How to prepare a phishing campaign with GoPhish – part 1 tools

You might need to perform security awareness training related to phishing for your customers, or you may be starting a red team operation and want to begin with phishing. Either way, you start looking for tools and available options. This is what happened to me, and in this post you will read how to prepare the tools to conduct a phishing campaign with the open-source Gophish framework. We will also configure the rest of the necessities, namely the VPS server, the domain, and the SSL certificate; in the second post, I will guide you on how to use this tool to send the first phishing emails.

As mentioned above, we will be using the open-source Gophish framework, which is excellent for launching phishing campaigns quickly. This easy-to-use tool with great documentation will help your customer see which employees lack security awareness and click those nasty links in phishing emails.

What will be needed

To get things done you will need:

  • a VPS server from any provider of your choice (my preference is Digital Ocean for its simplicity and speed – if you wish to get $100 of free credit and support this blog, create an account from this referral link),
  • a convincing phishing domain.

Setup virtual private server

As a base for our VPS setup, I will use Digital Ocean’s smallest droplet with Ubuntu 18.04 LTS, which is enough for our needs. When creating the droplet, pick the region closest to your location and add an SSH key for login, then launch the droplet. Once all is done, log in with SSH.

What is great in Digital Ocean is that they have tons of tutorials on how to perform almost every task, from simple initial configuration to advanced topics. Here is one guide explaining how to create and set up your first droplet: https://www.digitalocean.com/docs/droplets/how-to/create/ and here you can read how to prepare your VPS in order to follow best security practices https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04.

Digital Ocean droplet setup

Install and initially configure Gophish

1. Go to the Gophish GitHub repository releases page, https://github.com/gophish/gophish/releases/, and find the appropriate version; in our case, 64-bit Linux.
Gophish GitHub repository release folder

2. From your VPS terminal, download and unzip the archive:

$ sudo wget https://github.com/gophish/gophish/releases/download/v0.9.0/gophish-v0.9.0-linux-64bit.zip
$ sudo unzip gophish-v0.9.0-linux-64bit.zip

3. Now update the Gophish listening address in its config file, config.json. Use your favorite editor and change the listen_url in the admin_server section to 0.0.0.0:port_number, where port_number is the TCP port on which you will log in to the Gophish dashboard. I suggest changing the default port to something different; for this example, I used port 8634. Binding to 0.0.0.0 makes the dashboard reachable from any address, so limit that port to your own IP address in the droplet firewall. Save and exit.

Gophish config.json initial setup

4. Run Gophish for the first time to check that everything works, using the command below:

$ sudo ./gophish

If everything went well, you can check your initial Gophish login page under https://droplet_IP:port. You should see a certificate error, but we will solve this issue in later steps.

5. Log in with the default credentials and change the password of the admin user. The default username is admin and the default password is gophish. For now, you can stop the Gophish server.

Assign a domain to your VPS

Now we will configure the domain and point it to your Digital Ocean VPS. If you don’t have a domain yet, use your favorite domain registrar. If you don’t want to pay, look for a free domain registration service.

Of course, the more convincing the registered domain name, the more likely your targets are to click the link. You could approach this in several ways, such as looking for expired domains with names similar to your target domain. One additional benefit is that these domains are already categorized and will most likely pass spam filters if you plan to use the domain later for more advanced phishing. You could also use typo-squatting or homoglyph techniques for your domain names.
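Seen from the receiving side, the typo-squatting and homoglyph names mentioned above are what a mail gateway or SOC has to catch. The following is an added example, not part of the original post: it labels observed sender domains against a protected domain. The confusables table, the `example.com` names and the one-edit threshold are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption); production
# detection would load the full Unicode confusables data instead.
CONFUSABLES = {"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def skeleton(domain):
    """Fold a domain to a comparison form: NFKC, lowercase, map confusables."""
    text = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return folded.replace("rn", "m")  # "rn" renders like "m" in many fonts

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed, protected, max_typos=1):
    """Label one observed sender domain relative to the protected domain."""
    if observed.lower().rstrip(".") == protected.lower():
        return "exact"
    seen, own = skeleton(observed), skeleton(protected)
    if seen == own:
        return "homoglyph"
    if edit_distance(seen, own) <= max_typos:
        return "typo"
    return "unrelated"

# Constructed sample: sender domains as they might appear in mail gateway logs.
OBSERVED = ["example.com", "examp1e.com", "ex\u0430mple.com", "exarnple.com",
            "exampl.com", "example.org"]

def triage(protected="example.com"):
    """Classify every constructed sample domain against the protected one."""
    return {d: classify(d, protected) for d in OBSERVED}

if __name__ == "__main__":
    for domain, label in triage().items():
        print(f"{label:10} {domain!r}")
```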

In your domain registrar’s panel, point your registered domain to the Digital Ocean DNS servers, which are:

ns1.digitalocean.com; ns2.digitalocean.com; ns3.digitalocean.com

Once done, go to the Digital Ocean networking panel and enter the domain name, pointing it to your VPS:

Adding a domain to your droplet

A few minutes later, after the DNS changes propagate, you can verify the new settings by going to this URL and adding your domain name: https://check-host.net/ip-info?host=<yourdomain>. Then check that it points to your VPS IP address. Alternatively, you can test with the python3 http.server module by running the command below and entering your domain name in the web browser. Run it from an empty directory, because it serves every file in the current directory.

$ sudo python3 -m http.server 80

Add a free SSL certificate from Let’s Encrypt

Time to configure a free SSL certificate from Let’s Encrypt. This is an optional step but will definitely help your phishing site look more legit and less suspicious.

First, we download the certbot tool and make it executable.

$ sudo wget https://dl.eff.org/certbot-auto
$ sudo chmod a+x certbot-auto

Next, run the command below. It installs the necessary dependencies first.

$ ./certbot-auto certonly -d <your_domain.xxx> --manual --preferred-challenges dns

When it finishes installing, you will be asked several questions. Answer them similarly to what is shown in the picture below. At the last step, wait before pressing Enter, as you will need to add a TXT record.

Series of questions in order to create Let’s encrypt SSL certificate

The last step is to verify that the domain for which you are requesting a certificate belongs to you. Go to the domain control panel in Digital Ocean and enter your DNS TXT values as in the screenshot below. Put _acme-challenge in the hostname field of the TXT entry. Lastly, wait a few minutes for DNS propagation and press Enter in the certbot menu.

Adding a DNS TXT challenge request record for your domain in Digital Ocean control panel

If everything went OK, you can copy the created certificates to your Gophish directory:

/opt/gophishdir$ sudo cp /etc/letsencrypt/live/yourdomain.xxx/fullchain.pem phishing.crt
/opt/gophishdir$ sudo cp /etc/letsencrypt/live/yourdomain.xxx/privkey.pem phishing.key

Update the Gophish config.json file so that it points to the certificate files you just copied to the Gophish directory. Also, change the port number to 443:

Updated config.json

When that’s done, run sudo ./gophish and check that you can see the Let’s Encrypt certificate in the web browser. Navigate to https://your-domain.xxx:<your_port>.
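Before leaving the server running, the two config.json edits made in this guide (the listening address and the certificate paths) can be checked automatically. This is an added example, not part of the original post or of the Gophish project; the sample config is constructed in the layout of Gophish's config.json and assumes both listeners use the copied phishing.crt and phishing.key.

```python
import json
import os
import stat

# Constructed sample in the layout of Gophish's config.json. Assumption: both
# listeners use the copied Let's Encrypt files; the admin port is the guide's.
SAMPLE = """{
  "admin_server": {"listen_url": "0.0.0.0:8634", "use_tls": true,
                   "cert_path": "phishing.crt", "key_path": "phishing.key"},
  "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": true,
                   "cert_path": "phishing.crt", "key_path": "phishing.key"}
}"""

WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}

def audit(config, base_dir="."):
    """Return (section, finding) tuples for one parsed config.json."""
    findings = []
    for section in ("admin_server", "phish_server"):
        srv = config.get(section, {})
        host = srv.get("listen_url", "").rpartition(":")[0]
        # The admin dashboard should not be reachable from every interface.
        if section == "admin_server" and host in WILDCARD_HOSTS:
            findings.append((section, "admin UI listens on all interfaces"))
        if not srv.get("use_tls"):
            findings.append((section, "TLS disabled"))
            continue
        for key in ("cert_path", "key_path"):
            path = os.path.join(base_dir, srv.get(key, ""))
            if not os.path.isfile(path):
                findings.append((section, f"{key} not found"))
            elif key == "key_path" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((section, "private key accessible to group/others"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(json.loads(SAMPLE)):
        print(f"{section}: {finding}")
```

To audit a real installation, load the file with `json.load(open("config.json"))` and pass the Gophish directory as `base_dir`.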

Finally

In this short post, I hope I presented a helpful guide on how to prepare a phishing campaign. Now it is your turn to log in to Gophish and send your first campaign. It shouldn’t be hard, as Gophish has a very easy-to-understand web GUI. In case you get lost, you can read the second blog post, in which I describe step by step how to prepare a campaign and send the first phishing emails.

References:
https://docs.getgophish.com
https://github.com/gophish/gophish