I’ve updated the gophish script discussed here and here. This update includes the following features and fixes:
- Fixed an issue where redirections would occur immediately upon access
- Added option to pass in your own log file as an argument
- Smart(er) redirects
- Autocomplete Support
The original script did not expect the link being accessed by the victim to contain parameters or values. If the link accessed by the victim contained parameters or values, it assumed that a form had been submitted and would then attempt redirection. For example, if you started up the script with:
python gophish.py --phish http://www.victim.com/path/to/form.php \
    --replace http://22.214.171.124
If the victim made a request to http://126.96.36.199/path/to/form.php?param1=value1&param2=value2, the script assumed the victim had already submitted a form, wrote the parameters and values to the log file, and then redirected to the victim form. Now the script checks the Referer header. If the referer is not the script itself, it serves up the phishing page; if it is, it logs and redirects.
An argument option has been added to gophish to allow the user to select their own logfile. You can pass --logfile <filename> to the script and it will log to whatever file name you have provided.
The final update is a new feature with a new argument. The new feature is based on a post I came across here. Basically, a malicious individual can create a form that populates invisible form fields that have been saved by the victim’s browser due to autocomplete. The autofill option is called with --autofill <filename>. The filename should contain the HTML input fields, styled to make them invisible, using common autocomplete field names. I created a sample that has been uploaded here. The following resources were used to create this sample list:
Example using the new features:
python gophish.py --phish http://www.victim.com/path/to/form.php \
    --replace http://188.8.131.52 --logfile /var/log/phish.log \
    --autofill autofill.txt
You can grab the updated script here.
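The invisible autofill fields described above can be detected from the defender's side. The following is an added example, not part of gophish or the original post: a Python scanner that flags non-hidden-type inputs taken out of view by inline styles when their name or autocomplete token matches a common autofill field. The AUTOFILL list, the SAMPLE page and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed autofill names/tokens (assumption, not the post's sample list).
AUTOFILL = {"name", "email", "tel", "phone", "organization", "address",
            "street-address", "city", "postal-code", "cc-name", "cc-number"}
# Inline-style rules that take an element out of the user's view.
HIDING = re.compile(
    r"(?<![\w-])(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top|margin-left|margin-top)\s*:\s*-\d{3,}"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$))", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link", "area", "base", "wbr"}
SKIP_TYPES = {"hidden", "submit", "button", "reset"}  # not autofilled
# Constructed sample page.
SAMPLE = """<form action="/subscribe" method="post">
<input name="email" type="text">
<input name="phone" type="text" style="position:absolute; left:-5000px">
<div style="display:none"><input name="addr" autocomplete="street-address"></div>
<input type="hidden" name="csrf" value="x">
</form>"""

class HiddenAutofillFinder(HTMLParser):
    """Flag inputs a browser may autofill but the user cannot see."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden?) for each open non-void element
        self.findings = []   # (line number, matched field names)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        hidden = bool(self.stack and self.stack[-1][1] or HIDING.search(a.get("style", "")))
        if tag == "input" and hidden and a.get("type", "text") not in SKIP_TYPES:
            tokens = set(a.get("autocomplete", "").split()) | {a.get("name", "")}
            if tokens & AUTOFILL:
                self.findings.append((self.getpos()[0], sorted(tokens & AUTOFILL)))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_autofill(html):
    finder = HiddenAutofillFinder()
    finder.feed(html)
    return finder.findings
```

The scanner only sees inline styles, including those on wrapping elements; fields hidden through a stylesheet class or script need a check against computed styles in a rendered page.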