
Hey guys, this is me @dheerajydv19 , and in today’s blog, we will learn about how phishing attacks actually happen and how you can create a phishing campaign to test the security of your company or organization. As we all are familiar with phishing and have a basic idea, so let’s directly jump to the practical part.
Requirements -
An AWS account with a valid credit card and a Mailgun account and knowledge of Linux navigation, gophish, and evilginx.
Pre-Engagement -
Finding the target list -
The target list can be found in three ways -
- scraping the emails from their official website
- searching the emails in public databases like searching on Phonebook.cz
- scraping the emails from their LinkedIn page
Setting up the AWS environment -
The first thing we need to do is purchase a domain that is similar to our target domain and try to make it as similar as possible so that people can easily trust the domain.
Once, you purchased the domain, start an EC2 instance as per your requirement. You can use the free tier and can create the EC2 instance via that.
Once you are done with creating the EC2 instance, configure the AWS security group and enable all the required ports.
Connect with the Linux machine either via ssh or via the link given in AWS. Now install the gophish and evilginx in your Linux machine(in EC instance) using ssh.
Now, create the Mailgun account and do all the setup things.
Launching your campaign -
Test your infrastructure if everything’s done now. Create a phishing mail template in HTML and upload all the required data in gophish and remember to keep your evilginx server up. Launch the campaign and keep your eye on Linux sever of the EC2 instance and boom, you will be able to see once you hit something.
Post-engagements -
Report your findings in a well-written report. Tranfer the domain back to the target once you finished testing.
Take the necessary actions to train your employees to prevent any phishing attempts in the near future.
That’s it, this is the simple process of performing a phishing campaign. The article was just to give you a rough idea of how exactly things work. In the near future, I would try if can create a tutorial on this, till then keep reading other blogs on hacklido.
You can read my previous blog on Phishing Email Analysis for getting more knowledge about Phishing.
https://hacklido.com/blog/193-phishing-email-analysis-a-complete-guide
Follow me on Twitter: https://twitter.com/Dheerajydv19