This is the second part of the blog post series related to the preparation of a phishing campaign for security awareness training or red team operation. In part one, you could read how to set up tools like VPS, domain, SSL cert, and install GoPhish. This post will get your trough on how to use GoPhish, and how to set up and run your first phishing campaign.
Setup presented in this post will not require you having your own SMTP server or access to an SMTP relay to send emails. For simplicity, we will be using outlook.com, but any other free email provider could do the trick. Having your own configured SMTP server or having access to any SMTP relay can be better for more advanced scenarios.
Logging In
In the first post, we ended up with configured and started GoPhish on our server. So without further ado let’s login to GoPhish. Go to: https://your_domain.xxx:admin_server_port.
Login with default creds: login admin
and password gophish
Change the password after the login.
Configuration – Sending Profiles
We will start by creating Sending Profiles. Sending profiles is a configuration of SMTP host and user on the host from which we will be sending phishing emails. For sending a profile you could input data of one of your compromised email accounts of your target company. Or you could also use the account from your own SMTP server. For the purpose of this example, I will be sending emails from a free outlook.com account. If you want to send from any other free email provider (i.e. Gmail) obviously you need to have an account there. Be aware as sending from some free email providers might be problematic and you might need to configure some additional settings. For outlook.com as of writing this post, in order to send more than 5 emails it was sufficient to add and verify a mobile phone number.
Insert your valid account data, make notice on host field format for the host: server_address:smtp_port
. To test if it’s working, use “Send Test Email” and send it to your own email address. If the email arrives, save the profile.
Configuration – Email Templates
Once you configured how you will be sending emails, now is time to prepare the email template. An email template is what the targeted victim receives. Email can be a plain text or in HTML format. Email content should convince a victim to click the link and possibly provide credentials. I believe you should already have some idea what content should be inside. Phishing is a Social Engineering technique so use your imagination to make your victim click.
You may notice some fields in this example have brackets. To insert your phishing URL and for example name or surname of the victim, you can use the template hooks. For example, paste this hook into the email body: {{.URL}}
and you will get the phishing campaign-unique URL in a given place of your email.
For full template reference go there: https://docs.getgophish.com/user-guide/template-reference
If you wish to use HTML email templates, you can create your own or search some preprepared ones on GitHub or google. Few examples: https://github.com/search?q=PhishingTemplates.
You can check the checkbox for pixel tracking, so if the victim’s mail client allows displaying remote content, you will be notified when they open the email.
Configuration – Landing Pages
Now we will configure the landing page. A landing page is what users will be directed once they click on the link sent in the email body (an {{.URL}} hook). To create a landing page, the best is to clone a site, play with the Import Site button. Depending on your phishing theme context, it can be a mail login page of your target organization or some other web application login from which you want to collect credentials. Remember to click “Capture Submitted Data” (as well as “Capture Passwords” if also needed – but remember they are stored in clear text in the current version of GoPhish).
The redirect page is not a mandatory setting, but you could use it to redirect the user to the real page after they submit their credentials to GoPhish. This way they can eventually login without realizing that they were phished.
If you don’t want to collect credentials, but just count clicks of your victims instead, you can just simply create any dummy page informing the user that he/she was just phished. This is good for security awareness training.
The look of the imported website might not always work flawlessly. Some pages will not be cloned or will not look exactly as on the live version. Some will require to do just some small tweaks in the HTML code. Most changes will require you to fix CSS and image relative links to point exactly on the location of the server they come from. Other sites might be intentionally blocked by some JavaScript code not allowing to be cloned.
Configuration – Users & Groups
We now know how to send emails (sending profiles), we have our email and a landing page, now it’s time to configure our targets. Go to Users and & Groups and fill the list of your email recipients.
You can also bulk import users from a CSV file in the below format:
First Name,Last Name,Email,Position
Example,User,foobar@example.com,Systems Administrator
Few words to complete this section. From my experience it’s better not to create large recipient groups, it is better to create several groups with smaller number of emails. i.e. five emails per group. This will create less noise on the SMTP servers and is more likely to go unnoticed.
Configuration – Campaign
The last step is to create and launch a campaign, it will be a quick one as all you need is just to pick one of the previously created configurations. One important field is the URL – it must contain a domain name configured with the https protocol (if you configured SSL).
Also, remember (in order not no burn your work) to test before launching.
Once you hit launch you will see stats of how many emails were delivered, and other useful info like who clicked the link or submitted data.
Conlusion
I hope I briefly described the process of launching a simple phishing campaign for security awareness training or red team operation with this great and easy to use framework. I wish you successful phishing!
References:
https://docs.getgophish.com
https://github.com/gophish/gophish