0x00 Phishing in offensive and defensive drills
In large-scale offensive and defensive drills, breaking in through the traditional web-layer N-day route has become harder, so more and more attack teams turn to phishing. This article covers phishing by ordinary email; phishing over IM, which is also very effective, will be covered in a later article.
0x01 Building a Gophish phishing platform
Gophish is a powerful open-source phishing framework that is easy to install and run.
Github address: https://github.com/gophish/gophish
1. Download
Download the release for your platform from https://github.com/gophish/gophish/releases:
wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip
unzip gophish-v0.11.0-linux-64bit.zip
2. Modify config.json
vim config.json
- admin_server -> listen_url: change 127.0.0.1 to 0.0.0.0. The admin panel can only be reached directly from outside the VPS when it binds to 0.0.0.0; that also exposes the admin login to the whole internet, so restrict port 3333 to your own IP with a firewall rule (or keep 127.0.0.1 and reach it over an SSH port forward).
- phish_server -> listen_url: also 0.0.0.0, on the port the phishing pages will be served from. Port 80 was already taken on my VPS, so I changed it to 0.0.0.0:81.
3. Run
chmod u+x gophish
./gophish
Gophish generates a random initial admin password on first start and prints it near the end of the startup log; look for it there.
4. Setup complete
https://VPS-IP:3333/ (the admin server uses a self-signed certificate, so the browser will warn about it)
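Steps 2 through 4 as a repeatable script. This is an added example, not part of the original post or of Gophish itself: it rewrites the two listen_url values with awk and reads them back so you can confirm the edit before starting the binary. The write_default_config function writes a constructed copy of the config.json layout shipped in the release (an assumption about field names and order; in practice patch the real file from the zip).

```shell
#!/bin/sh
# Added example (not from the original post or the Gophish project): apply
# the two listen_url changes from step 2 to config.json with awk, so the
# edit can be repeated on a fresh install, and read them back to verify.
# write_default_config writes a constructed copy of the config.json layout
# Gophish ships (assumption: field names/order match v0.11.0; use the file
# from the release zip in practice).

write_default_config() {   # $1 = path to write the constructed default to
    cat > "$1" <<'EOF'
{
    "admin_server": {
        "listen_url": "127.0.0.1:3333",
        "use_tls": true,
        "cert_path": "gophish_admin.crt",
        "key_path": "gophish_admin.key"
    },
    "phish_server": {
        "listen_url": "0.0.0.0:80",
        "use_tls": false,
        "cert_path": "example.crt",
        "key_path": "example.key"
    },
    "db_name": "sqlite3",
    "db_path": "gophish.db",
    "migrations_prefix": "db/db_",
    "contact_address": "",
    "logging": {
        "filename": "",
        "level": ""
    }
}
EOF
}

# patch_listen_urls FILE ADMIN_LISTEN PHISH_LISTEN
# Both sections use the same "listen_url" key, so the awk script remembers
# which section it is inside and rewrites only the value on that line.
patch_listen_urls() {
    awk -v admin="$2" -v phish="$3" '
        /"admin_server"/ { section = "admin" }
        /"phish_server"/ { section = "phish" }
        /"listen_url"/ {
            url = (section == "admin") ? admin : phish
            sub(/"listen_url":[ \t]*"[^"]*"/, "\"listen_url\": \"" url "\"")
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# listen_url FILE SECTION -> prints the listen_url of admin_server or phish_server
listen_url() {
    awk -v want="$2" '
        /"admin_server"/ { section = "admin_server" }
        /"phish_server"/ { section = "phish_server" }
        /"listen_url"/ && section == want {
            line = $0
            sub(/^[^:]*:[ \t]*"/, "", line)   # strip key and opening quote
            sub(/".*$/, "", line)             # strip closing quote and comma
            print line
        }
    ' "$1"
}

# Usage on the VPS (from the unzipped gophish directory):
#   patch_listen_urls config.json 0.0.0.0:3333 0.0.0.0:81
#   listen_url config.json admin_server    # -> 0.0.0.0:3333
#   listen_url config.json phish_server    # -> 0.0.0.0:81
```

After patching, start ./gophish as above. Because the admin listener is now on 0.0.0.0, add a firewall rule before exposing it, for example ufw allow from <your IP> to any port 3333 proto tcp followed by ufw deny 3333/tcp, so only your own address reaches the login page.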
0x02 Buying a domain name
A foreign registrar and a foreign cloud VPS are recommended.
You need a sender domain that looks similar to the target's real one for the phishing emails; buy that yourself.
Add two records on the DNS management page of this look-alike domain:
0x03 Mail server setup
- Public mailboxes would also work, but they get blocked once you send too much, so we set up our own.
- My VPS has always run Ubuntu, so I chose Postfix + mailutils.
(On CentOS, EwoMail is a more complete platform; follow the official install guide step by step: http://doc.ewomail.com/docs/ewomail/install)
1. Install Postfix
apt install postfix
When the installer asks for the system mail name, enter your bare domain (for example yourdomain.tld, without a mail. prefix) and choose the Internet Site configuration type.
2. Install mailutils (provides the mail command)
apt install mailutils
3. Add a test user
This Unix account is the mailbox that will send and receive mail from now on: Postfix delivers mail for master@<your domain> to the local user master.
useradd -m -s /bin/bash master
passwd master
4. Test sending mail over SMTP on port 25 (the addresses in the captured session below appear as [email protected] placeholders; substitute your own)
root@10-7-21-215:~# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 10-7-21-215 ESMTP Postfix (Ubuntu)
ehlo localhost
250-10-7-21-215
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject:this is test qq mail
qqqq
ssss
.
250 2.0.0 Ok: queued as 09B30C444A
quit
221 2.0.0 Bye
Connection closed by foreign host.
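The same test as a script. This is an added example, not from the original post: build_mail writes out a full message with From, To, Subject, Date and Message-ID headers (the telnet session above supplies only Subject and leaves Postfix to add the rest), send_mail hands it to the local Postfix through its sendmail binary with the envelope sender set explicitly, and queue_status shows whether the remote provider accepted, deferred or rejected it. The addresses master@example.com and victim@example.net are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a scripted version of the
# telnet test above. Build a complete message with explicit headers and
# hand it to the local Postfix via sendmail, then inspect the queue.
# Addresses are placeholders (assumption): master@example.com is the local
# user created above, victim@example.net the test recipient.

# build_mail FROM TO SUBJECT BODY -> prints the RFC 5322 message on stdout
build_mail() {
    local from=$1 to=$2 subject=$3 body=$4
    local domain=${from#*@}          # Message-ID should carry the sender's domain
    printf 'From: %s\n' "$from"
    printf 'To: %s\n' "$to"
    printf 'Subject: %s\n' "$subject"
    printf 'Date: %s\n' "$(date '+%a, %d %b %Y %H:%M:%S %z')"
    printf 'Message-ID: <%s.%s@%s>\n' "$(date +%s)" "$$" "$domain"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: text/plain; charset=UTF-8\n'
    printf '\n%s\n' "$body"          # blank line separates headers from body
}

# header_of MESSAGE NAME -> value of the first header called NAME ("" if absent)
header_of() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# send_mail FROM TO SUBJECT BODY: queue the message with Postfix.
# -t reads the recipient from the To: header; -f sets the envelope sender,
# which is what the receiving server checks SPF against.
send_mail() {
    build_mail "$@" | sendmail -t -f "$1"
}

# queue_status: was it delivered, deferred or bounced? Postfix logs the
# remote server's reply (e.g. a 5xx from the recipient's provider) here.
queue_status() {
    postqueue -p
    tail -n 20 /var/log/mail.log
}

# Usage (on the VPS, as root or the master user):
#   send_mail master@example.com victim@example.net "test mail" "hello from the VPS"
#   queue_status
```

If the message sits in the queue as deferred, or mail.log shows a rejection from the recipient's provider, fix that (reverse DNS, SPF, the look-alike domain's MX) before pointing Gophish at this server; a campaign only multiplies whatever deliverability problem the test reveals.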
5. Receive the test email in the recipient mailbox
6. Reply to the test email; the reply is delivered to the local user's mailbox. Switch to that user and read it with mail:
su - master
mail
7. Mail server done
0x04 Actual phishing
With the environment in place, the real phishing begins.
1. Sending Profiles - sender mailbox configuration
Use the mail server just set up on this machine.
The thing to watch is the Host field:
- Most domestic cloud providers block outbound port 25 to curb mail spam, as regulation requires, so if you must relay through an external SMTP service use its SSL port, 465, instead.
- Port 25 works for me because my VPS is abroad; adjust this to your own situation.
- Our Gophish server sits on the same VPS as the mail server, so the host is 127.0.0.1 (port 25, the same Postfix the telnet test above talked to).
Click Send Test Email.
The test email is received.
2. Email Templates - phishing email templates
The first option is to write the HTML by hand. Gophish templates are Go templates: {{.URL}} expands to the phishing link carrying the recipient's unique ID, {{.Tracker}} to a hidden tracking image that reports the mail being opened, and {{.FirstName}}, {{.LastName}}, {{.Email}} and {{.Position}} are filled from the target group. Keep each tag on a single line, and keep the footer paragraphs inside <body>:
<html>
<head>
<title></title>
</head>
<body>
<p>Hello:</p>
<p>We recently detected that your password on the Scholat (学者网) teaching and research collaboration platform has expired. Please click <a href="{{.URL}}">this link</a> to change your password as soon as possible. Thank you for your cooperation!</p>
<p>Please do not reply to this email directly.</p>
<p>学信网 (CHSI)</p>
{{.Tracker}}
</body>
</html>
The second option is to import an existing email: export the original message in .eml format, import it, replace the target of the hyperlink with the {{.URL}} tag, and finally set up the matching phishing page.
3. Landing Pages - fake phishing pages
After configuring the phishing email, use the Landing Pages module to create the phishing website page.
1. Hand-written HTML is supported here
2. Or clone the real website directly (Import Site)
I use the second:
Among the options:
- Capture Submitted Data and Capture Passwords record the account and password the victim enters. Captured credentials are stored in plaintext in Gophish's database, so protect the VPS and the gophish.db file and dispose of them according to the engagement's rules when it ends.
- Redirect to: enter the real page's address, so that after clicking the submit button the victim is sent on to the genuine website.
4. Users & Groups - target mailboxes and groups
Next, configure the email addresses the phishing attack will target.
Targets can be imported in bulk from a CSV file; click Download CSV Template to get the expected layout (columns First Name, Last Name, Email, Position).
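An added helper, not from the original post, for preparing that CSV: it takes a rough target list (my own assumed input format: one target per line as First|Last|email|Position), trims and lower-cases the addresses, drops malformed and duplicate entries so nobody is mailed twice, and writes the header that Gophish's template uses.

```shell
#!/bin/sh
# Added example (not from the original post): turn a rough target list into
# the CSV layout Gophish's "Download CSV Template" produces
# (First Name,Last Name,Email,Position), normalising addresses and dropping
# rows that would be rejected or would double-send. Input format is an
# assumption of this example: one target per line, fields separated by '|'.

# make_targets_csv < input > output   (skipped rows are reported on stderr)
make_targets_csv() {
    printf 'First Name,Last Name,Email,Position\n'
    awk -F'|' '
        BEGIN { OFS = "|" }
        {
            for (i = 1; i <= 4; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", $i)   # trim whitespace
                gsub(/"/, "\"\"", $i)             # CSV-escape embedded quotes
            }
            email = tolower($3)                   # case-insensitive dedupe
            if (email !~ /^[^@ \t]+@[^@ \t]+\.[^@ \t]+$/) {
                print "skipping line " NR " (bad address): " $0 > "/dev/stderr"
                next
            }
            if (email in seen) {
                print "skipping line " NR " (duplicate): " email > "/dev/stderr"
                next
            }
            seen[email] = 1
            printf "\"%s\",\"%s\",\"%s\",\"%s\"\n", $1, $2, email, $4
        }'
}

# Usage:
#   make_targets_csv < targets.txt > targets.csv
# then import targets.csv in Users & Groups; check stderr for what was dropped.
```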
5. Campaigns - launching the phishing test
Configure the campaign: fill in the Name, select the email template and the landing page, enter the phishing URL, choose the sending profile, and select the target group.
Note that this URL is the phish_server address Gophish was configured with at the beginning,
i.e. http://vps-ip:81. Pointing the look-alike domain from 0x02 at the VPS and using it here instead of the bare IP makes the link far less conspicuous.
6. Check the results
The dashboard shows statistics for all campaigns.
7. Open the details
For each target you can see whether the email was sent, opened, the link clicked, and data submitted.
0x05 Summary
This covered only the infrastructure and basic usage of email phishing. Many topics remain, such as AV evasion for the Trojan payload, pretext writing, mailbox harvesting, and so on. Phishing over IM is also very effective and will be discussed later.