Phishing Attack Guide
Last updated
Phishing is a cyber attack where an attacker tricks victims into revealing sensitive information like passwords, credit card details, or personal data by impersonating a trusted entity. This guide will cover different phishing techniques, setting up test environments, executing attacks, and defensive measures.
Disclaimer: This guide is for educational purposes only. Unauthorized phishing attacks are illegal.
Email Phishing – Mass emails that mimic legitimate organizations to trick users into clicking malicious links.
Spear Phishing – Targeted attacks on specific individuals or organizations using personalized content.
Whaling – Phishing attacks targeting high-profile individuals like executives or government officials.
Smishing – SMS-based phishing where fake messages lure users into revealing information.
Vishing – Voice-based phishing where attackers call victims, pretending to be trusted sources.
Clone Phishing – Copying a legitimate email, replacing links/attachments with malicious ones.
Evilginx (Adversary-in-the-Middle) – Bypassing MFA using reverse proxy phishing.
Gophish – Open-source phishing framework.
Evilginx – MITM framework for stealing session tokens.
SET (Social Engineering Toolkit) – Automates phishing attacks.
Phishery – Generates Office documents for credential harvesting.
Custom Python scripts – For email automation and payloads.
Install Gophish (For email-based phishing)
Configure SMTP settings to send phishing emails.
Create a phishing template and launch a campaign.
Set up Evilginx (For MFA bypass)
Set up a fake login page.
Capture session tokens from users.
Using SET for phishing emails
Navigate to "Social Engineering Attacks" → "Spear-Phishing Attack Vectors"
Craft and send a malicious email.
Create a fake login page (clone a real one with HTTrack or manually).
Embed the link in an email with a believable pretext.
Send to targets and track interactions.
Register a lookalike domain (e.g., g00gle.com instead of google.com).
Set up Evilginx to proxy requests to the real site.
Capture session cookies and replay them to bypass MFA.
Credential Harvesting – Store stolen credentials securely for testing purposes.
Session Hijacking – Use captured tokens to access accounts without passwords.
Pivoting – Leverage compromised accounts for further attacks.
Persistence – Set up backdoors or secondary access points.
Enable multi-factor authentication (MFA) (preferably hardware keys).
Train employees on phishing awareness.
Implement email filtering (DMARC, SPF, DKIM).
Use anti-phishing tools like PhishTank and VirusTotal.
Monitor network traffic for anomalous login attempts.
Reset passwords immediately after detecting a phishing attempt.
Invalidate compromised session tokens.
Report phishing domains to authorities (Google Safe Browsing, PhishTank, etc.).
Conduct forensic analysis to trace attacker methods.
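Lookalike domains like the g00gle.com example above are one of the easiest phishing signals to catch automatically at the mail gateway. The following detector is an added example written for this page (not part of the original guide or of any tool it names): it normalises common digit-for-letter substitutions and then measures edit distance against a constructed list of protected brand domains, so both homoglyph lookalikes and one-character typosquats are flagged while the genuine domain and its subdomains pass.

```python
"""Flag sender domains that imitate a protected brand (lookalike / typosquat detection)."""

# Digit-for-letter substitutions commonly seen in lookalike domains (constructed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})

# Constructed example list; in production this would be your own brands and key suppliers.
PROTECTED_BRANDS = {"google.com", "microsoft.com", "paypal.com"}


def registrable_domain(sender: str) -> str:
    """Lowercased registrable domain (last two labels) from an address or hostname."""
    host = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domain labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, brands=PROTECTED_BRANDS, max_distance: int = 1):
    """Return the brand a sender domain imitates, or None if it is genuine or unrelated.

    Check 1: homoglyph normalisation (g00gle.com -> google.com, paypa1.com -> paypal.com).
    Check 2: edit distance of the second-level label after normalisation, which also
             catches single-character typosquats such as gogle.com.
    The genuine domain, including its subdomains, is never reported as a lookalike.
    """
    domain = registrable_domain(sender)
    if domain in brands:
        return None
    normalised = domain.translate(HOMOGLYPHS)
    for brand in brands:
        if normalised == brand:
            return brand
        # Compare second-level labels only so a different TLD does not hide the match.
        if levenshtein(normalised.split(".")[0], brand.split(".")[0]) <= max_distance:
            return brand
    return None
```

Run it over the From: and Return-Path: domains of inbound mail and quarantine or tag matches for review; a legitimate partner with a genuinely similar name goes on an allow list rather than loosening max_distance.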
Set up Gophish and create a phishing email targeting a test user.
Clone a legitimate login page and host it on a local server.
Use Evilginx to intercept session cookies in a test environment.
Test detection techniques by monitoring logs and analyzing phishing attempts.
Create awareness materials or training for employees to recognize phishing.
Phishing remains one of the most effective attack vectors. Learning how it works strengthens both offensive and defensive cybersecurity skills. Always ensure phishing tests are conducted ethically and legally in controlled environments.