SecurityTrails Blog

Gophish: An Open-Source Phishing Framework



If you or any friend, family member, or acquaintance has ever used an email account, chances are that at some point they've received a phishing email. And while in the early days of the internet such deception usually looked so fake and misaligned that you could spot it right away as an attempt to mislead you, this isn't so true anymore.

An accustomed internet user with a keen eye might spot the fakery in the picture above, mainly because of the suspicious-looking sender address. But its look and feel are very similar to those of an actual, legitimate message.
This design task (worthy of a craftsman web designer) used to be a time-consuming endeavor that could take several hours to get right, but that's no longer the case with the arrival of complete frameworks that make today's "Deception as a Service" ecosystem feasible. Today we're taking our previous article, Phishing Toolkit: Top 20 Best Phishing Tools, one step further by highlighting one of the tools listed there: Gophish, the open-source phishing framework.

## Red Team Phishing Exercise

For this post, we propose that you take the lead in a red team exercise for your own company.
We'll target fictional characters, giving you an example of how you can run the same exercise against yourself, using your own apps and infrastructure to simulate the test just as a cyber espionage team would. In doing so we intend to show you today's tooling but, more importantly, a great way to test how your own company behaves when faced with this kind of attack.
Lastly, we'll explore how easy it is to clone any web page and corporate email template to make it look **almost real**, with an emphasis on the **real** part, as these techniques and frameworks have evolved to the point where one could easily pretend to be anyone or anything, not just the usual social networks and global free email services that are commonly impersonated.

## Phishing 101

Phishing is one of the most common types of cybercrime. It may require several pieces working together, in different flavors depending on the focus of the attack (such as so-called "whaling", which specifically targets very high-profile executives or government individuals).
Compared with other types of attacks, such as its smaller but more widespread sibling the scam (the infamous Nigerian scam, for instance), phishing attacks are more on the technical side. The attack requires not only a good-looking, carefully crafted email, but also a working link that leads the deceived user to its real core: the prize-collecting webpage. While this may be at the frontier of the phishing definition, it is somewhat unusual for people to "just find" phishing websites.
Instead, they're usually cleverly steered toward them by malicious actors who commonly host fake websites under awkward domain names and URL paths. By devising clever ways to deceive people into following the link in an email, the attacker ensures that victims fall into the trap and end up on a hostname similar to the one in the image above. That link leads to the files needed to appear as the real service the victims believe they are using, working in conjunction with methods to store and forward the gathered information to the attacker.

### Getting the software

Gophish is available here for the three main operating systems: Windows, Linux, and macOS.
Once downloaded, and after comparing the published hash checksum against the obtained zip file, we can execute the binary to start the application.

## Running Gophish

When running, Gophish by default starts two listeners: TCP port 3333 for the admin interface and TCP port 80 for phishing-page requests. Once the process has started, we can open the admin interface in a browser and log in with the admin:gophish credentials.
If desired, you can create and configure your own set of certificates, or put in place any you already have for this purpose. In any event, the installation documentation may help. Ok, we're inside! Le...
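Two pre-flight checks for the steps above, written as an added example (not code from this post or from the Gophish project): verifying the downloaded archive against its published SHA-256, and confirming that the admin listener on TCP 3333 is bound to loopback only, so the default admin:gophish login is not reachable from the network. The `ss -ltn` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the SecurityTrails post or the Gophish project.
# Check 1: verify the downloaded release archive against its published SHA-256.
# Check 2: confirm the admin interface (TCP 3333) listens on loopback only.

# verify_release ARCHIVE EXPECTED_SHA256 -> 0 if the checksum matches, 1 otherwise.
verify_release() {
    archive="$1"; expected="$2"
    [ -f "$archive" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$archive" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$archive" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$expected" ]
}

# admin_listener_exposed SS_OUTPUT -> 0 if a listener on port 3333 is bound to
# anything other than 127.0.0.1 or [::1], 1 otherwise. SS_OUTPUT is the text of
# `ss -ltn`, whose 4th column is "Local Address:Port" (127.0.0.1:3333, 0.0.0.0:3333, [::]:3333).
admin_listener_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, p, ":"); port = p[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port == "3333" && host != "127.0.0.1" && host != "[::1]") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of `ss -ltn` output with the two Gophish listeners,
# the admin port exposed on all interfaces (the setting to avoid).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:3333      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*'

if admin_listener_exposed "$SAMPLE"; then
    echo "WARNING: Gophish admin interface (3333) is reachable from the network"
else
    echo "OK: admin interface bound to loopback only"
fi
```

On a live host, replace `SAMPLE` with `"$(ss -ltn)"` and pass the real archive path and the checksum published with the release to `verify_release`.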