TL;DR: I’ll shine a light on Gophish and how to modify it to change behavior or introduce/remove functionality. At the end of this post, you’ll know how to host custom 404 pages in Gophish and how to abuse HTTP basic auth instead of login forms embedded on the landing page to obtain juicy creds.
A few days ago I tweeted one of my modifications to Gophish:
After low click rates in my last phishing campaign due to staff being extremely well trained for this kind of attack, I modded gophish to show an HTTP Basic auth request instead of a phishing site. Once data is entered, users are redirected to a legit site: pic.twitter.com/LncsgT8OSE
[Read More]