Phishing Methodology
Methodology
Recon the victim
Select the victim domain.
Perform some basic web enumeration searching for login portals used by the victim and decide which one you will impersonate.
Use some OSINT to find emails.
Prepare the environment
Buy the domain you are going to use for the phishing assessment
Configure the email service related records (SPF, DMARC, DKIM, rDNS)
Configure the VPS with gophish
Prepare the campaign
Prepare the email template
Prepare the web page to steal the credentials
Launch the campaign!
Generate similar domain names or buy a trusted domain
Domain Name Variation Techniques
Keyword: The domain name contains an important keyword of the original domain (e.g., zelster.com-management.com).
Hyphenated subdomain: Replace the dot of a subdomain with a hyphen (e.g., www-zelster.com).
New TLD: Same domain using a new TLD (e.g., zelster.org).
Homoglyph: Replaces a letter in the domain name with one that looks similar (e.g., zelfser.com).
Transposition: Swaps two letters within the domain name (e.g., zelster.com).
Singularization/Pluralization: Adds or removes an "s" at the end of the domain name (e.g., zeltsers.com).
Omission: Removes one of the letters from the domain name (e.g., zelser.com).
Repetition: Repeats one of the letters in the domain name (e.g., zeltsser.com).
Replacement: Like homoglyph but less stealthy. Replaces one of the letters in the domain name, perhaps with a letter close to the original one on the keyboard (e.g., zektser.com).
Subdomained: Introduces a dot inside the domain name (e.g., ze.lster.com).
Insertion: Inserts a letter into the domain name (e.g., zerltser.com).
Missing dot: Appends the TLD to the domain name (e.g., zelstercom.com).
Automatic Tools
Websites
Bitflipping
In the world of computing, everything is stored in bits (zeros and ones) in memory behind the scenes. This applies to domains too. For example, windows.com becomes 01110111... in the volatile memory of your computing device. However, what if one of these bits got automatically flipped due to a solar flare, cosmic rays, or a hardware error? That is, one of the 0s becomes a 1 and vice versa. Applying this concept to DNS requests, it's possible that the domain request that arrives at the DNS server isn't the same as the domain initially requested.
For example, a one-bit modification in the domain microsoft.com can transform it into windnws.com. Attackers may register as many bit-flipping domains as possible related to the victim in order to redirect legitimate users to their infrastructure.
For more information read https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/
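The same variation and bit-flip rules are what a defender runs against their own brand domain to decide which lookalikes to pre-register or to watch for in registration feeds and certificate-transparency logs. The script below is an added example, not code from the original page or from any tool it links; it implements a subset of the techniques listed above (hyphenated subdomain, new TLD, transposition, omission, repetition, missing dot) plus single-bit flips, and the list of alternative TLDs it tries is an assumption.

```python
"""Lookalike-domain candidates for brand monitoring (added example)."""
from __future__ import annotations

import string

# Characters allowed in a hostname label; DNS is case-insensitive, so the
# lowercase alphabet covers every letter.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain: str) -> tuple[str, str]:
    """'zeltser.com' -> ('zeltser', 'com'); single-label TLDs only."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def typo_variants(domain: str) -> set[str]:
    """Candidates produced by the typo-style techniques listed on the page."""
    name, tld = split_domain(domain)
    out: set[str] = set()
    # Transposition: swap two neighbouring letters.
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        out.add(f"{swapped}.{tld}")
    for i in range(len(name)):
        # Omission: drop the letter at position i.
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
        # Repetition: double the letter at position i.
        out.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")
    # Hyphenated subdomain: the dot after "www" becomes a hyphen.
    out.add(f"www-{name}.{tld}")
    # Missing dot: the TLD is glued onto the name and then repeated.
    out.add(f"{name}{tld}.{tld}")
    # New TLD: same name under other common TLDs (this list is an assumption).
    for new_tld in ("org", "net", "co", "info"):
        if new_tld != tld:
            out.add(f"{name}.{new_tld}")
    out.discard(domain.lower())
    return out


def bitflip_variants(domain: str) -> set[str]:
    """Domains one ASCII bit-flip away from the registrable label.

    Only flips that still yield a valid hostname are kept: a flip into an
    uppercase letter denotes the same domain, and a flip into a control or
    punctuation character cannot be registered at all.
    """
    name, tld = split_domain(domain)
    out: set[str] = set()
    for i, ch in enumerate(name):
        for bit in range(7):  # ASCII is 7 bits wide
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:
                continue
            candidate = name[:i] + flipped + name[i + 1:]
            if candidate[0] == "-" or candidate[-1] == "-":
                continue  # labels may not begin or end with a hyphen
            out.add(f"{candidate}.{tld}")
    out.discard(domain.lower())
    return out


if __name__ == "__main__":
    for d in ("zeltser.com", "windows.com"):
        print(d, "typo candidates:", len(typo_variants(d)))
        print(d, "bit-flip candidates:", sorted(bitflip_variants(d)))
```

Feeding the union of both sets into a WHOIS or passive-DNS lookup, or matching them against new certificate-transparency entries, gives a monitoring list; the bit-flip set for windows.com contains windnws.com, the case the linked article describes.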
Buy a trusted domain
You can search in https://www.expireddomains.net/ for an expired domain that you could use. In order to make sure that the expired domain you are going to buy already has a good SEO, check how it is categorized in:
Discovering Emails
https://github.com/laramies/theHarvester (100% free)
https://phonebook.cz/ (100% free)
In order to discover more valid email addresses or verify the ones you have already discovered, you can check if you can brute-force the SMTP servers of the victim. Learn how to verify/discover email addresses here. Moreover, don't forget that if the users use any web portal to access their mail, you can check if it's vulnerable to username brute force, and exploit the vulnerability if possible.
Configuring GoPhish
Installation
You can download it from https://github.com/gophish/gophish/releases/tag/v0.11.0
Download and decompress it inside /opt/gophish and execute /opt/gophish/gophish
You will be given a password for the admin user on port 3333 in the output. Therefore, access that port and use those credentials to change the admin password. You may need to tunnel that port to your local machine:
Configuration
TLS certificate configuration
Before this step you should have already bought the domain you are going to use and it must be pointing to the IP of the VPS where you are configuring gophish.
Mail configuration
Start installing: apt-get install postfix
Then add the domain to the following files:
/etc/postfix/virtual_domains
/etc/postfix/transport
/etc/postfix/virtual_regexp
Also change the values of the following variables inside /etc/postfix/main.cf:
myhostname = <domain>
mydestination = $myhostname, <domain>, localhost.com, localhost
Finally, set the files /etc/hostname and /etc/mailname to your domain name and restart your VPS.
Now, create a DNS A record for mail.<domain> pointing to the IP address of the VPS and a DNS MX record pointing to mail.<domain>.
Now let's test sending an email:
Gophish configuration
Stop gophish and let's configure it.
Modify /opt/gophish/config.json to the following (note the use of https):
Configure gophish service
In order to create the gophish service so it can be started automatically and managed as a service, create the file /etc/init.d/gophish with the following content:
Finish configuring the service and check it by running:
Configuring mail server and domain
Wait
The older a domain is, the less likely it is to be caught as spam. So you should wait as long as possible (at least one week) before the phishing assessment. Note that even if you have to wait a week, you can finish configuring everything now.
Configure Reverse DNS (rDNS) record
Set an rDNS (PTR) record that resolves the IP address of the VPS to the domain name.
Sender Policy Framework (SPF) Record
You must configure an SPF record for the new domain. If you don't know what an SPF record is, read the following page:
You can use https://www.spfwizard.net/ to generate your SPF policy (use the IP of the VPS machine).
This is the content that must be set inside a TXT record inside the domain:
Domain-based Message Authentication, Reporting & Conformance (DMARC) Record
You must configure a DMARC record for the new domain. If you don't know what a DMARC record is, read the following page:
You have to create a new DNS TXT record for the hostname _dmarc.<domain> with the following content:
DomainKeys Identified Mail (DKIM)
You must configure DKIM for the new domain. If you don't know what a DKIM record is, read the following page:
This tutorial is based on: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
You need to concatenate both base64 values that the DKIM key generation outputs into a single string:
Test your email configuration score
You can do that using https://www.mail-tester.com/. Just access the page and send an email to the address they give you:
You can also check your email configuration by sending an email to check-auth@verifier.port25.com and reading the response (for this you will need to open port 25 and read the response in the file /var/mail/root if you send the email as root).
Check that you pass all the tests:
Alternatively, you can send a message to a Gmail address that you control and view the received email's headers in your Gmail inbox: dkim=pass should be present in the Authentication-Results header field.
Removing from Spamhaus Blacklist
The page www.mail-tester.com can tell you if your domain is being blocked by Spamhaus. You can request your domain/IP to be removed at: https://www.spamhaus.org/lookup/
Removing from Microsoft Blacklist
You can request your domain/IP to be removed at https://sender.office.com/.
Create & Launch GoPhish Campaign
Sending Profile
Set some name to identify the sender profile
Decide which account you are going to send the phishing emails from. Suggestions: noreply, support, servicedesk, salesforce...
You can leave the username and password blank, but make sure to check Ignore Certificate Errors.
It's recommended to use the "Send Test Email" functionality to test that everything is working. I would recommend sending the test emails to 10-minute mail addresses in order to avoid getting blacklisted while testing.
Email Template
Set some name to identify the template
Then write a subject (nothing strange, just something you could expect to read in a regular email).
Make sure you have checked "Add Tracking Image"
Write the email template (you can use variables like in the following example):
Note that in order to increase the credibility of the email, it's recommended to use a signature from a real email of the client. Suggestions:
Send an email to a non-existent address and check if the response has any signature.
Search for public emails like info@ex.com, press@ex.com or public@ex.com, send them an email and wait for the response.
Try to contact some valid discovered email and wait for the response.
The Email Template also allows attaching files to send. If you would also like to steal NTLM challenges using some specially crafted files/documents, read this page.
Landing Page
Write a name
Write the HTML code of the web page. Note that you can import web pages.
Mark Capture Submitted Data and Capture Passwords
Set a redirection
Usually you will need to modify the HTML code of the page and test it locally (maybe using an Apache server) until you like the results. Then, write that HTML code in the box. Note that if you need to use some static resources for the HTML (maybe some CSS and JS files) you can save them in /opt/gophish/static/endpoint and then access them from /static/<filename>
For the redirection you could redirect the users to the legit main web page of the victim, or redirect them to /static/migration.html for example, put some spinning wheel (https://loading.io/) for 5 seconds and then indicate that the process was successful.
Users & Groups
Set a name
Import the data (note that in order to use the example template you need the first name, last name and email address of each user).
Campaign
Finally, create a campaign selecting a name, the email template, the landing page, the URL, the sending profile and the group. Note that the URL will be the link sent to the victims.
Note that the Sending Profile allows sending a test email to see what the final phishing email will look like:
I would recommend sending the test emails to 10-minute mail addresses in order to avoid getting blacklisted while testing.
Once everything is ready, just launch the campaign!
Website Cloning
If for any reason you want to clone the website check the following page:
Phishing2.0
The previous attack is pretty clever as you are faking a real website and gathering the information entered by the user. Unfortunately, if the user didn't put in the correct password or if the application you faked is configured with 2FA, this information won't allow you to impersonate the tricked user.
This is where tools like evilginx2 are useful. This tool will allow you to perform a MitM-like attack. Basically, the attack works in the following way:
You impersonate the login form of the real webpage.
The user sends his credentials to your fake page and the tool sends them to the real webpage, checking if the credentials work.
If the account is configured with 2FA, the MitM page will ask for it and once the user enters it the tool will send it to the real web page.
Once the user is authenticated you (as attacker) will have captured the credentials, the 2FA code, the cookie and any information from every interaction while the tool is performing the MitM.
Detecting the detection
Obviously one of the best ways to know if you have been busted is to search for your domain in blacklists. If it appears listed, somehow your domain was detected as suspicious. One easy way to check if your domain appears in any blacklist is to use https://malwareworld.com/
However, there are other ways to know if the victim is actively looking for suspicious phishing activity in the wild, as explained in:
You can buy a domain with a very similar name to the victim's domain and/or generate a certificate for a subdomain of a domain controlled by you containing the keyword of the victim's domain. If the victim performs any kind of DNS or HTTP interaction with them, you will know that they are actively looking for suspicious domains and you will need to be very stealthy.