7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2
Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with GoPhish, Amazon Lightsail, Let's Encrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!
For a quicker review, check out part 1 and the companion YouTube video, but I wanted to revisit this kick-butt process and update a few items:
First, the SingleFile browser extension is amaaaaaaaazing for making phishing landing pages with ease! It saves the real login page as one self-contained HTML file (styles, scripts and images all inlined), so you can paste it straight into a GoPhish landing page. Two things to check before you do: the login form has to post back to the landing page URL rather than to the real site, or GoPhish never sees the submission, and Capture Submitted Data has to be ticked on the landing page.
Getting Google Workspace (GApps) to let you generate an app-specific password for use with GoPhish is kinda annoying. The steps below should get you going:
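Here is an added example (mine, not from the 7MS post or the GoPhish or SingleFile projects) of the form fix-up described above, done in Python so it can be applied to the SingleFile export before pasting it into GoPhish. It re-emits the saved page unchanged except that every form loses its action attribute (so the browser posts back to the landing page URL itself) and is forced to method="post", and it flags inputs that have no name attribute, since GoPhish can only store named fields. The sample page is a constructed stand-in for a real SingleFile export.

```python
"""Prep a SingleFile-saved login page for GoPhish credential capture."""
from html import escape
from html.parser import HTMLParser


class LandingPageRewriter(HTMLParser):
    """Re-emit a page unchanged except for its <form> start tags.

    Each <form> loses its action attribute so the browser posts back to the
    landing page URL (the ?rid= query string included) instead of to the real
    site, and is forced to method="post", which is what GoPhish records.
    <input> tags without a name attribute are reported, because GoPhish can
    only store fields that have one.
    """

    def __init__(self):
        # convert_charrefs=False so &amp; and &#39; are re-emitted verbatim
        super().__init__(convert_charrefs=False)
        self.out = []
        self.warnings = []
        self.forms = 0

    def _rewrite_form(self, attrs):
        self.forms += 1
        kept = [(k, v) for k, v in attrs if k not in ("action", "method")]
        kept.append(("method", "post"))
        rendered = [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in kept]
        return "<form " + " ".join(rendered) + ">"

    def _audit_input(self, attrs):
        if not dict(attrs).get("name"):
            self.warnings.append(
                f"input without name, will not be captured: {self.get_starttag_text()}")

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.out.append(self._rewrite_form(attrs))
            return
        if tag == "input":
            self._audit_input(attrs)
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # self-closing tags such as <input .../>: keep the original text
        if tag == "input":
            self._audit_input(attrs)
        self.out.append(self.get_starttag_text())

    # Everything else is passed through as-is (tag names come back lowercased).
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def prepare_landing_page(page: str) -> tuple[str, list[str]]:
    """Return (rewritten HTML, list of warnings) for a saved page."""
    parser = LandingPageRewriter()
    parser.feed(page)
    parser.close()
    if parser.forms == 0:
        parser.warnings.append("no <form> found; nothing will be captured")
    return "".join(parser.out), parser.warnings


# Constructed stand-in for a SingleFile export (a real one is far larger).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Sign in &amp; continue</title>
<script>var ready = "x" && 1;</script></head>
<body>
<form id="login" action="https://accounts.example.com/signin" method="GET">
<input type="email" name="identifier" autocomplete="username">
<input type="password" name="password"/>
<input type="hidden" value="nonamehere">
<button type="submit">Next</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    html_out, notes = prepare_landing_page(SAMPLE_PAGE)
    print(html_out)
    for note in notes:
        print("WARNING:", note)
```

Run it against the real export (`prepare_landing_page(open("login.html").read())`), paste the first return value into the GoPhish landing page editor, and treat every warning as a field the campaign will silently lose.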
- After domain registration, log into admin.google.com or click the Manage Workspace button at checkout.
- At the next screen click Workspace Admin Console. Sign in as the user you'll be sending from, using the temporary password emailed to your backup address during checkout.
- In the search bar search for Less secure apps and choose Allow users to manage their access to less secure apps.
- Now, in the upper right, click Manage your Google Account.
- Under Security, click Protect your account, then Add phone number. Finish that process, then click Continue to your Google account.
- Back at the main page, under Less secure app access, click Turn on access (not recommended).
- At the next screen set Allow less secure apps to ON.
- Back at the main screen, click 2-Step Verification and turn it On.
- Back at the main screen again, a new option called App passwords should now be there (it only appears once 2-Step Verification is on). Click it, give the password a custom name like LOL, and a 16-character app password will appear. Write it down, as it only shows once!
Heads up: Google has since removed the Less secure apps setting from Workspace, so those two steps may no longer exist in your console. That's fine for this use: the app password is what GoPhish actually authenticates to smtp.gmail.com with, and it doesn't depend on less secure app access.
Finally, a quick reference for getting your Let's Encrypt cert to work with GoPhish. Once certbot has issued the cert, copy the full chain and private key into the .crt and .key files GoPhish expects (copies, not symlinks, so GoPhish doesn't need read access to /etc/letsencrypt):
cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt
cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key
Now edit GoPhish's config.json: point cert_path and key_path at the two files you just created and set use_tls to true (lowercase; it's a JSON boolean, so TRUE would break the file) in both the admin_server and phish_server blocks. While you're in there, change the phish_server listen_url from port 80 to 443 so your phishing links are plain https:// URLs, lock the copied key down with chmod 600, and restart GoPhish so it loads the new cert. One caveat: the copies don't follow certbot renewals, so redo the two cp commands after each renewal, or hang them off certbot's --deploy-hook.
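As an added example (mine, not the post's or the GoPhish project's), here is the whole cert step as one script that can double as a certbot deploy hook: it copies fullchain.pem and privkey.pem into domain.crt/domain.key with sane permissions, then patches config.json to use_tls true with the new paths and moves the phish server to :443. The GoPhish install dir (/opt/gophish) is an assumption, the config layout is modelled on the stock config.json, and the demo uses constructed fake PEM files in a temp dir, not real key material.

```python
"""Install a Let's Encrypt cert into GoPhish and flip its config to TLS."""
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed to match the stock GoPhish config.json layout: an admin_server
# and a phish_server block, each with its own use_tls / cert_path / key_path.
DEFAULT_CONFIG = {
    "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": True,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
    "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": False,
                     "cert_path": "example.crt", "key_path": "example.key"},
    "db_name": "sqlite3", "db_path": "gophish.db", "migrations_prefix": "db/db_",
    "contact_address": "", "logging": {"filename": "", "level": ""},
}


def install_cert(live_dir: Path, dest_dir: Path, name: str = "domain") -> tuple[Path, Path]:
    """Copy certbot's fullchain.pem / privkey.pem to <dest>/<name>.crt and .key.

    Real copies (not symlinks) so GoPhish never needs to read /etc/letsencrypt;
    the private key is made 0600 and the public chain 0644.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    crt, key = dest_dir / f"{name}.crt", dest_dir / f"{name}.key"
    shutil.copyfile(live_dir / "fullchain.pem", crt)
    shutil.copyfile(live_dir / "privkey.pem", key)
    crt.chmod(0o644)
    key.chmod(0o600)
    return crt, key


def enable_tls(config_path: Path, crt: Path, key: Path,
               servers=("admin_server", "phish_server")) -> dict:
    """Point the given server blocks at the cert and set use_tls to true.

    JSON booleans are lowercase true/false, so this writes a real bool rather
    than the string "TRUE". The phish_server is also moved from :80 to :443
    when it is one of the blocks being switched over.
    """
    cfg = json.loads(config_path.read_text())
    for name in servers:
        block = cfg[name]
        block["use_tls"] = True
        block["cert_path"] = str(crt)
        block["key_path"] = str(key)
    if "phish_server" in servers and cfg["phish_server"]["listen_url"].endswith(":80"):
        host = cfg["phish_server"]["listen_url"].rsplit(":", 1)[0]
        cfg["phish_server"]["listen_url"] = f"{host}:443"
    config_path.write_text(json.dumps(cfg, indent=2) + "\n")
    return cfg


def run_demo() -> dict:
    """Exercise both steps in a throw-away tree with fake PEM files (constructed
    stand-ins, not key material) and return what changed for inspection."""
    root = Path(tempfile.mkdtemp(prefix="gophish-tls-"))
    live = root / "etc/letsencrypt/live/YOUR-DOMAIN"
    live.mkdir(parents=True)
    (live / "fullchain.pem").write_text("-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n")
    (live / "privkey.pem").write_text("-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n")
    gophish = root / "opt/gophish"
    gophish.mkdir(parents=True)
    config = gophish / "config.json"
    config.write_text(json.dumps(DEFAULT_CONFIG, indent=2))

    crt, key = install_cert(live, gophish)
    cfg = enable_tls(config, crt, key)
    result = {
        "phish_server": cfg["phish_server"],
        "admin_server": cfg["admin_server"],
        "key_mode": stat.S_IMODE(key.stat().st_mode),
        "key_text": key.read_text(),
        "reloaded_use_tls": json.loads(config.read_text())["phish_server"]["use_tls"],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    # Under certbot --deploy-hook, RENEWED_LINEAGE is the live dir of the cert
    # that was just renewed; run by hand, fall back to the self-contained demo.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if lineage:
        install_dir = Path("/opt/gophish")  # assumed GoPhish install location
        c, k = install_cert(Path(lineage), install_dir)
        enable_tls(install_dir / "config.json", c, k)
        # GoPhish only reads the cert at startup, so restart it after this.
    else:
        print(json.dumps(run_demo(), indent=2))
```

Registering it with `certbot renew --deploy-hook /usr/local/bin/gophish-cert-hook.py` (path assumed) makes the copy happen on every renewal instead of silently letting GoPhish serve an expired cert.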