mindmap
  root((PHISHING))
    Domain Setup
      Setup DNS
      Setup for categorization
    Infrastructure setup
      Firewall setup
      E-Mail/SMS service setup
      Redirector setup


<aside>

If OSINT has not been done yet, check out the OSINT methodology:

OSINT Approach

</aside>

THE SECOND PHASE: PHISHING & TRUST

<aside>

The goal is to set up the domain & infrastructure in a way that does not look too suspicious.

</aside>

graph LR
    A[Setup domain] --> B[Domain categorization]
    B --> C[Domain fronting]
    C --> D[Infrastructure setup]
    D --> E[Final service integration]

<aside>

REMINDER

Remember when we did DNS enumeration? We should also check the DMARC & SPF policy there. You may ask why…

The DMARC & SPF settings of the targeted company can make phishing very easy: if the DMARC p or sp parameter is set to none, we are able to spoof the domain name in the phishing email.

DMARC Summary:

When after enumerating DMARC we see that:

But I also mentioned SPF before, right? SPF can be tricky too. Even if DMARC is set up correctly, our target may have SPF set up like this: v=spf1 include:someserver.net -all. This means that anyone using the same SMTP server can spoof the targeted domain 😇

</aside>
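As an added example (not part of the original page), the DMARC and SPF checks described in the reminder above, written from the auditing side: it parses constructed TXT records offline (no DNS lookups) and flags a non-enforcing p or sp policy, a permissive "all" qualifier, and the shared-provider include: that lets any customer of that provider pass SPF for the domain.

```python
"""Audit DMARC / SPF TXT records for the weaknesses discussed above.

All records below are constructed samples; nothing is queried over DNS.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; sp=none; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Report domain (p) and subdomain (sp) policies that do not enforce."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()  # sp defaults to p when it is absent
    if p == "none":
        findings.append("p=none: spoofed mail from the domain is only monitored, not rejected or quarantined")
    if sp == "none":
        findings.append("sp=none: spoofed mail from subdomains is only monitored, not rejected or quarantined")
    return findings


def spf_findings(record: str) -> list:
    """Report a soft 'all' qualifier and every include: of a shared sending provider."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        mech = term.lstrip("+-~?").lower()
        if mech == "all" and qualifier in "+?~":
            findings.append(f"{term}: 'all' is not a hard fail, unlisted senders still pass or soft-fail")
        if mech.startswith("include:"):
            findings.append(f"{term}: every customer of this provider passes SPF for the domain; "
                            "rely on DKIM alignment under DMARC, not SPF alone")
    return findings


if __name__ == "__main__":
    for f in dmarc_findings("v=DMARC1; p=none; rua=mailto:dmarc@example.com"):  # constructed
        print("DMARC:", f)
    for f in spf_findings("v=spf1 include:someserver.net -all"):  # record quoted on the page
        print("SPF:  ", f)
```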

Domain setup

First we need to buy a domain that we are going to use during the phishing campaign. Because of email gateway restrictions we also need to think about domain categorization. For that you can follow the Domain & Domain categorization setup info page - it's very simple.

Domain Fronting

Now that we have our categorized domain, we can set up domain fronting. What is domain fronting?

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

Check out the Domain fronting page for support while setting it up.

Infrastructure setup

As a phishing framework I mainly use https://getgophish.com/. Very useful & easy to set up, but annoying at times, which is why I modified it a bit in a forked GitHub repo. I've added the capability to detect if a sandbox visited the website, a reporting feature & fixed some display-related issues.

https://github.com/h4mr3r/jellyphish

You can use the Infrastructure setup page & integrate GoPhish or other software with the E-Mail service.
