7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns


Manage episode 244278602 series 1288763
By Brian Johnson. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:

  • Consider this list of top 9 phishing simulators.
  • Check out GoPhish!
  • Then spin up a free tier Kali AWS box
  • Follow the instructions to install GoPhish and get it running on your AWS box
  • Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation
  • Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
  • Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this (see show notes on 7ms.us):
  • Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
  • Have fun!!!

388 episodes