CDN Phishing
Whether you stumbled across this post *by accident* or you need to create a good phishing campaign, I am here to help you with all that and a bag of chips!
This article aims to teach Offensive teams how to mask their phishing infrastructure using a Content Delivery Network (CDN) in Azure. The setup itself is very easy, but understanding how it works may be more convoluted. Let me walk you through the steps of creating a virtual machine in Azure to send out a phishing email.
Disclaimer
I shall not be responsible or liable for any misuse or illegitimate use of this guide. This guide is only to be used in authorized penetration testing or red team engagements where the operator(s) has(ve) been given explicit written permission to carry out social engineering.
A word of warning! This article is not an in-depth guide to any of the following:
The detailed networking of a CDN.
How Apache2 works.
How tmux works.
How to set up a phishing campaign.
How to set up an SMTP relay (e.g. Mailgun).
Throughout this, if you have ANY questions, you can contact me on Discord. I am always active there.
Setting up a Virtual Machine
First things first, we want to set up a virtual machine in Azure. The reason we use Azure is that the VM's public DNS name lets us get a TLS certificate from Let's Encrypt using:
certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com
Let's get started:
Navigate to https://portal.azure.com and login.
Go to Virtual Machines and create a Virtual Machine.
Make sure to grab your SSH keys for this. Default user: azureuser
Go to the resource you just created and click on where it says "Public IP Address" (it should be located in the "Essentials" section of the Resource)
Ensure that ports 80 (HTTP), 443 (HTTPS), and 587 (SMTP submission with STARTTLS) are open by going to the Virtual Machine you just created > Networking > "Add inbound port rule".
Lastly, let's access that virtual machine you just created!
In a bash console (or PowerShell), SSH into the Virtual Machine you just created:
ssh -L 3333:localhost:3333 azureuser@[ip-address]
replacing [ip-address] with the IP address of your virtual machine.
Start a tmux session:
tmux new
If you are struggling with tmux usage, tmuxcheatsheet is a great resource.
Installing EvilGoPhish
Full credit for this section goes to Fin3ss3g0d for this beautiful tool! It automates the setup of GoPhish, Evilginx2, and Apache so that they work together. Luckily for you, I've created a one-liner that streamlines this process and gives some nice prompts!
!!WARNING: THIS HAS ONLY BEEN TESTED ON DEBIAN AND UBUNTU IMAGES!!
Let's get started!
First, when in the bash shell, run
curl -sSL https://raw.githubusercontent.com/stevesec/egp_basicinstall/main/basic_install.sh | bash
Run it as the root user! The script will also automatically detect whether you are in the sudoers group.
Next, hit the "Enter" key through all of the prompts until you get to the "root domain" prompt; there, enter
azureedge.net
We will be using this later!
After the root domain prompt, enter your subdomains; please use the following (ensuring there is a space in between, replacing target with your target organization):
target-login target-account
Note these for later!
Ensure that these both have "-login" and "-account" or this process will not work!
Then, enter your redirect URL (a good rule of thumb is to base it on your target's infrastructure, e.g. Office365 or Google Account Login).
Enter the RID you want to use (this may be expanded on in the future); testing is required for the Rule Engine implementation.
The next couple of prompts are user's preference.
Enabling proxying for the root domain should be set to "No", as we do not own "azureedge.net".
Enabling the Live Feed opens up a prompt on port 1337.
Enabling the Apache Blacklist gives you a blacklist of all IP Addresses to reject from your web server.
If you're satisfied with your "User Settings", click "Yes". If not, click "Edit Settings".
If you want to use Mailgun, I have included a prompt for setting that up; if not, click "No".
The setup process should begin and EvilGoPhish should be installed in
/etc/.evilgophish/
Let's Encrypt Certificate
Remember that prompt for YOURDNSNAME.eastus.cloudapp.azure.com??? You're going to need it now!
In the bash shell, type
certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com
replacing YOURDNSNAME.eastus.cloudapp.azure.com with the DNS name created above.
Select 1 in the prompt, which will spin up a temporary web server.
Follow the prompts, making sure to agree with the Terms of Service.
If this prompt fails, check your listening ports:
netstat -tulpn
Apache2 might be running!
If all goes well, you should have a nice, shiny, new certificate from Let's Encrypt! Note where the certificate files are placed (usually in
/etc/letsencrypt/live/[CertificateName]/
).
Let's stick that in the enabled sites:
Edit with your favorite text editor 😉
nano /etc/apache2/sites-enabled/000-default.conf
and enter the paths to your certificate files where it says:
SSLCertificateFile
SSLCertificateChainFile
SSLCertificateKeyFile
If all goes well here, you should be able to type:
systemctl restart apache2.service
NOTE: Apache2 will be listening on IPv6 :::443. To change this, edit:
/etc/apache2/ports.conf
After that it should be listening on IPv4 0.0.0.0:443.
Setup CDN
Remember the subdomains you created with the bash one-liner? Let's grab those and get a move on with creating the CDN in Azure.
Search for and go to Front Door and CDN Profiles and follow the prompts:
Enter in to the "CDN Endpoint Name" your first subdomain (don't worry, we'll be adding the second one shortly)
CDN Endpoint Name: target-login
Origin Type: Custom Origin
Origin hostname: IP Address of Virtual Machine
Click "Review + Create"
Go to the Resource that was just created.
Click on it and click on "Origin"
Click on where it states "origin-ip-address"
Change the "Origin host header" to be the CDN Endpoint Name (i.e. target-login.azureedge.net)
Click "Save"
Navigate to "Compression", turn it off, and click "Save".
Navigate to "Caching Rules", set it to "Bypass caching for query strings", and click "Save".
Click on "+ Endpoint" to create a second endpoint.
Enter in to the "CDN Endpoint Name" your second subdomain.
CDN Endpoint Name: target-account
Origin Type: Custom Origin
Origin Hostname: IP Address of Virtual Machine
Origin Host Header: CDN Endpoint Name (i.e. target-account.azureedge.net)
Click on "Add".
Apply the same "Compression" and "Caching Rules" changes (steps 8 & 9 above) to your second CDN endpoint.
Edit Evilginx Phishlet
We will now be editing the phishlets for Evilginx2. This will allow us to use the two subdomains we created.
Edit with your favorite text editor 😉
nano /etc/.evilgophish/evilginx2/phishlets/o3652.yaml
Under "proxy_hosts":
Change "phish_sub: 'login'" to "phish_sub: 'target-login'", and
Change "phish_sub: 'account'" to "phish_sub: 'target-account'"
Start Up EvilGoPhish
Lastly, we will be starting up EvilGoPhish. We will utilize Evilginx2 in developer mode as this mode gives us a self-signed certificate that can be used in conjunction with the SSL certificate we obtained from Let's Encrypt.
From the
/etc/.evilgophish/
directory, navigate to the gophish directory.
Start GoPhish, noting the admin password (this will need to be changed later):
./gophish
This creates the gophish.db database, which Evilginx2 will also use.
Follow GoPhish Setup to setup an email campaign.
Navigate back to the evilginx2 directory.
Start Evilginx2:
./evilginx2 -g ../gophish/gophish.db -debug -developer -p phishlets/
Ensure to ALWAYS use developer mode with a CDN in front.
This will start up evilginx2 in developer mode, not requiring an SSL certificate
Now, let's configure Evilginx2! Type in:
config domain azureedge.net
config ip [ip address of Virtual Machine]
phishlets hostname o3652 azureedge.net
phishlets enable o3652
lures create o3652
lures get-url 0
With that URL, enter that into GoPhish and you should be ready to go!
If everything worked out, you should now have a domain with azureedge.net that captures credentials
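From the defender's side, the naming convention this walkthrough depends on (CDN endpoints named target-login / target-account under azureedge.net) is itself a detection hook. Below is an added example, not code from the original post or from EvilGoPhish, that scans click or proxy log lines for hosts matching that pattern; the log line format and the "contoso" hostnames are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample log lines (assumed format: "... url=<URL>"), not real data.
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z click user=alice url=https://contoso-login.azureedge.net/",
    "2024-01-01T10:00:05Z click user=bob url=https://contoso-account.azureedge.net/common/oauth2",
    "2024-01-01T10:00:09Z click user=carol url=https://static-assets.azureedge.net/site.css",
    "2024-01-01T10:00:12Z click user=dave url=https://login.microsoftonline.com/",
]

CDN_SUFFIX = ".azureedge.net"
# The walkthrough requires endpoint names ending in "-login" or "-account".
LURE_LABEL = re.compile(r"^[a-z0-9-]+-(login|account)$")
URL_RE = re.compile(r"url=(\S+)")


def extract_host(line: str) -> Optional[str]:
    """Pull the URL out of a log line and return its lowercase hostname."""
    m = URL_RE.search(line)
    if not m:
        return None
    return (urlparse(m.group(1)).hostname or "").lower() or None


def classify_host(host: str) -> Optional[str]:
    """Return a reason if host is a single-label azureedge.net endpoint
    whose name ends in -login or -account; otherwise None."""
    if not host.endswith(CDN_SUFFIX):
        return None
    label = host[: -len(CDN_SUFFIX)]
    if "." in label:  # only direct endpoint labels, e.g. target-login.azureedge.net
        return None
    m = LURE_LABEL.match(label)
    if not m:
        return None
    return f"azureedge.net endpoint with '-{m.group(1)}' suffix: {host}"


def find_lure_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for every line whose host matches the pattern."""
    findings = []
    for line in lines:
        host = extract_host(line)
        reason = classify_host(host) if host else None
        if reason:
            findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for _, reason in find_lure_hosts(SAMPLE_LINES):
        print(reason)
```

Legitimate azureedge.net endpoints exist, so treat a match as a triage signal to correlate with mail headers and user clicks, not as proof of phishing.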