The Ultimate Guide to Phishing

Learn how to Phish using EvilGinx2 and GoPhish

Posted by Siddharth Balyan on August 03, 2021 · 15 mins read

/img/posts/phishing/Pasted image 20210725214046.png


Introduction

Why another Phishing guide?

Recently I’ve been able to get my hands dirty with Phishing and witness actual Phishing campaigns due to the incredibly talented people at my workplace. To satisfy my curiosity I tried to follow along with a small Phishing campaign against myself and realized that, there doesn’t seem to be an all-inclusive, all-in-one guide for beginners to understand the process and help them set up the infrastructure.

So, this is my attempt at that.

I’m going to assume the starting point that you already know what phishing is, but would like to learn how to do it.

Note: This is simply my way of contributing to the security community. Please don’t use this knowledge for malicious purposes!

Breakdown

The process of phishing can be split into two parts by my understanding;

  • The Phishing Website : This is the spoofed, fake website where the unknowing user will enter their credentials. From here we would capture the said credentials along with their session cookies.
  • The Phishing Mail: This is the email which would be sent to the victim with the hope that they bite the bait and go to our spoofed website.

The Phishing Website

Infrastructure and Tools Used

  1. Urlcrazy: A tool generating typo domains.
  2. Freenom: For buying a free domain for testing/learning purposes.
  3. evilginx2 : A man-in-the-middle-proxy for setting up the Phish Website which can capture credentials.
  4. Free Azure Account: Azure’s free standard VM for setting up all the infrastructure and tools.

Getting a domain

A domain name needs to be convincing and similar enough to the domain of the legitimate website. One can use urlcrazy or catphish to generate a list of typo domains.

❯ urlcrazy linkedin.com

/img/posts/phishing/Pasted image 20210730085951.png

The domains marked are some examples of typo domains we can choose from. Rest are all in use.

For demo purposes, I’m going to buy a free domain from Freenom. They offer free domains from .tk, .ml, ga, .cf, .gq TLDs.

I’ll be buying linkdin.tk for now.

/img/posts/phishing/Pasted image 20210730091058.png

Note: Freenom is a bit buggy, so you may have to write the entire domain with TLD in their search to be able to select and put it in your cart

We have a Phishing domain where we will have our site on.


Getting a Phishing Machine

To run evilginx2 , the man-in-the-middle HTTP Proxy. I am using an Azure B1S Standard tier VM running Ubuntu 20.04 LTS, which I got free with my Azure for Students subscription.

Once the VM is created, go ahead and open the ports 80, 443 and 3333 for HTTP, HTTPS and GoPhish, which we will use later on, respectively.

/img/posts/phishing/Pasted image 20210731063903.png


Adding DNS Records

Go to the DNS Management page in your Freenom Domain and add the A record for WWW. /img/posts/phishing/Pasted image 20210731093400.png


Configuring EvilGinx2

First install Go by following the instructions here and make sure you add it to your $PATH.

Then, clone the repo for evilginx2 ; cd into the directory and make the binary. Additionally, add the binary to /usr/bin or /usr/local/bin and copy the phishlets and templates directory to /usr/share/evilginx to use the tool from any path.

❯ git clone https://github.com/kgretzky/evilginx2.git
❯ cd evilginx2                                       
❯ make           
❯ sudo cp bin/evilginx /usr/bin
❯ sudo cp -r phishlets/ /usr/share/evilginx/
❯ sudo cp -r templates /usr/share/evilginx/

Run evilginx2 and if the phishlets have been loaded successfully you should see the tool run.

/img/posts/phishing/Pasted image 20210731072503.png

Now edit the config to add your domain and IP and the redirect URL.

: config domain linkdin.tk
[01:25:52] [inf] server domain set to: linkdin.tk

: config ip 52.172.136.70
[01:25:59] [inf] server IP set to: 52.172.136.70

: config redirect_url https://xxxx.xxxx
[02:02:52] [inf] unauthorized request redirection URL set to: https://xxxx.xxxx

/img/posts/phishing/Pasted image 20210731074902.png

Any Scanners scanning your domain without the lure parameter will automatically get redirected to the redirect_url you set up here

We also need to set up a TLS Certificate for our domain. Luckily, the tool can handle that for us. Do the following;

: phishlets hostname linkedin linkdin.tk
: phishlets enable linkedin 

/img/posts/phishing/Pasted image 20210731075410.png

Our LinkedIn phishlet is all set up! /img/posts/phishing/Pasted image 20210731075612.png


Creating EvilGinx2 Lure

The next task is to create a lure, which would be the phishing URL to send the victims to.

: lures create linkedin 
[04:31:37] [inf] created lure with ID: 1

: lures get-url 1
https://www.linkdin.tk/BMvzCciy

We also need to add the URL the victim will get redirected to after logging in. This is different from the config redirect_url as that one is for the scanners and unintended users and this one is for the victims post-login.

: lures edit 1 redirect_url https://www.linkedin.com/
[04:46:06] [inf] redirect_url = 'https://www.linkedin.com/'

/img/posts/phishing/Pasted image 20210731101638.png

Once that’s it, you can navigate to the lure URL to make sure it’s working

If you did everything right, you should see a LinkedIn login page!

/img/posts/phishing/Pasted image 20210731102052.png

Congratulations! You now have a Phishing Website set up!

Note: You can run evilginx2 in a tmux session so that when you quit your ssh connection, the tool keeps on running.


The Phishing Mail

Infrastructure and Tools Used

  1. GoPhish: The phishing framework used to manage users, email templates and phishing campaigns.
  2. Mailgun: The email service used to send the emails to the victims.

Installing GoPhish

GoPhish is an open-source phishing framework which makes it easy to configure, run and track Phishing campaigns. Install it by either downloading the binary for your system from here, or you can build it for your system using;

❯ go get github.com/gophish/gophish

Then navigate to the directory of installation, (usually ~/go/src/github.com/gophish/gophish) and run go build. You should have a binary called gophish in your directory. In the same directory, there should be a file called config.json. Here, change the listen_url from 127.0.0.1:3333 to 0.0.0.0:3333.

/img/posts/phishing/Pasted image 20210802202324.png

You can now run the binary;

sudo ./gophish

You should probably run gophish this in the same tmux session as evilginx2

/img/posts/phishing/Pasted image 20210802202557.png

The temporary credentials are printed in the logs here. Navigate to https://[your-ip]:3333 and login using these credentials. You are now in the GoPhish Admin Panel.

Setting up an Email Template in GoPhish

We set up and configure the email which shall be received by the victim here. To make a convincing email template, go through your own inbox and try to find an existing email from the website you’re trying to spoof. For my use case, I will use a Password-Reset Confirmation Email which I received from LinkedIn.

/img/posts/phishing/Pasted image 20210802212746.png

Click on the three-dot options button and Download the Email you want to use as a template.

/img/posts/phishing/Pasted image 20210802213141.png

Open the file and copy its contents. Now navigate to Email Templates tab and create a new template. Here, click on Import Email and paste the copied contents here. Optionally, check the Change Links to Point to Landing Page checkbox. This will change all the links in the mail to point to the spoofed landing page.

/img/posts/phishing/Pasted image 20210802213359.png

Now, in the HTML tab, modify the contents to your own liking.

Crafting a convincing email is very important, so if you’re doing this for an assessment, take your time to craft a phishing email.

For reference, here’s my template;

/img/posts/phishing/Pasted image 20210802214338.png

Setting up the Landing Page in GoPhish

The landing page is what you want users to “land” on once they click on the link in the email. Once in the GoPhish admin panel, navigate to Landing Pages and create a new page. Give it a page name and for the page content, add the following;

<html><head><script>
        window.location.replace("<YOUR EVILGINX LURE URL");
    </script>
</head><body></body></html>

It should look similar to this;

/img/posts/phishing/Pasted image 20210802203424.png

The phishing server runs on http:[your-ip]:80. This is the template variable for {{.URL}}. Whenever the victim navigates to this page (through the link they will be prompted to visit), they will get redirected to your evilginx2 lure.

Setting up Sending Profile with GoPhish and Mailgun

Now that we have the phishing mail, the spoofed website and the all the tools, all we need to do is send the email. For this, we will use Mailgun’s free tier user account. Make an account at Mailgun and navigate to the sending tab. Here, in the SMTP section, you’ll notice your SMTP credentials.

/img/posts/phishing/Pasted image 20210802220509.png

Also add Authorized Recipients. As a free tier user, only authorized recipients can receive emails from your Mailgun account.

/img/posts/phishing/Pasted image 20210802220837.png

Now, in the Sending Profile in the GoPhish panel, make a new profile and copy your credentials and config here as follows.

/img/posts/phishing/Pasted image 20210802220749.png

You can also verify your domain and send mails through that by following the steps here.

Adding Users in GoPhish

You have to add the victims in the Users & Groups section. Navigate to the section, and you’ll see you can either do it manually or in bulk using their CSV template.

For demo purposes, I’ll be sending the mail to myself, so I’ll add my user in manually.

/img/posts/phishing/Pasted image 20210802222020.png

Creating and Launching the Campaign

All your GoPhish set up is done! Now all you have to do is create a new campaign in the campaign section, add all the config you’ve done and launch it!

/img/posts/phishing/Pasted image 20210802222457.png

Now, it is very likely that your email has been marked as a phish and has been moved to the Spam folder. You can go to the link in the mail, and you’ll notice something like this;

../img/posts/phishing/Pasted image 20210803064238.png

Click proceed and look! evilginx2 has started logging all the data of the new visitor (you).

On entering the password, you can see evilginx2 capturing the credentials and displaying them.

../img/posts/phishing/Pasted image 20210803064622.png

Running the sessions command will show you all the user credentials and cookies you’ve captured, though this is out of our current scope.

Final Thoughts

Congrats! You’ve successfully understood how to run a phishing campaign, and that too without shelling out a single rupee! Given there are a few caveats, the phishing mail gets marked as a phishing mail, but that can be avoided by using a little trustworthy domain and shelling out some cash for a premium Mailgun account.

Note that this is just the beginning of how you can conduct phishing assessments. Once you proceed further, the complexity increases. Automation, spam evasion, bypassing filters, aging your domains etc., come into play. To get a better insight into some of these topics, you can check out @grahamhelton3’s course on Practical Phishing Assessments here.

Be sure to reach out to me @alt__glitch for any fixes or queries regarding this blog, or to just talk security!

Happy Hacking!