GoPhish & Evilginx2 for Phishing
I want to talk about two really awesome new Golang tools I've been playing with. GoPhish and Evilginx2 are both designed for phishing, and in this post we will cover their basic setup and integration. Both of these have gone through many transformations via long dev cycles and are pretty polished tools at this point. I'm going to provide the links I used to set them up, along with a few "gotchas", so that people can move through common issues quickly.
To start, we will need two domains, one for the GoPhish server and one for the Evilginx2 server. We will be hosting GoPhish on AWS and Evilginx2 on DigitalOcean, and setting them up in that order. So let's start with GoPhish. Below are some crucial GoPhish links, including their detailed wiki (which has install guides), the GoPhish templating format for automating your phishing campaigns, and a setup video that explains the role of sending profiles, email templates, landing pages, and target users. Following that I have some notes on "gotchas" or snags I hit in following the basic setups.
GoPhish Setup Guide:
GoPhish Gotchas:
- Admin Interface
  - Make sure you expose this port only to yourself, and change the password on first login.
- Sending Profiles
  - I used SendGrid for this; later we can also set up redirectors here.
  - If you are spoofing, you should also make sure your spoof target doesn't have DMARC.
- Email Templates
  - These take a bit of tweaking to get the HTML and templating exactly the way you want.
- Landing Pages
  - This is where we will redirect to Evilginx2, using our landing URI and verification values.
- Targets / Users
  - You will have to source your phishing targets via OSINT.
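The DMARC gotcha above, seen from the receiving side: a domain only blocks spoofed From addresses when its DMARC policy is actually enforced. The following is an added example (not from the original post) that classifies DMARC TXT records by enforcement level; the sample domains and records are constructed, and in practice the input is the TXT record published at `_dmarc.<your-domain>`.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not valid DMARC."""
    if not txt:
        return None
    pairs = [p.split("=", 1) for p in txt.strip().strip('"').split(";") if p.strip()]
    if any(len(p) != 2 for p in pairs):
        return None
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the first tag must be v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def assess(txt):
    """Return (verdict, findings) for one DMARC TXT record (None = no record)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "unprotected", ["no valid DMARC record: receivers apply no policy"]
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only", [f"p={policy}: failing mail is still delivered"]
    findings = []
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    # sp= overrides the policy for subdomains; it defaults to the value of p=.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not protected")
    return ("partial" if findings else "enforced"), findings


SAMPLES = {  # constructed records for illustration
    "a.example": None,
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=25",
    "d.example": "v=DMARC1; p=reject; sp=none",
    "e.example": "v=DMARC1; p=reject; rua=mailto:dmarc@e.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        verdict, findings = assess(record)
        print(f"{domain:10} {verdict:13} {'; '.join(findings)}")
```

Anything other than "enforced" means mail spoofing that domain can still reach inboxes; the fix is to move the published policy to `p=quarantine` or `p=reject` at full coverage once SPF and DKIM alignment are in place.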
Very cool! From here our landing page will redirect to our Evilginx2 instance, including the landing URI and verification key. Let's jump into the Evilginx2 setup to iron these exact details out. Below is a link to the "Winter Update", which involves a breaking change to the phishlet file format. I've also updated the Okta phishlet to the v2.2 format. All that said, the install video is pretty good for this tool, but the setup still involves a number of "gotchas" you should be aware of, listed below.
Evilginx2 Important Links:
Evilginx2 Setup Guide:
Evilginx2 Gotchas:
- Hosting
  - Had to host this on DigitalOcean as it requires ports 53, 80, and 443 (53 is used locally on AWS for a DNS resolver).
- Versions are key
  - Requires Golang 1.10 at minimum, and the new phishlet 2.2.0 format.
- Phishlets
  - Needs the full .yaml extension (.yml files will not be parsed).
  - Phishlets are very finicky and require lots of tweaking.
  - I used certbot for generating certs, as doing it in Evilginx2 was causing errors.
  - Make sure you include your verification key and verification token in your GoPhish redirect landing page.
  - You need to set up DNS A records pointing to Evilginx2 for each subdomain the target site uses.
By now you should have a working GoPhish instance that can send phishing emails and redirect victims to your standing Evilginx2 instance, which can act as your landing page and MITM your target site. This is a pretty advanced / modern phishing setup, so you should be good with this infrastructure for a while, provided you maintain proper operational security. That's it for now, but I'll likely be building on this framework in the future, as I have plans to intercept and backdoor binary payloads as well. Make sure to stop back in the future to see how we can build on this infrastructure design.