I’ve updated the gophish script discussed here and here. This update includes the following features and fixes:
- Fixed an issue where redirections would occur immediately upon access
- Added option to pass in your own log file as an argument
- Smart(er) redirects
- Autocomplete Support
The original script did not expect the link being accessed by the victim to contain parameters or values. If the link accessed by the victim obtained parameters or values it assumed that a form had been submitted and would then attempt redirection. For example, if you started up the script with:
python gophish.py --phish http://www.victim.com/path/to/form.php \
--replace http://1.1.1.1
If the victim made a request to http://1.1.1.1/path/to/form.php?param1=value1¶m2=value2, then the script assumed the victim had already submitted a form, would write the parameters and values to the log file, and would then redirect to the victim form. Now, the script checks the referer flag. If the referer is not itself, then it serves up the phishing page, if it is itself, then it logs and redirects.
An argument option has been added to gophish to allow the user to select their own logfile. You can pass –logfile <filename> to the script and it will log to whatever file name you have provided.
I have also added in smarter redirect support. The previous version redirected to the victim site passing in whatever was submitted in a form as a GET request. This update checks the method and works differently depending on whether the submitted form used GET or POST. If the method for the form was GET, then the script works as it did in the past. If the method for the form was POST, then the script creates an HTML page that includes a form with all of the same parameters and values and set to hidden as well as JavaScript at the top that auto-submits the form using POST. I got this idea from the CSRF Tester tool from OWASP that creates form based CSRF test cases in the same manner.
The final update is a new feature with a new argument. The new feature is based on a post I came across here. Basically, a malicious individual can create a form that populates invisible form fields that have been saved by the victim’s browser due to autocomplete. The autofill option is called with –autofill <filename>. The filename should contain the HTML input fields, styled to make them invisible, using common autocomplete field names. I created a sample that has been uploaded here. The following resources were used to create this sample list:
- http://msdn.microsoft.com/en-us/library/ms533032(v=vs.85).aspx
- http://www.ietf.org/rfc/rfc3106.txt
- http://stackoverflow.com/questions/1027462/form-field-names-used-by-personal-data-auto-fill-in-browsers-safari-opera
- http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofill-field
Example using the new features:
python gophish.py --phish http://www.victim.com/path/to/form.php \
--replace http://1.1.1.1 --logfile /var/log/phish.log \
--autofill autofill.txt
You can grab the updated script here.
CodeWatch 
Leave a Reply