7 Minute Security19 Elo 2021

7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!

For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items:

First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease!

The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going:

After domain registration, log into admin.google.com or click Manage Workspace button at checkout.
At the next screen click Workspace Admin Console. Sign in with the person you'll be spoofing from, and the temporary password emailed to your backup email account during checkout.
In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.
Now, in the upper right, hit Manage Your Google Account.
Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.
Back at the main admin page, under Less secure app access, click Turn on access (not recommended).
At the next screen click Allow less secure apps: ON
Back at the main screen, click 2-Step Verification and set it to On.
Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once!

Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish:

cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key

Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to TRUE on both places in the config as well.

Kokeile Premiumia

Nauti 14 päivää ilmaiseksi

Tilaa Premium

Jaksot(705)

7MS #49: OSCP – The Final Chapter – part 1! (audio)

We've arrived at the exciting two-part finale to my bloody battle with the OSCP! 7MS #49: OSCP – the final chapter – part 1! (audio)

31 Maalis 20157min

7MS #48: So I Gave My Eight Year Old a Computer (audio)

Is it a good idea to give young kids a computer to play with? Maybe. Maybe not. Tune in to today's episode and weigh in! 7MS #48: So I Gave My Eight Year Old a Computer (audio)

21 Maalis 20158min

7MS #47: Logging and Alerting RELOADED (audio)

Hey, you should log the stuff going on in your network. This episode talks about that (again). And I reference some AD-related settings that may not be enabled in your environment…stuff you might want to turn on. Check out that information via this PDF here. 7MS #47: Logging and Alerting Reloaded (audio)

17 Maalis 20157min

7MS #46: So You Want to be a Hacker? (audio)

So you want to be a hacker? Cool. In this episode I toss myself under the bus and share why I used to have a really dumb perspective on what that meant, and how my view of hackers – and hacking – has changed (and hopefully matured). 7MS #46: So You Want to be a…

14 Maalis 20157min

7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

Warning, this is an off topic episode! I used to pirate software. There. I admitted it. But it's funny how a letter from the Comcast legal dept. will change your mind and let you see piracy in a whole new light! 7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

10 Maalis 20157min

7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

Warning, this is an off topic episode! Did you know it's fun to stay at the YMCA? Did you also know it's fun to annoy annoying people at the YMCA? Listen to this episode to find out why. 7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

7 Maalis 20157min

7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

Did you know that Web site vulnerability scanners can destroy your customer sites? If not, listen to this. 7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

28 Helmi 20157min

7MS #42: Vulnerability Scans vs. Pentests (audio)

I think everybody throws around the terms "vulnerability scans" and "pentests" and they mean completely different things from one person to the next. In this episode I try to clarify the differences and distinctions (in my mind, anyways). 7MS #42: Vulnerability Scans vs. Pentests (audio)

14 Helmi 20157min

Kaikki yhdessä sovelluksessa

Kuuntele kaikki suosikkipodcastisi ja -äänikirjasi yhdessä paikassa.

Sinulle valikoitua sisältöä

Podme-sovelluksessa kokoat suosikkisi helposti omaan kirjastoosi. Saat meiltä myös kuuntelusuosituksia!

Jatka kuuntelua koska tahansa

Voit jatkaa siitä mihin jäit, myös offline-tilassa.

Premium

9,99 €/kk

Kaikki premium-podcastit
Ei mainoksia
Ei sitoutumista, peruuta koska tahansa

Aloita 14 päivän kokeilu

Premium

13,99 €/kk

Kaikki premium-podcastit
Ei mainoksia
Ei sitoutumista, peruuta koska tahansa
Yksi lisäkäyttäjä

Kokeile 14 päivää maksutta

Suosittua kategoriassa Politiikka ja uutiset

rss-polikulaari-humanisti-vastaa-ja-muut-ts-podcastit

Tarinat ja äänet, joita rakastat kuunnella

Kuuntele kaikki suosikkipodcastisi ja -äänikirjasi

Lue lisää