7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!

For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items:

First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease!

The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going:

• After domain registration, log into admin.google.com or click Manage Workspace button at checkout.

• At the next screen click Workspace Admin Console. Sign in with the person you'll be spoofing from, and the temporary password emailed to your backup email account during checkout.

• In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.

• Now, in the upper right, hit Manage Your Google Account.

• Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.

• Back at the main admin page, under Less secure app access, click Turn on access (not recommended).

• At the next screen click Allow less secure apps: ON

• Back at the main screen, click 2-Step Verification and set it to On.

• Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once!

Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish:

cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key

Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to TRUE on both places in the config as well.