The Ultimate Guide to Phishing

Author: Siddharth Balyan
Why another Phishing guide?
Recently I’ve been able to get my hands dirty with Phishing and witness actual Phishing campaigns due to the incredibly talented people at my workplace. To satisfy my curiosity I tried to follow along with a small Phishing campaign against myself and realized that there doesn’t seem to be an all-inclusive, all-in-one guide for beginners to understand the process and help them set up the infrastructure.

So, this is my attempt at that.

I’m going to assume the starting point that you already know what phishing is, but would like to learn how to do it.

The process of phishing can be split into two parts by my understanding;
  • The Phishing Website: This is the spoofed, fake website where the unknowing user will enter their credentials. From here we would capture the said credentials along with their session cookies.
  • The Phishing Mail: This is the email which would be sent to the victim with the hope that they bite the bait and go to our spoofed website.
The Phishing Website
Infrastructure and Tools Used
  1. Urlcrazy: A tool generating typo domains.
  2. Freenom: For buying a free domain for testing/learning purposes.
  3. evilginx2: A man-in-the-middle proxy for setting up the Phish Website which can capture credentials.
  4. Free Azure Account: Azure’s free standard VM for setting up all the infrastructure and tools.
Getting a domain
A domain name needs to be convincing and similar enough to the domain of the legitimate website. One can use urlcrazy or catphish to generate a list of typo domains.
❯ urlcrazy
[Image: TumFiuU.png]
The domains marked are some examples of typo domains we can choose from. The rest are all in use.

For demo purposes, I’m going to buy a free domain from Freenom. They offer free domains from .tk, .ml, .ga, .cf, .gq TLDs.

I’ll be buying for now.
[Image: kQ7ZsqM.png]
Note: Freenom is a bit buggy, so you may have to write the entire domain with TLD in their search to be able to select and put it in your cart

We now have a Phishing domain to host our site on.

Getting a Phishing Machine
To run evilginx2, the man-in-the-middle HTTP proxy, I am using an Azure B1S Standard tier VM running Ubuntu 20.04 LTS, which I got free with my Azure for Students subscription.

Once the VM is created, go ahead and open the ports 80, 443 and 3333 for HTTP, HTTPS and GoPhish, which we will use later on, respectively.
[Image: 3dNHqPY.png]

Adding DNS Records
Go to the DNS Management page in your Freenom Domain and add the A record for WWW.
[Image: 0rOyWNx.png]

Configuring EvilGinx2
First install Go by following the instructions here and make sure you add it to your $PATH.

Then, clone the repo for evilginx2; cd into the directory and make the binary. Additionally, add the binary to /usr/bin or /usr/local/bin and copy the phishlets and templates directory to /usr/share/evilginx to use the tool from any path.
❯ git clone
❯ cd evilginx2                                     
❯ make         
❯ sudo cp bin/evilginx /usr/bin
❯ sudo cp -r phishlets/ /usr/share/evilginx/
❯ sudo cp -r templates /usr/share/evilginx/
Run evilginx2 and if the phishlets have been loaded successfully you should see the tool run.
[Image: 1O5JbKD.png]
Now edit the config to add your domain and IP and the redirect URL.
: config domain
[01:25:52] [inf] server domain set to:

: config ip
[01:25:59] [inf] server IP set to:

: config redirect_url https://xxxx.xxxx
[02:02:52] [inf] unauthorized request redirection URL set to: https://xxxx.xxxx
[Image: ke3nqk9.png]
Any Scanners scanning your domain without the lure parameter will automatically get redirected to the redirect_url you set up here.

We also need to set up a TLS Certificate for our domain. Luckily, the tool can handle that for us. Do the following;
: phishlets hostname linkedin
: phishlets enable linkedin
[Image: PtcYBqL.png]
Our LinkedIn phishlet is all set up!
[Image: DU0vdiU.png]

Creating EvilGinx2 Lure
The next task is to create a lure, which would be the phishing URL to send the victims to.
: lures create linkedin
[04:31:37] [inf] created lure with ID: 1

: lures get-url 1
We also need to add the URL the victim will get redirected to after logging in. This is different from the config redirect_url as that one is for the scanners and unintended users and this one is for the victims post-login.
: lures edit 1 redirect_url
[04:46:06] [inf] redirect_url = ''
[Image: CCLMHvr.png]
Once that’s it, you can navigate to the lure URL to make sure it’s working

If you did everything right, you should see a LinkedIn login page!
[Image: kD9Rh5J.png]
Congratulations! You now have a Phishing Website set up!

Note: You can run evilginx2 in a tmux session so that when you quit your ssh connection, the tool keeps on running.
The Phishing Mail
Infrastructure and Tools Used
  • GoPhish: The phishing framework used to manage users, email templates and phishing campaigns.
  • Mailgun: The email service used to send the emails to the victims.
Installing GoPhish
GoPhish is an open-source phishing framework which makes it easy to configure, run and track Phishing campaigns. Install it by either downloading the binary for your system from here, or you can build it for your system using;

❯ go get

Then navigate to the directory of installation, (usually ~/go/src/ and run go build. You should have a binary called gophish in your directory. In the same directory, there should be a file called config.json. Here, change the listen_url from to

[Image: Gru5mX7.png]

You can now run the binary;
sudo ./gophish

You should probably run gophish in the same tmux session as evilginx2.

[Image: 0eCeib0.png]
The temporary credentials are printed in the logs here. Navigate to https://[your-ip]:3333 and login using these credentials. You are now in the GoPhish Admin Panel.

Setting up an Email Template in GoPhish
We set up and configure the email which shall be received by the victim here. To make a convincing email template, go through your own inbox and try to find an existing email from the website you’re trying to spoof. For my use case, I will use a Password-Reset Confirmation Email which I received from LinkedIn.

[Image: TXYpfP3.png]

Click on the three-dot options button and Download the Email you want to use as a template

[Image: BOKg63X.png]

Open the file and copy its contents. Now navigate to Email Templates tab and create a new template. Here, click on Import Email and paste the copied contents here. Optionally, check the Change Links to Point to Landing Page checkbox. This will change all the links in the mail to point to the spoofed landing page.

[Image: jPsrVv0.png]

Now, in the HTML tab, modify the contents to your own liking.

Crafting a convincing email is very important, so if you’re doing this for an assessment, take your time to craft a phishing email.

For reference, here’s my template;
[Image: ORi3zJl.png]

Setting up the Landing Page in GoPhish
The landing page is what you want users to “land” on once they click on the link in the email. Once in the GoPhish admin panel, navigate to Landing Pages and create a new page. Give it a page name and for the page content, add the following;

        window.location.replace("<YOUR EVILGINX LURE URL>");

It should look similar to this;
[Image: QhIVA4D.png]

The phishing server runs on http://[your-ip]:80. This is the template variable for {{.URL}}. Whenever the victim navigates to this page (through the link they will be prompted to visit), they will get redirected to your evilginx2 lure.

Setting up Sending Profile with GoPhish and Mailgun
Now that we have the phishing mail, the spoofed website and all the tools, all we need to do is send the email. For this, we will use Mailgun’s free tier user account. Make an account at Mailgun and navigate to the sending tab. Here, in the SMTP section, you’ll notice your SMTP credentials.

[Image: b3q49hf.png]

Also add Authorized Recipients. As a free tier user, only authorized recipients can receive emails from your Mailgun account.

[Image: aq8WTPO.png]

Now, in the Sending Profile in the GoPhish panel, make a new profile and copy your credentials and config here as follows.

[Image: QoG2BA4.png]

You can also verify your domain and send mails through that by following the steps here.

Adding Users in GoPhish
You have to add the victims in the Users & Groups section. Navigate to the section, and you’ll see you can either do it manually or in bulk using their CSV template.

For demo purposes, I’ll be sending the mail to myself, so I’ll add my user in manually.

[Image: 4QVVpqB.png]

Creating and Launching the Campaign
All your GoPhish set up is done! Now all you have to do is create a new campaign in the campaign section, add all the config you’ve done and launch it!

[Image: K9z24Sj.png]

Now, it is very likely that your email has been marked as a phish and has been moved to the Spam folder. You can go to the link in the mail, and you’ll notice something like this;

[Image: ThRGA9f.png]

Click proceed and look! evilginx2 has started logging all the data of the new visitor (you).

On entering the password, you can see evilginx2 capturing the credentials and displaying them.

[Image: yHl4zkh.png]

Running the sessions command will show you all the user credentials and cookies you’ve captured, though this is out of our current scope.
Final Thoughts
Congrats! You’ve successfully understood how to run a phishing campaign, and that too without shelling out a single rupee! Given there are a few caveats, the phishing mail gets marked as a phishing mail, but that can be avoided by using a little trustworthy domain and shelling out some cash for a premium Mailgun account.

Note that this is just the beginning of how you can conduct phishing assessments. Once you proceed further, the complexity increases. Automation, spam evasion, bypassing filters, aging your domains etc., come into play. To get a better insight into some of these topics, you can check out @grahamhelton3’s course on Practical Phishing Assessments here.
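Seen from the defending side, the "Getting a domain" step of the guide above is where a lookalike can be caught before anyone clicks. The following is an added example, not part of the original post or of any tool it names: it scores hostnames (for instance link targets pulled from inbound mail) against a protected brand. The brand `linkedin`, the legitimate domain `linkedin.com`, the homoglyph map and the sample hostnames are assumptions constructed for illustration.

```python
"""Triage observed hostnames for lookalikes of a protected brand (added example)."""

FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}   # free TLDs named in the guide
# Small digit-for-letter map; constructed for this example, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host, brand="linkedin", legit=("linkedin.com",)):
    """Return (verdict, reasons) for one hostname seen in mail or proxy logs."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate", []
    labels = host.split(".")
    # Naive registrable label: the one left of the TLD (no public-suffix list).
    reg = labels[-2] if len(labels) > 1 else labels[0]
    norm = reg.translate(HOMOGLYPHS).replace("-", "")
    dist, reasons = osa_distance(norm, brand), []
    if reg == brand:
        reasons.append("brand name under a different TLD")
    elif norm == brand:
        reasons.append("homoglyph/hyphen variant of brand")
    elif dist <= 2:
        reasons.append(f"edit distance {dist} from brand")
    elif brand in norm:
        reasons.append("brand embedded in registrable label")
    if brand in labels[:-2]:
        reasons.append("brand used as subdomain of another domain")
    if reasons and labels[-1] in FREE_TLDS:
        reasons.append("free TLD")
    return ("suspicious" if reasons else "unrelated"), reasons


# Constructed sample hostnames, e.g. extracted from link targets in inbound mail.
SAMPLE = ["www.linkedin.com", "www.linkedni.tk", "link3din.cf",
          "linkedin.login.example.gq", "example.org"]


def triage(hosts):
    """Map each suspicious hostname to the reasons it was flagged."""
    out = {}
    for h in hosts:
        verdict, reasons = classify(h)
        if verdict == "suspicious":
            out[h] = reasons
    return out


if __name__ == "__main__":
    for host, why in triage(SAMPLE).items():
        print(f"{host}: {', '.join(why)}")
```

The distance threshold of 2 suits an eight-letter brand; shorter brands need a tighter threshold, and multi-label suffixes such as `co.uk` need a public-suffix list instead of the naive label split used here.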
Wonderful thread! I already knew some of the tools, but this is the first time I've seen anyone using them all together. The result is really very convincing, thank you very much for posting here!
(01-26-2022, 08:23 PM)Corvo Wrote: Wonderful thread! I already knew some of the tools, but this is the first time I've seen anyone using them all together. The result is really very convincing, thank you very much for posting here!

No problem :) Yeah, it was quite a complete guide. Had to archive it here.
something worth noting when using evilginx2.

evilginx2 will create an http header in the GET request that says "x-Evilginx:" or some such

search through the source code and there is an obfuscated byte array among other lines that need to be removed or commented out.
(02-04-2022, 08:08 PM)tyupp Wrote: something worth noting when using evilginx2.

evilginx2 will create an http header in the GET request that says "x-Evilginx:" or some such

search through the source code and there is an obfuscated byte array among other lines that need to be removed or commented out.

Fair point. I've done similar things with nginx in the past. Comment out certain error messages that reveal too much information before compiling the source code.
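The header described in the comments above is also something the impersonated site can look for in its own inbound traffic. This is an added example, not code from the thread or from evilginx2: it parses raw request heads and groups the ones carrying the marker. The header name is taken as quoted in the comment, the idea that its value names the relaying host is an assumption, and the sample requests are constructed.

```python
"""Spot relayed requests at the legitimate site by the proxy's marker header."""
from collections import defaultdict

# Header name as quoted in the comment above; exact spelling is an assumption,
# so it is matched case-insensitively after normalizing header names.
MARKER = "x-evilginx"


def parse_head(raw):
    """Split a raw HTTP/1.1 request head into (request_line, {name: [values]})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = defaultdict(list)
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return lines[0], dict(headers)


def relayed_requests(requests):
    """Group marked requests by marker value (assumed: the relaying hostname)."""
    hits = defaultdict(list)
    for client_ip, raw in requests:
        request_line, headers = parse_head(raw)
        for value in headers.get(MARKER, []):
            hits[value or "(empty)"].append(f"{client_ip} {request_line}")
    return {host: sorted(seen) for host, seen in hits.items()}


# Constructed (client_ip, request head) pairs; addresses are documentation ranges.
SAMPLE = [
    ("203.0.113.7", "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                    "X-Evilginx: login.lookalike.example\r\n\r\nuser=a:b"),
    ("198.51.100.4", "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.7", "GET /feed HTTP/1.1\r\nhost: www.example.com\r\n"
                    "x-evilginx: login.lookalike.example\r\n\r\n"),
]

if __name__ == "__main__":
    for host, seen in relayed_requests(SAMPLE).items():
        print(host, seen)
```

As the comments note, the header can be removed from the source, so its absence proves nothing; a hit is a high-confidence signal to invalidate the affected sessions and report the relaying host.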
Nice man thank you but is there any other alternative for Azure?
(02-13-2022, 10:02 AM)slq Wrote: Nice man thank you but is there any other alternative for Azure?

Obviously. Just use any VPS or server you want.
I just found a very interesting script, I'll leave it here for anyone who wants to take a look. IMPORTANT: there is a snippet with hex code. It is a block at the very beginning (lines 124 to 138) and a call further down (line 460). I still couldn't identify the usefulness, so I removed the parts and the code worked normally* bringing the login credentials. Despite this, everything else looks ok and works great. I also checked the files the code creates in $HOME/.site and $HOME/.websites, everything seems to be ok. But I always recommend looking for yourself, because why not? :)

* Except for not having brought the information of each access.