Wednesday, June 7, 2017

Phishing with Gophish+Mail-in-a-box (MIAB)

Phishing is often the first phase of an attack after reconnaissance. It works because it relies on psychological manipulation of the target rather than on a technical flaw. To counter this, a "Phishing as a Service" routine has emerged, using tools that run fully automated campaigns: employees are trained on how to spot phishing emails and are then tested with mock phishing emails. The percentage of those who fall victim decreases with each round, although it never reaches zero. This article shows how to configure Gophish, one of the available phishing simulators, together with Mail-in-a-Box, a dedicated Linux mail server.

Gophish is a simple phishing toolkit that makes phishing campaigns easy to manage. It handles the cloned web pages that you create, the email templates and the SMTP configurations. It is available for all major operating systems.
MIAB is an easy-to-deploy mail server in a box. It helps individuals take back control of their email with a one-click, easy-to-deploy SMTP-plus-everything-else server on a Linux box. Both applications are normally hosted on a VPS; this post concentrates mostly on Gophish and on how to run the two on one Linux box to save on hosting costs. For a complete, detailed guide on setting up MIAB go to https://mailinabox.email/guide.html, or for a video guide see https://youtu.be/9WOmkoEYMIg

Installing Gophish

This takes place on the MIAB Linux server. Assuming you have already set up MIAB and it is running, download the latest version of Gophish:
wget https://github.com/gophish/gophish/releases/download/v0.3.0/gophish-v0.3-linux-64bit.zip

Once that is downloaded, unzip the archive into a folder:
unzip gophish-v0.3-linux-64bit.zip -d Gophish

Change directory into that folder and make the gophish binary executable:
cd Gophish
chmod +x gophish


Open the config.json file and edit the listen URLs and the paths to the TLS certificates and keys:
vim config.json

MIAB uses TLS certificates provisioned by Let's Encrypt for your domains, and Gophish can reuse those certificates and keys. They are stored under /home/user-data/ssl/. Next, change the listen URL to 0.0.0.0 so that Gophish listens on all interfaces. After the edits the config.json file should look something like this:
{
    "admin_server": {
        "listen_url": "0.0.0.0:3333",
        "use_tls": true,
        "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
        "key_path": "/home/user-data/ssl/ssl_private_key.pem"
    },
    "phish_server": {
        "listen_url": "0.0.0.0:80",
        "use_tls": true,
        "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
        "key_path": "/home/user-data/ssl/ssl_private_key.pem"
    },
    "db_name": "sqlite3",
    "db_path": "gophish.db",
    "migrations_prefix": "db/db_"
}

You can change the admin server port to your liking, but the phish server port must stay 80, since that is the URL the cloned web pages will be served from and port 80 is the well-known port for HTTP servers. This causes an error, however, because MIAB already uses that port for its Nginx web server, so you have to stop Nginx:
service nginx stop

You can use netstat to confirm which services are listening on which ports:
netstat -tulpn

NOTE that with Nginx stopped you will not be able to access your webmail, which is why you must make sure MIAB is fully working before you configure it for Gophish. Remember the end goal is phishing while minimizing VPS hosting costs, since MIAB was designed to run alone on a fresh, dedicated machine.
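Before starting Gophish it is worth checking, in one go, that nothing else still owns the two listen ports from config.json and that the certificate and key files are readable by the account that will run the binary. The script below is an added example written for this post, not code from Gophish or Mail-in-a-Box; it parses netstat -tulpn output and assumes the ports and certificate paths shown in the config above. The sample netstat output is constructed to show what a conflict looks like while Nginx is still running.

```shell
#!/bin/sh
# Added example (not part of the original post, Gophish or MIAB): pre-flight
# checks to run before ./gophish. Both helpers take their input as arguments
# so they can be exercised on captured output as well as on a live host.

# Print every line of `netstat -tulpn` output ($1) whose local port is one of
# the ports given as the remaining arguments. The local address is column 4
# ("0.0.0.0:80" or ":::80"); the port is whatever follows the last colon.
listeners_on_ports() {
    _out=$1
    shift
    for _port in "$@"; do
        printf '%s\n' "$_out" | awk -v p="$_port" '
            $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
                n = split($4, a, ":")
                if (a[n] == p) print
            }'
    done
}

# Print each path that is not a readable file (the TLS cert and key named in
# config.json must be readable by the user that runs gophish). Returns 1 if
# any path failed the check, 0 if all were fine.
unreadable_files() {
    _rc=0
    for _f in "$@"; do
        if [ ! -r "$_f" ]; then
            printf '%s\n' "$_f"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample of what `netstat -tulpn` prints on a MIAB host while
# nginx is still running: port 80 is taken on both IPv4 and IPv6.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp6       0      0 :::80                   :::*                    LISTEN      1234/nginx: master'

# Live pre-flight against the ports and paths used in the config.json above.
preflight() {
    _busy=$(listeners_on_ports "$(netstat -tulpn 2>/dev/null)" 80 3333)
    if [ -n "$_busy" ]; then
        printf 'port conflict, stop the service first:\n%s\n' "$_busy"
        return 1
    fi
    unreadable_files /home/user-data/ssl/ssl_certificate.pem \
                     /home/user-data/ssl/ssl_private_key.pem
}
```

Run `preflight` as the user that will start gophish; a non-zero return means either a port is still taken (the offending netstat lines are printed) or a certificate path is wrong or unreadable.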

Now you can go ahead and start Gophish:
./gophish

Gophish should now be running, and in the terminal where you started it you should see that two servers have been created: the admin interface, which lets you manage your phishing campaigns, and the phishing server, which serves the cloned pages.

Open the admin interface in your browser and log in with the default credentials admin:gophish; you can change them from the Settings tab. After you have logged in you are presented with the dashboard. From here, navigate to the Sending Profiles tab on the left-hand side and click New Profile. Fill out the form with the mail details from MIAB: your email address, the SMTP details and the password. Click Send Test Email to confirm the details were entered correctly.

You can then move on to the Landing Page. This is where the victim is directed after clicking a link in the email. Just like before, click New Page and fill in the required details. Choose a Page Name that you will remember later; I recommend using the same name as the website you are going to clone. Then import the site you want to clone by clicking Import Site and entering the legitimate URL in the popup that appears. Once that is done, select Capture Submitted Data and Capture Passwords. You can then add a Redirect, i.e. the actual page the victim will be sent to afterwards; in this case, the LinkedIn login page. Note that some cloned sites will not work when a campaign runs because of their JavaScript; you will have to go through the code manually and delete what is not needed. The form's POST action is the important part of the code.

Moving on to Email Templates, name the template with the same name you used for the landing page. You can then import an email template: in Gmail you are able to view the email source and copy it into the Email Content field in Gophish. You then have to change the links to point to the Landing Page, so that any link in the email sends the recipient to the cloned phishing page. You can then save the template.


Next, under Users and Groups, create a group and give it a Group Name. This is where the target email addresses are stored. Add each person's first and last name, email address and position, and add them to the list. You can also bulk import users into the group from a CSV file.
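The bulk import is where a simulation most easily drifts out of scope, so it pays to validate the target list before uploading it. The script below is an added example for this post, not code from Gophish: it assumes the four-column header that Gophish's import template uses (First Name,Last Name,Email,Position) and keeps only rows whose address is well-formed, belongs to the domain agreed for the exercise, and has not already been seen. Rejected rows go to stderr with a reason. The sample CSV is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of Gophish): filter a
# target CSV so that only in-scope, well-formed, unique addresses reach the
# Users and Groups bulk import. Header layout is an assumption.

# Constructed sample of what an HR export might look like before import.
TARGETS_SAMPLE='First Name,Last Name,Email,Position
Alice,Mwangi,alice.mwangi@example.com,Finance
Bob,Otieno,bob.otieno@example.com,IT
Carol,Smith,carol@contractor.example.net,Vendor
Dan,Kamau,dan.kamau@example.com,HR
Dan,Kamau,dan.kamau@example.com,HR
Eve,Null,not-an-email,Sales'

# Print the header plus every row whose email (column 3) is syntactically
# valid, ends in the allowed domain ($2) and has not been seen before.
# Rejected rows are written to stderr prefixed with the reason.
filter_targets() {
    _csv=$1
    _domain=$2
    printf '%s\n' "$_csv" | awk -F',' -v dom="$_domain" '
        NR == 1 { print; next }
        !NF { next }
        {
            email = tolower($3)
            if (email !~ /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]+$/) {
                print "REJECT malformed: " $0 > "/dev/stderr"; next
            }
            n = split(email, parts, "@")
            if (parts[n] != tolower(dom)) {
                print "REJECT out of scope: " $0 > "/dev/stderr"; next
            }
            if (email in seen) {
                print "REJECT duplicate: " $0 > "/dev/stderr"; next
            }
            seen[email] = 1
            print
        }'
}

# Typical use: filter a real export into the file you upload to Gophish.
#   filter_targets "$(cat hr_export.csv)" example.com > targets.csv
```

The domain check is deliberately an exact match on the part after the last "@", so a contractor or look-alike domain is rejected rather than silently included in the campaign.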

The last step is launching a campaign. Name the campaign, select the sending profile, landing page, email template and group you created in the previous steps, and add the URL of the site that will capture the data; in this case that is the domain you bought and set up with MIAB. You can then schedule when you want the email to be sent. Also check the time zone of the VPS you are using against your own before you launch the campaign.



You can now see the active campaign in your dashboard while you wait for the email to arrive. Within the dashboard you can also see a timeline of the campaign: when it was created, when the email was sent, when it was opened, whether the link was clicked and whether any data was submitted. The submitted data view shows exactly what was entered. You can also replay the credentials, which logs you in to that site automatically with them.
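Gophish can also export a campaign's results as CSV, which is what you need to track the victim rate across training rounds rather than reading one dashboard at a time. The functions below are an added example written for this post, not code from Gophish. They locate the status column by its header name, so the column order in the export (assumed here) does not matter, and they treat the statuses shown on the dashboard (Email Sent, Email Opened, Clicked Link, Submitted Data) as a ladder: someone who submitted data is also counted as having clicked and opened. The sample export is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of Gophish): summarize a
# results export by timeline stage. Column order and status strings are
# assumptions based on what the dashboard displays.

# Constructed sample of a results export (column layout assumed).
RESULTS_SAMPLE='id,status,ip,send_date,email,first_name,last_name,position
1,Email Sent,,2017-06-07T09:00:00Z,alice.mwangi@example.com,Alice,Mwangi,Finance
2,Clicked Link,203.0.113.5,2017-06-07T09:00:00Z,bob.otieno@example.com,Bob,Otieno,IT
3,Submitted Data,203.0.113.9,2017-06-07T09:00:00Z,dan.kamau@example.com,Dan,Kamau,HR
4,Email Opened,,2017-06-07T09:00:00Z,fay.wanjiru@example.com,Fay,Wanjiru,Legal'

# Print how many rows of the export ($1) reached at least stage $2.
# Stages are ranked Email Sent < Email Opened < Clicked Link < Submitted Data;
# rows with any other status (e.g. an error) are not counted.
count_at_or_past() {
    _csv=$1
    _stage=$2
    printf '%s\n' "$_csv" | awk -F',' -v stage="$_stage" '
        BEGIN {
            rank["Email Sent"] = 1; rank["Email Opened"] = 2
            rank["Clicked Link"] = 3; rank["Submitted Data"] = 4
        }
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        !NF { next }
        col && ($col in rank) && rank[$col] >= rank[stage] { n++ }
        END { print n + 0 }'
}

# Print one line per stage with the count and the percentage of recipients.
campaign_summary() {
    _csv=$1
    _total=$(printf '%s\n' "$_csv" | awk 'NR > 1 && NF { n++ } END { print n + 0 }')
    if [ "$_total" -eq 0 ]; then
        echo "no recipients in export"
        return 1
    fi
    for _s in "Email Sent" "Email Opened" "Clicked Link" "Submitted Data"; do
        _n=$(count_at_or_past "$_csv" "$_s")
        printf '%-15s %3d / %d (%d%%)\n' "$_s" "$_n" "$_total" $(( _n * 100 / _total ))
    done
}

# Typical use on a real export:
#   campaign_summary "$(cat results.csv)"
```

The "Clicked Link" line is the number the awareness programme usually tracks from round to round; "Submitted Data" is the subset that went on to hand over credentials.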


References
https://getgophish.com/documentation/
https://github.com/gophish/gophish/releases
https://mailinabox.email/
https://www.skyhighnetworks.com/cloud-security-blog/top-phishing-test-tools-and-simulators/

[root@e13olf]# exit

3 comments:

  1. They managed the project well digital product development agency and the customer felt they were on-track throughout the entirety of their involvement despite changes to the project requirements.


  2. This post is so helpful and informative. Keep updating with more information...
    Modern Artificial Intelligence
    Current State Of AI
