Updated: Dec 6, 2022
In this blog, we will be creating & spinning up our own EC2 instance/machine, and then installing Gophish tool on that instance.
Note: A friendly reminder, if you see my instance IP being changed in the screenshots, it is because I am literally spinning my first EC2 instances, and learning things about it.
Creating up Security-Key Pair
If you are just getting started with AWS like me, or you already use AWS, we need to create a security-key pair before we proceed to spin up our EC2 instance. For that, we will be using this amazing documentation by AWS : Documentation. Now, let's create a security-key pair using the following steps in the documentation.
AWS uses public-key cryptography to secure the login information for your instance. A Linux instance has no password; you use a key pair to log in to your instance securely. You specify the name of the key pair when you launch your instance, then provide the private key when you log in using SSH.
When we log in into our AWS console, we are presented with this dashboard,
Then, we need to search for ec2 in the search bar,
We will land on an EC2 dashboard. We can see so many resources in front of ourselves, but we are currently interested in Key pairs for now,
After clicking on it, we can see that there are no pre-existing key pairs present. So we will create new one,
Here, let's enter a name of our choice, key pair type should be either RSA or ED25519, but ED25519 keys are not supported for Windows instances. So let's go with RSA for now, and the Private key file format I have chosen is .pem file.
.pem file can be used with OpenSSH and .ppk file can be used with PuTTY tool.
And finally, click on Create Key pair,
We can see here that our first key pair is generated,
Now, this is the most important step after creating a key pair. We need to create a security group. AWS says,
Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.
On the EC2 dashboard, we can see the Security Groups where the default Security group is created by-default,
From here we can start creating a security group by entering a security group name, it's description. Then, we will need to add the Inbound rules where we will create by clicking on Add rule and then picking SSH from Type along with Source that will My IP (our public IP). For Outbound rules, let's keep the default rule to allow all outbound traffic,
Then we can see that our group is created along with the Inbound and Outbound rules,
Now, we are done with all the pre-configurations. Let's get started with the real deal.
Launching & Connecting to EC2 Linux Instance
On the EC2 dashboard, we can see that there is a Launch instance box. We will click on Launch instance, and then from a drop-down option, click on Launch instance,
We will then start to fill-up the information like name, clicking on the Ubuntu in OS Images and select the Ubuntu Server 20.04 LTS (HVM), SSD Volume Type of 64bit architecture (which comes under free-tier),
Scrolling down, we can see the Instance type t2.micro (free-tier eligible) with some machine's specifications. Next, we will select a Key pair (the one we created), and editing the Network settings where we will select, Select existing security group option in Firewall (security groups). Choose the security group we created,
Our instance will be created, and we can take a look at our created instance,
Our instance is now being initialized, meaning we have to wait for the instance to get ready to connect. We can also see information like Name, Instance ID, Instance state, Status check, Availability Zone, etc.
A moment later, we can see that our instance has passed 2/2 checks. Now, we are ready to connect with it. Click on Actions, then in drop-down menu, click on Connect,
In Connect to instance window, there are 4 options we can use to connect to the instance. I am interested in connecting to the machine with SSH client, and here we are provided with how to connect to the instance. We need to perform 1 step before connecting, i.e., changing the file permission to 400 (400 ensures that our key is not publicly viewable), and then we can connect to the machine,
As an OpenSSH client, I have used MobaXterm to connect to EC2 instance. You can use any SSH client to connect to a machine. As mentioned in the Connect to instance, we will first change the file permission and then connect to the machine,
chmod 400 gophish-dummy-key.pem ssh -i "gophish-dummy-key.pem" firstname.lastname@example.org
YAYYYY! We are now in the shell. ((:
Now, the thing you were waiting for!!! The Installation of Gophish Framework. For more information, refer to the Gophish Installation.
Gophish is a powerful, easy-to-use, open-source phishing toolkit meant to help pentesters and businesses conduct real-world phishing simulations.
Now, first things first, we need to update and upgrade the Ubuntu instance (because it is a fresh installation),
sudo apt update && sudo apt upgrade
Then, we need to install Apache web server and then start the Apache web server,
sudo apt install apache2 systemctl start apache2 systemctl status apache2
Now, we can navigate to http://22.214.171.124/ (the IP used here is the instance's public IP),
but we will see that connection has been timed out. Why cannot we see the Apache2 Ubuntu Default Page? Because, we haven't configured the Inbound Rules to allow traffic to port 80 and port 443.
So, let's go back to the Instances dashboard, and select the instance. Below, next to details, there is a Security tab and there we can see that we only have 1 inbound rule that allows traffic to port 22, and nothing else. So, we have to click on the Security groups link (green box),
We will land on the Security Groups page. Click on Edit inbound rules,
Here, we need to click on Add rule and create 2 rules, HTTP and HTTPS with a source of Anywhere-IPv4,
We can see our inbound rules reflected here,
Now, if we visit http://126.96.36.199/ our webpage firmly loaded,
Now comes the part where we start to download the Gophish Framework and installing it on our machine. So let's visit the Gophish website,
There is a Download button visible on the website. Click on it, and we will be directed to GitHub page where we have gophish available to download for different platforms. We will be downloading the gophish for Linux 64bit architecture,
Now, just to make files and directories clean, I have created a directory named Downloads and inside that, I have downloaded the gophish-v0.12.0-linux-64bit.zip with wget command,
mkdir Downloads && cd Downloads wget https://github.com/gophish/gophish/releases/download/v0.12.0/gophish-v0.12.0-linux-64bit.zip
To start unzipping the zip file, we need to download the zip package first, and then we can unzip the zip file,
sudo apt install zip unzip gophish-v0.12.0-linux-64bit.zip
Then we'll navigate to the unzipped folder. We will some files and directories,
There we can see a config.json which is a configuration file of gophish framework. Here, we can see that admin_server.listen_url is IP/Port of gophish admin server, and phish_server.listen_url is IP/Port of the phishing server where landing pages are hosted,
We can edit this config.json file with any editor like vim or nano. I am using vim. Here, we need to change the IP address in admin_server.listen_url from 127.0.0.1 to 0.0.0.0,
We are changing the IP address from 127.0.0.1 to 0.0.0.0 because we want the admin server to be accessible over the Internet.
Now, let's run gophish server as sudo,
We got an error stating "listen tcp 0.0.0.0:80: bind: address already in use", meaning port 80 is already in use.
Then I remember I installed Apache web server which currently operates on port 80, so I stopped it using
sudo /etc/init.d/apache2 stop
Restarting the gophish server,
Now our server is started at https://0.0.0.0:3333. So we need to visit https://188.8.131.52:3333,
but strange, the webpage doesn't load, and instead it shows connection timed out. But why? That because we haven't added another inbound rule that allows traffic to port 3333 (port on which our admin server is running).
Again we will add the rule, but this time, a Custom TCP one with Port range of 3333 and source of Anywhere-IPv4,
saving will reflect the changes on the security groups dashboard,
Now if we visit the page again https://184.108.40.206:3333, this time it shows us warning that the page possess Potential Security Risk. Don't worry about it and click on Accept the Risks and Continue,
And there we got our landing page where we need to enter the credentials we got when starting the gophish server from terminal. After logging in, it will prompt us to change the default credentials to something else, and we will do the same,
And at last, we made it to the dashboard!!
From here, we can do so many exciting things like creating a phishing email or using an existing template, we can try to phish a user.