Phishing with Gophish

Setting up Gophish, a popular open source phishing framework, on a VPS server and attempting to bypass the spam checks of email providers such as Gmail and Yahoo. Contributors - @5kYp01n7

1. Setting up a Domain Name

a) Getting Trusted TLD

Get a trusted TLD such as .com, .net, etc. ".xyz" is flagged as an untrusted TLD by Apache SpamAssassin's "PDS_OTHER_BAD_TLD" rule. In the below screenshot you can see ".xyz" being flagged.

The below screenshot shows it as a bad TLD as well.

b) Domain Name Variations

For this article, we are trying to send phishing emails to a hypothetical organization "ressurect". Let's try to find some domains that look similar to theirs using these websites:

c) Check if the Domain Name is in a Blacklist

Let's head off to the Spamhaus Project to check if the domain name has been blacklisted before. Note: Apart from the domain name, the IP address of the VPS server being used could also be in a blacklist and could be blocked by the email service provider.

d) Setting up SPF, DMARC and DKIM

In order to send mails from "mail.ressurect.xyz", we will set the following records.

d.1) SPF (Sender Policy Framework)

v=spf1 a:mail.ressurect.xyz -all

d.2) DMARC

v=DMARC1; p=none; rua=mailto:admin@mail.ressurect.xyz

d.3) DKIM

If you've already set up postfix on your VPS server, you'll need to follow this article to set up DKIM. If not, you need to install postfix first and then set up DKIM.

Host: default._domainkey.mail
Value: v=DKIM1; k=rsa; p=[redacted]

Once set up, wait a few minutes for the changes to propagate to the nameservers of the registrar from which your domain was purchased.

In order to verify all the SPF, DMARC and DKIM records, run the following commands:

dig +noall +answer mail.ressurect.xyz txt
dig +noall +answer _dmarc.mail.ressurect.xyz txt
dig +noall +answer default._domainkey.mail.ressurect.xyz txt
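Beyond confirming that the three records exist, a receiving mail gateway (or a defender auditing its own domain) cares about what they actually enforce. The following added example is not part of the original article; it audits constructed copies of the records set in section 1.d (the DKIM key is a placeholder) and shows why the article's DMARC p=none gives no protection against spoofing:

```python
# Constructed sample TXT records matching section 1.d (the DKIM key is a placeholder).
SAMPLE_RECORDS = {
    "mail.ressurect.xyz": ["v=spf1 a:mail.ressurect.xyz -all"],
    "_dmarc.mail.ressurect.xyz": ["v=DMARC1; p=none; rua=mailto:admin@mail.ressurect.xyz"],
    "default._domainkey.mail.ressurect.xyz": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC/DKIM record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    """The terminator decides what receivers do with senders not listed in the record."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    if terms[-1] == "-all":
        return []
    if terms[-1] == "~all":
        return ["SPF: ~all is a softfail; unlisted senders only get a lower score"]
    return ["SPF: no -all terminator, so unlisted senders are not rejected"]

def check_dmarc(record):
    """p=none (as in the article) only reports; receivers still deliver spoofed mail."""
    tags = parse_tags(record)
    findings = [] if tags.get("v") == "DMARC1" else ["DMARC: missing v=DMARC1"]
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings

def check_dkim(record):
    """An empty p= tag means the selector's key was revoked; no key means no signing."""
    tags = parse_tags(record)
    return [] if tags.get("p") else ["DKIM: empty or missing p= tag, key revoked"]

def audit(records):
    """Route each TXT record by its content or owner name and collect the findings."""
    findings = []
    for name, txts in records.items():
        for txt in txts:
            if txt.lower().startswith("v=spf1"):
                findings += check_spf(txt)
            elif name.startswith("_dmarc."):
                findings += check_dmarc(txt)
            elif "._domainkey." in name:
                findings += check_dkim(txt)
    return findings
```

To run it against live DNS, feed the TXT strings returned by the dig commands above into audit() in place of SAMPLE_RECORDS.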

e) Setting up Reverse DNS

This is necessary as well, to make sure the IP address of the SMTP server from which the email was sent points back to the domain name used for the email address. It is fairly simple on DigitalOcean: we just need to edit the name of the droplet.

Run the following command to verify: nslookup <server IP>

2. Installing Gophish

Download the source code of Gophish. We will now modify its code as per the following article:

https://www.redteam.cafe/phishing/gophish-mods

The "gophish" keyword appears mostly in the headers of the emails that are sent. You could also manually remove the occurrences of the keyword by searching with grep and carefully editing the files: grep -ir gophish

Compile the project: go build

The DigitalOcean VPS doesn't have the basic packages needed to build the Go binary. Run the following commands if installing from scratch:

yum group install "Development Tools"
wget https://go.dev/dl/go1.17.6.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.17.6.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
go build

3. Installing SSL/TLS Certificate

You'll need to install an SSL certificate if the Gophish landing page (the phishing webpage) needs to be accessible over HTTPS. Run the following commands:

curl https://get.acme.sh | sh -s email=root@mail.ressurect.xyz
acme.sh --issue -d mail.ressurect.xyz --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
# Add a TXT record "_acme-challenge.mail" with TTL 1 min
acme.sh --renew -d mail.ressurect.xyz --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Once done, edit the config.json file in the Gophish directory and provide the path to the SSL certificate and private key generated from acme.sh:

{
	"admin_server": {
		"listen_url": "0.0.0.0:36101",
		"use_tls": true,
		"cert_path": "/root/Gophish/cert/domain.crt",
		"key_path": "/root/Gophish/cert/domain.key"
	},
	"phish_server": {
		"listen_url": "0.0.0.0:443",
		"use_tls": true,
		"cert_path": "/root/Gophish/cert/domain.crt",
		"key_path": "/root/Gophish/cert/domain.key"
	},
	"db_name": "sqlite3",
	"db_path": "gophish.db",
	"migrations_prefix": "db/db_",
	"contact_address": "",
	"logging": {
		"filename": "",
		"level": ""
	}
}

Note: Setting the "listen_url" to "0.0.0.0:36101" for "admin_server" makes it accessible over the public IP. Hence, we changed the default port of 3333 to 36101. We would suggest setting up an iptables rule. If you haven't worked with firewall rules before, set the rules carefully; you may block yourself from the SSH connection as well. If you're connected to your company's VPN, the following commands drop all traffic to port 36101 except from your company's IP. Yes, the order matters:

iptables -A INPUT -p tcp --dport 36101 -s <IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 36101 -j DROP

4. Setting up a Gophish Campaign

4.1) Sending Profile

This will be the details of your SMTP server. A genuine-looking sender address could be "no-reply@mail.ressurect.xyz".

4.2) Landing Page

This would be the webpage that the phishing URL points to. We could perform OSINT to discover the target organization's login pages. The login pages of 3rd-party applications that the organization uses could work just as well.

4.3) Email Template

This is by far the trickiest part, and it is where your email gets decided as spam or not.

Note: During our research, we were able to successfully deliver the email to the inbox of a Yahoo account, whereas Gmail marked it as spam. The sender's email address was successfully spoofed as well in Yahoo Mail. We are currently researching, as you read this, how to bypass the spam filters in Gmail and Outlook. Outlook is no joke when it comes to detecting spam. Please read some information on it in the Appendix A section.

Tips:

  • Place the email body at Autoklose Email Spam Checker to detect the usage of spam words: https://autoklose.com/email-spam-checker/

  • Apache SpamAssassin will flag your email if its size is too small. The solution is to add more words; specifically, the e-mail size has to be over 3200 bytes to not be flagged by the set of "HTML_IMAGE_ONLY_xx" rules.

  • Place the {{.URL}} in the email template to redirect to the landing page.

Note: The above email was not the one that bypassed the Yahoo Mail spam filter. It is for reference purposes only.

4.4) Users and Groups

This would contain the email addresses of the target users who will receive the phishing emails. Add legitimate-looking names like "Ravish Yadav" etc., as these are part of certain spam checks.

Some websites offer spam checks online, one being mail-tester. Choose the email address displayed on their website and add it to the Gophish "Users & Groups".

4.5) Campaign

Fire up the campaign by choosing the landing page, email template, sending profile and users. The URL would be "mail.ressurect.xyz". This is what is used for the landing page, e.g. mail.ressurect.xyz?rid=124

5) Spam Check

Checking it on mail-tester.com, we got a decent score of 7.1. This could have been >9.

As mentioned above while setting up the domain name, the TLD ".xyz" received an aggregate negative score of -2.4. In addition, the domain name was recently registered.

6) Summary

What we learned so far:

  • No matter how well you've tried to bypass the spam filters, not everyone (all departments) in the target organization may receive the phishing email. Try sending phishing emails to a certain user within the target organization and confirming whether they reached the inbox. Even if all are received successfully, chances are that different departments have individual policies as well, and some may be bypassed and some may not. If nothing is consistent... get the freakin' IP address whitelisted.

7) To-Do

Appendix A - Bypassing O365 Spam Filters

https://docs.microsoft.com/en-us/exchange/troubleshoot/antispam-and-protection/cautions-against-bypassing-spam-filters

  • If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through. Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time.

  • It is important that you take the following precautions:
    ◇ Never put domains that you own onto the Allow and blocklists.
    ◇ Never put common domains, such as microsoft.com and office.com, onto the Allow and blocklists.
    ◇ Do not keep domains on the lists permanently unless you disagree with the verdict of Microsoft.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide

(Recommended) Use mail flow rules

Checklist - O365 spam/antiphishing bypass filter checklist

  • Are there links in the email that point to login pages that are detected by link protection scanning mechanisms?
  • Is the attachment in the email known to be malicious? Or is it detected or flagged by signature-based systems?
  • (custom) Is the sender domain a permutation of the receiving domain?
  • (custom) Is the sender domain a newly created or uncategorized domain?

Content Filtering

  • Disabling image links (or "bugs", an indicator used by phishing platforms to determine if targets opened the initial email).
  • IP address links, which are commonly used to bypass web proxy filters on an internal network.
  • Domain TLD blacklists.
  • Content-specific filtering, blocking of sensitive words or other indicators.
  • Identifying if links within emails point to downloadable content (think binaries and documents) and passing these through their attachment scanning engines.
  • Analyzing URL reputation from various partner sources, identifying whether or not the URL is malicious.

O365 Advanced Threat Protection (ATP) Add-on

  • Spoof intelligence, a mechanism in place to detect spoofed email to/from your organization domain.
  • Machine learning and other capabilities for detecting phishing emails.

ATP and the "Safe Links" Rewrite Feature

  • Determine if the link is blacklisted by the organization.
  • Identify whether the link points to downloadable content (documents, binaries) and scan them.
  • Has the link been designated as malicious previously?

Safe Links policy options (policy applies to users, groups, domains):
  - Real-time URL scanning for suspicious links and links that point to files
  - Wait for URL scanning to complete before delivering the message
  - Apply Safe Links to email messages sent within the organization
  - Select the action for unknown or potentially malicious URLs within Microsoft Teams
  - Do not track user clicks
  - Do not allow users to click through to original URL
  - Do not rewrite the following URLs

Safe Links possible bypasses:
  - Send an email to someone containing an evil link without the link.
  - Organizations add their own domains to the Safe Links whitelist policy, so URL obfuscation techniques can be used.
  - Block or redirect requests from Exchange Online Protection by blocking the EOP IP ranges (available online) on your webserver with some .htaccess rules.
  - Replace the phishing URL's site content after the message has been scanned (less chance of this being implemented at the victim).
  - Fool Microsoft's Safe Links: <a x=">" href="http://badurl.com">click me</a> ^--- the regex? engine stops detecting the <a> tag here and leaves the href unchanged.
  - Another obvious way to fool the Safe Links rewriter is to use a <form> tag (it may not work in all email clients). You may be safe until spammers figure this out. <form action="http://badurl.com"><input value="click me"></form>
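The last two bypasses above only work against a link scanner that tokenizes HTML with a regex. The following added example (not from the original page, written from the gateway's side) contrasts such a naive regex with Python's standard html.parser on a constructed email body built from the two quoted patterns; a real HTML tokenizer still surfaces both the hidden href and the form action, which is what a gateway should feed into its URL scanning:

```python
import re
from html.parser import HTMLParser

# Constructed sample body using the two patterns quoted in Appendix A plus a normal link.
SAMPLE_HTML = (
    '<p>Hi,</p>'
    '<a x=">" href="http://badurl.com">click me</a>'
    '<form action="http://badurl.com/login"><input value="click me"></form>'
    '<a href="https://example.com/ok">normal</a>'
)

# A naive rewriter that scans an <a ...> tag only up to the first '>' before reading href.
NAIVE_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"', re.IGNORECASE)

def naive_extract(html):
    """hrefs a regex scanner finds; the x=">" trick hides the first link from it."""
    return NAIVE_ANCHOR.findall(html)

class LinkExtractor(HTMLParser):
    """Collects URL-bearing attributes the way a real HTML tokenizer sees them."""
    URL_ATTRS = {("a", "href"), ("area", "href"), ("form", "action"), ("img", "src")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Quoted attribute values may legally contain '>', so the parser does not stop early.
        for name, value in attrs:
            if (tag, name) in self.URL_ATTRS and value:
                self.urls.append(value)

def parser_extract(html):
    """URLs a gateway should scan: anchor hrefs, form actions and image sources."""
    extractor = LinkExtractor()
    extractor.feed(html)
    extractor.close()
    return extractor.urls
```

Including ("img", "src") also surfaces the tracking-pixel "bugs" mentioned under Content Filtering.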
