OBTAINING AN SSL CERTIFICATE FROM LETSENCRYPT.ORG
Take this a step further: HTTPS should be implemented on all your phishing sites, regardless of whether they harvest sensitive data or not. You’ve got a better chance of bypassing any web proxy servers in place by running a fully encrypted stream.
Phishing Frenzy now supports uploading an SSL certificate and hosting your websites over HTTPS. Since Phishing Frenzy is essentially a front end for the Apache web service, you can upload your SSL certificate, activate the campaign and watch it run over HTTPS. Now that’s legit.
How it Works
Let’s Encrypt has a nifty command line tool that we can run from our phishing server. The command line tool has now been renamed to “certbot” and can be downloaded off.
Once you’ve downloaded the script on your server, it’s really a one-liner to get your certificate.
The first item to note is that Apache cannot be running while you run certbot. In order for Let’s Encrypt to validate that you own the domain, it will resolve the FQDN to the IP address of the server you are currently on. Certbot will then start a mini web service hosting a token, which proves to Let’s Encrypt that you’re authoritative over this domain name.
This means that if you have any active phishing campaigns, they will be disabled temporarily while you obtain the SSL certificate. Keep this in mind to make sure you’re not disrupting an active campaign of yours or a colleague’s.
If you try to run the certbot script with Apache running you will be notified with a nice little warning like below:
If you have correctly disabled your active web server, you can then run the “certbot” command similar to the one below. Make sure to change the domain name to the one you’re configuring.
./certbot-auto certonly --standalone -d www.pentestgeek.com
The “standalone” flag tells “certbot” to start its own standalone web service to validate with Let’s Encrypt. The “certonly” flag tells “certbot” that you do not want it to automatically configure Apache with the SSL certificate. Just provide us the certificates, and we’ll deploy them to Apache ourselves through the Phishing Frenzy Web UI.
Once you’ve successfully obtained some valid SSL certificates, congratulations. By default, all of the certificates will be dropped into /etc/letsencrypt/live/:fqdn, and these are really symbolic links into the /etc/letsencrypt/archive/:fqdn directory.
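An added example, not part of the original post or of certbot: a POSIX shell check that the four files certbot places in live/:fqdn are still symbolic links into archive/:fqdn and that the private key is readable only by its owner, run before the files are copied anywhere. The function name check_lineage and the choice of checks are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit one certbot lineage before its files are uploaded.
# Usage: check_lineage <letsencrypt-root> <fqdn>   (root is normally /etc/letsencrypt)
# Prints one line per file; returns 0 when every check passes, 1 otherwise.
check_lineage() {
    live="$1/live/$2"
    # Physical path of archive/<fqdn>; empty if the directory is missing.
    archive=$(cd "$1/archive/$2" 2>/dev/null && pwd -P) || archive=""
    rc=0
    # The four file names certbot writes for each certificate lineage.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -L "$p" ]; then
            # A plain copy would not follow the next renewal.
            echo "FAIL $f: not a symlink"; rc=1; continue
        fi
        if [ ! -f "$p" ]; then
            echo "FAIL $f: dangling symlink"; rc=1; continue
        fi
        # Resolve the directory the link points into (links are usually relative).
        dir=$(cd "$live" && cd "$(dirname "$(readlink "$p")")" 2>/dev/null && pwd -P) || dir=""
        if [ -z "$archive" ] || [ "$dir" != "$archive" ]; then
            echo "FAIL $f: points outside archive/$2"; rc=1; continue
        fi
        if [ "$f" = privkey.pem ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            mode=$(ls -lL "$p" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "FAIL $f: readable beyond owner ($mode)"; rc=1; continue
            fi
        fi
        echo "OK   $f -> $(readlink "$p")"
    done
    return $rc
}

# Run directly as: sh check_lineage.sh /etc/letsencrypt <fqdn>
if [ "$#" -eq 2 ]; then
    check_lineage "$1" "$2"
fi
```

A FAIL on privkey.pem means the key should be treated as exposed to other local accounts on the server and the permissions tightened before the file is used.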
Configuring Phishing Frenzy
Now that we have all the SSL files required to host our phishing site over HTTPS, let’s start Apache and Phishing Frenzy back up. All you need to do is upload the SSL certificate as seen below and save. Make sure that the dropdowns on the right
Once the data has been uploaded and saved properly, you can then activate the campaign, and your phishing site is now live on HTTPS. Anyone who tries to hit the phishing site over HTTP will automatically be redirected to HTTPS by default.
If you’re not leveraging HTTPS for all your phishing engagements, you should be. Letsencrypt.org is a great service provider. It’s no cost to you, and the tools are really slick and can auto-magically configure your Nginx or Apache web server with a couple of added flags.
In the future we may incorporate Let’s Encrypt into the Web UI itself, so that it uses the Let’s Encrypt API to pull the SSL certificate down and apply it to the current campaign.
Hope you enjoy, and enjoy phishing all the things over HTTPS.