Summary

This is a topic that I’ve been interested in learning about, as we’ve all been subject to phishing/spam emails. As with anything else in life, we learn by doing (at least I do), so I set out to create a common phishing service utilizing AWS and GoPhish.

Download link.
https://github.com/gophish/gophish/releases

GoPhish Docs.
https://docs.getgophish.com/user-guide/installation

Configuration

After configuring the Ubuntu instance and allowing the below ports, I patched the VM to the latest patch level.

Inbound rules. Don’t forget to adjust the source to your IP address for the management ports, 22 and 3333. Ports 80 and 443 will be set to public since users outside your home/office will need to connect to the GoPhish server’s landing page.

Prior to performing any downloads or anything more, I set up a subdomain for this application to keep things clean.

To do this, hop over to Route 53, create an A record and point it to your instance.

We then download GoPhish, unzip it, and make the binary executable using the commands below.

wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip

unzip gophish-v0.12.1-linux-64bit.zip

chmod +x gophish

We also need to adjust the binding address within the “config.json” file to 0.0.0.0:3333, instead of the local host, so that it can be reached over the internet.
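
With the admin interface bound to all interfaces, the security group is the only thing keeping ports 22 and 3333 private. The following is an added example, not part of the original post: it audits inbound rules shaped like the output of `aws ec2 describe-security-groups` and reports management ports reachable from outside your own address range. The sample rules, the admin address 203.0.113.10/32, and the function name are constructed for illustration; rules that reference other security groups or prefix lists are not evaluated.

```python
import ipaddress

MGMT_PORTS = (22, 3333)  # SSH and the GoPhish admin UI, per the post

# Constructed sample, shaped like one entry of "SecurityGroups" in the
# output of `aws ec2 describe-security-groups`; all values are made up.
SAMPLE_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3333, "ToPort": 3333,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}


def audit_ingress(group, admin_cidr):
    """Return (port, cidr) for each management port reachable from outside admin_cidr."""
    allowed = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":        # "all traffic" rule carries no port fields
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm["FromPort"], perm["ToPort"]
        else:
            continue             # UDP/ICMP rules do not reach these TCP services
        # A port range such as 3000-4000 exposes 3333 just as a single-port rule does.
        ports = [p for p in MGMT_PORTS if low <= p <= high]
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            inside = net.version == allowed.version and net.subnet_of(allowed)
            findings += [(p, cidr) for p in ports if not inside]
    return findings


if __name__ == "__main__":
    for port, cidr in audit_ingress(SAMPLE_GROUP, "203.0.113.10/32"):
        print(f"management port {port} is open to {cidr}")
```

Ports 80 and 443 are deliberately left out of the check because the post makes them public for the landing page.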

Start GoPhish.

sudo ./gophish

At this point you’ll see the URL, port, and credentials to use.

Open a web browser and navigate to https://1.2.3.4:3333

Log in using the above credentials, then you’ll be prompted to change the password.

SSL should be added at some point, but for now, I think that this should at least prove the point.

Next, we’ll need to set up Amazon Simple Email Service (SES) so that we can send emails using SMTP.

SES identity creation will be needed to confirm ownership of the sending email, so use one that you have access to and one that you don’t mind getting flagged as spam.

After selecting Create Identity, a confirmation email will be sent to your email’s inbox. Click on the link to verify ownership.

We also need to create an SMTP account within SES. Unfortunately, I didn’t get a chance to capture a screenshot, but you’ll notice a message that states that an SMTP account needs to be created. Follow the prompts and jot down the credentials, as they’ll only be displayed once.

Another thing to note is that we’re in a sandbox environment, so we’re a bit limited, but not too bad. We have the ability to send up to 200 emails per day and so many per second.

Now, let’s go back into GoPhish and set up a sending profile, email template, users and groups, and landing pages.

The Sending Profile username and password are the credentials that we created above in the previous step.

We should now have a functioning service; we just need to adjust the campaigns and templates. I’ll leave that part up to you to explore as there are a lot of great articles out there covering this part in a lot more depth.

Conclusion

Utilizing Amazon’s EC2 and Simple Email Service, along with GoPhish, we now have a cloud-based phishing service that we can adjust to our needs. We didn’t go into any obfuscation steps as this exercise was only meant to get the tools and services working as a Proof of Concept.

With this baseline, we are now free to register domains that are close to our intended target name, add SSL certificates to our server, configure DKIM, and overall try to clone the company as closely as possible to increase chances of our emails making it past the spam filters. This topic is its own specialty, so we barely covered its full potential. At this point, I just wanted to learn the infrastructure side of things so that I can better understand how these campaigns are generally orchestrated from a very high level.

I hope that you enjoyed this writeup. Until next time, take care.