
Support for custom events

Open glennzw opened this issue 4 years ago • 13 comments

This pull request adds support for arbitrary campaign events. For example, you could craft an event of 'Secondary Link Clicked' or 'Word Document Opened' or 'Watched Training Video' or 'Plugged in USB drive' or anything else you like. You can also customise your events in terms of icon, color, label, and optional sub heading lines and icons. For example:

[Screenshot 2020-08-08 at 22 16 54: event list with custom events]

There's nothing to set up server side for creating these new events, they are dynamically created by you client side with the new /arbevent endpoint. Obviously you'd need to insert them in the appropriate places. Here are the URLs that created the events in the above screenshot:

Word Document Opened

http://localhost/arbevent?rid=aIakOWF&title=Word Document Opened&label=label-clicked&icon=fa-file-word-o&color=%23F39C12&ua=0

Breaking that URL down, we have the following parameters:

  • rid - the unique campaign RID
  • title - the title of the event to display in the event list and status
  • label - label color for the status
  • icon - the icon to use in the event list
  • color - color to use in the timeline graph and donuts
  • ua - either 0 or 1, whether or not to display the user agent. Defaults to 0.

Word Macros Enabled

http://localhost/arbevent?rid=aIakOWF&title=Word Macros Emabled&label=label-danger&icon=fa-file-word-o&color=%23ff0000&sub_text=Username: Bob&sub_icon=fa fa-user&sub_text=PC Name: DESKTOP-4C&sub_icon=fa fa-desktop

Having a look at this URL, we have the extra parameters to display the text and icons under the main event heading:

  • sub_text - the sub text
  • sub_icon - the sub icon

You can pass multiple values using the same parameter name, in the order you want them to appear (as is done in the above example). They are assembled into a pair of arrays server side, one for the text and one for the icons.


As for the pie chart donuts, the regular 5 donuts will show, unless any arbitrary events have been submitted. Then each arbitrary event gets its own donut. For example:

[Screenshot 2020-08-08 at 22 03 52: donut charts for arbitrary events]

The arbitrary donuts are grouped into rows of 5 to match the original 5.

Under the hood

Events are stored with a message of "Arbitrary Event" in the database to distinguish them from other events. Their URL payload is parsed to render them. For example, here's the database entry for the 'Word Document Opened' event:

1140|130|[email protected]|2020-08-08 20:30:51.377489+00:00|Arbitrary Event|{"payload":{"color":["#F39C12"],"icon":["fa-file-word-o"],"label":["label-clicked"],"rid":["aIakOWF"],"title":["Word Document Opened"],"ua":["1"]},"browser":{"address":"::1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"}}

Known Issues

  • Getting the donuts to work was quite difficult. At this stage I haven't re-implemented the 'backfill' logic.
  • New arbitrary events donuts aren't added to the list of donuts without a hard refresh (polling or refresh button won't add). This is because of the highcharts only being setup in the load() and not the poll(). I'll address this soon.
  • I'm pondering changing the data format to have the actual event name in the message field in the database (rather than 'Arbitrary Event'), and having a marker in the JSON payload to indicate it's an arbitrary event.
  • I've done a fair bit of testing, but I'm sure there are gotchas waiting to be found. I'd appreciate any feedback.

The code is a bit rough and is a first pass, but I thought I'd share it to get feedback. It took a while to understand how everything works under the hood for events.

Finally, this was a lot of fun to build, and I hope it'll prove useful for the gophish community! 🎉

glennzw avatar Aug 08 '20 21:08 glennzw

This pull request introduces 21 alerts and fixes 2 when merging f5509a56c28b834f07ea61d10dee816aa0f34d94 into 735880c398306ee2e010d51db8ecdb191a019af1 - view on LGTM.com

new alerts:

  • 21 for Missing variable declaration

fixed alerts:

  • 2 for Missing variable declaration

lgtm-com[bot] avatar Aug 08 '20 21:08 lgtm-com[bot]

(yes I just noticed I spelled 'Enabled' as 'Emabled' 🙃 )

glennzw avatar Aug 10 '20 19:08 glennzw

Thanks for taking the time to have a look at the code @jordan-wright ! I'll get cracking on your suggestions.

I've added some initial comments. I haven't looked through the JS yet but that, to me, is a pretty big area of attack surface with things like xss so we'll want to make sure that things are escaped appropriately- especially since this is coming completely from untrusted input.

Yeah very much agree - escape all user input, and possibly validate server side.

The JS could do with some cleaning up, I'll try to get there before your eyes hit it. I just wanted to get something pushed to start getting feedback.

And more generally, I know there are concerns around having so many pie charts and I'm just about of the mind to rethink the design of some of this. I don't have the answers right now so I'll talk around and see what we might be able to come up with.

The one nice thing is that if there aren't any custom events, the pie charts won't show for them. There's also a JS boolean variable on whether or not to display the custom charts at all - I was thinking of turning that into a button that appears IFF there are custom events - 'Show Custom Events'.

You'll no doubt understand the logic I used in the JS, but just in case it helps, the basic idea is that updateArbitraryEventData() takes a campaign object (from load() or poll()) and populates statuses{} and statusMapping{} with user supplied variables, as well as adding the HTML for extra pie charts (if enabled).

glennzw avatar Aug 12 '20 08:08 glennzw
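The parameter description above (multi-valued sub_text/sub_icon assembled into paired arrays, ua defaulting to 0) and the escaping discussion in this comment both come down to one server-side step: parse the /arbevent query and decide, per parameter, whether it is free text to be escaped or a CSS class/colour that must be allowlisted, since escaping does nothing for a value that lands inside a class attribute. The following Go program is an added example written for this page, not code from the pull request or from gophish. The function names (ParseArbEvent, TimelineHTML), the label allowlist, the icon and colour patterns, the defaults and the 120-byte length cap are all assumptions; the real UI decides which classes exist and the check should be aligned with it.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// ArbEvent is the validated form of one /arbevent request; the fields
// follow the query parameters listed in the pull request description.
type ArbEvent struct {
	RID, Label, Icon, Color string   // checked against patterns/allowlist, not escaped
	Title                   string   // HTML-escaped
	UA                      bool     // ua=1
	SubText, SubIcon        []string // paired positionally; SubText HTML-escaped
}

// The allowlist, patterns and length cap are assumptions for this example.
var (
	allowedLabels = map[string]bool{"label-default": true, "label-success": true,
		"label-info": true, "label-warning": true, "label-danger": true, "label-clicked": true}
	ridRe   = regexp.MustCompile(`^[A-Za-z0-9]{1,32}$`)
	iconRe  = regexp.MustCompile(`^(fa )?fa-[a-z0-9-]{1,40}$`) // "fa-user" or "fa fa-user"
	colorRe = regexp.MustCompile(`^#[0-9a-fA-F]{6}$`)
)

const maxText = 120 // example cap on title/sub_text length

// escapeText caps the length and HTML-escapes free text destined for the timeline.
func escapeText(name, s string) (string, error) {
	if s == "" || len(s) > maxText {
		return "", fmt.Errorf("%s: empty or longer than %d bytes", name, maxText)
	}
	return html.EscapeString(s), nil
}

// ParseArbEvent validates an /arbevent query string. Free text is escaped;
// anything that becomes a CSS class or colour is matched against a fixed
// pattern instead, because escaping does not help inside a class attribute.
func ParseArbEvent(rawQuery string) (*ArbEvent, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	get := func(key, def string) string { // first value, or the default
		if v := q.Get(key); v != "" {
			return v
		}
		return def
	}
	ev := &ArbEvent{RID: q.Get("rid"), Label: get("label", "label-default"),
		Icon: get("icon", "fa-question"), Color: get("color", "#999999")}
	for _, c := range []struct {
		name, val string
		re        *regexp.Regexp
	}{{"rid", ev.RID, ridRe}, {"icon", ev.Icon, iconRe}, {"color", ev.Color, colorRe}} {
		if !c.re.MatchString(c.val) {
			return nil, fmt.Errorf("%s: %q rejected", c.name, c.val)
		}
	}
	if !allowedLabels[ev.Label] {
		return nil, fmt.Errorf("label: %q is not an allowed class", ev.Label)
	}
	if ev.Title, err = escapeText("title", q.Get("title")); err != nil {
		return nil, err
	}
	ua := get("ua", "0")
	if ua != "0" && ua != "1" {
		return nil, fmt.Errorf("ua: %q must be 0 or 1", ua)
	}
	ev.UA = ua == "1"
	// sub_text and sub_icon are paired by position, so the counts must agree.
	texts, icons := q["sub_text"], q["sub_icon"]
	if len(texts) != len(icons) {
		return nil, fmt.Errorf("sub_text/sub_icon: %d texts but %d icons", len(texts), len(icons))
	}
	for i, t := range texts {
		if !iconRe.MatchString(icons[i]) {
			return nil, fmt.Errorf("sub_icon: %q rejected", icons[i])
		}
		if t, err = escapeText("sub_text", t); err != nil {
			return nil, err
		}
		ev.SubText, ev.SubIcon = append(ev.SubText, t), append(ev.SubIcon, icons[i])
	}
	return ev, nil
}

// TimelineHTML is the fragment a timeline entry would render: only
// allowlisted classes and escaped text are interpolated.
func (ev *ArbEvent) TimelineHTML() string {
	var b strings.Builder
	fmt.Fprintf(&b, `<span class="label %s"><i class="fa %s"></i> %s</span>`, ev.Label, ev.Icon, ev.Title)
	for i := range ev.SubText {
		fmt.Fprintf(&b, `<br><i class="%s"></i> %s`, ev.SubIcon[i], ev.SubText[i])
	}
	return b.String()
}

func main() {
	// The second URL from the pull request description (query part only).
	raw := "rid=aIakOWF&title=Word Macros Enabled&label=label-danger&icon=fa-file-word-o&color=%23ff0000" +
		"&sub_text=Username: Bob&sub_icon=fa fa-user&sub_text=PC Name: DESKTOP-4C&sub_icon=fa fa-desktop"
	if ev, err := ParseArbEvent(raw); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println(ev.TimelineHTML())
	}
}
```

With this split, a request such as `title=<script>alert(1)</script>` is stored and rendered as escaped text, while `label=foo" onmouseover="alert(1)` is refused outright rather than escaped, because no amount of escaping makes an attacker-chosen class name safe to drop into the markup the page already trusts.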

This pull request introduces 21 alerts and fixes 2 when merging ee2d7398a7f95a9d2ef76d04c587ff4441991f8e into 735880c398306ee2e010d51db8ecdb191a019af1 - view on LGTM.com

new alerts:

  • 21 for Missing variable declaration

fixed alerts:

  • 2 for Missing variable declaration

lgtm-com[bot] avatar Aug 12 '20 11:08 lgtm-com[bot]

This pull request introduces 21 alerts and fixes 2 when merging 1adfc323b4f91927c0d4c81258aff333e1512ecf into 735880c398306ee2e010d51db8ecdb191a019af1 - view on LGTM.com

new alerts:

  • 21 for Missing variable declaration

fixed alerts:

  • 2 for Missing variable declaration

lgtm-com[bot] avatar Aug 12 '20 11:08 lgtm-com[bot]

Hey @glennzw, do you want to push these changes to a Gophish branch so we can work on this collaboratively?

jordan-wright avatar Aug 25 '20 01:08 jordan-wright

Hey @glennzw, do you want to push these changes to a Gophish branch so we can work on this collaboratively?

Good idea! Let me see if I can figure out how to do that

glennzw avatar Aug 25 '20 13:08 glennzw


Hey @glennzw, do you want to push these changes to a Gophish branch so we can work on this collaboratively?

Hey @jordan-wright ! Before I get working on this I just wanted to make sure my approach to adding this branch into gophish was suitable. I created a new custom-events branch on gophish, and completed a pull request from my repo into here.

https://github.com/gophish/gophish/tree/custom-events (via https://github.com/gophish/gophish/pull/1946)

(I have a sneaking suspicion there was an easier way to do this)

glennzw avatar Aug 29 '20 18:08 glennzw

Is this function merged now?

Richard-Tang avatar Mar 08 '22 02:03 Richard-Tang

Hi, would love to see such a feature merged 👍

almandin avatar Jan 04 '23 09:01 almandin

I would love to see this feature added. I believe you guys have invested a lot a time into GoPhish and have a great product here, I really enjoy using it and it really "just works".

I was testing this on my end, but when I try to use the /arbevent?rid= I can see the results make it into the raw events, but once that happens the reporting fails and I can't see anything under the Details section. Curious if you could point me in the right direction to get it working. Thanks!

logoldman avatar Feb 02 '23 21:02 logoldman

I edited the campaign_results.html to point to the /js/src/app/campaign_results.js and think I got it working. Thanks!

logoldman avatar Feb 02 '23 22:02 logoldman

After some issues with this pull request (wrong endpoint or source file), I greatly thank glennzw for developing it. Since it was based on an older version, I was able to merge this pull request into the latest version of Gophish, in addition to fixing all the problems.

You can see this new fork here: https://github.com/Nitraxenius/gophishLastPLUS

Nitraxenius avatar Apr 24 '24 13:04 Nitraxenius