Phishing Attack with Spoofed Mail from Scratch
Content
- Introduction
- Lab Installation Guide
- Simulation Workflow
- Conclusion
Introduction
I decided to set up a local virtual lab to try phishing techniques and create a scenario around it. So I started to research email scams, because phishing over websites and credential harvesting has one goal: take the credentials, send them back to me and save this information to a file. I found some tools for sending mail using SMTP. Let’s set up the local lab.
Lab Installation Guide
Requirements
- Kali Linux,
- A Windows 10 device for receiving mail, with hMailServer installed as the SMTP server,
- PHP installed on your Kali,
- Gophish installed on your Kali.
Installation
- Kali Linux Bare Metal Installation: https://www.kali.org/docs/installation/hard-disk-install/
- Kali Linux Guest VM Installation: https://www.kali.org/docs/virtualization/install-virtualbox-guest-vm/
- Windows 10 Installation: https://www.groovypost.com/howto/windows-10-install-virtualbox/
- Install “hMailServer”: https://medium.com/@coffmans/setup-your-own-simple-smtp-server-how-to-c9159cfc7934
In a real scenario we would only need an SMTP server to send the mail, but here we also want to see how the mail arrives on the victim’s side, so we set up a complete mail system including IMAP.
Once hMailServer is set up, we can open the mailbox using Outlook or Microsoft’s Mail app:
Create a domain and an account as the installation document shows you, and when you open Outlook, just type the account that you created.
After that, you need to choose IMAP from here.
Fill the server fields with the IP of your Windows machine, because that is where hMailServer is installed and running; Outlook sends and receives mail through that server.
Type the password of the user and voilà :) You have a mailbox. Now you can send and receive mail locally.
Now we need to send spoofed mail, so we need a tool called Gophish. The installation link is given above; once Gophish is installed on your Kali Linux, we are ready to go.
💡 Troubleshooting tip: if Outlook doesn’t connect to your mailbox, allow inbound TCP ports 25, 110 and 143 under Windows Firewall Advanced Settings > Inbound Rules.
Download the latest Gophish release and extract it from the archive.
Go to the extracted folder on the command line and set the execute permission on the Gophish binary.
Now you can run the executable.
It starts the admin interface on 127.0.0.1:3333 and the phishing server on 0.0.0.0:80, and prints a one-time password for the admin account.
Log in with that one-time password and set a new password.
Because we will serve our own phishing website, we need to change the port of the Gophish landing page from 80 to 8080.
Open the config.json file in a text editor.
Change the listen_url value under phish_server from 0.0.0.0:80 to 0.0.0.0:8080.
We are doing this because our phishing website will be served on port 80, so no other service may be listening there.
Simulation Workflow
This is the most important part: here we go through the workflow of our scenario. A quick recap:
We have a Windows 10 machine, which is the victim’s computer. Remember that this is a simulation and we need an SMTP server, so we are also using the victim’s machine as the mail server; that is why hMailServer is installed on it.
We have a Kali Linux machine for the attacking side, of course :) PHP is installed on it because it will serve our phishing website to other hosts and receive the POST request with the submitted form. Gophish is installed on Kali too; as the name suggests, it is a tool for creating mail phishing simulations.
Now I am ready to create my mail template as HTML.
We are going to impersonate Instagram, so we need a mail like “New login to your account; if it was not you, secure your account from this link”. I am using a real mail of this kind from my own mailbox :)
It is a Turkish mail, but it says roughly: “You have a login from a new device. You can ignore this mail if it was you; if it wasn’t, you can secure your account from here.”
Open your developer tool and choose the mail content.
Right-click on this element and copy it as HTML.
Go to Gophish’s e-mail template tab and create a new e-mail template.
Paste this HTML code into the HTML field here. We only need to change the text values and perhaps the pictures, depending on your skills. You need to put the link to the phishing website here. Since we are simulating, I changed my Windows hosts file and added “www.instegram-secure-your-account-6wf35.com.tr”. You can also attach files to your mail if you want.
I am running this website on my local network, so I entered my Kali’s IP because the site will be served from there.
Save all of these settings and go back to the Gophish settings.
Go to Sending Profiles and create a new profile.
Enter the mail address that you want the victim to see, then type your SMTP server address plus the username and password if the server requires them; in our lab there is no username or password.
After all of this, you just need to create a user group, add users to it and create a campaign.
💡 You also need to create a landing page, but we are not going to use it, so leave it blank. If you don’t create an empty landing page, Gophish won’t proceed at the campaign step.
Send a test mail and see what is going on :)
Now, we can send spoofed mail. It is time to prepare our phishing website.
I am going to do it the easy way and use the templates of an existing phishing website tool. I will install Nexphish for this, but I will only take its template.
As you can see there are hidden folders. The “.Modules” folder contains a lot of website templates and “login.php” files. When I inspected those files a bit, I noticed that they just receive the user credentials from an HTTP POST request and save them to the “usernames.txt” file in the same folder.
Now we need to open our console here and publish this website with the code below.
Now we can access this website from the Windows machine if we are on the same network.
Remember that we added an entry to the “hosts” file on the Windows machine: Kali’s IP and the hostname of our website.
Let’s start the campaign and see if this phishing works.
This panel shows you everything about the campaign.
Hey! We have received a mail from security@mail.inst(e)gram.com :)
When we click the link.
When we enter our credentials (not the real ones), it redirects us to the real Instagram page. We can check the “usernames.txt” file in the website folder and see the credentials.
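From the receiving side, the mail this campaign produces carries exactly the signs a mail filter or an analyst looks for: a sender domain that misspells the brand, a link host that does not belong to the sender’s domain, a plain-http link, and an envelope sender that differs from the visible From address. The following Python script is an added example, not part of the original post and not Gophish or Nexphish code; it runs those checks on a constructed sample mail modelled on the lab’s (the hosts, addresses, IP and brand list are assumptions, not captured data) and on a constructed legitimate counterpart.

```python
"""Added example (not from the original post): triage a 'new login' mail the way
a defender would, comparing the visible sender, the envelope sender and every
link target against the brand the mail claims to be from."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional
from urllib.parse import urlparse

# Brand name -> domains that legitimately belong to it (assumption: the defender
# maintains this list; only the brand used in the lab is included).
BRAND_DOMAINS = {"instagram": {"instagram.com"}}

# Constructed sample mirroring the lab mail (lookalike sender and link host,
# envelope sender on the attacker's host, plain-http link). Not a real capture.
SAMPLE_MAIL = """\
Return-Path: <bounce@kali.lab>
From: Instagram Security <security@mail.instegram.com>
To: victim@win10.lab
Subject: New login to your account
Content-Type: text/html; charset=utf-8

<html><body><p>We noticed a new login. If this was not you,
<a href="http://www.instegram-secure-your-account-6wf35.com.tr/login.php">secure your account</a>.</p>
</body></html>
"""

# Constructed sample of what a legitimate notification would look like.
LEGIT_MAIL = """\
Return-Path: <security@mail.instagram.com>
From: Instagram <security@mail.instagram.com>
To: victim@win10.lab
Subject: New login to your account
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.instagram.com/accounts/login/">Review this login</a></body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_domain(host: str) -> str:
    """Heuristic registrable domain: last two labels, or three when the TLD is a
    two-letter country code under com/co/net/org (e.g. example.com.tr)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "co", "net", "org"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(header_value: Optional[str]) -> str:
    """Domain part of the first address in a header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates without belonging to it, else None."""
    host = host.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if any(is_under(host, d) for d in domains):
            continue  # genuinely the brand's own domain
        # Check every label and every hyphen-separated token inside a label, so
        # 'instegram-secure-your-account-6wf35' is caught as well as 'instegram'.
        for label in host.split("."):
            for token in label.split("-"):
                if token and levenshtein(token, brand) <= 2:
                    return brand
    return None


def extract_links(msg: Message) -> List[str]:
    """Collect href targets from every HTML part of the message."""
    links: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            links += re.findall(r'href=["\']([^"\']+)["\']', body)
    return links


def analyze(raw_mail: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_mail)
    findings: List[str] = []
    from_dom = address_domain(msg.get("From"))
    envelope_dom = address_domain(msg.get("Return-Path"))
    if envelope_dom and org_domain(envelope_dom) != org_domain(from_dom):
        findings.append(f"envelope sender {envelope_dom} does not match From domain {from_dom}")
    brand = lookalike_brand(from_dom)
    if brand:
        findings.append(f"From domain {from_dom} imitates {brand}")
    for link in extract_links(msg):
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link host {host} imitates {brand}")
        if org_domain(host) != org_domain(from_dom):
            findings.append(f"link host {host} is outside the sender domain {from_dom}")
        if parsed.scheme == "http":
            findings.append(f"link {link} uses plain http")
    return findings


if __name__ == "__main__":
    for name, raw in (("lab mail", SAMPLE_MAIL), ("legitimate mail", LEGIT_MAIL)):
        result = analyze(raw)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run stand-alone, the script reports five findings for the lab-style mail and none for the legitimate one. The domain logic is deliberately heuristic (a public-suffix list would be the production choice); the point is that each sign the campaign relies on is mechanically checkable before anyone clicks.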
Conclusion
If you have received a mail like this and you need to change your password, open the browser and change your password manually, not through the link you were sent. Most important of all, use two-factor authentication. Two-factor authentication is very hard to break; of course nothing is impossible, but you need to be careful and take as many precautions as you can.
💡 I am waiting for your feedback about this blog post; please let me know if I have made a mistake. Feel free to send pull requests.
Originally published at http://github.com