 -out gophish.crt

Answer the questions asked by the CSR process; since this is a local self-signed certificate, the details are not that important. When the process completes, it will create the certificate file and the key - gophish.crt and gophish.key. Move both files into the Gophish root directory, where config.json is located, and edit config.json as follows:

[json-edit.png]
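As an added example (not taken from the post or from the Gophish project itself), this is what the edited config.json looks like after both changes above: the admin console bound to the VPS address instead of 127.0.0.1, and TLS enabled with the self-signed certificate and key. The key names follow the config.json that ships with the Gophish v0.11.0 release; the address 203.0.113.10 is an RFC 5737 documentation placeholder standing in for your VPS IP, and the remaining values are the release defaults.

```json
{
  "admin_server": {
    "listen_url": "203.0.113.10:3333",
    "use_tls": true,
    "cert_path": "gophish.crt",
    "key_path": "gophish.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
```

With use_tls set to true, the admin console is reached at https://203.0.113.10:3333 (placeholder address) rather than over plain HTTP, so the generated admin password and your session cookie are not sent in cleartext across the internet. The phish_server block is left untouched here because, in this setup, the landing page is served by evilginx rather than by Gophish.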

Now we can launch gophish.

sudo ./gophish

Port 80 will host your phishing site and port 3333 serves your admin console. Once it is running, we see that Gophish is listening on port 3333 of our Gophish server. We also get auto-generated credentials that we can use to access the admin console.

[launch.png]

Open the admin console using the link shown and accept the certificate warning. Log in with the generated credentials. It will prompt you to change your password. Once that is done, we'll reach Gophish's Dashboard.

[dashboard.png]

To complete our campaign, we need to set up a few things:

  1. Users & Groups: the list of users you want to phish, including emails, names, and titles. Add one email address that you control.

[users.png]

  2. An Email Template: the actual email we want to send, in HTML, text or both. We'll get to this a little later.

[template.png]

  3. The Landing Page: the page that our targets are sent to and interact with if they click the link. In our case, this is the link we'll generate with evilginx.

[landing.png]

  4. The Sending Profile: the actual email server (SendGrid, in our scenario) and the settings that allow our phish to be sent. We'll get to this in the next step.

[sending.png]

  5. After all that is set up, we can finally schedule and launch our Campaign.

[campaign.png]

2. Setting Up SendGrid as our SMTP Server

In order to send our phishing emails, we'll need to either set up a mail server or use a third-party option. For this demonstration, we'll use SendGrid, a third-party SMTP relay. The advantages SendGrid offers are that it is free, you don't need to enter your credit card details, and you'll be sending through your relay provider's servers, which have an established reputation with most spam filters. Additionally, you can use port 587 for SMTP even if outbound port 25 is blocked by your VPS provider. (Looking at you, Vultr.) The biggest downside is that to send a decent volume of emails, you'll need to pay.

First things first, register an account. Before we can send our first email, we need to create a sender identity.

[sender.png]

Enter your details. In my case I entered the same email address in the 'From Email Address' and 'Reply To' fields. Basically I just emailed myself to verify my email address as the source address. I also used fake addresses generated by this site. Once you are done, click 'Create'.

[id.png]

Head over to your email address, click on the verification link and if it’s successful, you should receive a congratulatory message.

[verified.png]

Next, we'll get our SMTP relay credentials. To do that, click the 'Start' button under the 'Integrate using our Web API or SMTP Relay' section.

[start.png]

We’ll select the SMTP Relay option.

[smtp.png]

Here, the important step is to create an API key. Give your key a name and create it. Once that's done, your key will be generated; copy it now, as it is only shown once.

[api.png]

Back to Gophish's Sending Profile. The settings generated by SendGrid map directly onto the fields of our Sending Profile. Essentially, our sending profile will look like this:

  • Username: the username generated by SendGrid
  • Password: your API key
  • Host: the SMTP server host and port shown by SendGrid
  • From: the sending email address

[profile.png]

Let’s test whether this configuration is correctly set by sending a test email.

[test.png]

It works!

[works.png]

When we check our email:

[sent.png]

Now that our phishing server works as expected, in the next post we'll integrate it with evilginx in order to capture credentials.

This post is licensed under CC BY 4.0 by the author.