OBTAINING AN SSL CERTIFICATE FROM LETSENCRYPT.ORG

Take this a step further: HTTPS should be implemented on all your phishing sites, regardless of whether they harvest sensitive data or not. You’ve got a better chance of bypassing any web proxy servers in place by running a fully encrypted stream.

Phishing Frenzy now supports uploading an SSL certificate and hosting your websites over HTTPS. Since Phishing Frenzy is essentially a front end for the Apache web service, you can upload your SSL certificate, activate the campaign and watch it run over HTTPS. Now that’s legit.

How it Works

Let’s Encrypt has a nifty command-line tool that we can run from our phishing server. The command-line tool has now been renamed to “certbot” and can be downloaded off.

Once you’ve downloaded the script on your server, it’s really a one-liner to get the certificate in your possession.

The first item to note is that Apache cannot be running while you run certbot. In order for Let’s Encrypt to validate that you own the domain, it will resolve the FQDN to an IP address of the server you are currently on. Certbot will then start a mini web service hosting a token which proves to Let’s Encrypt that you’re authoritative over this domain name.

This means that if you have any active phishing campaigns, they will be disabled temporarily while you obtain the SSL certificate. Keep this in mind to make sure you’re not disrupting an active campaign of yours or a colleague’s.

Configuring APACHE

If you try to run the certbot script with Apache running, you will be notified with a nice little warning.

If you have correctly disabled your active web server, you can then run the “certbot” command similar to the one below. Make sure to change the domain name to the one that you’re configuring.

./certbot-auto certonly --standalone -d www.pentestgeek.com

The standalone flag is used to tell the “certbot” tool to start its own web service, which can be used to properly validate with Let’s Encrypt. The “certonly” flag is used to tell “certbot” that you do not want it to automatically configure Apache with the SSL certificate. Just provide us the certificates, and we’ll deploy them to Apache ourselves through the Phishing Frenzy Web UI.

Once you’ve successfully obtained some valid SSL certificates, congratulations! By default all of the certificates will be dropped into /etc/letsencrypt/live/:fqdn, which is really a symbolic link to the /etc/letsencrypt/archive/:fqdn directory.
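Before uploading the files, it is worth confirming that each one under live resolves to a real file under archive and that the private key is readable only by its owner. The script below is an added example, not part of the original post or of Phishing Frenzy; it assumes certbot’s usual layout, in which cert.pem, chain.pem, fullchain.pem and privkey.pem under live are symlinks to numbered files under archive, and the function name audit_lineage is made up here.

```shell
#!/bin/sh
# Added example (not from the original post): audit one certbot lineage.
# Assumed layout: <root>/live/<fqdn>/{cert,chain,fullchain,privkey}.pem are
# symlinks to <root>/archive/<fqdn>/<name>N.pem. audit_lineage is a made-up name.
# Usage: audit_lineage /etc/letsencrypt www.example.test

audit_lineage() {
    live="$1/live/$2"
    rc=0
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            echo "MISSING   $name.pem is not a symlink"
            rc=1
            continue
        fi
        target=$(readlink "$link")
        case $target in
            /*) resolved=$target ;;          # absolute link target
            *)  resolved="$live/$target" ;;  # relative to the live directory
        esac
        if [ ! -f "$resolved" ]; then
            echo "DANGLING  $name.pem -> $target"
            rc=1
            continue
        fi
        case $target in
            */archive/"$2"/"$name"[0-9]*.pem)
                echo "OK        $name.pem -> $target" ;;
            *)
                echo "FOREIGN   $name.pem -> $target (outside archive/$2)"
                rc=1 ;;
        esac
    done
    # Characters 5-10 of the mode string are the group and other bits; any of
    # them set means someone besides the owner can reach the private key.
    if [ -f "$live/privkey.pem" ]; then
        mode=$(ls -lL "$live/privkey.pem" | cut -c1-10)
        case $mode in
            ????------) echo "OK        privkey.pem mode $mode" ;;
            *)          echo "LOOSE     privkey.pem mode $mode"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run against a real tree only when both arguments are given.
if [ $# -ge 2 ]; then audit_lineage "$1" "$2"; fi
```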

Configuring Phishing Frenzy

Now that we have all the SSL files required to host our phishing site over HTTPS, let’s start Apache and Phishing Frenzy back up. All you need to do is upload the SSL certificate files and save. Make sure that the dropdowns on the right

Once the data has been uploaded and saved properly, you can then activate the campaign and your phishing site is now live on HTTPS. Anyone who tries to hit the phishing site over HTTP will automatically be redirected to HTTPS by default.

Conclusion

If you’re not leveraging HTTPS for all your phishing engagements, you should be. Letsencrypt.org is a great service provider. It’s no cost to you, and the tools are really slick and can auto-magically configure your Nginx or Apache web server with a couple of added flags.

In the future we may incorporate Let’s Encrypt in the Web UI itself so that it uses the Let’s Encrypt API to pull the SSL certificate down and apply it to the current campaign.

Hope you enjoy, and enjoy phishing all the things over HTTPS.
