How to Phish Using a Jump Box Part 1
Installing Postfix
The first thing you need to do is install Postfix on your jump box.
⋊> /e/gophish sudo apt-get install postfix
Once you have it installed you'll need to configure the main.cf file.
After making changes to your main.cf file, make sure that the service actually runs. Start it with sudo service postfix start, then do a quick netstat and check that port 25 is open and listening. If you run netstat and don't see port 25 open and listening, you likely have an issue somewhere in your main.cf file.
It also goes without saying that you should back this file up before making changes to it. sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.bak will do you well! You can see my Postfix config file below:
Configuring Postfix Main.cf
⋊> ~ cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
#myhostname = localhost.members.linode.com
# CHANGE THIS to your own domain
myhostname = Beefhooks.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# CHANGE THIS to your own mail hostname
mydestination = mail.Beefhooks.com, localhost, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# I ADDED EVERYTHING BELOW ⬇⬇⬇⬇
# My edits - [Thanks Jake]
mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks
#transport_maps = hash:/etc/postfix/transport
# SSL Stuff - This makes Postfix encrypt the email upon sending
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
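One check worth automating before you restart Postfix, added here as an example that is not code from the original post: a small Python script that parses main.cf the way Postfix does (comment lines, continuation lines, no inline comments) and flags the things that go wrong with this kind of config, namely leftover CHANGE THIS placeholders, a mynetworks or smtpd_relay_restrictions value that would make the box an open relay, and TLS levels left off. The two sample configs inside it are constructed, and the default file path is an assumption.

```python
"""Sanity-check a Postfix main.cf before restarting the service.

Added example (not code from the original post). It parses main.cf the way
Postfix does: a line starting with '#' is a comment, a line starting with
whitespace continues the previous parameter, and '#' is NOT an inline
comment marker (it would become part of the value). It then flags the
problems that bite people with this setup: placeholder text left in a
value, an open relay, and TLS left off.
Usage:  python3 check_maincf.py /etc/postfix/main.cf   (path is an assumption)
"""
import re
import sys

PLACEHOLDER = re.compile(r"CHANGE THIS", re.IGNORECASE)
RELAY_GUARDS = ("defer_unauth_destination", "reject_unauth_destination")


def parse_main_cf(text):
    """Return a {parameter: value} dict from main.cf text."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # continuation line: append to the previous parameter's value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; Postfix would reject it too
        current = key.strip()
        params[current] = value.strip()
    return params


def check_main_cf(params):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for key, value in params.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{key}: placeholder text left in value {value!r}")

    # Anything listed in mynetworks may relay mail without authenticating,
    # so a 0.0.0.0/0 entry turns the box into an open relay.
    for net in params.get("mynetworks", "").split():
        if net.startswith("0.0.0.0/") or net == "[::]/0":
            problems.append(f"mynetworks: {net} lets the whole internet relay")

    # When set explicitly, the relay restrictions must still defer or reject
    # relay attempts from unauthenticated clients. (When the parameter is
    # absent, Postfix >= 2.10 applies a safe default.)
    if "smtpd_relay_restrictions" in params:
        words = params["smtpd_relay_restrictions"].split()
        if not any(w in RELAY_GUARDS for w in words):
            problems.append("smtpd_relay_restrictions: no defer/reject_unauth_destination, relay is open")

    # An empty or absent *_tls_security_level means no TLS unless the legacy
    # smtpd_use_tls / smtp_use_tls switch is turned on.
    for key, legacy in (("smtpd_tls_security_level", "smtpd_use_tls"),
                        ("smtp_tls_security_level", "smtp_use_tls")):
        level = params.get(key, "")
        if level == "none" or (level == "" and params.get(legacy, "no") != "yes"):
            problems.append(f"{key}: missing or 'none', mail would travel unencrypted")
    return problems


# Constructed samples (not real configs) so the checks can be exercised offline.
SAMPLE_OK = """\
# comment line
myhostname = mail.example.test
mydestination = mail.example.test,
    localhost
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

SAMPLE_BAD = """\
myhostname = Beefhooks.com << CHANGE THIS
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks
"""


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/postfix/main.cf"
    with open(path, encoding="utf-8") as fh:
        problems = check_main_cf(parse_main_cf(fh.read()))
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file before you start the service; a non-zero exit means something needs fixing. The placeholder check exists because a main.cf with "<< CHANGE THIS" still in a value is accepted by Postfix as a literal hostname, which is exactly the kind of silent mistake that leaves port 25 closed or mail bouncing.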
Setting up SSL Encryption 📼
Now that Postfix has been set up, you should be ready to start getting SSL set up for your server. In my situation I went with Let's Encrypt (I think most people do). It's free! I also knew that I would be using a subdomain during my engagement, so I created a wildcard certificate. To get started you'll need to install the Let's Encrypt certbot, which will be used to generate the SSL keys and certs and what not:
Install The Letsencrypt Certbot
⋊> /e/g/gophish
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
Once that's installed you'll need to use it to create the cert. This is where you'll need to add the string that Let's Encrypt generates to a TXT record in your domain's DNS settings. You did purchase a domain, right? If not, you should probably go and do that. Then you'll need to go to where you edit the TXT/MX records:
Generating the Wildcard Letsencrypt Certificate
⋊> /e/g/gophish ./certbot-auto certonly -d '*.Beefhooks.com' --manual --preferred-challenges dns --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for Beefhooks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.Beefhooks.com with the following value:
ftYJ_RjVZUzEeKxzgwjlWqzlqwzCbkrsXknduewigd
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/Beefhooks.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/Beefhooks.com-0001/privkey.pem
Your cert will expire on 2019-11-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
So when certbot pauses and waits for you to update your TXT record, you'll be left in limbo until you can hit enter on the prompt, signaling that the record has been picked up by DNS. What you can do to check this is use the watch command with dig to see if and when the TXT record gets updated. I do this below:
Checking on Letsencrypt Challenge DNS Record Update
clutchisback1@HOMEPC /e/g/enum4linux$ watch dig -t txt _acme-challenge.Beefhooks.com
Every 2.0s: dig -t txt _acme-challenge.Beefhooks.com HOMEPC: Fri Aug 23 16:33:16 2019
; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> -t txt _acme-challenge.Beefhooks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35211
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.Beefhooks.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.Beefhooks.com. 581 IN TXT "ftYJ_RjVZUzEeKxzgwjlWqzlqwzCbkrsXknduewigd"
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Aug 23 16:33:16 MDT 2019
;; MSG SIZE rcvd: 118
See that long string ftYJ_RjVZUzEeKxzgwjlWqzlqwzCbkrsXknduewigd? Your certbot TXT record will show up there after some time, once it has propagated and been registered with your domain. If you don't know about the watch command, it obviously has a ton of other applications: it runs a command every n seconds and refreshes the output as the result changes. It's pretty cool. Oh, and say you wait for a while (10 or so minutes) and nothing updates: hit enter and see if it just works. It's DNS, so expect the unexpected. Sometimes it'll just work/not work. You know how it is...
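The watch-and-dig loop above can be scripted so you are not staring at a terminal, and scripting it lets you fix one weakness of the manual check: the dig output above was answered by the local stub resolver (127.0.0.53), which can hand back a cached answer, while Let's Encrypt asks the domain's authoritative name servers. This added example, not code from the original post, parses dig's ANSWER SECTION for TXT values, tells you whether the token certbot printed is present, and polls each authoritative server until all of them agree. The sample dig output and token in it are constructed; the helper names are my own.

```python
"""Check whether the _acme-challenge TXT record has propagated.

Added example, not from the original post. parse_txt_answers() reads the
output of `dig -t txt <name>` (the format shown above) and returns the TXT
values in the ANSWER section; challenge_is_visible() says whether the value
certbot asked for is among them; wait_for_challenge() polls dig the way
`watch dig` does, but against the domain's authoritative name servers,
which is what Let's Encrypt will query, so a stale answer cached by the
local stub resolver cannot mislead you. The dig-based helpers need the
dig binary and network access; the parser runs offline.
"""
import re
import subprocess
import time

# Matches an answer-section line such as:
#   _acme-challenge.example.test. 581 IN TXT "abc" "def"
TXT_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+(?P<data>.+)$")
# One quoted string, allowing backslash-escaped characters inside it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_answers(dig_output):
    """Return the TXT values found in dig's ANSWER SECTION.

    Multi-string TXT records ("part1" "part2") are concatenated, as
    resolvers do, and escaped quotes inside a string are unescaped."""
    values = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answers
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        m = TXT_LINE.match(line.strip())
        if m:
            parts = QUOTED.findall(m.group("data"))
            values.append("".join(p.replace('\\"', '"') for p in parts))
    return values


def challenge_is_visible(dig_output, expected):
    """True if the exact token certbot printed is one of the TXT values."""
    return expected in parse_txt_answers(dig_output)


def authoritative_servers(domain):
    """Name servers for the domain, via `dig +short NS` (needs dig)."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=True).stdout
    return [ns.rstrip(".") for ns in out.split()]


def wait_for_challenge(domain, expected, interval=10, timeout=600):
    """Poll every authoritative server until all return the expected token.

    Returns True once they all agree, False if `timeout` seconds pass."""
    name = f"_acme-challenge.{domain}"
    servers = authoritative_servers(domain)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        seen = []
        for ns in servers:
            out = subprocess.run(["dig", "-t", "txt", name, f"@{ns}"],
                                 capture_output=True, text=True).stdout
            seen.append(challenge_is_visible(out, expected))
        if servers and all(seen):
            return True
        time.sleep(interval)
    return False


# Constructed dig output (made-up domain and token) for offline testing.
SAMPLE_DIG = """\
; <<>> DiG 9.11.5 <<>> -t txt _acme-challenge.example.test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.example.test.\tIN\tTXT

;; ANSWER SECTION:
_acme-challenge.example.test. 300 IN TXT "constructedTokenA"
_acme-challenge.example.test. 300 IN TXT "part1" "part2"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""
```

Call wait_for_challenge("yourdomain.example", "<token certbot printed>") in a second terminal while certbot sits at its "Press Enter to Continue" prompt; when it returns True every authoritative server is serving the record and the dns-01 validation should pass on the first try.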
Configuring Gophish
So, now that your Let's Encrypt files are generated, you'll need to update the Gophish config.json file located in your Gophish directory. You'll need to specify the Let's Encrypt key file and crt file in this configuration file (the cert_path and key_path under phish_server). I copied them from the letsencrypt folder to my Gophish folder, which is why there's no path in these fields. Here's a snapshot of my config file:
⋊> /e/g/gophish cat config.json
{
  "admin_server": {
    "listen_url": "127.0.0.1:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:443",
    "use_tls": true,
    "cert_path": "Beefhooks.com.crt",
    "key_path": "Beefhooks.com.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": ""
  }
}
Make sure that you're changing the phish_server parameters and NOT the admin_server parameters (the cert_path and key_path above are the ones to change to your own domain's files; JSON has no comments, so don't leave a note inside the file). Once you've made it to this point you should be good to start fooling around with creating the phishing campaign in the Gophish application itself. I may create a part 2 if I'm able to find the time, but this should be enough to get you all started phishing from your own jump boxes! Shout out to Jake N. [The Cobra] and Ryan V. [1337llama] for showing me all the things!
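Because the admin_server block is the one that must stay as it is, a script that refuses to let the mistake through is worth keeping next to config.json. This added example is not code from the original post or from the Gophish project: it loads config.json and reports an admin panel bound to anything other than loopback (which would expose it to the internet), TLS switched off on either server, cert or key files that don't exist relative to the Gophish directory (where the post copies them), and both servers pointed at the same certificate, the tell-tale sign that the wrong block was edited. The configs inside it are constructed.

```python
"""Validate a Gophish config.json before starting the server.

Added example, not code from the original post or the Gophish project.
It catches the mistake the post warns about (editing admin_server instead
of phish_server, so both blocks end up with the same cert) and the one a
defender cares about most: the admin panel must stay on the loopback
address, never on an interface reachable from the internet.
Usage:  python3 check_gophish.py /opt/gophish/config.json   (path is an assumption)
"""
import json
import os
import sys

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def host_of(listen_url):
    """Gophish listen_url is host:port without a scheme; return the host part."""
    host, _, _ = listen_url.rpartition(":")
    return host.strip("[]")


def validate_gophish_config(cfg, base_dir=".", exists=os.path.exists):
    """Return a list of problems; an empty list means the config passes.

    `exists` is injectable so the checks can run without real files."""
    problems = []
    admin = cfg.get("admin_server", {})
    phish = cfg.get("phish_server", {})

    if host_of(admin.get("listen_url", "")) not in LOOPBACK_HOSTS:
        problems.append("admin_server.listen_url is not loopback: the admin "
                        "panel would be reachable from the internet")

    for name, server in (("admin_server", admin), ("phish_server", phish)):
        if not server.get("use_tls"):
            problems.append(f"{name}.use_tls is false: logins and cookies "
                            "would travel in clear text")
            continue  # cert/key paths are not used without TLS
        for key in ("cert_path", "key_path"):
            path = server.get(key, "")
            if not path:
                problems.append(f"{name}.{key} is empty")
            elif not exists(os.path.join(base_dir, path)):
                problems.append(f"{name}.{key} points to a missing file: {path}")

    if admin.get("cert_path") and admin.get("cert_path") == phish.get("cert_path"):
        problems.append("admin_server and phish_server share cert_path: "
                        "you probably edited the wrong block")
    return problems


# Constructed configs (not real deployments) for exercising the checks.
GOOD_CONFIG = {
    "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": True,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
    "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": True,
                     "cert_path": "example.test.crt", "key_path": "example.test.key"},
}

BAD_CONFIG = {
    "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": True,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
    "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": False,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
}


def main(argv):
    path = argv[1] if len(argv) > 1 else "config.json"
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)  # strict JSON: a '# CHANGE THIS' comment would fail here
    problems = validate_gophish_config(cfg, base_dir=os.path.dirname(path) or ".")
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Relative cert and key paths are resolved against the directory holding config.json, matching the post's habit of copying the Let's Encrypt files into the Gophish folder; the loopback rule means the admin UI is only ever reached over an SSH tunnel to the jump box, which is how a 127.0.0.1 listen address is meant to be used.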
 _______________
< L33T PHi$HiNg >
 ---------------
\
\ /\/\
\ /
| 0 >>
|___|
__((_<| |
( |
(__________)
| |
| |
/\ /\