Phishing with GoPhish
The Evolving Security Landscape: A Dynamic Challenge
Overview
Here, we will delve into three distinct types of phishing campaigns and social engineering tactics:
- Email Phishing with Password Entry - GoPhish
- Multi-Factor Authentication (MFA) Bypass Phishing - Evilginx
- SMS Phishing (Smishing)
The following tools will be explored and utilized:
- AWS Route 53 - For domain registration.
- AWS EC2 - For server hosting
- Mailgun - For email sending configuration (SPF, DKIM, MX, CNAME records)
- Gophish - For managing basic phishing campaigns
- Evilgophish/Evilginx - For managing advanced phishing and smishing campaigns
- Twilio - For SMS sending
Disclaimer
It is crucial to understand that the techniques and tools presented in this course can potentially be misused for malicious purposes. Therefore, it is imperative to adhere to the following guidelines:
- Social engineering exercises should only be conducted on clients from whom explicit written permission has been obtained to perform such testing.
- All service providers involved in phishing campaigns must provide explicit written consent to utilize their infrastructure for these purposes.
- Individuals utilizing the information from this course assume full liability for any misuse of the techniques and tools for malicious purposes.
The Evolving Threat Landscape
The security perimeter is constantly shifting, with major service providers like Microsoft, Google, Okta, and Fortinet regularly updating their authentication techniques to counter emerging threats. Adversaries must adapt and overcome multiple layers of email inspection, including spam filters, email gateways, and suspicious email reporting mechanisms. Additionally, they must circumvent domain whitelists to reach their intended targets.
Moreover, most high-privilege user accounts now require multi-factor authentication (MFA), rendering the mere acquisition of passwords insufficient for successful compromises.
Phishing Domain Setup
To achieve success in modern phishing campaigns, the following considerations are essential:
- Ensure the domain has been active for more than 30 days to bypass filters that target new domains.
- Build trust in the domain by actively visiting the site.
- Verify that the site is not categorized as malicious by security solutions.
- Explore domain takeover techniques, which can also facilitate business email compromise attacks.
- In cases where the above measures are not feasible, collaborate with the client to whitelist the domain and sender email address.
Multi-Factor Authentication Considerations
While multi-factor authentication (MFA) is a robust security mechanism, it is not infallible. If a client allows text message-based MFA, attempting to obtain the code from the user through social engineering techniques (known as "vishing") may be possible. Additionally, techniques such as Evilginx can be utilized to bypass MFA.
It is important to note that SIM swapping attacks and other vectors can lead to MFA codes being intercepted, and MFA fatigue attacks are becoming increasingly prevalent.
Avoiding Spam Filters
To enhance the chances of success in phishing campaigns, the following best practices should be observed:
- Avoid directly using words from vendor emails or copying their email formats and website designs verbatim.
- Engage in HTML editing to customize the phishing content, if possible.
- Refrain from using urgent language and leverage spell-checking and AI tools, especially if English is not the primary language.
- Tailor each phishing attempt to the specific client, including their dialect and tendencies.
- Conduct thorough open-source intelligence (OSINT) and passive information gathering to gather insights into the client's IT tools and common email formats.
Whitelisting Considerations
Collaborating with the client is essential to ensure that the domain and IP address are whitelisted across multiple security layers, including:
- Email gateways
- Spam filters
- Domain whitelists
- IP address whitelists
Additionally, it is recommended to send test emails and work directly with the client to verify successful delivery and reception.
By adhering to these guidelines and best practices, security professionals can effectively assess an organization's resilience against phishing and social engineering attacks, ultimately enhancing their overall security posture.
GoPhish - Basic Phishing
Creating an EC2 Instance
Create an Ubuntu EC2 Instance (free tier is fine!)
Save your private key somewhere safe
Open port 22 (SSH) to your IP address
SSH to your server:
ssh ubuntu@<publicIP> -i <yourPrivateKey>.pem
GoPhish Setup
- GoPhish Github Link: https://github.com/gophish/gophish
- How to Setup:
Update our server
sudo apt update
Upgrade the installed packages
sudo apt upgrade
Install Golang
sudo apt install golang-go
Clone Gophish
git clone https://github.com/gophish/gophish.git
Change to GoPhish directory
cd gophish/
Build gophish binary
go build
Portal Login Credentials:
Site: https://YourPhishingDomain.net:3333
Username: admin
Password: generated at first start and printed in the GoPhish log (temporary; change it after the first login)
Configuring Gophish as a System Service
Steps to Perform
**Edit config.json to change our "listen_url" to 0.0.0.0:3333**
```
nano config.json
```
**Create a service file to run gophish as a system service:**
```
sudo nano /etc/systemd/system/gophish.service
```
**Add the following lines:**
```
[Unit]
Description=gophish-service
[Service]
Type=simple
WorkingDirectory=/home/ubuntu/gophish/
ExecStart=/home/ubuntu/gophish/gophish
[Install]
WantedBy=multi-user.target
```
**Enable the gophish service:**
```
sudo systemctl enable gophish.service
```
**Start the gophish service:**
```
sudo systemctl start gophish.service
```
**Check the Status of the service:**
```
sudo systemctl status gophish.service
```
**Open port 3333 in the AWS Security Group to YOUR IP address only.**
**Navigate to the admin panel and log in:**
```
https://<publicPhishingServerIP>:3333
```
Configuring TLS Certificates
Set up an AWS firewall (Security Group) rule to open port 443
Install Certbot
```
sudo apt install certbot
```
- Generate TLS Certificate:
```
sudo certbot certonly -d <domain> --manual --preferred-challenges dns
```
- Now populate a new TXT record in AWS Route 53 for _acme-challenge.<yourdomain.com> with the challenge string shown by certbot.
- Once the record has propagated, press Enter in the Ubuntu terminal
Copy certificates to the gophish directory
sudo cp /etc/letsencrypt/live/mydomain.com/privkey.pem mycert_privkey.pem
sudo cp /etc/letsencrypt/live/mydomain.com/fullchain.pem mycert_fullchain.pem
Edit config.json in the gophish directory so the phishing server listens on port 443
nano /home/ubuntu/gophish/config.json
- Change the phishing server port from 80 to port 443
- Change the privkey and fullchain to your newly copied certificates
- Change use_tls to true
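The resulting config.json after the three changes above, shown as an added example rather than a file taken from the page; the admin_server block keeps GoPhish's stock self-signed certificate paths, and the relative phish_server paths resolve against the WorkingDirectory of the systemd unit, so the copied .pem files must sit in /home/ubuntu/gophish/:

```json
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:443",
    "use_tls": true,
    "cert_path": "mycert_fullchain.pem",
    "key_path": "mycert_privkey.pem"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
```

The admin_server listen_url is 0.0.0.0:3333 only because the security group restricts port 3333 to your own IP; if that restriction is ever relaxed, leave it on 127.0.0.1:3333 and reach the panel through an SSH tunnel instead.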
Stop and restart the gophish service so the new configuration takes effect
sudo systemctl stop gophish.service
sudo systemctl start gophish.service
Visit your phishing server on port 443 and make sure it works:
https://yourdomain.com
Email Sending Profile Setup
From Mailgun:
Copy the SMTP username and password of your Mailgun sending account into the sending profile in GoPhish.
In the SMTP Server section, use:
smtp.mailgun.org:587
Sending Our First Campaign
Steps to Create a Campaign:
- Create a sender profile. Login to the gophish admin page. Select Sending Profiles and New Profile:
We will populate the form with the information we created earlier in Mailgun, noting that the SMTP port should be 587 (the submission port, encrypted with STARTTLS):
Send a test email and, if you received it successfully (check the spam folder too), select Save Profile:
- The next step is to create an Email Template (Email Templates > New Template):
- Populate the form as shown below:
- Note that for the email body, the HTML tab should be selected and then the Source button clicked before you can enter text and apply styling to it. The words "click me" were selected and a link {{.URL}} attached to them, as represented by the HTML source below.
The example below is heavily simplified. There should be leading text with images for authenticity and a link for the user to click:
```
<html>
  <head>
    <title>Test message from GP</title>
  </head>
  <body>
    Hello,<br>
    Please <a href="{{.URL}}">click me.</a><br>
    Thank you.
  </body>
</html>
```
- Select the link icon in the toolbar and populate the form as shown below - Protocol https, URL {{.URL}}. The placeholder is completed automatically with the per-recipient URL when the email is sent:
- Save the template. Note the Add Tracking box is checked (this adds an invisible tracking image):
- Create a landing page template for the mailing campaign (Landing Pages > New Page):
- Give the form a name and the HTML code for the page. This can be imported from another site if preferred. Ensure the two checkboxes have been checked and the redirect URL has been entered:
- Create Users and Groups to send to:
- Select New Group and populate the form as below before selecting + Add and saving the changes:
- Create a new campaign:
- Complete the form, selecting from the files created earlier:
- Select Launch Campaign to schedule for launch and confirm:
- In the dashboard the Campaign status can be seen:
- Checking the inbox we can see the message has been received:
- The message has been opened with the URL visible:
When the Gophish Campaign Dashboard is checked we can see the email has been opened:
After clicking on the link in the email:
- The dashboard status updates to show the link has been clicked:
- Expanding the Details area shows the timeline for the campaign:
- The landing page with a custom URL appears in the web browser after clicking on the link:
- After clicking on the padlock we can see the site is secure:
- Credentials entered on the page and the login button selected:
- Redirect to google.com as per redirect setting in landing page:
- Gophish dashboard status shows data was submitted. By going to the Details section we can see the timeline and the login credentials entered on the landing page:
- If the Replay Credentials button is pressed a window will appear where the login URL can be entered and the captured credentials entered for further exploitation:
Evilgophish/Evilginx
This guide provides instructions for deploying and utilizing the Evilgophish/Evilginx tools for advanced cybersecurity assessments and penetration testing engagements. These powerful tools enable security professionals to simulate sophisticated phishing campaigns and evaluate an organization's resilience against social engineering attacks. The guide covers the complete lifecycle of setting up and managing phishing campaigns, including:
Installation and Configuration:
Step-by-step procedures for installing and configuring Evilgophish and Evilginx on various platforms. Integration with third-party services such as Mailgun, Certbot, and Twilio for enhanced email delivery, SSL/TLS certificate management, and SMS capabilities.
Campaign Creation and Management:
Techniques for crafting highly realistic phishing emails and SMS messages tailored to specific target audiences. Strategies for evading detection by modern email and web security solutions. Best practices for tracking and monitoring campaign progress and user interactions.
Data Capture and Analysis:
Methods for securely capturing user credentials and other sensitive data submitted through phishing landing pages. Guidance on analyzing and interpreting the collected data to identify potential vulnerabilities and security gaps.
Advanced Techniques:
Exploration of cutting-edge techniques such as multi-factor authentication (MFA) bypass using Evilginx. Strategies for maintaining persistence and evading detection during prolonged phishing campaigns.
Throughout the guide, a strong emphasis is placed on adhering to ethical and legal guidelines. All procedures and techniques outlined should only be employed with explicit written consent from the target organization and under the supervision of qualified cybersecurity professionals. The guide serves as a comprehensive resource for security researchers, penetration testers, and incident response teams seeking to enhance their capabilities in assessing and mitigating the risks associated with phishing and social engineering attacks. By leveraging the powerful features of Evilgophish and Evilginx, organizations can proactively identify and address potential vulnerabilities, ultimately strengthening their overall cybersecurity posture.
SSH to the EC2 server and, from the home directory, clone the GitHub repository for Evilgophish.
This failed as it required a username and password, so I ran wget to download the repository files:
wget https://github.com/fin3ss3g0d/evilgophish/archive/refs/heads/main.zip
Install unzip on the server:
sudo apt install unzip
Extract the archive into the evilgophish-main folder:
unzip main.zip
Change to the installation directory:
cd evilgophish-main
Change permissions on the installation script so the installer can execute:
chmod 700 setup.sh
Run the setup script:
./setup.sh
Review the console output for any issues or missing parameters, then run the setup script again specifying the required parameters. The completed command with the required parameter settings:
sudo ./setup.sh YourPhishingDomain.net "accounts" false https://google.com true keyname true
The installation will progress and at the end there will be a prompt to install a TLS certificate:
Generate a new TLS certificate for the server with Certbot:
SSH into the EC2 server in a second session. Copy the certbot command from the first session and paste it into the second session window, prefixing it with sudo:
sudo certbot certonly --manual --preferred-challenges=dns --email admin@YourPhishingDomain.net --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.YourPhishingDomain.net' -d 'YourPhishingDomain.net'
The Apache2 service should then be restarted:
sudo systemctl restart apache2
Change to the evilgophish/gophish directory:
cd ~/evilgophish/gophish
Configure the config.json file
nano config.json
Change the gophish listening URL to "0.0.0.0:3333":
Stop the gophish service:
sudo systemctl stop gophish.service
Edit the gophish service configuration:
sudo nano /etc/systemd/system/gophish.service
Change the working directory to the new gophish directory within evilgophish:
Save and exit nano then start the gophish service:
sudo systemctl start gophish.service
Reload systemd so it picks up the new gophish.service configuration
sudo systemctl daemon-reload
Start the gophish service
sudo systemctl start gophish.service
Check the status of the gophish.service:
sudo systemctl status gophish
If the text is truncated, press the right arrow to scroll and see the text outside the window. Note the temporary credentials, as you will need them for the initial login.
Log in to the page at https://<publicPhishingServerIP>:3333. Because the admin certificate is self-signed, select Advanced, then Accept the Risk and Continue:
Log in with the temporary credentials and reset the password:
View updated dashboard pages with the new features:
Evilginx Setup
- On the EC2 server, change to the evilginx3 directory:
cd ~/evilgophish/evilginx3
- Change the permissions on the binary so it can execute:
sudo chmod +x evilginx3
Run evilginx in a tmux session, specifying the path to the gophish database:
What is tmux?
Tmux is a tool that creates multiple virtual Terminal sessions, each with a unique process. Tmux allows for task collaboration, maintaining background processes, and saving Terminal state after disconnection, making it ideal for managing a virtual private server.
Detaching and Attaching Sessions
After you create a new session, you will be automatically attached to it. To detach and leave the tmux client, press Ctrl-b followed by d. To reattach to the most recent session, use the tmux attach-session command. You can also reenter a specific shell by entering:
tmux attach-session -t [session-name]
Alternatively, reattach to a specific target session using its ID number. Since tmux starts the order from 0 by default, enter the following to access the first shell:
tmux attach-session -t 0
Managing Sessions
To list all active sessions, run either of the following tmux commands. You can do so within the main or virtual shell:
tmux ls
Your command-line interface will show all sessions with details like their name, ID, number of windows, and creation date. You will also see which one you are currently attached to (here it is evilginx).
If you are currently in a virtual Terminal session, you can switch to another one using the following command. Similar to reattaching, use the name or ID number:
tmux switch -t [session-name-or-id]
To terminate the current session, enter exit or press Ctrl-d. Meanwhile, run this command if you want to shut down a specific one:
tmux kill-session -t [session-name-or-id]
Configuration of evilginx continued
Navigate to the directory holding the evilginx executable:
cd /home/ubuntu/evilgophish/evilginx3/
Enter the following to start a terminal session in the background for running evilginx3. It is recommended you do this each time (the tmux command creates a new session called evilginx):
tmux new-session -s evilginx
The terminal window will change:
- Enter the following command to start evilginx:
sudo ./evilginx3 -p legacy_phishlets/ -g /home/ubuntu/evilgophish/gophish/gophish.db
- You should see the process start:
- At the end you should see the current configuration status for the phishlets.
Set up a phishlet
The output below, which appears after a successful start of evilginx3, shows the phishlets are all disabled:
Commands are normally entered at the : prompt while evilginx is running. The Tab key can be used for autocompletion.
Set up the network parameters:
The server domain:
config domain <domain>
The server’s external IP address:
config ipv4 external <ip_address>
To list all of your available phishlets, type phishlets. Whenever you need help or want to confirm the available commands, type help. To see more information about a specific command, type help <command>, e.g. help phishlets.
For this example we'll set up the Office365 phishlet to demonstrate how to set up your first engagement.
Set up a hostname for your Office365 phishing URL. You can pick whatever hostname you want, with as many subdomains as you want, provided it ends with the top-level domain you set up with config domain.
: phishlets hostname o365 <domain>
Enable the phishlet.
: phishlets enable o3652
If successful you should see something like the below:
To check the status of the phishlet enter the following:
phishlets
You should see something like the below, confirming the domain has been configured and the phishlet is enabled:
Evilginx will automatically start obtaining the required TLS certificates from Let's Encrypt.
If the EC2 firewall rules for inbound traffic on TCP 443 and UDP 53 are set up correctly to allow all incoming traffic, Evilginx should be able to obtain the certificates and the phishlet should now be ready to use.
Set up the Email Sending Profile, using the information provided by Mailgun in the email setup section earlier:
Send a Test Email:
If this was successful, the window will update. Close the window and save the profile:
Set up the Email/SMS Template and save it:
- Set up the Users & Groups with an email target:
Creating a Lure
- Create lures for the o365 and o3652 phishlets in evilginx3 and retrieve their URLs:
lures create o365
lures create o3652
lures get-url 0
lures get-url 1
The lure URLs should now be created:
Copy the lure URL:
- Create a new Email Campaign by selecting New Email Campaign from the menu. Paste the lure URL into the Evilginx URL section of the form and complete the rest of the form:
- Select Profit to schedule the Campaign. When confirmation is requested, select Launch:
- A confirmation should then appear:
- After checking the disposable email address (https://10minutemail.net) we can see it was received:
- If we check the dashboard in evilgophish we can monitor the status of the Campaign:
Currently under Details we can see the mail was sent successfully. The dashboard also reflects this.
When the email is opened we can see the message:
The dashboard will update showing 1 email was opened and when the Reset Password link is clicked, the dashboard will update the Clicked Link Value:
Input Capture
Sending SMS Phishing messages (Smishing)
Twilio for Smishing Campaigns
Twilio is a platform that allows you to send SMS messages from a computer with a virtual number:
- Sign up for a Twilio account at https://twilio.com
- When requested, enter a cellphone number for verification
- Enter the confirmation code when received.
- Save the Recovery code in a safe place.
- Log in to Twilio and get a phone number (it will be US-based for testing):
- Click Next on the following two screens:
Complete the registration process. Make a note of the following from Twilio that will be used to send SMS messages:
- Phone number
- Account SID
- Authentication Token
Set up SMS Sending Profiles > New Profile using the information from Twilio:
- Launch SMS Campaign > New SMS Campaign and complete the form before selecting "Profit":
- Confirm the campaign can be launched:
- Smishing Campaign scheduled: