Effective Phishing With GoPhish


EFFECTIVE PHISHING

with

GOPHISH

CactusCon 2019 | Mesa, AZ
Jayme Hancock | BSI CSIR US


ABOUT
Senior Network Penetration Tester for BSI AppSec
GXPN, OSCP, OSWP, CISSP, etc.
Co-Instructor: Full Scope Social Engineering @ BlackHat
Practical Remote Social Engineering @ WWHF
On Twitter at @highmeh

PHISHING OVERVIEW
Why is this important?

ABOUT THIS TALK

For beginners
(although 1337 SE’s may learn something, too)

Quickly set up a phishing server and build campaigns

Track user behavior –or- pwn users more effectively

The best way to teach good habits? Constant reinforcement

And finally…

…IT’S FUN TO DO BAD THINGS.

PHISHING BY THE NUMBERS
For the C-Levels

33% of breaches in 2018 involved social engineering
32% of breaches in 2018 involved phishing
29% of breaches in 2018 used stolen credentials

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

78%
…of all espionage incidents involved phishing

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

OVERVIEW

Blue Team
• Set up a GoPhish Server
• Build believable campaigns
• Scale up sophistication
• Track user interaction, reporting, and trends

Red Team
• Set up a GoPhish Server
• Build malicious portals to capture credentials
• Deliver payloads and reuse credentials

GOPHISH FRAMEWORK

https://getgophish.com/
• Mature and Robust
• Actively Maintained
• GUI and API
• FREE

GOPHISH SETUP IN 5 MINUTES

• Spin up an EC2 Instance
• Log in via SSH
• Install Golang
• Download and unzip GoPhish
• Run GoPhish

GOPHISH SETUP IN 5 MINUTES

• Download and Configure (Details)

On your host:
$ ssh user@ip_or_hostname

On your server:
$ sudo apt-get update && sudo apt-get -y install golang unzip
$ wget https://github.com/gophish/gophish/releases/download/v0.8.0/gophish-v0.8.0-linux-64bit.zip
$ sudo unzip gophish-v0.8.0-linux-64bit.zip -d /opt/gophish
$ cd /opt/gophish
$ tmux new -s gophish *
$ sudo ./gophish
* Optional, kinda

GOPHISH SETUP IN 5 MINUTES

• Log In

On your host:
$ ssh -Nf -L3333:localhost:3333 user@ip_or_hostname

In your browser:
https://127.0.0.1:3333
Username: admin
Password: gophish

…but it doesn’t do anything yet.

GoPhish is a framework used to create and manage phishing campaigns, but it doesn’t create anything by default.

Fortunately, it’s painless to set up a campaign from scratch.

BUILDING A CAMPAIGN: THE PIECES

Users & Groups: A list of users you want to phish, including emails, names, and titles
Email Templates: The actual e-mail you want to send, in HTML, text, or both
Landing pages: The page that users are sent to and interact with, if they click the link
Sending Profile: The email server itself, and the settings that allow your phish to be sent

A Campaign consists of all of the above items together:

Email Template sent via Sending Profile to User Group directing to a Landing Page

BUILDING A CAMPAIGN: MIX AND MATCH!

GROUPS: Executives, IT, Cust Svc, Interns
EMAILS: Your password has expired; Secure Message from Human Resources; Changes to Dress Code
PAGES: Office 365; Intranet; Phishing Training
SENDING PROFILES: AWS SES; Exchange; Sendmail

LET’S BUILD A CAMPAIGN!

In the next few slides, we’ll build out a phishing campaign in GoPhish, step by step.

LET’S BUILD A CAMPAIGN! Sending Profile

The sending profile tells GoPhish how to send the email itself.

The only required fields are Name, From, and Host – but your server may require a username and password, too.

LET’S BUILD A CAMPAIGN! Users and Groups

Users and Groups lets you enter logical groups of targets to phish.

The only required field is Email, but entering all fields allows you to pull from those fields into emails for a tailored phish.

Tip: You can batch-upload via CSV file

LET’S BUILD A CAMPAIGN! Landing Page

The landing page dialog gives you a WYSIWYG editor to build the page the user will see when they click the phishing link.

If “Capture Submitted Data” is checked, any posted forms will capture all user input (except passwords).

LET’S BUILD A CAMPAIGN! Landing Page

You can also import a valid site by using the “Import Site” function.

This hotlinks images and keeps links intact, so be careful!

Note: Some scripts may not work – test before going live with a phishing campaign.

LET’S BUILD A CAMPAIGN! Landing Page

For red team or offensive campaigns, the landing page dialog box has an option to capture passwords, and to redirect users to another page after the form is posted.

Red Tip: Send the users to a malicious payload (like an .hta) instead of a webpage
Blue Tip: Capture data but not passwords, redirect to a phishing education page

LET’S BUILD A CAMPAIGN! Email Template

The Email Template dialog contains the text and HTML emails that will be sent to your targets. Note you can import an email if you have one you want to clone.

LET’S BUILD A CAMPAIGN! Variables

You may have noticed code such as {{.FirstName}} in previous slides. These are variables that draw from other parts of GoPhish to customize a campaign.

Variables                                                          Source
{{.FirstName}}, {{.LastName}}, {{.Email}}, {{.Position}}            Users & Groups
{{.RId}}, {{.TrackingURL}}, {{.Tracker}}, {{.URL}}, {{.BaseURL}}    Campaigns
{{.From}}                                                          Sending Profile

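As an added example (not the author’s or GoPhish’s own code), here is how those {{.Field}} variables get filled in: GoPhish templates use Go’s text/template, so the snippet builds a stand-in context with the fields from the table and renders a template against it. The CampaignContext type, the NewContext helper and the way URL, TrackingURL and Tracker are derived from the campaign URL and RId are this example’s assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// CampaignContext is this example's stand-in for the values GoPhish hands to a
// template; field names mirror the variables table, the type itself is assumed.
type CampaignContext struct {
	FirstName, LastName, Email, Position    string // Users & Groups
	RId, URL, TrackingURL, Tracker, BaseURL string // Campaign
	From                                    string // Sending Profile
}

// NewContext derives the per-recipient values: the unique link is the campaign
// URL plus ?rid=<RId>, the tracking URL points at /track, and the tracker is a
// hidden image that loads it (this example's assumption about GoPhish's layout).
func NewContext(first, last, email, position, rid, baseURL, from string) CampaignContext {
	tracking := baseURL + "/track?rid=" + rid
	return CampaignContext{
		FirstName: first, LastName: last, Email: email, Position: position,
		RId: rid, URL: baseURL + "?rid=" + rid, TrackingURL: tracking,
		Tracker: fmt.Sprintf(`<img alt="" style="display: none" src="%s"/>`, tracking),
		BaseURL: baseURL, From: from,
	}
}

// Render fills a template with text/template, the package behind the {{.Field}}
// syntax; a variable missing from the context is an execution error, not a blank.
func Render(tmpl string, ctx CampaignContext) (string, error) {
	t, err := template.New("phish").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	ctx := NewContext("Alice", "Smith", "alice@example.com", "CFO", "a1b2c3",
		"https://phishingurl.com", "it-support@example.com")
	out, err := Render("Hi {{.FirstName}}, reset your password: {{.URL}} {{.Tracker}}", ctx)
	fmt.Println(out, err)
}
```

A misspelled variable such as {{.Firstname}} fails at Render time rather than going out as an empty string, which is worth checking before a campaign is sent.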
LET’S BUILD A CAMPAIGN! Creating The Campaign

The Campaign dialog box ties everything together. This allows you to mix and match by selecting one of each:

- Sending Profile
- User Group
- Email Template
- Landing Page

Note: As of this version, GoPhish doesn’t have a dropdown for the URL. Be sure this is typed correctly and uses the correct protocol!

LET’S BUILD A CAMPAIGN! Sending The Campaign

Once the campaign is sent and confirmed, the user receives an email. Note that the variables ({{.FirstName}}, etc.) are replaced with actual values.

If the phish is convincing, the user clicks your link…

LET’S BUILD A CAMPAIGN! Sending The Campaign

…and hits the landing page.

If the landing page is convincing, the user enters their creds…

LET’S BUILD A CAMPAIGN! Sending The Campaign

In the GoPhish Admin Console, under Campaigns, we can see a timeline of user interactions. Note that the one user in scope has opened the email, clicked the link, and entered data.

LET’S BUILD A CAMPAIGN! Sending The Campaign

Selecting a user and scrolling down gives a detailed timeline, and all submitted data. We’ve now got credentials to continue our attack.

Now that we can phish, let’s talk Phishing Strategy

BLUE TEAM
GOALS: Blue Team

• Metrics, Metrics, Metrics
• Measuring security posture
• User Awareness Training
• Justification of services / controls

GOALS: Blue Team

• Metrics, Metrics, Metrics
  • Built-in dashboard gives (limited) info at a glance

https://twitter.com/jw_sec

GOALS: Blue Team

• Metrics, Metrics, Metrics
  • Campaign Export:
    • Results (“Export CSV > Results”)
    • Raw Events (“Export CSV > Raw Data”)

GOALS: Blue Team

Phishing Lifecycle:
Only the latest step is reported in the “Results” output

Email Sent → Email Opened → Clicked Link → Submitted Data

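An added example, not from the deck: because each “Results” row carries only the recipient’s latest step, a per-stage count has to credit every earlier stage as well, otherwise “how many opened the email” comes out too low. The Go function below does that over a constructed CSV sample (the column layout, with status last, is assumed for this example and is not GoPhish’s exact export format).

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Lifecycle stages in order, as listed on the slide.
var Stages = []string{"Email Sent", "Email Opened", "Clicked Link", "Submitted Data"}

// Constructed sample shaped like a "Results" export; the column set is this
// example's assumption, not GoPhish's exact layout. Each row holds only the latest step.
const SampleResults = `id,email,status
1,alice@example.com,Submitted Data
2,bob@example.com,Clicked Link
3,carol@example.com,Email Opened
4,dave@example.com,Email Sent
5,erin@example.com,Email Opened
`

// Funnel returns, per stage, how many recipients reached at least that stage. A row
// records only its latest step, so "Clicked Link" also implies opened and sent.
func Funnel(results string) (map[string]int, error) {
	rows, err := csv.NewReader(strings.NewReader(results)).ReadAll()
	if err != nil || len(rows) < 2 {
		return nil, fmt.Errorf("unreadable or empty export: %v", err)
	}
	rank := map[string]int{}
	for i, s := range Stages {
		rank[s] = i
	}
	counts := map[string]int{}
	for _, row := range rows[1:] { // rows[0] is the header
		status := row[len(row)-1] // status is the last column in the constructed layout
		idx, ok := rank[status]
		if !ok {
			return nil, fmt.Errorf("unknown status %q", status)
		}
		for i := 0; i <= idx; i++ { // credit every earlier stage too
			counts[Stages[i]]++
		}
	}
	return counts, nil
}
```

On the sample this yields 5 sent, 4 opened, 2 clicked, 1 submitted; a naive count of the status column would report only one “Email Sent” and two “Email Opened”.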
GOALS: Blue Team

• Metrics, Metrics, Metrics
  • Reporting: GoReport
    - Clean reporting style
    - Customizable .docx
    - Perfect for internal deliverables

https://github.com/chrismaddalena/GoReport

GOALS: Blue Team

• Measuring Security Posture
  • Email Sophistication

What level of sophistication gets spotted/reported? Which slips through?

GOALS: Blue Team

• Measuring Security Posture
  • Email Sophistication

Do users open emails with attachments more often?

GOALS: Blue Team

• User Awareness Training
  • Redirect URL

Save static assets in:
gophish/static/endpoint

They’ll be served at:
https://phishingurl.com/static/file.html

GOALS: Blue Team

• User Awareness Training
  • Built-In Reporting

GoPhish has a “Report” functionality built-in. Navigating to:
https://phishingurl.com/report?rid={{.RId}}

sets the report flag to “Yes”

GOALS: Blue Team

• User Awareness Training
  • Built-In Reporting

Downside: Server-side code exists to handle reporting. Client-side does not.
- You can build an Outlook/Gmail plug-in
- You can give your admins a tool like PhishReporter.py:
  https://github.com/highmeh/phishing/blob/master/phishreporter.py

GOALS: Blue Team

• Justification of services / controls

Pretty self explanatory: If your users continue to click phishing emails despite testing and training, you may be able to justify implementing additional technical controls. Data talks.

RED TEAM
GOALS: Red Team

• Capture Credentials
• Deliver Payloads

GOALS: Red Team

• Capture Credentials
  • Raw Capture
  • Log in to service

Sends a POST request with the captured data in a separate browser window

GOALS: Red Team

• Deliver Payloads
• Email Attachment
• Host and redirect

GOALS: Red Team

• Deliver Payloads
  • Email Attachment
  • Host and redirect

Save payloads (ex: evil.hta) in:
gophish/static/endpoint

They’ll be served at: https://phishingurl.com/static/evil.hta

TARGET COLLECTION
The important part

TARGET COLLECTION

Targeting the right users is crucial to both red and blue team engagements

For Red: Staying in scope, finding likely targets

For Blue: Targeting training and continuous phishing

TARGET COLLECTION

Blue:

Determine users in scope, generate a list. Modify the list as data is gathered

Use Open-Source Intelligence Gathering to determine the footprint available to an attacker

TARGET COLLECTION

Red:

Ask for a list of approved contacts, or a list of users to exclude

Use Open-Source Intelligence Gathering to find your targets

TARGET COLLECTION

Automation

Multiple open-source tools exist to help collect target data from public internet sources.

TARGET COLLECTION

Automation: Lure

Lure scrapes webpages, pilfers email search pages, and checks databases to find targets. It’s designed to work with GoPhish.
https://github.com/highmeh/lure

BEST PRACTICES
Increasing Effectiveness

GENERAL TIPS: HTTPS

Configure HTTPS!

By default, GoPhish uses a self-signed certificate. This isn’t good if you want a successful campaign.

- Use Let’s Encrypt!
- After issuing a certificate, add the path to config.json and enable TLS:

"use_tls": true,
"cert_path": "/etc/letsencrypt/live/domain/fullchain.pem",
"key_path": "/etc/letsencrypt/live/domain/privkey.pem"

GENERAL TIPS: HTTPS

HTTPS: Multiple Phishing Domains

If you host multiple phishing domains, consider configuring a TLS certificate with Subject Alternative Names:

$ certbot certonly -d phishingdomain.com -d anotherphishingdomain.com -d athirdphishingdomain.com -d evenmorephishingdomains.net

GENERAL TIPS: TRANSPARENCY

GoPhish adds two headers to each email by default:

“X-Mailer: GoPhish”
“X-Gophish-Contact: admin@domain.com”

These add transparency to your campaigns:

- Identifies you as non-malicious to incident responders
- Provides an abuse contact

More info: https://github.com/gophish/gophish/issues/1057

GENERAL TIPS: TRANSPARENCY

Red teaming and afraid this will burn you?

Compile it yourself; comment out references to “X-Mailer” and “config.ServerName”:

gophish/models/maillog_test.go
gophish/models/maillog.go
gophish/models/smtp_test.go
gophish/models/email_request.go
gophish/models/email_request_test.go

GENERAL TIPS: MAIL SERVERS

High Reputation Mail Servers

Sure, you can install Sendmail and get your DNS records configured…

- Is the server configured properly?
- Are SPF, DKIM, and DMARC configured correctly?
- Has your mail server’s IP been blacklisted in the past?

Consider using a high reputation mail server; many are available for free under a certain threshold (usually around 10,000 emails per month). Ex: Amazon SES, Sendgrid

TAKEAWAYS
In summary…

KEY TAKEAWAYS

Phishing doesn’t have to be difficult.

Creating convincing campaigns shouldn’t be subject to your budget.

Attackers aren’t just hitting your external hosts and giving up – educate and prepare your users.

Numbers talk – baselining your users’ social engineering readiness will get initiatives pushed through faster.

THANKS!
ANY QUESTIONS?

@highmeh
