DISCLAIMER: This post is for educational purposes only. Cybercrime is stupid and will probably have you wasting your talents in prison.

In the last post, I showed how to make a phishing proxy to automate red team phishing engagements. While the proxy works, it does not natively support SSL and can easily be blocked if the target website blocks requests coming from the proxy’s IP address. In this installment, I’ll cover how to make the proxy compatible with SSL and add SOCKS5 proxy support so the server’s IP won’t show up in the target’s log.

The code for the tool, Judas, is available on GitHub.

Hiding from the target

To evade IP blocks, some kind of proxy is needed for requests. Since Tor supports SOCKS5, we’ll add support for it. Like most other things, Go makes this dead simple. The golang.org/x/net/proxy library lets us create a net.Dialer that connects using the proxy address passed to it.

Judas supports this out of the box using the proxy argument.

./judas --target https://torwebsite.onion --cert server.crt --private-key server.key --proxy localhost:9150

Proxying https://check.torproject.org to confirm requests are routed through Tor.

Getting the green padlock

Now that we can hide the proxy from the target, it’s time to fool the victim with that green padlock. Go makes this straightforward with its TLS package in the standard library.

Go's standard library provides a function for loading X.509 certificates and private keys from files on disk. Apart from loading the certificate, the flow is the same as listening on an unencrypted connection: we handle each connection on a new goroutine to avoid blocking and pass successful request-response transactions to a worker goroutine.

Judas supports this by default using the cert and private-key arguments, with an optional insecure flag to disable SSL.

./judas --target https://target-url.com --cert server.crt --private-key server.key

To disable SSL, use the insecure flag.

./judas --target https://target-url.com --insecure

Adding an SSL certificate lulls some users into a false sense of security because the green padlock appears in the address bar.

Additional stealth with CloudFlare

You can use CloudFlare to avoid casual discovery of the phishing server by the blue team. Combined with a SOCKS5 proxy, CloudFlare makes it very difficult to find the true location of the phishing proxy.

How do I defend my website against this?

There isn't any way to defend against this attack 100%, since the proxied requests look like normal traffic and attackers can inject JavaScript. You can make exploitation more difficult by:

Monitoring users' IP addresses and requiring additional authentication when a user logs in from a new IP address, especially a Tor exit node or another suspicious IP address.

Using 2-Factor Authentication (2FA). This will not prevent the attack, but it does limit the lifetime of a compromise, since an attacker can only maintain access for the length of a session. Requiring a 2FA token to perform dangerous actions like transferring money or changing a password forces an attacker to keep stealing fresh 2FA tokens, as the first captured token becomes useless once it has been consumed.

Notifying users via email or SMS when their account has been accessed. Including the source IP address and country in the alert lets a user recognise immediately that something is wrong if the email says their login came from a different country.
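One way to implement the first and third of these defences, as an added example in Go that is not part of Judas or the original post: the per-user IP history, the Tor exit list and the sample logins are constructed, and the country is assumed to come from a GeoIP lookup the application already performs.

```go
package main

import (
	"fmt"
	"net"
)

// LoginEvent is one successful password login as the application sees it; Country
// is assumed to come from a GeoIP lookup the application already performs.
type LoginEvent struct{ User, SrcIP, Country string }

// Policy holds per-user login history and the Tor exit list used to score a login.
type Policy struct {
	KnownIPs map[string]map[string]bool // user -> set of source IPs seen before
	TorExits map[string]bool            // Tor exit node addresses (constructed sample below)
}

// Decision says whether the login must pass a second factor before the session is usable.
type Decision struct{ StepUp bool; Reason string }

// Evaluate demands step-up for Tor or never-seen source addresses. Credentials captured
// by a phishing proxy are replayed from the proxy's egress address, not the victim's,
// so their first use is exactly the "new IP" case this catches.
func (p *Policy) Evaluate(e LoginEvent) Decision {
	if net.ParseIP(e.SrcIP) == nil {
		return Decision{true, "unparseable source address"}
	}
	if p.TorExits[e.SrcIP] {
		return Decision{true, "login from Tor exit node"}
	}
	if !p.KnownIPs[e.User][e.SrcIP] {
		return Decision{true, "login from new IP address"}
	}
	return Decision{}
}

// Alert is the notification sent after every login; the IP and country let the
// user spot a session that was not theirs.
func Alert(e LoginEvent) string {
	return fmt.Sprintf("New login to %s from %s (%s)", e.User, e.SrcIP, e.Country)
}

// SamplePolicy is constructed data built from documentation address ranges.
func SamplePolicy() *Policy {
	return &Policy{
		KnownIPs: map[string]map[string]bool{"alice": {"198.51.100.7": true}},
		TorExits: map[string]bool{"192.0.2.44": true},
	}
}
```

In production the Tor exit set would be refreshed from a published exit list and the known-IP set updated only after the user passes the step-up challenge.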

The full code is on GitHub.
