Phishing using reverse proxy Modlishka

Hello All,

Introduction

Social Engineering is one of the popular tactics because it is easier to exploit users then finding vulnerabilities in the network or application. Since humans are the weakest link in the security attacking the human factor continues to be an attractive and successful path to infiltrate the network. The most popular type of social engineering attack vector is phishing.
Phishing is very promising attack vector when it come to obtain clear text credentials of the remote user for gaining initial access in the network or gain access to some applications like email, vpn, company portal etc where we can find innocuous information which can help the attacker to conduct more sophisticated attacks or deliver the malware to the user for gaining initial access in the network.

What is Social Engineering ?

Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.

What is Phishing ?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. Phishing is an example of social engineering techniques being used to deceive users.

What is 2FA authentication ?

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. A good example of two-factor authentication is to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.

In this post we will focus on Modlishka HTTP reverse proxy which can be used for phishing and capturing credentials.

What is Modlishka ?

Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client.

What is HTTP Reverse Proxy ?

A proxy server is a go‑between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.

Path of Exploration

Step 1) Installation of Modliskha Framework

Since modliskha is developed in GO language you need to install GO. I will used snap package for installing go on ubuntu system.
Commands - 
snap install go --classic



After installing the GO package download Modliskha Framework and traverse to the directory of Modliskha
Commands - 
go get -u github.com/drk1wi/Modlishka
cd go/src/github.com/drk1wi/Modlishka


Once downloaded generate SSL certificate
Commands - 
openssl genrsa -out MyCA.key 2048
openssl req -x509 -new -nodes -key MyCA.key -sha256 -days 1024 -out MyCA.pem


After generating SSL certificate the private key and the public key has to be modified in the plugin/autocert.go file.
Copy the MyCA.key file data and place into plugin/autocert.go and assign it to variable const CA_CERT_KEY



Copy the MyCA.pem file data and place into plugin/autocert.go and assign it to variable const CA_CERT



Once the certificate is pinned in the plugin/autocert.go file. Run make command to compile and build Modliskha framework


Once build you can run the proxy file with -h parameter to check the help menu. For more detail about each parameter you can refer the wiki of Modliskha
Commands - 
sudo ./dist/proxy -h


There are 2 predefined template created for gsuite and o365 located inside template directory.

For demonstration I will be using loopback.modlishka.io domain which is a dummy domain for testing and points to the 127.0.0.1 and will use gsuite template with modified parameters.

Lets view the default template. The details about all the options can be found in the wiki of Modlishka


I will modify 2 parameters in the template
  1. Will change the default value of plugin parameter to all.
  2. Will change the base64 encoded regular expression used under credParams parameter to aWRlbnRpZmllcj0oKD86XHcrW1wuXC1cX10pezAsfVx3Kykm for username and XGJudWxsLFxbIihbYS16QS1aMC05IiEiIyQlJicoKSorLC0uOjs8PT4/QF5fYHt8fX5dKykiLG51bGxcYg== for password. This will help to view the credentials directly on the control panel instead of reading the logs.
Actual regular expression (Decoded Value)
Username - identifier=((?:\w+[\.\-\_]){0,}\w+)&
Password - \bnull,\["([a-zA-Z0-9"!"#$%&'()*+,-.:;<=>?@^_`{|}~]+)",null\b


One more important point to remember that if you are sending the link to multiple people you can use trackingParam to identify which user has clicked on the link. Each user can be provided with an unique value which can help you to measure the success of the phishing campaign.

Now we are ready so lets start the proxy server and proceed with the demo.
Commands - 
sudo ./dist/proxy -config templates/google.com_gsuite.json


Since we are using self signed certificate. We will need to import the certificate in our browser. But while you perform any phishing campaign it is recommended to purchase a valid certificate for the domain.

To import certificate in browser follow the below steps
  1. Select Options and click on preference
  2. Search for Certificate in the search window.
  3. Click on View Certificate button
  4. Click on Import and select the MyCA.pem file.
  5. Check the checkbox for both the options (Trust this CA to identify websites. & Trust this CA to identify email users.)


We can now send the domain the URL to the victim with the querystring parameter ident and use the control panel url to monitor who have access the link and the credentials used by them. Default control panel handler is SayHello2Modlishka.
URL - https://loopback.modlishka.io/?ident=123
Control Panel URL - https://www.loopback.modlishka.io/SayHello2Modlishka/



Now lets try to login to gmail and capture the credentials in terminal logs and the control panel.




As we can see in the above screenshot we have successful captured the credentials and the user is still able to access the resource in our case gmail. This can be further extend to bypass 2FA by injecting the cookie into the browser and impersonating the victim.

Recommendation

It is recommended to always check the URL & validate the certificate details before login to any website.
Never click on any links or open any attachment which is received from unknown source.
Enable multi factor authentication on all your accounts if possible.

Reference

https://github.com/drk1wi/Modlishka
https://vimeo.com/308709275
https://blog.duszynski.eu/phishing-ng-bypassing-2fa-with-modlishka/

Be Alert Be Safe !

Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

  1. Hey great tutorial, thanks for that. One thing to mention, the regular expression for username "identifier=((?:\w+[\.\-\_]){0,}\w+)&" did not work for me and I had to use this one "([a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+)" which is "KFthLXpBLVowLTkuXy1dK0BbYS16QS1aMC05Ll8tXStcLlthLXpBLVowLTlfLV0rKQ==" in Base64.

    ReplyDelete
  2. How do you send the link to the target because I thought there is no template

    ReplyDelete
  3. Hello can you help me? sir i have face problem RPC error from after loging With modlishka

    ReplyDelete

Post a Comment

Popular posts from this blog

Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Introduction to Callidus

Process Injection - Part I