7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMware. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.
In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:
- Consider this list of top 9 phishing simulators.
- Check out GoPhish!
- Then spin up a free tier Kali AWS box
- Follow the instructions to install GoPhish and get it running on your AWS box
- Use the Expired Domains site to buy up a domain that is similar to your victim's - maybe just one character off - but has been around a while and has a good reputation
- Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
- Create a convincing cred-capturing portal on GoPhish - I used some absolutely disgusting and embarrassing HTML like this:
<html><head><title>Your rad awesome eyeball cool phishing portal!</title>
<style>
body {
background-image: url("https://YOURMALICIOUSDOMAIN/static/background.jpg");
background-repeat:no-repeat;
background-size:cover;
}
</style>
</head><body><br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<center>
<table style="width:40%">
<tbody><tr>
<th><img src="https://YOURMALICIOUSDOMAIN/static/company-logo.png"/></th>
<th><form action="" method="post" name="form">
<p style="color:white;"><label>User Name:</label> <input name="username" type="text"/>
</p><p style="color:white;"><label>Password:</label> <input name="password" type="password"/>
<br/>
<br/>
<input type="submit" name="submit" value="Log On"/>
</p></form>
</th>
</tr>
</tbody></table>
</center>
<br/>
<br/>
<center>
<p style="color:white;"><b>Unauthorized use is prohibited!</b>
</p>
</center>
</body>
</html>
- Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
- Have fun!!!
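
On the defending side, the aged, good-reputation look-alike domain from the tips above will sail past "newly registered domain" filters, so the check that still works is comparing observed domains against your own by name. The following is an added example (not from the episode or from GoPhish) that flags domains within one edit of a protected domain, and it goes slightly beyond "one character off" by also counting a swap of two adjacent characters as one edit. The protected domains and the sample list are constructed, and the input is assumed to be already reduced to registrable domains.

```python
# Added example: flag sender/URL domains that sit within one edit of a
# domain you own. All domain names below are constructed sample data.

PROTECTED = {"example.com", "example-corp.com"}  # assumption: your real domains


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    rows, cols = len(a) + 1, len(b) + 1
    # First row/column hold the cost of building a prefix from nothing.
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(cols)] for i in range(rows)]
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def normalize(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def find_lookalikes(observed, protected=PROTECTED, max_distance=1):
    """Return sorted (observed, protected, distance) for near-misses.
    Exact matches and subdomains of a protected domain are skipped."""
    hits = set()
    prot = {normalize(p) for p in protected}
    for raw in observed:
        dom = normalize(raw)
        if any(dom == p or dom.endswith("." + p) for p in prot):
            continue
        for p in prot:
            dist = osa_distance(dom, p)
            if 0 < dist <= max_distance:
                hits.add((dom, p, dist))
    return sorted(hits)


# Constructed sample: domains pulled from mail-gateway or proxy logs.
SAMPLE = ["example.com", "mail.example.com", "examp1e.com", "exmaple.com",
          "examples.com", "example-corp.co", "unrelated.org", "Example.COM."]

if __name__ == "__main__":
    for dom, prot, dist in find_lookalikes(SAMPLE):
        print(f"{dom} looks like {prot} (distance {dist})")
```

Feed it the distinct sender and link domains from a day of mail-gateway logs; anything it returns is worth a block rule or an alert.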