The Ultimate Guide To Phishing - Computer Insecurities
Posted by Siddharth Balyan on August 03, 2021 · 15 mins read
Introduction
Why another Phishing guide?
Recently I’ve been able to get my hands dirty with phishing and witness actual
phishing campaigns, thanks to the incredibly talented people at my workplace. To satisfy
my curiosity I tried to follow along with a small phishing campaign against myself and
realized that there doesn’t seem to be an all-inclusive, all-in-one guide that helps beginners
understand the process and set up the infrastructure.
I’m going to assume the starting point that you already know what phishing is, but
would like to learn how to do it.
Note: This is simply my way of contributing to the security community. Please don’t use
this knowledge for malicious purposes!
Breakdown
By my understanding, the process of phishing can be split into two parts:
https://sidb.in/2021/08/03/Phishing-0-to-100.html 1/16
8/3/2021 The Ultimate Guide to Phishing - computer insecurities
The Phishing Website: This is the spoofed, fake website where the unknowing
user will enter their credentials. From here we capture those credentials
along with their session cookies.
The Phishing Mail: This is the email sent to the victim in the hope that they
take the bait and go to our spoofed website.
Getting a domain
A domain name needs to be convincing and similar enough to the domain of the
legitimate website. One can use urlcrazy or catphish to generate a list of typo
domains.
❯ urlcrazy linkedin.com
The marked domains are some examples of typo domains we can choose from. The rest
are all in use.
For demo purposes, I’m going to buy a free domain from Freenom. They offer free
domains under the .tk, .ml, .ga, .cf and .gq TLDs.
Note: Freenom is a bit buggy, so you may have to type the entire domain, TLD included, into
their search box to be able to select it and put it in your cart.
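The typo domains generated above are exactly what a mail gateway or brand-monitoring job should be looking for. The following is an added example from the defender's side, not code from this post or from urlcrazy: it scores the registrable domain of each link against a constructed list of protected brands using the optimal string alignment distance, gives lookalikes on the free TLDs named above one extra edit of slack, and also catches a brand name buried in a subdomain label. The PROTECTED list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed brand list for the example; a real deployment would load it from config.
PROTECTED = {"linkedin.com", "microsoft.com"}
# Free-registration TLDs named in the post; a lookalike on one of these earns extra slack.
SUSPECT_TLDS = {"tk", "ml", "ga", "cf", "gq"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url: str, max_dist: int = 1):
    """Return (verdict, brand): verdict is 'legit', 'lookalike' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated", None
    registrable, name, tld = ".".join(labels[-2:]), labels[-2], labels[-1]
    if registrable in PROTECTED:
        return "legit", registrable          # the brand itself or a real subdomain of it
    best = None
    for brand in PROTECTED:
        bname = brand.split(".")[0]
        if bname in labels[:-2]:            # brand name hidden in a subdomain label
            dist = 0
        else:
            dist = osa_distance(name, bname)
        budget = max_dist + (1 if tld in SUSPECT_TLDS else 0)
        if dist <= budget and (best is None or dist < best[0]):
            best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


def scan(links):
    """Map each link to its verdict, e.g. for links extracted from inbound mail."""
    return {u: classify(u)[0] for u in links}
```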
Once the VM is created, go ahead and open ports 80, 443 and 3333 for HTTP,
HTTPS and GoPhish respectively; we will use GoPhish later on.
Go to the DNS Management page in your Freenom Domain and add the A record for
WWW.
Configuring EvilGinx2
First install Go by following the instructions here and make sure you add it to your
$PATH.
Then clone the evilginx2 repo, cd into the directory and make the binary.
Additionally, add the binary to /usr/bin or /usr/local/bin and copy the phishlets and
templates directories to /usr/share/evilginx so the tool can be used from any path.
❯ cd evilginx2
❯ make
Run evilginx2; if the phishlets have been loaded successfully you should see the
tool start up.
Now edit the config to add your domain and IP and the redirect URL.
: config ip 52.172.136.70
Any scanners that hit your domain without the lure parameter will automatically be
redirected to the redirect_url you set up here.
We also need to set up a TLS certificate for our domain. Luckily, the tool can handle
that for us. Do the following:
: lures get-url 1
https://www.linkdin.tk/BMvzCciy
We also need to add the URL the victim will be redirected to after logging in. This is
different from the config redirect_url: that one is for scanners and unintended
visitors, while this one is for victims post-login.
Once that’s done, you can navigate to the lure URL to make sure it’s working.
If you did everything right, you should see a LinkedIn login page!
Note: You can run evilginx2 in a tmux session so that the tool keeps running when you
close your SSH connection.
Installing GoPhish
❯ go get github.com/gophish/gophish
❯ sudo ./gophish
You should probably run gophish in the same tmux session as evilginx2.
The temporary credentials are printed in the logs here. Navigate to https://[your-ip]:3333
and log in using these credentials.
You are now in the GoPhish Admin Panel.
Here we set up and configure the email that the victim will receive. To
make a convincing email template, go through your own inbox and try to find an
existing email from the website you’re trying to spoof. For my use case, I will use a
password-reset confirmation email I received from LinkedIn.
Click on the three-dot options button and Download the Email you want to use as a
template.
Open the file and copy its contents. Now navigate to the Email Templates tab and create a
new template. Click on Import Email and paste the copied contents there.
Optionally, check the Change Links to Point to Landing Page checkbox. This will
change all the links in the mail to point to the spoofed landing page.
Now, in the HTML tab, modify the contents to your own liking.
Crafting a convincing email is very important, so if you’re doing this for an assessment,
take your time to craft a phishing email.
<html><head><script>
</script>
</head><body></body></html>
The phishing server runs on http://[your-ip]:80, which is what the {{.URL}} template
variable expands to. Whenever the victim navigates to this page (through the link they are
prompted to visit in the mail), they are redirected to your evilginx2 lure.
Also add Authorized Recipients. As a free tier user, only authorized recipients can
receive emails from your Mailgun account.
Now, under Sending Profiles in the GoPhish panel, make a new profile and copy your
Mailgun credentials and config into it as follows.
For demo purposes, I’ll be sending the mail to myself, so I’ll add my user in manually.
Now, it is very likely that your email has been marked as phishing and moved
to the Spam folder. If you go to the link in the mail, you’ll notice something like
this:
Click proceed and look! evilginx2 has started logging all the data of the new visitor
(you).
On entering the password, you can see evilginx2 capturing the credentials and
displaying them.
Running the sessions command will show you all the user credentials and cookies
you’ve captured, though this is out of our current scope.
Final Thoughts
Congrats! You now understand how to run a phishing campaign, and that
too without shelling out a single rupee! There are a few caveats: the phishing
mail gets marked as phishing, but that can be avoided by using a slightly more
trustworthy domain and shelling out some cash for a premium Mailgun account.
Note that this is just the beginning of how you can conduct phishing assessments.
Once you proceed further, the complexity increases. Automation, spam evasion,
bypassing filters, aging your domains etc., come into play.
To get a better insight into some of these topics, you can check out @grahamhelton3’s
course on Practical Phishing Assessments here.
Happy Hacking!