
Gophish

All about the open-source phishing framework Gophish, which you can grab here. We've got some good podcast episodes and notes about Gophish here and

Grab a domain + GSuite account

Use the registrar of your choice, or grab the domain directly through Google Workspace so you can add the GSuite email account at the same time.

Configure DNS

Within the Google admin portal, click Manage domains and then the View Details link next to your phishing domain. You should then be prompted to log into the Squarespace portal (just pass through the Google credentials you set up for your phishing domain), after which you should see all the DNS records. The DNS records for Google mail should already be set up, but now is a good time to change the @ record to point to your phishing server's public IP.

Tip: When you enter the DNS configuration area, you'll see a section called Squarespace Defaults which points the @ and www records to a Squarespace landing page. Hit the "trash" icon to delete these two records, then add the @ record for your phishing IP.

Configure email

One thing to do right away is head to Settings and change Send mail as to whatever you want the "send as" name to be. By default it will be whatever first and last name you set the Workspace account up with, which is probably not what you want.

Set up "less secure" app-based email config

  1. Search for "less secure" in the admin portal, go into the Less secure apps settings area, and change the Less secure apps setting to Allow users to manage their access to less secure apps.

  2. Then under your account settings, click the Security link in the left menu, then click 2-step verification. On the next screen click Turn on 2-step verification, choose your method (such as phone number) and confirm the code to finish the MFA enrollment.

  3. Head to the app passwords page and generate a new app password. This is what you'll need to send SMTP emails through Gophish.

Download Gophish

  1. Download Gophish here and unzip it in a directory of your choice.

Set up Let's Encrypt cert

  1. Install certbot (on Ubuntu 22.04) with sudo apt install certbot -y

  2. Generate the cert for your domain and validate it by creating a DNS record:

sudo certbot -d yourphishingdomain.com --manual --preferred-challenges dns certonly

From this command you'll get output like this:

Please deploy a DNS TXT record under the name:

_acme-challenge.yourphishingdomain.com.

with the following value:

20fj203f9j2039fj2039fj2039fj2039fj2039fj2

Tip: When you add this DNS TXT record, you typically just add the _acme-challenge part as the record name, not the fully qualified _acme-challenge.yourphishingdomain.com.

Wait a few minutes after adding the DNS TXT record before you "Press Enter to Continue" and have Let's Encrypt check the record. Otherwise validation might fail and you'll have to generate a new record.
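Rather than guessing how long to wait, you can poll a public resolver until the challenge record is actually visible. This is an added helper script, not part of the original page or of certbot; the domain and the expected token are placeholders you pass in from certbot's output, and it queries 8.8.8.8 so a stale local cache cannot fool it.

```shell
#!/bin/sh
# Added example (not from the original page): poll public DNS for the
# _acme-challenge TXT record before telling certbot to continue.
# Usage: sh wait_txt.sh run yourphishingdomain.com <token-from-certbot>
set -eu

# dig prints TXT values wrapped in double quotes, one per line.
# Strip the quotes from every value and report whether one equals the token.
txt_matches() {
  expected="$1"; observed="$2"
  for v in $observed; do
    v=${v#\"}; v=${v%\"}
    [ "$v" = "$expected" ] && return 0
  done
  return 1
}

# Ask an external resolver every 15 s, for up to 10 minutes.
wait_for_acme_txt() {
  domain="$1"; expected="$2"; tries=40
  while [ "$tries" -gt 0 ]; do
    observed=$(dig +short TXT "_acme-challenge.$domain" @8.8.8.8 || true)
    if txt_matches "$expected" "$observed"; then
      echo "TXT record visible; safe to press Enter in certbot"
      return 0
    fi
    tries=$((tries - 1))
    sleep 15
  done
  echo "TXT record still not visible after 10 minutes; re-check the record name" >&2
  return 1
}

if [ "${1:-}" = "run" ]; then
  wait_for_acme_txt "${2:?domain}" "${3:?expected token}"
fi
```

Run it in a second terminal while certbot is waiting at its prompt; when it reports the record is visible, go back and press Enter.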

The cert will be installed in a path like /etc/letsencrypt/live/yourphishingdomain.com/fullchain.pem (with the key in privkey.pem alongside it). To get these files into a location and format Gophish can use, cd to your Gophish server directory and issue these commands:

cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt
cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key
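The two cp commands above are the minimum; in practice you also want to confirm the copied cert and key actually belong together, keep the private key readable only by root, and add the firewall rule for the admin port that the config step below calls for. The script here is an added example, not Gophish project code; DOMAIN, GOPHISH_DIR and ADMIN_FROM_IP are placeholders, and the firewall part assumes ufw (the Ubuntu default).

```shell
#!/bin/sh
# Added example (not from the Gophish project): install the Let's Encrypt
# material into the Gophish directory, verify it, and lock down port 3333.
# Usage (as root): sh install_cert.sh run
set -eu

DOMAIN="${DOMAIN:-yourphishingdomain.com}"          # placeholder
GOPHISH_DIR="${GOPHISH_DIR:-$HOME/gophish}"         # placeholder
ADMIN_FROM_IP="${ADMIN_FROM_IP:-203.0.113.10}"      # your own public IP (placeholder)

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files are a matching pair.
cert_matches_key() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
  key_pub=$(openssl pkey -pubout -in "$key")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

install_cert() {
  live="/etc/letsencrypt/live/$DOMAIN"
  cp "$live/fullchain.pem" "$GOPHISH_DIR/domain.crt"
  cp "$live/privkey.pem"   "$GOPHISH_DIR/domain.key"
  chmod 644 "$GOPHISH_DIR/domain.crt"
  chmod 600 "$GOPHISH_DIR/domain.key"   # private key: owner-only
  if ! cert_matches_key "$GOPHISH_DIR/domain.crt" "$GOPHISH_DIR/domain.key"; then
    echo "domain.crt and domain.key do not match; re-check the certbot output" >&2
    return 1
  fi
  # Let's Encrypt certs are valid for 90 days; print when this one expires.
  openssl x509 -noout -enddate -in "$GOPHISH_DIR/domain.crt"
}

# The admin UI will listen on 0.0.0.0:3333; allow only the operator's IP.
# ufw evaluates rules in order, so the allow must come before the deny.
restrict_admin_port() {
  ufw allow from "$ADMIN_FROM_IP" to any port 3333 proto tcp
  ufw deny 3333/tcp
}

if [ "${1:-}" = "run" ]; then
  install_cert
  restrict_admin_port
fi
```

The key/cert comparison is the check worth keeping around: a mismatched pair is the usual reason Gophish starts and then fails the TLS handshake, and it is quicker to catch here than from a browser error later.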

Now edit the config.json file one more time and make these changes:

  • Change every instance of cert_path to point to domain.crt
  • Change every instance of key_path to point to domain.key.
  • Change the listen_url for the admin_server to 0.0.0.0:3333, then make sure to set up a firewall rule so only your own public IPs can reach it.
  • In the phish_server section, change :80 to be :443
  • In the phish_server section, change use_tls to true
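Put together, the edits above leave config.json looking like this. This is an added illustration, not a file shipped by the Gophish project: the lines that change are the two listen_url values, use_tls under phish_server, and the four cert/key paths; the remaining fields are assumed to match the defaults in the downloaded config.json and should be left as they are in your copy.

```json
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "domain.crt",
    "key_path": "domain.key",
    "trusted_origins": []
  },
  "phish_server": {
    "listen_url": "0.0.0.0:443",
    "use_tls": true,
    "cert_path": "domain.crt",
    "key_path": "domain.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
```

Note that 0.0.0.0:3333 exposes the admin interface on every interface; the firewall rule is what keeps it private, so do not start the server until that rule is in place.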

Start the Gophish admin server

Now that you're in your Gophish working directory and have generated the domain.crt and domain.key files, you can start the Gophish server:

chmod +x gophish
sudo ./gophish

Watch the output carefully: the default username and password appear in the first few lines. Log in with those credentials and you'll be prompted to change the password.

Configure sending profile

Click Sending profiles on the left menu, then New Profile. Fill in all necessary information. The SMTP From and Username should be yourphishingaccount@yourphishingdomain.com, and the Host will likely be smtp.gmail.com:465. Hit Send Test Email should you desire. In my tests to my personal addresses I usually find these messages in the spam folder.

Set up a landing page

I have a simple sample here. The one annoying thing I always forget is that if you have logo files or any static asset you want to reference in the campaign, you first SFTP into your droplet, go to the ~/your-gophish-dir/static folder, create a new subdirectory called endpoint, and put the files there.

Then, when you reference those in your campaign, use a link similar to https://yourphishingdomain.com/static/logo.png. Silly me would think that if logo.png was in regular old /static subdirectory that would work, but noooooOOOOOOOOoooOOpe! You gotta have it in /static/endpoint.

Also, I'd recommend putting something benign in the Redirect to field, like https://the-company's-real-web-site.com, so that when users submit credentials via your form they're simply redirected to their own company's Web site. It seems to feel less suspicious to users that way.

Create a group of users to send to

Click the Users & Groups link to set up a group (or groups!) of users to send to.

Launch your campaign!

Fire up a campaign and then name it, select a template, select a landing page, set the URL (usually https://yourphishingdomain.com), select the sending profile, select your "Send to" group, and off you go!