7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!

For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items:

First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease!

The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going:

  • After domain registration, log into admin.google.com or click the Manage Workspace button at checkout.

  • At the next screen click Workspace Admin Console. Sign in with the person you'll be spoofing from, and the temporary password emailed to your backup email account during checkout.

  • In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.

  • Now, in the upper right, hit Manage Your Google Account.

  • Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.

  • Back at the main admin page, under Less secure app access, click Turn on access (not recommended).

  • At the next screen click Allow less secure apps: ON

  • Back at the main screen, click 2-Step Verification and set it to On.

  • Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then an app password will appear. Write it down as it only appears once!

Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish:

cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt
cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key

Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to true (lowercase, since JSON booleans are case-sensitive) in both places in the config as well.
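A quick sanity check for that config edit, as an added example that is not part of the original show notes or the GoPhish project: it parses a config and reports any place where use_tls is not the JSON boolean true (a bare uppercase TRUE is not valid JSON, and a quoted "TRUE" is a string) or where cert_path/key_path is missing. The section names admin_server and phish_server are assumed from GoPhish's stock config.json, the function name is hypothetical, and the sample configs are constructed.

```python
import json

SERVERS = ("admin_server", "phish_server")  # assumed names of the two sections

def lint_tls(config_text, exists=None):
    """Return a list of TLS problems in a Gophish-style config.json.

    exists: optional callable(path) -> bool to confirm the files are on disk,
    e.g. os.path.isfile; left as None the file check is skipped.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level of the config must be a JSON object"]
    problems = []
    for name in SERVERS:
        section = cfg.get(name)
        if not isinstance(section, dict):
            problems.append(f"{name}: section missing")
            continue
        # A quoted "TRUE" or "true" is a string, not a boolean.
        if section.get("use_tls") is not True:
            problems.append(f"{name}: use_tls is {section.get('use_tls')!r}, want true")
        for key in ("cert_path", "key_path"):
            path = section.get(key)
            if not isinstance(path, str) or not path:
                problems.append(f"{name}: {key} is not set")
            elif exists is not None and not exists(path):
                problems.append(f"{name}: {key} {path!r} not found")
    return problems

# Constructed sample configs, trimmed to the keys that matter here.
GOOD = """{
  "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true,
                   "cert_path": "domain.crt", "key_path": "domain.key"},
  "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": true,
                   "cert_path": "domain.crt", "key_path": "domain.key"}
}"""
UPPERCASE = GOOD.replace("true", "TRUE")            # bare TRUE is not JSON
HALF_DONE = GOOD.replace("true", '"TRUE"', 1).replace(
    '"0.0.0.0:443", "use_tls": true', '"0.0.0.0:443", "use_tls": false')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("uppercase", UPPERCASE), ("half done", HALF_DONE)):
        print(label, lint_tls(text))
```

Pass exists=os.path.isfile to also confirm the copied domain.crt and domain.key are where the config says they are; the copies are not refreshed when LetsEncrypt renews the originals, so re-copy after each renewal.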

Episodes (706)

7MS #26: The Importance of Training and Awareness (audio)

Training and awareness – specifically as it relates to infosec – is something companies can't spend enough $ on. But from my experience, not enough of them are making this a front-burner priority. This episode talks about one topic I'm particularly passionate about. I call it "How not to click on bad stuff." Download: 7MS #26:…

13 Sep 2014, 7 min

7MS #25: Writing Better Pentest Reports (audio)

This episode talks about some pointers, tools and tips towards writing better pentest reports. Download: 7MS #25: Writing Better Pentest Reports (audio)

23 Aug 2014, 8 min

7MS #24: Why Wireless Scares Me (audio)

This episode is all about why you should (probably not) use wireless hotspots, and keeping yourself safe in general when surfing the Web. Download: 7MS #24: Why Wireless Scares Me (audio)

16 Aug 2014, 7 min

7MS #23: OSCP – part 2 (audio)

In this episode I talk more about my adventures with OSCP and Offensive Security! Download: 7MS #23: OSCP – part 2 (audio) Show notes: I recommend documenting ALL the exercises in the PDF. My understanding is that extra effort could be rewarded if you don't do so hot on your final exam. Buffer overflows make…

9 Aug 2014, 7 min

7MS #22: Phishing with Black Squirrel (audio)

In this episode I talk about using Black Squirrel to launch phishing campaigns! Download: 7MS #22: Phishing with Black Squirrel (audio) Show notes: Security Weekly is an excellent podcast/resource. Devour it regularly. Black Squirrel is the main tool discussed in this podcast. I've been using it for phishing campaigns and it's been excellent in that capacity.

27 Jul 2014, 7 min

7MS #21: OSCP – part 1 (audio)

In this episode I talk about my venture into Offensive Security! Download: 7MS #21: OSCP – part 1 (audio) Show notes: It's official – I have a death wish and have started the OSCP training. This episode is the first of what I hope will be a multi-part, spoiler-free series about my experience with OSCP. With…

20 Jul 2014, 7 min

7MS #20: Moving from GoDaddy to DNSimple (audio)

In this episode I talk about why I'm pulling my domains from GoDaddy, and making DNSimple their new home. Download: 7MS #20: Moving from GoDaddy to DNSimple (audio) Show notes: The service I'm talking about in this podcast is DNSimple. Troy Hunt's humorous/awesome article pushed me over the edge and convinced me to give DNSimple a…

15 Jul 2014, 7 min

7MS #19: Kioptrix! (audio)

In this episode I talk about a deliciously vulnerable series of VMs called Kioptrix, and how you can use them to sharpen your pentesting skills. Download: 7MS #19: Kioptrix! (audio) Show notes: The Kioptrix series of VMs is here: http://www.kioptrix.com/blog/test-page/ and here: http://vulnhub.com/?q=kioptrix&sort=date-des&type=vm. Got approved for my OSCP training and I start it in a few…

5 Jul 2014, 7 min
