# Gophish
All about the open-source phishing framework Gophish, which you can grab [here](https://getgophish.com/).  We've got some good podcast episodes and notes about Gophish [here](https://7minsec.com/blog/tag/phishing/) and 

## Grab a domain + GSuite account
Use the registrar of your choice, or go right for grabbing the domain through [Google Workspace](https://workspace.google.com/) so you can add the GSuite email at the same time.  Once you register the domain, wait a bit and you should get an email asking you to verify the account/domain.  Once you do that you can continue to the next part (configuring DNS).

## Configure DNS
Within the Google admin portal, click [manage domains](https://admin.google.com/ac/domains/manage) and then the *View Details* link next to your phishing domain.  You should then be prompted to log into the Squarespace portal (just pass through the Google credentials you set up for your phishing domain), and then you should see all the DNS records.  The DNS records for Google mail should already be set up, but now is a good time to change the `@` record to point to your phishing server's public IP.  

:::tip
When you enter the DNS configuration area, you'll see a section called *Squarespace Defaults* which points the `@` and `www` record to a Squarespace landing page.  Hit the "trash" icon to delete these two records, then add the `@` record of type `A` that points to your phishing IP.
:::

## Configure email
One thing to do right away is head to [Settings](https://mail.google.com/mail/u/0/#settings/accounts) and change *Send mail as* to whatever you want the "send as" info to be.  By default it will be whatever first and last name you set the Workspace account up with, which is probably not what you want.  

### Set up "less secure" app-based email config
1. Search for "less secure" in the admin portal and go into the *Less secure apps* settings area, then change the *Less secure apps* setting to **Allow users to manage their access to less secure apps**.

2. Then under [your account settings](https://myaccount.google.com/), click the **Security** link on the left menu, then click **2-step verification**.  At the next screen click **Turn on 2-step verification**.  Choose your method (such as phone number) and confirm the code to finish the MFA enrollment.

3. Head to the [app passwords page](https://myaccount.google.com/apppasswords) and generate a new app password.  This is what you'll need to send SMTP emails through Gophish.

## Download Gophish
1. Download Gophish [here](https://github.com/gophish/gophish/releases/) and unzip it in a directory of your choice.
 
## Set up Let's Encrypt cert

1. Install certbot (on Ubuntu 22.04) with `sudo apt install certbot -y`

2. Generate the cert for your domain and validate it by creating a DNS TXT record:

```
sudo certbot -d yourphishingdomain.com --manual --preferred-challenges dns certonly
```

From this command you'll get output like this:

```
Please deploy a DNS TXT record under the name:

_acme-challenge.yourphishingdomain.com.

with the following value:

20fj203f9j2039fj2039fj2039fj2039fj2039fj2
```

:::tip
When you add this DNS TXT record, you typically just add the `_acme-challenge` part as the `host` part of TXT record, not the fully qualified `_acme-challenge.yourphishingdomain.com`.
:::

Wait a few minutes *after* adding the DNS TXT record before you "Press Enter to Continue" and have Letsencrypt check the record.  Otherwise validation might fail and you'll have to generate a new record.

The cert will install in a path like `/etc/letsencrypt/live/yourphishingdomain.com/fullchain.pem` and `privkey.pem`.  To get these files in a location/format where Gophish can use them, `cd` to your Gophish server directory and issue these commands:

```
cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt
cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key
```

Now edit the `config.json` file in your Gophish directory and make these changes:

* Change every instance of `cert_path` to point to `domain.crt`
* Change every instance of `key_path` to point to `domain.key`
* Change the `listen_url` for the *admin_server* to be `0.0.0.0:3333` - then make sure to set up a firewall rule so only *your* public IPs can hit it.  
* In the `phish_server` section, change `:80` to be `:443`
* In the `phish_server` section, change `use_tls` to `true`
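Here is an added example (not part of Gophish or the original notes) that applies the five changes above to a `config.json` and then checks that TLS is on for both servers and that the cert/key files actually exist next to the binary before you start it.  It assumes your `config.json` has the same keys as the stock release file, which is embedded below as a constructed sample.

```python
import json
import os
import sys

# Constructed sample: the stock config.json shipped with a Gophish release
# (assumption: your copy uses the same keys; adjust if yours differs).
DEFAULT_CONFIG = {
    "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": True,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key",
                     "trusted_origins": []},
    "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": False,
                     "cert_path": "example.crt", "key_path": "example.key"},
    "db_name": "sqlite3", "db_path": "gophish.db", "migrations_prefix": "db/db_",
    "contact_address": "", "logging": {"filename": "", "level": ""},
}


def harden_config(cfg, cert="domain.crt", key="domain.key", admin_listen="0.0.0.0:3333"):
    """Return a copy of cfg with both servers on the Let's Encrypt cert/key, the phish
    server on :443 with TLS, and the admin server on admin_listen (firewall 3333!)."""
    out = json.loads(json.dumps(cfg))  # deep copy so the caller's dict stays untouched
    for section in ("admin_server", "phish_server"):
        out[section]["cert_path"] = cert
        out[section]["key_path"] = key
        out[section]["use_tls"] = True
    out["admin_server"]["listen_url"] = admin_listen
    host, _, _ = out["phish_server"]["listen_url"].rpartition(":")
    out["phish_server"]["listen_url"] = f"{host}:443"  # was :80 in the stock file
    return out


def check_config(cfg, base_dir="."):
    """List problems that make gophish serve plaintext or fail to start:
    use_tls off, or cert/key paths that do not exist relative to base_dir."""
    problems = []
    for section in ("admin_server", "phish_server"):
        s = cfg[section]
        if not s.get("use_tls"):
            problems.append(f"{section}: use_tls is false")
        for k in ("cert_path", "key_path"):
            if not os.path.isfile(os.path.join(base_dir, s[k])):
                problems.append(f"{section}: {k} {s[k]!r} not found")
    return problems


if __name__ == "__main__":  # usage: python3 harden_gophish.py /path/to/config.json
    path = sys.argv[1] if len(sys.argv) > 1 else "config.json"
    with open(path) as f:
        hardened = harden_config(json.load(f))
    with open(path, "w") as f:
        json.dump(hardened, f, indent="\t")
    for p in check_config(hardened, os.path.dirname(path) or "."):
        print("WARNING:", p)
```

Run it from the Gophish directory after copying `domain.crt` and `domain.key` there; any `WARNING:` line means `sudo ./gophish` will either refuse to start or serve the phish site over plain HTTP.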

## Start the Gophish admin server
Now that you're in your Gophish working directory and have generated the `domain.crt` and `domain.key` files, you can start the Gophish server:

```
chmod +x gophish
sudo ./gophish
```

Watch carefully, as the default username and password will come up in the first few lines of output.  Log in with those creds and you'll then be prompted to change the password.

### Configure sending profile
Click **Sending profiles** on the left menu, then **New Profile.**  Fill in all necessary information.  The *SMTP From* and *Username* should be *yourphishingaccount@yourphishingdomain.com*, and the *Host* will likely be **smtp.gmail.com:465**.  Hit **Send Test Email** should you desire.  In my tests to my personal addresses I usually find these messages in the spam folder.

### Set up an email template
In the *Envelope Sender* field you can put something like `Totes LegitUser <totes@legit.com>` so that when the user gets the email, it's from "Totes Legit" and not just the raw `totes@legit.com` email address (which could look phishy).

For the body of the message, I like to switch to HTML mode and do something like:

```
<p>Hello,</p>

<p>Here is where you put the tantalizing "bait" for your phishing campaign.</p>

<p>And here is where you sell people on clicking your phishing link: {{.URL}}</p>

<p><strong>Note:</strong> And maybe here you put some information about how important it is that they click this link and submit their creds a bunch of times.</p>

<p>And maybe in this paragraph you tell people that if they have any questions, please send an email to (<a href="mailto:you@yourphishingdomain.com">you@yourphishingdomain.com</a>).</p>

<p>Sincerely,<br>
Thomas C. Callahan</p>
```

### Setup a landing page
I have a simple sample [here](https://7minsec.com/blog/2022/02/23/7ms-509-creating-kick-butt-credential-capturing-phishing-campaigns-part-4/).  The one annoying thing I *always* forget is that if you have logo files or any static asset you want to reference in the campaign, first SFTP into your droplet, go to `~/your-gophish-dir/static` folder, then create a new subdirectory called `endpoint` and put the files there.

Then, when you reference those in your campaign, use a link similar to `https://yourphishingdomain.com/static/logo.png`.  Silly me would think that if `logo.png` was in regular old `/static` subdirectory that would work, but noooooOOOOOOOOoooOOpe!  You gotta have it in `/static/endpoint`.

Also, I'd recommend in the `Redirect to` field, put something benign like `https://the-company's-real-web-site.com` so that when users submit credentials via your form, they're simply redirected to their own company's Web site.  It seems to feel less suspicious to users that way.

### Create a group of users to send to
Click the **Users & Groups** link to set up a group (or groups!) of users to send to.

### Launch your campaign!
Fire up a campaign and then name it, select a template, select a landing page, set the URL (usually `https://yourphishingdomain.com`), select the sending profile, select your "Send to" group, and off you go!

## Misc phishing tips
* On a Mac, you can use Digital Color Meter app to find a color to "steal" from a company's Web site you're trying to mimic.
