In this blog, I am going to walk you through a step-by-step guide on how to conduct a successful phishing assessment in your organization from scratch. Phishing assessments have become very common, since most of the attacks seen in the recent past have come through phishing and social engineering. Organizations are therefore running these assessments at regular intervals to train their employees to spot phishing attempts.
In our previous post, we discussed the step-by-step guide on how to install the phishing assessment tool ‘Gophish.’ Let’s begin this post with the prerequisites and go through the complete process to conduct a successful phishing assessment using Gophish and SendGrid.
Tools Required to Set up a Phishing Environment and Conduct Phishing Assessment
Following are some of the tools we are going to need to set up our phishing environment and conduct our phishing assessment:
- A Virtual Private Server (VPS) to host our phishing website.
- A phishing assessment tool (Gophish) to run our phishing assessment and analyze the results.
- A valid domain name.
- An SMTP relay (SendGrid) to send emails to our victims.
How to Conduct a Successful Phishing Assessment?
Phishing assessments are crucial in evaluating the security posture of organizations and identifying vulnerabilities in their systems. By simulating real-world phishing attacks, businesses can assess their employees’ susceptibility to such threats and implement appropriate security measures.
This section will guide you through the step-by-step process of conducting a successful phishing assessment, enabling you to enhance your organization’s resilience against phishing attacks. We have divided the whole process into five sub-sections to make it easier to follow. Each sub-section is explained in theory here; the practical walkthrough with screenshots follows in the later sections.
Steps to Conduct a Successful Phishing Assessment
Time needed: 2 days.
- Find a Virtual Private Server (VPS) and Install the Phishing Assessment Tool, Gophish
To begin your phishing assessment, it is essential to set up a Virtual Private Server (VPS) capable of running the necessary tools. A VPS provides a secure and isolated environment to execute phishing simulations. Once you have obtained a VPS, proceed to install the phishing assessment tool called Gophish. Gophish offers a user-friendly interface and features that facilitate the creation and execution of phishing campaigns.
- Purchase and Set Up a Domain with a Valid SSL
A domain name is a crucial element in phishing assessments, as it lends authenticity to simulated phishing attacks. Purchase a domain name that aligns with your organization’s brand or objectives. Ensure that the domain has a valid SSL (Secure Sockets Layer) certificate to establish a secure connection between your phishing website and the target’s web browser. The SSL certificate enhances credibility and protects sensitive information during data transmission.
- Set Up an SMTP Relay
To effectively conduct phishing assessments, you need to set up an SMTP (Simple Mail Transfer Protocol) relay. An SMTP relay allows you to send phishing emails using your own domain name. By configuring an SMTP relay, you can ensure that the emails appear legitimate and increase the chances of successful simulation. Choose a reliable SMTP service provider and configure the necessary SMTP settings for seamless email delivery.
- Create Phishing Emails
Creating convincing and realistic phishing emails is crucial to the success of your assessment. Craft emails that mimic real-world phishing attacks, incorporating elements such as urgency, enticing offers, or professional requests. Pay attention to the email’s subject line, body content, and visual elements to make it appear authentic. However, always ensure that the purpose remains educational and that no actual harm is inflicted on recipients.
- Launch Your Phishing Attack and Analyze Results
With all the necessary preparations in place, it’s time to launch your phishing attack. Deploy the phishing emails to your selected targets and monitor the response. Gophish provides comprehensive tracking and analytics features that allow you to assess the effectiveness of your campaign. Analyze metrics such as open rates, click-through rates, and the submission of sensitive information. These insights will help you identify vulnerabilities and areas for improvement in your organization’s security awareness.
Find a Virtual Private Server (VPS) and Install the Phishing Assessment Tool, Gophish
A Virtual Private Server (VPS) is a virtualized server environment created by partitioning a physical server into multiple virtual instances. We will be using Digital Ocean as our VPS provider. We covered this section in our previous blog; refer to it for how to set up the VPS and download and install Gophish.
Purchase and Set Up a Domain with a Valid SSL
Acquiring and setting up a domain is a crucial step in our journey. It’s important because having a valid domain name and SSL certificate is necessary for credibility. In fact, most organizations have a policy that requires a valid domain name, at least 1-2 weeks old, and a proper SSL certificate before allowing any public website to operate. Therefore, in this section, we will explore how to purchase and set up a domain with a valid SSL certificate to make our phishing server appear legitimate.
For this demonstration, I have already bought a domain from GoDaddy. You can visit GoDaddy or any other domain provider to choose the domain you prefer.
Once you’ve purchased the domain, the first thing we need to do is change its nameservers to Digital Ocean’s, so that the domain can be pointed at the public IP of your VPS on Digital Ocean. To accomplish this, follow these steps:
- Go to the website where you purchased your domain and log in.
- Find the option to manage your domain’s settings, often called “Manage DNS.”
- Look for the nameserver section and update the nameserver information. Replace the default nameservers provided by GoDaddy with the nameservers given by Digital Ocean.
By following these steps, you will ensure that your domain directs visitors to the correct location, which is our public IP address hosted on Digital Ocean.
If you are using Digital Ocean as your hosting service, the nameservers you need to specify are usually:
These nameservers will ensure that your domain points to the correct location on Digital Ocean’s servers.
If you are using a different hosting service, you can easily find the nameservers they require by conducting a simple Google search. Just search for the name of your hosting service followed by “nameservers,” and you should be able to find the necessary information.
Remember, it’s important to use the correct nameservers to ensure that your domain functions properly and directs visitors to the right location.
After making the changes to the nameservers in your domain provider’s portal, it’s important to update the DNS settings in your Digital Ocean account as well. This step ensures that Digital Ocean knows which public IP address to associate with your domain.
By updating the DNS settings in your Digital Ocean account, you establish the connection between your domain and the correct public IP address. Keep in mind that it may take some time for these changes to propagate and take effect. So, don’t be alarmed if you don’t see immediate results. Typically, it can take up to 24-48 hours for the changes to fully propagate across the internet.
Once the DNS changes have propagated, your domain will successfully point to your desired public IP address hosted on Digital Ocean.
For that, we go to the Digital Ocean portal and click on “Add domain.” Then we add the domain we just bought, and you’ll see “NS” and “A” records added automatically.
The “NS” records specify the nameservers for your domain, which you have previously set to Digital Ocean’s nameservers in your domain provider’s portal. These records ensure that requests for your domain are directed to Digital Ocean’s DNS servers.
The “A” records associate your domain with the specific public IP address hosted on Digital Ocean. These records indicate the location where your domain should point.
By adding the domain to the Digital Ocean portal, along with the automatic inclusion of the “NS” and “A” records, you establish the necessary configurations for your domain to function correctly with Digital Ocean’s services.
This “A” record is very important as it points to our public IP. Sometimes, this is not added automatically. In that case, you’ll have to add it manually by adding the domain name and your VPS’s public IP.
Please note that these changes will not be reflected immediately and will take some time. This is called DNS propagation, and it can take up to 24 hours. You can check the DNS propagation status by going to https://www.whatsmydns.net/ and entering your domain name as shown below.
All right, this went smoothly. Our next step is to add an SSL certificate to this domain. As I said earlier, browsers will not trust the domain unless it has a valid SSL certificate, and corporate laptops will not open such domains.
So, we’ll add a free SSL certificate from https://zerossl.com/. You can sign up for a free subscription, which provides 2 free SSL certificates valid for 90 days.
Once signed up, go ahead and click on Create a Certificate.
Enter the name of the domain and select “Next Step.” Once you select the free plan, we’ll have to verify that this domain actually belongs to us. For that, select DNS (CNAME) verification, as it’s fast and easy. ZeroSSL will provide a CNAME record which we need to enter into our Digital Ocean hosting portal.
Copy the name and value, go to Digital Ocean, and paste them under the CNAME section as shown below. Note that the “.horizenex.com” suffix is already filled in, so only the first part of the name needs to be pasted. Paste the entire value and the TTL as given.
Once added, go to ZeroSSL and click on verify. Within a minute, your SSL certificate will be generated. Download the zip file in the default format; we’ll copy its contents to our VPS.
After downloading the file and unzipping it, you’ll see something like this.
We need the certificate as well as the private key to install this certificate. To install them, we’ll open each file with Notepad and copy its content into a new file on our VPS. Let’s do that, then.
Once you SSH into your VPS, you’ll see two files in the Gophish folder named “Gophish_admin.crt” and “Gophish_admin.key.” These are sample files for the certificate and private key. Rename them to match your domain, as shown below.
# mv Gophish_admin.crt horizenex.com.crt
# mv Gophish_admin.key horizenex.com.key
Now we’ll copy the content of the certificate in the “.crt” file and the content of the private key in the “.key” file.
Once copied, this is how your .crt and .key files should look. I used Vim for pasting the content, as Nano wasn’t pasting it properly. After this, we’ll add the certificate and key files to our config file. Let’s open config.json and add these files.
This is how the config file should look after adding the .crt and .key files. We can use the same certificate for both port 443, which is our phishing web server, and port 43333, which is our Gophish admin panel. Now let’s start the Gophish application again and check that this is working properly.
It’s working!! As you can see, the Gophish admin panel opens and the browser shows the connection as secure. This means our SSL certificate is working.
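Before restarting Gophish, a quick pre-flight check on what we just pasted saves a round of guessing at TLS errors. The following is an added example, not code from the original post or from the Gophish project: it reads config.json (which really does use the `admin_server` and `phish_server` sections with `use_tls`, `cert_path` and `key_path`) and verifies that each referenced PEM file is complete and well-formed.

```python
"""Pre-flight check for the TLS setup above: a parsed Gophish config.json plus
the hand-pasted .crt/.key files. Added example, not part of the original post
or of Gophish. It catches a truncated paste before it becomes a handshake error."""
import base64
import json
import re
from pathlib import Path
# One PEM block: header and footer labels must match; the body is base64.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S
)

def check_pem(text: str, expected: str) -> list[str]:
    """Return problems found in PEM text; an empty list means it looks fine."""
    problems = []
    blocks = PEM_RE.findall(text)
    if not blocks:
        return [f"no PEM block found (expected a {expected})"]
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"header says {begin!r} but footer says {end!r}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except Exception:
            problems.append(f"{begin} body is not valid base64 (truncated paste?)")
            continue
        # X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs (0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{begin} body does not decode to a DER SEQUENCE")
    labels = {b[0] for b in blocks}
    if expected == "certificate" and "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block in the .crt file")
    if expected == "key" and not any("PRIVATE KEY" in lab for lab in labels):
        problems.append("no PRIVATE KEY block in the .key file")
    return problems

def check_gophish_tls(config: dict, read=lambda p: Path(p).read_text()) -> list[str]:
    """Check both Gophish listeners; `read` is injectable so tests can pass in-memory text."""
    problems = []
    for server in ("admin_server", "phish_server"):
        section = config.get(server, {})
        if not section.get("use_tls"):
            problems.append(f"{server}: use_tls is not true")
            continue
        for key, kind in (("cert_path", "certificate"), ("key_path", "key")):
            path = section.get(key)
            if not path:
                problems.append(f"{server}: {key} is missing")
                continue
            try:
                text = read(path)
            except OSError as exc:
                problems.append(f"{server}: cannot read {path}: {exc}")
                continue
            problems += [f"{server}: {path}: {p}" for p in check_pem(text, kind)]
    return problems

if __name__ == "__main__":  # run from the Gophish folder, next to config.json
    print("\n".join(check_gophish_tls(json.loads(Path("config.json").read_text())) or ["TLS config OK"]))
```

An empty result means both listeners have use_tls enabled and point at readable, structurally valid certificate and key files; anything else is printed one problem per line.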
Set Up an SMTP Relay
Digital Ocean blocks SMTP ports by default to avoid spam and abuse, and they will not entertain any request to open an SMTP port (refer: https://docs.digitalocean.com/support/why-is-smtp-blocked/#:~:text=SMTP%20port%2025%20is%20blocked,other%20abuses%20of%20our%20platform.&text=SendGrid%20delivers%20your%20transactional%20and,cloud%2Dbased%20email%20delivery%20platform). Hence, we are going to use an external SMTP relay service like SendGrid (https://sendgrid.com/) or Mailchimp (https://mailchimp.com/).
Here I’m going to use SendGrid. You can subscribe to its free plan, which allows us to send 100 emails per day.
Once signed up, we first have to authenticate and verify our domain in order to send mail from it. Go ahead with “authenticate your sending domain.”
We have to verify the domain similarly to how we did for the SSL certificate, i.e., by adding the CNAME records to our domain. Click on “Get Started.”
For the DNS host, since Digital Ocean is not in the list, I selected “Other Host (not listed)” and entered Digital Ocean. On the next page, we’ll enter our domain name and move ahead to verify.
Now we’ll copy the CNAME records to our domain and click on verify.
Once our domain is verified, we also have to add a sender identity, i.e., the email address from which we are going to send mail. For that, let’s go to “Create sender identity.”
Here, we can create a sender identity by clicking on “Create identity.”
After creating this, we have our sending identity ready.
The next step is to create an SMTP relay API key. Since we are going to use SendGrid’s SMTP relay service from our third-party Gophish application, we have to create an API key with which to integrate it into Gophish. This is a very simple process. Go to Email API > Integration Guide, and you’ll land on the page below.
Click on SMTP relay, give your API key a name and your API key will be created.
Keep these details handy and save the username and password somewhere securely. Now, we’ll go to the Gophish application to integrate this. For this, we’ll open the Gophish application admin page and go to sending profile.
Here, we add the details provided above, as shown below, along with the API key username and password. As the From address, I entered the sender identity (email@example.com) created on SendGrid. We can’t use any other sender address; however, you can create multiple sender identities in SendGrid and use any of them. Once added, we can send a test mail to see if it’s working properly.
As you can see below, I received the test mail from Gophish confirming that the setup is working perfectly fine. If you use any sender identity other than one created in SendGrid, your mail will fail to send.
OK, that was all; our phishing environment is now ready. The only thing left is to create the phishing mail and landing pages and send them to our targets. I will not go through this process very thoroughly, as Gophish is fairly easy and simple to use. Also, you will find multiple templates online for Gophish which can help you get started. However, the key here is to be creative.
Create Phishing Emails
Now comes the final step of our journey: creating the phishing emails and sending them. As discussed earlier, there are a number of templates available online to start with, but you have to be creative and unique if you want to phish your target. This starts with knowing which services they use, which subscriptions they have, or what might intrigue them into clicking a link. What I personally do is take inspiration from my own corporate emails, go through some of the third-party services the company uses, and target those. For example, I learned that one of my clients was using a third-party application, “Horizon XE,” in their internal network, and hence I chose to use it to my advantage and bought the domain “horizenex.com”. For the sake of demonstration, I am using a fairly simple email template here.
Firstly, we will start the Gophish service and go to the admin panel. Then, under email templates, we will paste our email template in HTML format. If you want you can also write a text mail.
Next comes the landing page. This is where the target will be redirected when they click the malicious link. With Gophish, you can enter a URL and Gophish will clone that web page, although in some cases you’ll have to make changes. For example, if the page has too many hyperlinks, you might have to take those off.
Here, I have created a simple Microsoft sign-in page by importing from the original Microsoft sign-in page.
Finally, we create the email groups. This is also fairly easy; if you have bulk email IDs, you can download the template, fill it in, and re-upload it. In my case, I have just added one email to test it.
Now, our phishing setup is ready to attack. All we have to do is create a campaign. Under the campaign, we can select the email template, user list, and landing page and also schedule the emails. Under URL, we’ll add the URL of our phishing server that is running on port 443.
Launch Your Phishing Attack and Analyze Results
Now comes the final step of our journey: sending the phishing emails. All we have to do is create our campaign. Inside the campaign, we select the email template, user list, and landing page, and we can also schedule the emails. Under URL, we’ll add the URL of our phishing server that is running on port 443, and start the campaign.
Let’s launch our campaign now.
And as you can see, I received the mail, and it didn’t land in the spam or quarantine folder. On clicking the link, it redirected us to the Microsoft sign-in page. But if you look at the URL, it’s our phishing server.
On our Gophish admin page, we can see the stats of our phishing campaign regarding how many users clicked and submitted data.
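Beyond the raw counts on the dashboard, the funnel below is what I would put in the report, because the report rate (who did the right thing) matters as much as the click rate. This is an added example, not code from the post or from Gophish; the rows are constructed, modelled on Gophish’s result export (its status strings Email Sent / Email Opened / Clicked Link / Submitted Data and a reported flag), and the field names are assumptions.

```python
"""Turn a Gophish campaign's per-recipient results into a funnel for the report.
Added example, not from the original post or from Gophish. Rows are constructed
and modelled on Gophish's result export: `status` is the furthest event reached
(Gophish's own status strings) and `reported` is whether the user reported it."""

# Gophish status strings in funnel order; a later stage implies the earlier ones.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed sample rows (not real campaign data). "Error" is Gophish's status
# for mail that could not be sent, so those rows are excluded from the rates.
SAMPLE_RESULTS = [
    {"email": "a@example.com", "status": "Email Sent", "reported": False},
    {"email": "b@example.com", "status": "Email Opened", "reported": True},
    {"email": "c@example.com", "status": "Clicked Link", "reported": False},
    {"email": "d@example.com", "status": "Submitted Data", "reported": False},
    {"email": "e@example.com", "status": "Clicked Link", "reported": True},
    {"email": "f@example.com", "status": "Error", "reported": False},
    {"email": "g@example.com", "status": "Email Opened", "reported": False},
]


def summarise(results):
    """Return funnel counts, rates as a percentage of delivered mail, and the
    recipients who clicked (or worse) without reporting: the follow-up list."""
    rank = {stage: i for i, stage in enumerate(FUNNEL)}
    delivered = [r for r in results if r["status"] in rank]
    n = len(delivered) or 1  # avoid division by zero on an empty campaign
    # Each stage counts everyone who reached it or went further down the funnel.
    counts = {stage: sum(1 for r in delivered if rank[r["status"]] >= i)
              for i, stage in enumerate(FUNNEL)}
    reported = sum(1 for r in delivered if r["reported"])
    rates = {stage: round(100 * c / n, 1) for stage, c in counts.items()}
    rates["Email Reported"] = round(100 * reported / n, 1)
    follow_up = sorted(r["email"] for r in delivered
                       if rank[r["status"]] >= rank["Clicked Link"] and not r["reported"])
    return {"delivered": len(delivered), "failed": len(results) - len(delivered),
            "counts": counts, "reported": reported, "rates": rates,
            "follow_up": follow_up}


if __name__ == "__main__":
    s = summarise(SAMPLE_RESULTS)
    print(f"delivered {s['delivered']}, failed to send {s['failed']}")
    for stage in FUNNEL + ["Email Reported"]:
        hits = s["counts"].get(stage, s["reported"])
        print(f"{stage:15} {hits:3}  {s['rates'][stage]:5.1f}%")
    print("follow up with:", ", ".join(s["follow_up"]))
```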
This finishes our walkthrough for setting up a phishing environment. Before ending this blog, I want to share some tips which might help you gain success in your phishing assessment.
- Do not send too many test emails to check whether it’s working. The more phishing emails we send, the more the reputation of our domain and sender address declines, until eventually the mail may not land in our target’s mailbox at all, or, even if it does, browsers may flag the domain as a potentially dangerous site. Therefore, stick to your target and send only a genuine mail to test the setup.
- Try not to mimic the name of the company or any famous brand in your domain name. Those are the first things to get detected and blocked. For example, do not use names like “micros0ft.com” or “ubemy.com” as your domain name. Similarly, if you are doing a phishing assessment for a company such as Starbucks, don’t use domain names like starbuks.com. Anti-phishing tools have rules set to block mail from any domain name similar to theirs.
- Do not try to impersonate a person from their leadership team, like the CEO, CFO, etc. Those can also be blocked.
- Timing is very crucial here. If you send hundreds of emails at once, the email gateway can block them as spamming activity. If you send them one by one and a few recipients flag them as phishing, their security team will block any further incoming emails. Therefore, you have to find a sweet spot. Try to keep a delay between each mail (Gophish has an option to do that) and send mail in smaller groups. Also, try to time the emails so that the target can read them immediately.
- Since Gophish is now a popular phishing tool, it is very possible that it will be detected; you can try to change some of the Gophish signatures to make it stealthy and hard to detect. Check out this GitHub repo and its write-up for how to do that. (https://github.com/puzzlepeaches/sneaky_Gophish)
phishing environment can be set up. There are more things that can be done, like removing Gophish signatures so that email gateways do not detect it, but we can dwell on those topics some other day.
And with that, our blog comes to an end. I believe this will give you some idea of how to conduct a successful phishing assessment in your organization and will help you succeed in your upcoming phishing engagement. Happy Hacking!!