If you want to learn more about phishing and social engineering attacks, visit: Social Engineering Attack Life Cycle: The Art of Human Hacking.
Some prerequisites need to be configured in Gophish before running a phishing campaign. In general, they can be divided into several important steps that must be completed before launching a successful campaign:
1. Templates. Templates are a very important part of phishing. You should be able to create your own templates based on your game plan. The most commonly used templates are Office 365, Webmail, and internal Facebook and Gmail logins.
Some templates can be found at https://github.com/PacktPublishing/Mastering-Kali-Linux-for-Advanced-Penetration-Testing-4E/tree/main/Chapter%2005.
The following are the simple steps involved in creating a template: in Templates, click New Template, enter information in the Name and Subject fields, click HTML, copy the raw HTML content from the template, paste it into the editor, and click “Save Template”.
2. Landing pages. The effectiveness of a phishing campaign always depends on how you redirect victims to a legitimate website using landing pages. As with the steps in the “Templates” section, go to “Landing Pages” in the menu on the left, click “New Page”, and on the new page enter a Name, then copy and paste the template. You can also import the site directly. Finally, click “Save Page”.
3. Sending Profiles: a profile is where you keep all the SMTP and sender details; Gophish allows attackers to define multiple profiles as well as custom email headers.
To create a profile, click Sending Profiles, then New Profile, and enter a name and interface type. The default is SMTP. Fill in the From field with the email address of your choice. The host is the SMTP server. Attackers can choose their own or use existing services such as AWS. In our case, we will use smtp.gmail.com:465 and enter the username and password. Most anti-phishing solutions block emails based on the header, so try using Microsoft Office Outlook XX or Outlook Express for Macintosh email headers. If all settings work, you can click “Send Test Email”. A successful test email should look something like the image below. Finally, click “Save Profile”:
Testers using Gmail services should ensure that less secure application access is enabled to allow a third-party application to use the services. This can be done by visiting https://myaccount.google.com/lesssecureapps?pli=1 and enabling “Allow less secure apps”.
4. Users and Groups: Upload one or more email addresses of the targeted victims with their first and last names. Gophish allows testers to create groups and import them in CSV format. Go to “Users and Groups” in the menu, click “New Group”, and either import a CSV file or manually enter First Name, Last Name, Email ID, and Job Title. Click Add and then click Save Changes.
5. Account management: one instance can launch multiple phishing campaigns; therefore, individual users can each have their own account on the portal.
6. Webhook: A webhook is simply a web callback or HTTP application programming interface (API). This option allows testers to configure a webhook that sends campaign results directly to any third-party API.
Once we have all the templates, landing pages, users, and sending profiles in place, we are set up to launch a campaign by clicking Campaigns in the menu. Then click “New Campaign” and enter a Campaign Name. Select an email template and a landing page, and specify the host/IP URL that will serve the phishing pages; this is typically the same Kali Linux IP address that Gophish runs on. Select the launch date or schedule a date and time, then select the sending profile you created, select the groups as shown in the image below, and finally click “Launch Campaign”. We can select the date and time when the phishing will begin and the group of targeted victims. Gophish also provides the ability to check an email to see whether it was blocked or delivered directly to the target’s inbox, depending on the templates selected:
After the campaign launches successfully, the victim should receive an email based on the template selected when creating the campaign. An email from the Microsoft Teams Unread template will look something like the image below:
When the target user clicks any link in the email, they are taken to the landing page; the URL carries a unique RID value that Gophish generates for each target, which is how each click is attributed to an individual recipient. The Office 365 sample should be visible on the landing page as shown in the image below:
The same landing page can be connected to the BeEF framework to hook browsers. Testers can track all emails sent, opened, clicked, and reported for each campaign, as shown in the image below:
The Email Reported column includes users who recognised the phishing message and reported it as suspicious. Typically, a member of the internal IT security team uses this output to assess users’ cybersecurity awareness. We have now looked at how to download, install, and run Gophish, and how to run an email phishing campaign.
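Turning the per-campaign results into awareness metrics is the part of the exercise the security team actually keeps. Below is an added example, not code from the Gophish project or from this article, that reads a results CSV and reports how far recipients got and who reported the message. It assumes the column layout of the Gophish “Export CSV” results file (`id,status,ip,latitude,longitude,send_date,reported,modified_date,email,first_name,last_name,position`), treats the `status` column as the furthest stage each person reached, and uses the `reported` column for reports; the CSV content itself is constructed for the example.

```python
import csv
import io

# Funnel stages in order; a person whose status is "Submitted Data" necessarily
# also opened the email and clicked the link, so counts are cumulative.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed sample in the assumed Gophish results-export layout.
SAMPLE_RESULTS_CSV = """\
id,status,ip,latitude,longitude,send_date,reported,modified_date,email,first_name,last_name,position
r1,Submitted Data,203.0.113.5,0,0,2024-01-10T09:00:00Z,false,2024-01-10T09:05:00Z,alice@example.test,Alice,Adams,Finance
r2,Clicked Link,203.0.113.6,0,0,2024-01-10T09:00:00Z,false,2024-01-10T09:04:00Z,bob@example.test,Bob,Baker,Sales
r3,Email Opened,203.0.113.7,0,0,2024-01-10T09:00:00Z,true,2024-01-10T09:02:00Z,carol@example.test,Carol,Chen,IT
r4,Email Sent,,0,0,2024-01-10T09:00:00Z,false,2024-01-10T09:00:00Z,dave@example.test,Dave,Diaz,HR
r5,Email Opened,203.0.113.9,0,0,2024-01-10T09:00:00Z,true,2024-01-10T09:03:00Z,erin@example.test,Erin,Evans,Legal
r6,Error,,0,0,2024-01-10T09:00:00Z,false,2024-01-10T09:00:00Z,frank@example.test,Frank,Fox,Ops
"""


def summarize(csv_text: str) -> dict:
    """Compute funnel counts, rates and a follow-up list from a results CSV."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # "Error" means the message never left; it must not inflate the denominator.
    delivered = [r for r in rows if r["status"] != "Error"]
    n = len(delivered)
    counts = {stage: 0 for stage in STAGES}
    reported = 0
    needs_training = []
    for r in delivered:
        # Unknown statuses count as "sent" only; the reported flag is tracked separately.
        reached = STAGES.index(r["status"]) if r["status"] in STAGES else 0
        for stage in STAGES[: reached + 1]:
            counts[stage] += 1
        if r["reported"].strip().lower() == "true":
            reported += 1
        if r["status"] == "Submitted Data":
            needs_training.append(r["email"])
    rates = {stage: (counts[stage] / n if n else 0.0) for stage in STAGES}
    return {
        "targets": len(rows),
        "delivered": n,
        "counts": counts,
        "rates": rates,
        "reported": reported,
        "report_rate": reported / n if n else 0.0,
        "needs_training": sorted(needs_training),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS_CSV)
    for stage in STAGES:
        print(f"{stage:15s} {summary['counts'][stage]:3d}  {summary['rates'][stage]:.0%}")
    print(f"{'Email Reported':15s} {summary['reported']:3d}  {summary['report_rate']:.0%}")
    print("follow-up:", summary["needs_training"])
```

The report rate is the number to watch over successive campaigns: a rising report rate with a falling click rate is the evidence that awareness training is working, while the follow-up list is who to contact after this round.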
Using bulk file transfer services as phishing to deliver a payload
Attackers can also use bulk file transfer services such as Smash, Hightail, Terashare, WeTransfer, SendSpace, and DropSend. Let’s take a simple scenario: say we are targeting two people, the CFO and the CEO. Attackers can simply transfer a file between these two victims by visiting one of the bulk transfer websites, such as sendspace.com, uploading a malicious file, and setting the sender as financeadmin@targetcompany.com and ceo@targetcompany.com as the recipient. Once the file is uploaded, both parties receive emails with a link to the file. In this case, ceo@targetcompany.com will receive an email indicating that the file was sent successfully, and financeadmin@cyberhia.com will receive something similar, as shown in the image below:
In most cases, these bulk transfer services are not on the block list in a corporate environment (if one is blocked, attackers can switch to another), so they give attackers a direct channel to internal staff for crafting an effective message, and an undetected payload gives a higher chance of success without revealing the identity of the attackers.
Summary
Social engineering is a method of hacking people that takes advantage of a person’s innate trust and willingness to help in order to attack a network and its devices. In this chapter, we looked at how social engineering can be used to facilitate attacks aimed at capturing credentials, activating malware, or helping to carry out further attacks. Most attacks are based on SET and Gophish; however, Kali has several other applications that can be enhanced with social engineering methodology. We explored how new bulk transfer companies could potentially be used to distribute payloads without using any email services to perform phishing. We also looked at how physical access, usually combined with social engineering, can be used to place hostile devices on a target network.
In the next section, we’ll look at how to scout wireless networks and attack open networks, as well as networks protected by WPA2-based encryption schemes. We will also look at common weaknesses in wireless and Bluetooth protocols that make them vulnerable to denial-of-service attacks.