Phishing using Gophish / Gophish in practice


Gophish in practice


Gophish is a recently open-sourced phishing email testing platform. It does not send emails itself; it is a management platform that integrates email template customization, phishing pages, and result statistics.

*!!! Note: please do not use the techniques described in this article for attacks or for unauthorized testing !!!*

Installation of Gophish

Installing Gophish is very simple. First, take a Linux server (other systems also work; I use CentOS 8) and follow gophish's own instructions. Run the command below to download the zip archive to the server; the archive link can be found on the project's releases page.

wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip

After the download completes, unzip it, enter the extracted directory, edit the config.json file and change the IP addresses as needed:

{
  "admin_server": {
    "listen_url": "127.0.0.1:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}

admin_server.listen_url is the management platform entrance: change 127.0.0.1 to the host's own IP, or leave it unchanged and reach it through an SSH tunnel. phish_server.listen_url is the phishing web page entrance. (JSON does not allow comments, so these notes are kept out of the file itself.)

Start gophish

chmod +x gophish
./gophish

If you left listen_url on 127.0.0.1 and use an SSH tunnel instead, forward the admin port from your workstation:

ssh root@ip -L3333:localhost:3333 -N -f

On the server side you will see the following output.

When you start gophish for the first time, the initial password is printed here. The default user name is admin; on first login to the management platform you are asked to set a new password, after which you land on the main page.

Configure the SMTP relay

The management platform for the phishing test is now set up; next a mail server is needed. There are two options. The first is to use a public mail service such as 163; the other is to set up your own mail server. The advantage of the former is that it is quick and convenient: you only need an SMTP authentication key to start the phishing test. The disadvantage is that it is neither flexible nor realistic. The latter is more cumbersome to build, but it can be resolved to a look-alike domain name for realistic phishing deception.

Having chosen the latter, there are again two situations: build gophish and the mail server on the same host, or build them separately. I chose to build them separately, with gophish on the intranet and the mail server on the external network. That way, if the mail server is counter-attacked during the test, the data already collected and stored on gophish is not lost.

I use Postfix as the mailing tool. Install it first:

yum install postfix -y

After installation the default configuration file is /etc/postfix/main.cf, and configuring the mail server mainly means editing this file. Before that, however, a domain name is needed.

I bought a cheap domain name on GoDaddy; a .xyz domain is only $1 for the first year. If it is just for experimentation, you can buy one to play with.

You need an A record pointing to the host IP, an MX record pointing to mail.domainName.xyz, and a CNAME record.

Once the DNS configuration is complete, you can use the telnet command on the mail server to check it.

Next you can start changing the configuration file. Postfix's configuration file is very long; I consulted many blogs and experimented to arrive at a configuration that meets my own needs. You can take my configuration as a reference. If you run into problems, search the Internet for other people's configurations and read the descriptions in the configuration file carefully.

# Configuration file line 77: add the domain name resolved by DNS
myhostname = mail.*****ship.xyz

# Configuration file line 85: add the DNS-resolved domain name
mydomain = *****ship.xyz

# Configuration file line 101
myorigin = $mydomain

# Configuration file line 115
inet_interfaces = all

# Configuration file line 121
inet_protocols = all

# Comment out line 166 of the configuration file and uncomment line 167
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Line 267 of the configuration file: add the IP of the gophish server and the IP of the mail server
mynetworks = 104.*.*.131, 122.*.*.18, 10.*.*.153

# Line 299 of the configuration file: add the IP of the mail server and the corresponding DNS-resolved domain name
relay_domains = $mydestination, 104.*.*.131, 122.14.62.18, *****sihp.xyz

At this point the basic configuration of the mail server is complete; test whether mail can be sent successfully.

Logging in to my Gmail, I can see the email has arrived; the red box should show the look-alike domain name resolved by DNS.

The mail server can now relay mail normally, but anyone who knows about this server can use it to relay mail too, i.e. it is an open relay. To keep the fruits of our labour from being hijacked by others, authentication also has to be added to the Postfix service.

Here I simply followed an existing guide, so I will just put the original link here: https://blog.51cto.com/shani/363788.

After following that article through to its final sending test, the SMTP relay is configured.

Starting a phishing test in Gophish

First click Sending Profiles and configure the link to the SMTP relay here. In From, fill in the sender you want to impersonate, which can be the HR department, a corporate executive, and so on. In Host, fill in the mail server's domain name; in the username and password fields below, fill in the username and password authenticated by Postfix, not the username and password of the SMTP relay server. At the bottom there is a Send Test Email button you can click to check whether the settings work.

Next, write an email template in Email Templates. I recommend saving the email you want to forge from the email client to disk, opening it in a browser, copying the HTML source and pasting it into the gophish email template editor. I personally do not find Gophish's own Import Email very useful. Then replace the name (if there is one) with Gophish's own placeholder.

There are more placeholders; see Gophish's manual for the full list.

The most important thing is to insert the phishing link. For realism the phishing link can be hidden behind a button. Make sure the link itself is represented by the URL placeholder:

{{.URL}}    # URL placeholder

Finally, you can click Add Tracker to add an image tag, or leave it unchecked for authenticity. The Tracker detects whether the recipient has opened the email: if the email is opened, the mail client requests the Tracker image, the server receives that specific request and thereby knows the email was opened (note: opened, not that the link was clicked).
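To make the placeholders and the Tracker concrete, here is an added Go example, written for this article and not Gophish's own code, that renders a template the way Gophish's Go text/template placeholders are filled per recipient. The Recipient fields, the ?rid= query parameter and the hidden image tag are modelled on Gophish's documented behaviour and are assumptions here; the sample template and recipient are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"text/template"
)

// Recipient holds the values a Gophish-style template can reference ({{.FirstName}},
// {{.Position}}, {{.URL}}, {{.Tracker}} ...). Illustrative type, not Gophish's own.
type Recipient struct {
	FirstName, LastName, Email, Position string
	RId         string // per-recipient result id
	URL         string // phishing link, carries the rid so a click is attributed
	TrackingURL string // tracker image URL, carries the rid so an open is attributed
	Tracker     string // hidden <img> tag that {{.Tracker}} inserts
}

// NewRecipient derives the per-target values from the campaign's listening URL. The
// "?rid=" parameter and the hidden image are modelled on Gophish's documented behaviour.
func NewRecipient(base, rid, first, last, email, position string) Recipient {
	q := url.Values{"rid": {rid}}.Encode()
	r := Recipient{FirstName: first, LastName: last, Email: email, Position: position, RId: rid}
	r.URL = base + "?" + q
	r.TrackingURL = base + "/track?" + q
	r.Tracker = fmt.Sprintf("<img alt='' style='display: none' src='%s'/>", r.TrackingURL)
	return r
}

// Render fills a template written with Go text/template placeholders for one recipient;
// an unknown placeholder such as {{.Missing}} is reported as an error rather than ignored.
func Render(tmpl string, r Recipient) (string, error) {
	t, err := template.New("email").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample template using the article's {{.URL}} placeholder plus a tracker.
	const tmpl = `Hi {{.FirstName}} ({{.Position}}), please <a href="{{.URL}}">confirm</a>.{{.Tracker}}`
	r := NewRecipient("http://phish.example.xyz", "r1", "Alice", "Smith", "alice@example.com", "HR")
	fmt.Println(Render(tmpl, r))
}
```

The rid parameter on every link and the hidden, zero-size tracker image are also the traits a mail gateway or an analyst can look for when triaging a suspected campaign.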

Add the test targets in Users & Groups. For large-scale tests it is best to import them directly; for small-scale tests you can also add them one by one. The names and positions entered here are what the placeholders read.

Click Landing Pages and use the Import Site function to enter the URL of the web page you want to imitate; it is imported and turned into a phishing page. *Don't forget to tick the two options below it!*

Finally click Campaigns, choose a name for this test, the phishing email template to use and the imitated phishing web page, enter the Gophish server's address as the URL, then select the sending profile and target group and click Launch.

Gophish's test results are presented very nicely: you can see the overall timeline for each tested person, the data they submitted, and the operating system and browser they used.

Improvements

When sending mail from your own domain name, the receiving server will sometimes reject it because the domain has no SPF record. Adding an SPF record is simple: publish a TXT record when configuring the domain's DNS.
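To see why a receiving server accepts or rejects mail on the basis of that record, here is an added Go example (not from the original article) that evaluates a sending IP against an SPF TXT record offline. The record, IPs and domain are constructed sample values, and the mechanisms that need DNS lookups (a, mx, include) are skipped rather than resolved.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// EvaluateSPF is a minimal offline SPF check: it tests the sending IP against the
// ip4/ip6/all mechanisms of a domain's SPF TXT record. Mechanisms that need DNS
// (a, mx, include, exists, ptr, redirect=) are skipped here; a real receiver resolves
// them. Results follow RFC 7208: "pass", "fail", "softfail", "neutral" or "none".
func EvaluateSPF(record string, sender net.IP) string {
	results := map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
	fields := strings.Fields(record)
	if len(fields) == 0 || strings.ToLower(fields[0]) != "v=spf1" {
		return "none" // not an SPF record at all: the domain publishes no policy
	}
	for _, term := range fields[1:] {
		qual := "+" // default qualifier: a match means "pass"
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		parts := strings.SplitN(strings.ToLower(term), ":", 2)
		mech, arg := parts[0], strings.Join(parts[1:], "")
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address means a single host
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[mech]
			}
			_, cidr, err := net.ParseCIDR(arg)
			matched = err == nil && cidr.Contains(sender)
		default:
			continue // needs a DNS lookup; not evaluated offline
		}
		if matched {
			return results[qual]
		}
	}
	return "neutral" // no mechanism matched and no "all" term was present
}

func main() {
	// Constructed sample: only the mail host's IP is authorized; everything else hard-fails.
	record := "v=spf1 ip4:203.0.113.10 -all"
	fmt.Println(EvaluateSPF(record, net.ParseIP("203.0.113.10")), EvaluateSPF(record, net.ParseIP("192.0.2.5")))
}
```

A record ending in -all is what makes a receiver hard-reject mail from hosts not listed, which is exactly the behaviour a missing or incomplete record leaves you exposed to.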

5 ways to bypass SPF for mail forgery (you can forge qq): https://zhuanlan.zhihu.com/p/147372091
Some new ideas about mail forgery (forgery explained in detail): https://www.jianshu.com/p/671bce334ea7?from=groupmessage

In addition, some receiving servers check the email headers. Gophish offers a certain degree of header customization: you can add custom email headers when setting up a Sending Profile, but this feature is not easy to use, and changing it further requires recompiling Gophish. Swaks can forge headers, but integrating it with Gophish raises a whole series of issues.

This article does not cover techniques such as evading detection of phishing emails; it only describes how to build the basic setup. To repeat once more at the end: *!!! Note: please do not use the techniques described in this article for attacks or for unauthorized testing !!!*
