Multi-Domain Phishing campaign setup

A recent engagement led me to do more research on some nice technologies. This article is based on Gophish; refer to the official website for more information on how the tool works. Gophish is a great tool with potential for great improvements; on the flip side it does have some limitations as well, maybe intentional, who knows?

In a nutshell, the current Gophish platform lets users create multiple campaigns, sending profiles, landing pages and user groups to test phishing awareness (I say that with a deep breath!!!). However, it does not support setting up multiple domains in Gophish. The current setup only lets you stand up phishing campaigns with one domain, and I need to set up multiple domains at once so I can test users with multiple domains and campaigns for fun. Obviously the same spam email and landing page does not work a second time 🙂 maybe it does, who knows?

I will not cover how to set up Gophish and its functionality, as there is a plethora of information available on GitHub (thanks to the dev). Once Gophish is configured and you have a landing page that you want to serve over multiple domains, the following configuration comes into play.

I will be using Nginx to front the Gophish service and serve multiple domains using a reverse proxy configuration. The necessary background configuration in Gophish is to make sure the application serves its content over localhost only, i.e. 127.0.0.1, while the admin interface runs on the public-facing IP or 0.0.0.0.

The above configuration change is necessary for this to work. The next step is to install Nginx and create server blocks for the domains we want to use in Gophish campaigns.

Install Nginx

sudo apt-get update
sudo apt-get install nginx

At this point we have two domains, Domain-A and Domain-B, pointing to the Gophish public IP address. At your domain registrar, create an A record for both domains pointing to the Gophish server.

The following code edits the server block to accommodate multiple domains using the Nginx default configuration file, located at /etc/nginx/sites-enabled/default.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    # "ssl on;" is deprecated and removed in current Nginx; the ssl
    # parameter on listen enables TLS for this server block instead.
    listen 443 ssl;
    server_name DOMAIN-A.com;

    ssl_certificate           /etc/nginx/keys/domain-a.crt;
    ssl_certificate_key       /etc/nginx/keys/domain-a.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/domain-a.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://localhost:81;
      proxy_read_timeout  90;

      # Rewrite Location headers issued for the upstream address so the
      # browser stays on the public domain.
      proxy_redirect      http://localhost:81 https://domain-a.com;
    }
}

The above is an example configuration for Domain-A. The same server block can be copied for the second domain, Domain-B, as well; the only thing that changes is the domain name, everywhere it appears in the block (server_name, the certificate paths, the access log and the proxy_redirect target). Here is how the final default configuration looks for Domain-A.

A few things worth noting in the above configuration.

I created a folder at /var/www/domaina.com and inside it a .well-known folder to make it easy to obtain a Let's Encrypt certificate.
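Rather than hand-copying the block per domain, here is an added example (not from the original post or the Gophish project) that renders the shared HTTP-to-HTTPS redirect block plus one HTTPS server block per campaign domain. It assumes the post's upstream (localhost:81, written as 127.0.0.1:81), key files under /etc/nginx/keys/ named after the domain as in the post, and a hypothetical /var/www/<host> webroot for the ACME challenge path that mirrors the .well-known folder just mentioned.

```python
"""Render Nginx server blocks for several campaign domains (added example,
not from the original post or Gophish). It fans the post's Domain-A block
out to N domains so server_name, key paths, access log and proxy_redirect
stay consistent. Assumes Gophish on 127.0.0.1:81 and keys in /etc/nginx/keys/."""
from textwrap import dedent

UPSTREAM = "http://127.0.0.1:81"  # the post's localhost:81, pinned to IPv4

def cert_slug(domain: str) -> str:
    """'domain-a.com' -> 'domain-a', matching the post's key file names."""
    return domain.rsplit(".", 1)[0]

def render_https_site(domain: str) -> str:
    """Per-domain HTTPS block proxying to the local Gophish phish server."""
    slug = cert_slug(domain)
    return dedent(f"""\
        server {{
            listen 443 ssl;
            server_name {domain};
            ssl_certificate     /etc/nginx/keys/{slug}.crt;
            ssl_certificate_key /etc/nginx/keys/{slug}.key;
            ssl_protocols       TLSv1.2 TLSv1.3;
            access_log          /var/log/nginx/{slug}.log;
            location / {{
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass       {UPSTREAM};
                # Rewrite Location headers Gophish emits for its own address.
                proxy_redirect   {UPSTREAM} https://{domain};
            }}
        }}
        """)

def render_config(domains: list[str]) -> str:
    """Shared HTTP->HTTPS redirect, then one HTTPS block per domain. The ACME
    path stays on port 80 so Let's Encrypt http-01 renewals keep working
    (hypothetical webroot /var/www/<host>, like the post's .well-known folder)."""
    redirect = dedent("""\
        server {
            listen 80;
            location /.well-known/acme-challenge/ { root /var/www/$host; }
            location / { return 301 https://$host$request_uri; }
        }
        """)
    return redirect + "".join(render_https_site(d) for d in domains)

if __name__ == "__main__":
    print(render_config(["domain-a.com", "domain-b.com"]))
```

Write the output to /etc/nginx/sites-enabled/default and run `nginx -t` before reloading, so a typo in one domain cannot take down the other.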

A further security measure would be to monitor the access logs for these websites. Another good idea is to restrict access to the Gophish admin portal to a single public IP; this can be done easily in AWS or Azure on the fly.

Ready to Phish?

Once server blocks are created for multiple domains, assuming the A records are correct and SSL is configured for those domains, head over to the admin panel in Gophish and launch campaigns. This still means creating two campaigns in total, one for each domain, with each campaign's landing page pointing to its respective domain, i.e. https://domain-a.com or https://domain-b.com. It is good practice to keep campaign names organised (general hygiene).

Happy Phishing!!!
