Phishing with Gophish
Setting up of Gophish, a popular open source phishing framework on a VPS server and an attempt to bypass spam checks in email providers such as Gmail and Yahoo. Contributors - @5kYp01n7
Last updated
Setting up of Gophish, a popular open source phishing framework on a VPS server and an attempt to bypass spam checks in email providers such as Gmail and Yahoo. Contributors - @5kYp01n7
Last updated
Get trusted TLD such as .com, .net, etc. ".xyz" is flagged as an untrusted TLD by Apache SpamAssassin "PDS_OTHER_BAD_TLD". In the below screenshot you can see ".xyz" being flagged.
The below screenshot shows it as a bad TLD as well.
For this article, we are trying to send phishing emails to a hypothetical organization "ressurect". Let's try to find some domains that look similar to them using these websites:
Let's head off to Spamhaus Project to check if the domain name has been blacklisted before. Note: The IP address of the VPS server being used could be in a blacklist apart from the domain name and could be blocked by the email service provider.
In order to send mails from "mail.ressurect.xyz", we will set the following records.
v=spf1 a:mail.ressurect.xyz -all
v=DMARC1; p=none; rua=mailto:admin@mail.ressurect.xyz
If you've already set up postfix in your VPS server, you'll need to follow this article to set up DKIM. If not, you need to install postfix first and then set up DKIM.
Host: default._domainkey.mail
Value: v=DKIM1; k=rsa; p=[redacted]
Once set up, wait for a few mins to get the changes propagated to the nameservers from where your domain has been purchased.
In order to verify all the SPF, DMARC and DKIM records, run the following commands:
This is necessary as well to make sure the IP address of the SMTP server from where the email was send points back to the domain name used for the email address. It is fairly simple for digital ocean. We just need to edit the name of the droplet.
Run the following command to verify:
nslookup <server IP>
Download the source code of Gophish. We will now be modifying it's code as per the following article:
https://www.redteam.cafe/phishing/gophish-mods
The "gophish" keyword occurs mostly in the email headers while sending the emails. You could also manually remove the occurrences of the keyword by searching using grep and carefully editing the files:
grep -ir gophish
Compile the project:
go build
The VPS from digital ocean doesn't have the basic packages to install Go binary. Run the following commands if installing from scratch:
You'll need to install an SSL certificate if the Gophish landing page (Phishing webpage) need to be accessible over HTTPS. Run the following commands:
Once done, edit the config.json file in the Gophish directory and provide the path to the SSL certificate and private key generated from acme.sh:
Note: Setting the "listen_url" to "0.0.0.0"36101" for "admin_server" will make it accessible over public IP. Hence, changed the default port of 3333 to 36101. Would suggest setting up an iptables rule. If you haven't worked with firewall rules, set the rules carefully. You may block yourself from the SSH connection as well. If you're connected to your company's VPN, the following command can be set to drop all traffic to port 36101 except your company's IP. Yes, the order matters:
This will be the details of your SMTP server. A genuine sender's name could be "no-reply@mail.ressurect.xyz".
This would be the webpage that the Phishing URL would point to. We could perform OSINT to discover the target organizations login pages. The login pages for the 3rd party applications that the organization uses could also work just as fine.
This is by far the most trickiest part where your email would be decided as spam or not.
Note: During our research, we were able to successfully send the email to the inbox of Yahoo email whereas Gmail had spammed us. The sender's email address was successfully spoofed as well in Yahoo mail. We are currently researching as you read to bypass the spam filters in Gmail and Outlook. Outlook is no joke when it comes to detecting spam. Please read some of the information on it in the Appendix A Section.
Tips:
Place the email body at Autoklose Email Spam Checker to detect the usage of spam words: https://autoklose.com/email-spam-checker/
Apache SpamAssassin will flag your email if the size is too low. The solution would be to add more words, specifically the e-mail size has to be over 3200 bytes to not be flagged by the set of "HTML_IMAGE_ONLY_xx" rules.
Place the {{.URL}} in the email template to redirect to the landing page.
Note: The above email was not the one to bypass the Yahoo mail spam filter. It is for reference purposes only.
This would contain the email addresses of the target users who would be receiving the phishing emails. Add legit names like "Ravish Yadav" etc. as these are a part of certain spam checks.
Some of the websites offer spam checks online. One being mail-tester. Choose the email address displayed on their website and add it to the Gophish "Users & Groups".
Fire up the campaign by choosing all the landing pages, email templates, sending profiles and users. The URL would be "mail.ressurect.xyz". This is what would be used for the landing page for e.g. mail.ressurect.xyz?rid=124
So, checking it on mail-tester.com, we got a decent score of 7.1. This could have been >9.
So, as mentioned above while setting up the domain name, the TLD ".xyz" has received an aggregate negative score of -2.4. Whereas the domain name was recently registered.
What we learned so far:
No matter how good you've tried to bypass the spam filters, everyone (all departments) in the target organization may not receive the phishing email. Try sending out phishing emails to a certain user within the target organization and confirming if it has reached the inbox. Even if all are received successfully, chances are that different departments may have individual policies as well and some may be bypassed and some may not. If nothing is consistent...Get the freakin' IP address whitelisted.
https://docs.microsoft.com/en-us/exchange/troubleshoot/antispam-and-protection/cautions-against-bypassing-spam-filters âĸ If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through. Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time. âĸ It is important that you take the following precautions: â Never put domains that you own onto the Allow and blocklists. â Never put common domains, such as microsoft.com and office.com, onto the Allow and blocklists. â Do not keep domains on the lists permanently unless you disagree with the verdict of Microsoft. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide (Recommended) Use mail flow rules ======================= Checkist ======================= 0365 - Spam/antiphising bypass filter checklist Are there links in the email that point to login pages that are detected by link protection scanning mechanisms? Is the attachment in the email known to be malicious? Or is detected or flagged by signature based systems? (custom) Is the sender domain a permutation of the receiving domain? (custom) Is the sender domain a newly created or uncategorized domain? Content Filtering Disabling image links (or âbugsâ, an indicator used by phishing platforms to determine if targets opened the initial email). IP address links, which are commonly used to bypass web proxy filters on an internal network. Domain TLD blacklsits. Content specific filtering, blocking of sensitive words or other indicators Identifying if links within emails point to downloadable content (think binaries and documents) and passing these through their attachment scanning engines. Analyzing URL reputation from various partner sources, identifying whether or not the URL is malicious. O365 Advanced Threat Protection (ATP) Addon Spoof intelligence, a mechanism in place to detect spoofed email to/from your organization domain. Machine learning and other capabilities for detecting phishing emails. ATP and the âSafe Linksâ Rewrite Feature Determine if the link is blacklisted by the organization Identify whether the link points to downloadable content (documents, binaries) and scan them Has the link been designated as malicious previously? Safe link policies possibility: policy applies to - Users, Groups, Domains - real-time URL scanning for suspicious links and links that point to files - Wait for URL scanning to complete before delivering the message - Apply Safe Links to email messages sent within the organization - Select the action for unknown or potentially malicious URLs within Microsoft Teams - Do not track user clicks - Do not allow users to click through to original URL - Do not rewrite the following URLs Safe links possible bypasses: - Send an email to someone containing an evil link without the link - Organizations to add their own domains to the Safe Links whitelist policy, we can use URL obfuscation techniques. - Block or re-direct requests from the Exchange Online Protection by blocking EOP IP ranges available online on your webserver with some .htaccess rules. - Replace the phishing URLâs site content after a message is being scanned (Less chance of this being implemented at victim) - fool Microsoftâs Safe Link: <a x=">" href="http://badurl.com">click me</a> ^--- the regex? engine stops to detect the <a> tag here, and leaves the href unchanged. - Another obvious way to fool the Safe Link re-writer is to use a <form>-tag (it may not work in all email clients). You may be safe until spammers figure this out. <form action="http://badurl.com"><input value="click me"></form>