I have archived this project. Please use Warhorse which is a continuation of this project.
Build a Phish consist of a Ansible playbook to deploy a phishing engagement in the cloud. The Playbook combines both Terraform & Ansible to deploy and configure virtual machines for different use cases. This playbook is highly customizable and includes operational security out of box. The design of this playbook is much more than automation. This playbook implements real world TTP’s to improve OPSEC, lower operational cost and speedup deployment time. This project is the real-world demonstration from the Black Hills Information Security Webcast “How to Build a Phishing Engagement - Coding TTP's”
- Pure Ansible playbook with low dependencies and easy modification.
- Security from the ground up
- Docker containers for each application.
- Designed around a phishing engagment
| Logo | Service | Image |
|---|---|---|
 |
Evilginx2 | warhorse/evilginx2 |
 |
Gophish | gophish/gophish |
 |
Nginx | nginx |
 |
Mitmproxy | mitmproxy |
| Logo | Provider | Services |
|---|---|---|
 |
Digital Ocean | Droplet,DNS |
 |
Azure | CDN |
https://www.youtube.com/watch?v=VglCgoIjztE
Coming Soon
- Managment Domain
- Linux or MacOS
- Ansible
- Terraform
- (optional) Secrets Provider cli
- lpass (lastpass)
- op (onepasword)
- bw (Bitwarden)
You will need a managment domain. This domain can be the same domian used for phishing emails. After you buy a domain set the name server records to Digital Ocean.
-
OSX
brew install ansible -
Linux
pip install ansible -
Install Ansible General Modules
ansible-galaxy collection install community.general
- OSX
brew install terraform - Linux https://learn.hashicorp.com/tutorials/terraform/install-cli
git clone https://github.com/ralphte/build_a_phish
-
Digital Ocean API Key https://www.digitalocean.com/docs/apis-clis/api/create-personal-access-token/#:~:text=To%20generate%20a%20personal%20access,the%20Generate%20New%20Token%20button.
-
Azure CLI https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
ansible-playbook deploy.yml --tags phish
ansible-playbook destroy.yml --tags phish
You have three choices
- Hard code (Don't do this)
- Use a Secrets CLI https://docs.ansible.com/ansible/latest/collections/community/general/lastpass_lookup.html
- Use Ansible Vaults https://docs.ansible.com/ansible/latest/user_guide/vault.html
If you would like to modify the phishlet or change lures, please edit the following files.
roles\evilginx2-docker\templates\config.yaml.j2
roles\evilginx2-docker\templates\o365.yaml.j2
You can check the evilginx logs for session data with the following command.
docker logs evilginx2
You can access gophish via the hostname set for "gophish_admin_hostname"
To get the password on first login check the docker logs
docker logs gophish
You can access Mitmproxy via the hostname set for "mitmproxy_hostname"
The mitmproxy web interface allows you to see the RAW traffic between evilginx2 and your target server. You can use this to check for problems and remove any IOC's. Mitmproxy is a dignostic tool to inspect https traffic.
Does none of this work for you? Submit a issue and I will see what the problem is.
Want to add a cool new feature shoot me that sweet pull request.
Gophish https://getgophish.com/
Evilginx https://github.com/kgretzky/evilginx2
Mitmproxy https://github.com/mitmproxy/mitmproxy
Ansible roles from https://github.com/geerlingguy
MIT.