
Gone KingPhishin’ Part 2 – KingPhisher 1.1.0 + TLS + Creds Capture


!!UPDATED INSTRUCTIONS FOR RELEASE 1.5.1 here !!

It’s been quite some time since I wrote a guide for something, and I DID say I’d follow up my original Gone KingPhishin’ post with steps to get SSL/TLS working as well as walking through the campaign creation process…so here we go.

What you’ll need to replicate this tutorial:

  • A system capable of running king-phisher server (I’m using a Digital Ocean Ubuntu VPS) and client (I’m using Kali Linux 2.0)
  • An externally accessible domain name and the ability to add a DNS record for your king-phisher server

I’ll be expecting you to do some things yourself, like register your domain and create DNS records, etc, but will go through all the king-phisher setup tasks in detail.

Configuring the king-phisher server

A few things have changed with the release of king-phisher v1.1.0, so we’ll take it from the top. The assumption is you have a server with a registered domain and DNS entry ready to go. I’ll be using the following:

Server: Digital Ocean Ubuntu VPS
Domain: leg1t.sw1tch.net

Clone the latest king-phisher repo from github and run the installer

sw1tch@leg1t:~$ cd /opt && sudo git clone https://github.com/securestate/king-phisher.git
Cloning into ‘king-phisher’…
remote: Counting objects: 8870, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 8870 (delta 0), reused 0 (delta 0), pack-reused 8864
Receiving objects: 100% (8870/8870), 2.88 MiB | 720.00 KiB/s, done.
Resolving deltas: 100% (6488/6488), done.
Checking connectivity… done.
sw1tch@leg1t:/opt$ sudo king-phisher/tools/install.sh 
Linux version detected as Ubuntu
Install and use PostgreSQL? (Highly recommended and required for upgrading) [Y/n] Y
Will install and configure PostgreSQL for the server
Project directory found at /opt/king-phisher
Installing Ubuntu dependencies
Reading package lists… Done
Building dependency tree       
Reading state information… Done
The following extra packages will be installed:
  binutils build-essential dpkg-dev fakeroot g++ g++-4.8 gcc gcc-4.8



Creating King Phisher admin group: ‘kpadmins’
Configuring the PostgreSQL server
PostgreSQL configuration file found at /etc/postgresql/9.3/main/pg_hba.conf
Installing the King Phisher upstart service file in /etc/init/
Starting the King Phisher service
king-phisher start/running, process 26601
sw1tch@leg1t:/opt$ sudo kill 26601
sw1tch@leg1t:/opt$

This may take some time…there are a lot of packages to pull and there are typically a few large pauses during the build phase. Ignore any non-fatal errors. If you get issues with the pip install process for matplotlib, you can just apt-get install python-matplotlib yourself and then re-run the installer. As you can see, the installer sorted out our database configuration as well. If it starts, you’ll need to kill any freshly running king-phisher process, because we’ll need access to TCP port 80 to generate our TLS certificate a little later.

Clone the latest king-phisher-templates repo from github on the server

The template files are stored in a separate repository, so go and grab them:

sw1tch@leg1t:/opt$ cd /opt/king-phisher/ && sudo git clone https://github.com/securestate/king-phisher-templates.git
Cloning into ‘king-phisher-templates’…
remote: Counting objects: 317, done.
remote: Total 317 (delta 0), reused 0 (delta 0), pack-reused 317
Receiving objects: 100% (317/317), 2.60 MiB | 56.00 MiB/s, done.
Resolving deltas: 100% (88/88), done.
Checking connectivity… done.

sw1tch@leg1t:/opt/king-phisher$

Generate your web certificates using letsencrypt


sw1tch@leg1t:/opt/king-phisher$ cd /opt/ && sudo git clone https://github.com/letsencrypt/letsencrypt
Cloning into ‘letsencrypt’…
remote: Counting objects: 28692, done.
remote: Compressing objects: 100% (80/80), done.
remote: Total 28692 (delta 48), reused 1 (delta 1), pack-reused 28611
Receiving objects: 100% (28692/28692), 7.54 MiB | 2.79 MiB/s, done.
Resolving deltas: 100% (20195/20195), done.
Checking connectivity… done.

sw1tch@leg1t:/opt$ cd letsencrypt
sw1tch@leg1t:/opt/letsencrypt$ sudo ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
Bootstrapping dependencies for Debian-based OSes…
Get:1 http://security.ubuntu.com trusty-security InRelease [64.4 kB] Get:2 http://mirrors.digitalocean.com trusty-updates InRelease [64.4 kB] …

Thanks to letsencrypt.org, it’s super easy to get a valid TLS cert for your king-phisher server – as you can see. You’ll be asked to enter a recovery email address, agree to the terms and conditions, then enter the name of the domain that you control including the host. For me, that’s leg1t.sw1tch.net:

[screenshot]

Once verification is complete, you should see something similar to this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.sw1tch.net/fullchain.pem. Your cert
will expire on 2016-04-13. To obtain a new version of the
certificate in the future, simply run Let’s Encrypt again.
- If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

sw1tch@leg1t:/opt/letsencrypt$ 

Alrighty, we’ve got our certificates, so let’s now configure king-phisher to use them. Open the configuration file /opt/king-phisher/server_config.yml and make the following changes, using your letsencrypt path:

server:
  # Bind address information
  address:
    host: 0.0.0.0
    port: 443

  # Require an ID associated with a campaign to load pages
  require_id: false

  # SSL settings
  ssl_cert:  /etc/letsencrypt/live/leg1t.sw1tch.net/fullchain.pem
  ssl_key:  /etc/letsencrypt/live/leg1t.sw1tch.net/privkey.pem

UPDATE 2016-05-03: Changed the above to use fullchain.pem instead of cert.pem – this will ensure the trust chain is valid by including cert.pem and chain.pem into a single file.
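The update above matters because a browser that only receives the leaf certificate has no way to build the chain up to a trusted root, and the padlock turns into a warning. The script below is an added example (not part of the original post and not King Phisher or Let’s Encrypt code) that reads cert.pem, chain.pem and fullchain.pem as PEM and confirms that fullchain.pem is exactly the leaf followed by the intermediates. The sample PEM blobs embedded in it are constructed placeholders, not real certificates, and the directory path is an assumption. It is a structural check only; for cryptographic validation of the chain use `openssl verify -CAfile chain.pem cert.pem` on the server.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM file, capturing its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certificates(pem_text):
    """Return the DER bytes of every certificate in a PEM file, in file order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_CERT.finditer(pem_text)
    ]


def fingerprint(der):
    """SHA-256 fingerprint of one DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_fullchain(cert_pem, chain_pem, fullchain_pem):
    """Return a list of problems; an empty list means fullchain.pem is
    cert.pem followed by chain.pem, leaf first.  This compares DER bytes
    only and does not validate any signature."""
    leaf = pem_certificates(cert_pem)
    chain = pem_certificates(chain_pem)
    full = pem_certificates(fullchain_pem)
    problems = []
    if len(leaf) != 1:
        problems.append("cert.pem should contain exactly one certificate")
    if not chain:
        problems.append("chain.pem contains no intermediate certificate")
    if not full:
        problems.append("fullchain.pem contains no certificate")
    elif leaf and full[0] != leaf[0]:
        problems.append("fullchain.pem does not start with the leaf from cert.pem")
    if full and full[1:] != chain:
        problems.append("fullchain.pem does not end with the intermediates from chain.pem")
    return problems


def check_fullchain_files(live_dir):
    """Run the check against a Let's Encrypt live directory such as
    /etc/letsencrypt/live/<host>/ (assumed layout: cert.pem, chain.pem, fullchain.pem)."""
    texts = {}
    for name in ("cert.pem", "chain.pem", "fullchain.pem"):
        with open(f"{live_dir}/{name}") as fh:
            texts[name] = fh.read()
    return check_fullchain(texts["cert.pem"], texts["chain.pem"], texts["fullchain.pem"])


def _fake_pem(payload):
    """Constructed placeholder: wraps arbitrary bytes in PEM armour so the
    check can run offline.  Not a real certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample files standing in for the three Let's Encrypt outputs.
SAMPLE_CERT = _fake_pem(b"leaf certificate placeholder")
SAMPLE_CHAIN = _fake_pem(b"intermediate CA certificate placeholder")
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN

if __name__ == "__main__":
    print("fullchain ok:", check_fullchain(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_FULLCHAIN) == [])
    # Pointing ssl_cert at cert.pem alone is the mistake the update corrects:
    print("cert.pem alone:", check_fullchain(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_CERT))
    for der in pem_certificates(SAMPLE_FULLCHAIN):
        print(fingerprint(der))
```

Point `check_fullchain_files()` at your own live directory after each renewal; the fingerprints it prints are the same values `openssl x509 -noout -fingerprint -sha256` shows, so you can compare the leaf against what a browser reports for the site.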

Notice we also set the require_id setting to false – this will allow us to test our configuration just before we launch the campaign. Before you launch (and assume you want to take advantage of the setting so you don’t screw up your one shot!) you should revert this value back to true. Similar to my original post, I’ll be using postfix instead of the standalone server shipped with king-phisher:

sw1tch@leg1t:/opt/letsencrypt$ sudo apt-get install mailutils postfix
Reading package lists… Done
Building dependency tree
Reading state information… Done

Select Internet Site and pick an appropriate FQDN value. Then sort out the rest of the config:


Processing triggers for libc-bin (2.19-0ubuntu6.6) …

sw1tch@leg1t:/opt/letsencrypt$ cd
sw1tch@leg1t:~$ sudo -i

root@leg1t:~$  echo "root sw1tch@leg1t.sw1tch.net" > /etc/postfix/generic
root@leg1t:~$  postmap /etc/postfix/generic
root@leg1t:~$  exit
sw1tch@leg1t:~$  

Add an entry to smtp_generic_maps (or create one if required) and change the inet_interfaces value to 127.0.0.1 in /etc/postfix/main.cf so we don’t advertise our MTA to the world:

inet_interfaces = 127.0.0.1
smtp_generic_maps = hash:/etc/postfix/generic

Restart postfix. Ok, now we can start the king-phisher server:

sw1tch@leg1t:~$ sudo /opt/king-phisher/KingPhisherServer -L INFO -f /opt/king-phisher/server_config.yml
INFO     listening on 0.0.0.0:443
INFO     0.0.0.0:443 – ssl has been enabled
INFO     0.0.0.0:443 – serving files has been enabled
INFO     initializing database connection with driver postgresql
INFO     restored 0 valid sessions and skipped 0 expired sessions from the database
INFO     the job manager has been started
INFO     server running in process: 31123 main tid: 0x7f23168af740
INFO     dropped privileges to the nobody account

Now we’re ready to start on the client.

Configuring the king-phisher client

Time to install the client on our Kali 2.0 box. Some of the package versions may have changed slightly (for example, libgeos-dev is now at version 3.5), so modify them as you need to:

root@kali:~# apt-get install libgeos++-dev libgeos-3.4.2 libgeos-dev python-mpltoolkits.basemap python-mpltoolkits.basemap-data
Reading package lists… Done
Building dependency tree
Reading state information… Done


root@kali:~#

Time to clone the latest king-phisher and king-phisher-templates repos from github on the client. Do what you did during the first and second step when you installed the king-phisher server. If you just want to install the client components, you can use the --skip-server switch – this will jump over the postgresql database setup and all the other components used for the king-phisher server. Basemap is needed for the cool map plotting features in the king-phisher client but sometimes it doesn’t install correctly when setting up king-phisher. If you need to, sort it manually:

root@kali:~# cd /tmp && wget https://downloads.sourceforge.net/project/matplotlib/matplotlib-toolkits/basemap-1.0.7/basemap-1.0.7.tar.gz


basemap-1.0.7.tar.gz            100%[========================================================>] 123.69M  1.42MB/s   in 79s

2016-01-14 20:05:20 (1.56 MB/s) - ‘basemap-1.0.7.tar.gz’ saved [129694711/129694711]

root@kali:~# easy_install basemap-1.0.7.tar.gz 


Installed /usr/local/lib/python2.7/dist-packages/basemap-1.0.7-py2.7-linux-x86_64.egg
Processing dependencies for basemap==1.0.7
Finished processing dependencies for basemap==1.0.7

root@kali:~# 

Done. Ok, now all that’s left is to fire up the client and connect to your waiting king-phisher server:

root@kali:/opt/king-phisher$ ./KingPhisher

Enter all the details appropriate to your setup (use the below pic for reference). If you have SSH keys set up, you’ll still need to put the password in.

[screenshot]

If the king-phisher server isn’t running, you’ll get an authentication error, so make sure the server is alive!

NOTE: Connection errors that make references to SSL or CERTIFICATE are usually because the SSL/TLS libraries on your server are out of date or no longer supported. If you want a good example of this, try following this tutorial with a Ubuntu 14.04 LTS server – it won’t work. You can try to fix this by installing updated libraries, but you should probably just upgrade your distro to something a tad more modern…

Once logged in, you’ll need to create a new campaign. The wizard will present you with a number of options to choose from so you can customise the kind of campaign you want to run. When you are done, select your freshly created campaign – we’ll need to configure some final settings.

Under Edit>Preferences, you’ll need to set your SMTP settings. Enable the Tunnel Over SSH option and enter the king-phisher server name and your local username for the SSH service on that box. Don’t forget to specify the port:

[screenshot]

Just a few more pieces to sort and we’re all set.

Configuring your phishing campaign

So now it’s time to configure your campaign. We’re going to use one of the pre-written templates we downloaded earlier and modify it slightly for our own evil intent. Our templates are located on our client machine under /opt/king-phisher/king-phisher-templates. Use the following as a guide for what you should include:

[screenshot]

You can customise the message contents by editing the raw HTML via the Edit tab. In this case, I’m going to target a single victim, but you can specify a CSV file under the Target Information section if you have multiple targets. The format for the CSV file is:

firstname,lastname,email_address

You can check to see what your email will look like under the Preview tab. Now we need to enable the content for our fake site, which needs to be configured on the king-phisher server. SSH back into your server and soft link the web template you want to use to /var/www:

sw1tch@leg1t:~$ cd /var/www
sw1tch@leg1t:/var/www$ sudo ln -s /opt/king-phisher/king-phisher-templates/Website_Templates/Credentials/Generic_Portal/www/* .
sw1tch@leg1t:/var/www$  ls
error  images  include  login
sw1tch@leg1t:/var/www$

Alrighty. Getting there now. For some reason (at least for me) the Verify URL check on the configuration tab for king-phisher doesn’t work, so we will just browse to the fake login page manually. Open a browser and visit https://yourserver/login and you should be greeted with your fake login portal…with no certificate errors or warnings, and that lovely padlock to show us all is well…

[screenshot]

To make your phish more legit, use custom images appropriate to your target (details available in the README.md files located under each template directory).

Now that we know all is well, we can reset the require_id setting in /opt/king-phisher/server_config.yml back to true. This will hide the content from anyone who doesn’t arrive at the login page via a valid king_phisher parameterised link.

Restart the king_phisher server. You are ready to rock.
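Since require_id is the one setting this guide has you flip twice, a pre-launch check that refuses to proceed while it is still false saves the campaign from serving the portal to anyone who stumbles on the host. The script below is an added example (not part of the original post and not King Phisher code) that reads server_config.yml with a small parser for the `key: value` subset the file uses, and reports anything that would expose the portal or break TLS: require_id not true, port not 443, ssl_cert or ssl_key unset or missing on disk, or ssl_cert pointing at cert.pem instead of fullchain.pem. The embedded config is a constructed copy of the settings shown earlier, still in their test state; path_exists is a parameter so the check can run without the real certificate files.

```python
import os
import sys


def parse_simple_yaml(text):
    """Parse the `key: value` subset of YAML used by server_config.yml:
    nested mappings by indentation, no lists, no multi-line scalars.
    Scalars stay strings except true/false, which become bools."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # leave any deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a nested mapping starts on the next lines
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def preflight(config_text, path_exists=os.path.exists):
    """Return the list of problems that should block a campaign launch."""
    server = parse_simple_yaml(config_text).get("server", {})
    problems = []
    if server.get("require_id") is not True:
        problems.append("require_id is not true: the portal would be served to "
                        "anyone who finds the host, not only to campaign links")
    port = str(server.get("address", {}).get("port", ""))
    if port != "443":
        problems.append(f"port is {port or 'unset'}, expected 443 for TLS")
    for key in ("ssl_cert", "ssl_key"):
        path = server.get(key)
        if not path:
            problems.append(f"{key} is not set, TLS would be disabled")
        elif not path_exists(path):
            problems.append(f"{key} file not found: {path}")
    cert = server.get("ssl_cert") or ""
    if os.path.basename(cert) == "cert.pem":
        problems.append("ssl_cert points at cert.pem; use fullchain.pem so clients "
                        "receive the intermediate certificate")
    return problems


# Constructed copy of the config from this guide, still in its test state.
SAMPLE_CONFIG = """\
server:
  # Bind address information
  address:
    host: 0.0.0.0
    port: 443

  # Require an ID associated with a campaign to load pages
  require_id: false

  # SSL settings
  ssl_cert:  /etc/letsencrypt/live/leg1t.sw1tch.net/fullchain.pem
  ssl_key:  /etc/letsencrypt/live/leg1t.sw1tch.net/privkey.pem
"""


if __name__ == "__main__":
    # Usage: python preflight.py /opt/king-phisher/server_config.yml
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = preflight(fh.read())
    else:
        found = preflight(SAMPLE_CONFIG, path_exists=lambda p: True)
    for problem in found:
        print("BLOCK:", problem)
    sys.exit(1 if found else 0)
```

Run it against the real file right before restarting the server; a non-zero exit is the cue to go back and fix the config rather than restart with the portal wide open.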

Firing off your campaign

Back in the king-phisher client, click the Send tab and hit Start. You’ll get a warning about a potentially invalid URL, but we checked before so we know it’s all good…carry on by clicking Yes.

Enter the SSH password for your king_phisher server and hit Connect. Your evil email has been sent and you can now play the waiting game…

Track your campaign progress from the View Campaign tab – options for the dashboard display can be found under Edit>Preferences. The credentials captured are available under the Credentials tab:

[screenshot]

This should be more than enough to get you moving with king-phisher. Huge thanks again to zeroSteiner and the SecureState team for giving us king-phisher – it’s one of the best phishing frameworks around (in my humble opinion) 🙂

Next Time…

Next post, I’ll cover off how to use the basic auth function I begged @zeroSteiner to implement.

Negotiating basic auth is a task pretty much all corporate users are used to – typically they are happy to dump their creds because native authentication prompts tend to look very professional and secure. Not so…and now that you have TLS configured for king_phisher, capturing basic auth can be done easily and securely.

sw1tch
