Tactics, Techniques, and Procedures
Phishing

MITRE ATT&CK, Initial Access, Technique T1566


Last updated 1 year ago

Setting up GoPhish

  1. Setting up GoPhish is extremely easy. Simply grab the binary from the official GoPhish GitHub repository and execute it in a tmux session:

tmux new-session -d -s "GoPhish" ./gophish

Reconnaissance

  1. Identify the target domain. This is often specified in the scope of the engagement.

  2. Use OSINT to identify emails and victims to receive your phish.

    1. Publicly available tools such as LinkedIn2Username, BridgeKeeper, previously pwned databases, Phonebook.cz, etc. are great for this.

  3. Enumerate the target's domain. Search for blogs, company calendars, and company-specific portals, and enumerate subdomains. All of this information is going to assist you when creating your campaign.

Prepare the Campaign

  1. Identify and purchase an available domain to be used for your campaign.

    1. Lookalike domains can either be manually created or found with tools such as CatPhish. Additionally, domains with a good reputation can be identified from sites similar to expireddomains.

  2. Create a convincing template. This involves creating the subject, sender, and content of the email. Additionally, this is where you would decide if you need to create a landing page or will be attaching a malicious document to the email.

    1. There are several repositories on my GitHub and scattered throughout the Internet with ideas for pretexts and campaigns.

    2. The best type of campaign reference are the ones you receive! Check your spam emails and see if anything can be modified, improved, and sent out!

    3. When creating a malicious document there are multiple tools available, such as LuckyStrike and BoobSnail, that can create a wide variety of documents with payloads embedded.

    4. Create a landing page. This can be based off of the company-specific login portals identified during the reconnaissance phase or a commonly used login portal such as Exchange.

Prepare the Infrastructure

  1. Set up the purchased domain to be used in the campaign; this is extremely easy to configure in GoPhish.

  2. Harden the GoPhish infrastructure by changing the email headers.

  3. Configure the email service to have the appropriate SPF, DMARC, and DKIM records.

    1. This is mostly important if you are trying to bypass protections in place. It should not impact authorized phishing exercises where the client whitelists you.

  4. Configure the sending profile to use an SMTP server such as SES or SendGrid to bypass protections in place.

Testing the Campaign

  1. I would advise against testing via something like your own Outlook or Gmail. If your email is flagged, it is possible that your domain could be marked as spam and blacklisted.

  2. When testing your email, double-check that your pretexts and landing page look correct and work as intended.

  3. Test the campaign by sending an email to mail-tester. This site will alert you if anything is misconfigured or give you tips on how to improve your credibility.

Launch the Campaign

  1. Monitor the status of your campaign. You should start seeing clicks come in. A click tells us a few different things about the victim:

    1. The email was successfully received by the victim.

    2. The email was opened.

    3. The user is active.

Picking a Time

The following is based off a few different papers and statistics gathered from various sources:

  • The best days to send a phishing email (in order): Tuesday, Thursday, Wednesday, and Friday

  • The worst days (in order): Saturday, Sunday, and Monday

  • The best time of day to send phishing emails is 8 to 10 AM

There is quite a bit of research in this area. I have had a lot of success sending phishing emails in the middle of the week. Linked below are a few articles that discuss the best times for social engineering attacks that may be interesting when thinking of a time to send:
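The SPF, DMARC, and DKIM step under Prepare the Infrastructure is where most of a domain's protection against spoofed and lookalike senders lives. As an added, defender-side example that is not part of the original page, this Python script grades the SPF and DMARC records a mail administrator publishes and flags the settings (softfail or neutral `all`, too many lookups, `p=none`, partial `pct`, missing reporting) that let such mail through. The records and the example.net/example.com names are constructed, and DNS fetching and DKIM selector checks are left out so it runs offline.

```python
import re
# Added example, not from the original page: grade a domain's SPF and DMARC TXT
# records for the weak settings that let spoofed or lookalike mail through. The
# records below are constructed; live ones come from TXT lookups of <domain> and _dmarc.<domain>.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
WEAK_ALL = {"+": "'+all' authorises every host on the Internet to send as this domain",
            "?": "neutral result ('?all' or no 'all'): spoofed mail is neither passed nor failed",
            "~": "'~all' is softfail: many receivers still deliver spoofed mail"}

def evaluate_spf(record):
    # Returns a list of findings; an empty list means the record ends in a hard fail.
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    findings = []
    alls = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    # The last 'all' decides the fate of senders that match nothing else (absent = neutral).
    qualifier = "?" if not alls else (alls[-1][0] if alls[-1][0] in "+-~?" else "+")
    if qualifier in WEAK_ALL:
        findings.append(WEAK_ALL[qualifier])
    # RFC 7208 allows at most 10 DNS-querying terms; exceeding it yields a permerror.
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS
                  for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def evaluate_dmarc(record):
    # Returns a list of findings; an empty list means failures are rejected and reported.
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is {'delivered' if policy == 'none' else 'quarantined'}, not rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are lost")
    return findings

def assess_domain(spf_record, dmarc_record):
    findings = evaluate_spf(spf_record) + evaluate_dmarc(dmarc_record)
    return {"enforced": not findings, "findings": findings}

if __name__ == "__main__":  # constructed sample records for a weak and a hardened domain
    print(assess_domain("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; pct=50"))
    print(assess_domain("v=spf1 ip4:192.0.2.10 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```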

Links

  • GoPhish GitHub

  • LinkedIn2Username

  • BridgeKeeper

  • Phonebook.cz

  • CatPhish

  • LuckyStrike

  • BoobSnail

  • SendGrid

  • mail-tester

  • Phishing: These are the days of the week when you're most at risk (ZDNet)

  • What Is The Top Phishing Day Of The Week? And Why? (KnowBe4)

  • Don't like Mondays? Neither do attackers (CSO Online)