
Gone KingPhishin’ Part 3 – Basic Auth over TLS


!!UPDATED INSTRUCTIONS FOR RELEASE 1.5.1 here !!

Phishing is easy. Effective target phishing isn’t so easy. While there’s a good chance you can get someone somewhere to click a link, it’s harder to get them to enter credentials – sometimes you might be up against a savvy user who won’t take a bite of a hosted piece of phishy bait that’s presented to them in a web form.

Enter basic authentication.

A typical basic auth prompt displays itself to users via a native dialog box – a legitimate-looking authentication request that corporate users are very familiar with thanks to its prevalence within internal networks (even small ones). When basic auth is integrated into a carefully prepared phishing campaign, your chances of convincing a victim to dump their creds can increase by a respectable level. And by having your king-phisher infrastructure all set up and TLS-protected, you can rest assured that when your victim does release their username and password to the native basic auth prompt hosted on your cloud server, the transaction is protected from any eavesdroppers in between.
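The reason TLS matters here is that basic auth (RFC 7617) only base64-encodes "user:password" in the Authorization header; it is not encrypted, so anyone on the path of a plain-HTTP request can read it, and any proxy or endpoint log that records the header holds the cleartext. The script below is an added example from the defensive side, not code from the original post or from the king-phisher project: it scans constructed proxy log lines for Basic credentials submitted to hosts outside an internal allowlist or over cleartext HTTP, which is exactly the pattern a campaign like this one produces. The log format, host names, user names and allowlist are all made up for the example.

```python
"""Flag HTTP Basic credentials sent to non-allowlisted hosts or over plain HTTP.

Added example (not from the original post). The log layout, hosts, users and
the INTERNAL_HOSTS allowlist are constructed for illustration only.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client IP, method, URL and the
# Authorization header value as recorded by the proxy.
SAMPLE_LOG = """\
2016-09-01T10:14:02Z 10.1.2.3 GET https://intranet.example.local/wiki Authorization="Basic YWxpY2U6aHVudGVyMg=="
2016-09-01T10:15:40Z 10.1.2.3 GET https://meeting-host.example-cloud.net/meeting-login Authorization="Basic YWxpY2U6aHVudGVyMg=="
2016-09-01T10:16:11Z 10.1.2.9 GET https://www.example.com/ Authorization="Bearer eyJhbGciOi..."
2016-09-01T10:17:05Z 10.1.2.7 GET http://legacy.example.local/status Authorization="Basic Ym9iOnBhc3N3b3Jk"
"""

# Hosts where a basic auth prompt is expected (constructed allowlist).
INTERNAL_HOSTS = {"intranet.example.local", "legacy.example.local"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'Authorization="(?P<auth>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    user: str
    reason: str


def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' header value.

    Returns None for other schemes or malformed input. This is the whole
    "protection" basic auth offers: a base64 wrapper, not encryption.
    """
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def scan(log_text, internal_hosts=INTERNAL_HOSTS):
    """Return a Finding for every Basic-auth request that leaves the allowlist
    or travels over cleartext HTTP. The password itself is never retained."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        creds = decode_basic(m["auth"])
        if creds is None:
            continue
        user, _password = creds  # deliberately dropped: only the user is reported
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if host not in internal_hosts:
            findings.append(Finding(m["ts"], m["src"], host, user,
                                    "basic auth to non-allowlisted host"))
        elif parts.scheme != "https":
            findings.append(Finding(m["ts"], m["src"], host, user,
                                    "basic auth over cleartext HTTP"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host} user={f.user}: {f.reason}")
```

Run against the embedded sample, the scanner reports the submission to the external meeting host (the phishing pattern) and the internal request that used plain HTTP, and ignores the Bearer token and the legitimate internal HTTPS request. A real deployment would read the proxy's own log format and feed an alert pipeline, but the decision logic is the same.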

It only takes a few minutes to configure, so let’s get started.

Prerequisites

You’ll need a fully functional king-phisher setup to continue. Check out my updated king-phisher set-up guide here, or head over to the official king-phisher doc repository. I’m using Kali Rolling 2016.1 for the client and a Digital Ocean Ubuntu 16.04 VPS for the server, but it all works swimmingly on the latest version of Kali Rolling too.

Once you’ve got that sorted, you’re ready to go.

Configuring basic auth

Presenting basic auth functionality with king-phisher is really simple – in this example, we’ll just create a new file called ‘meeting-login’ in /var/www/ on the box running the king-phisher server:

{% set require_basic_auth = True %}
{% set basic_auth_realm = 'Login details required' %}
<html>
<body>
<img src="img/meeting.jpg">
<br><br>
<font face="arial" size="2" color="gray">
Your meeting will start shortly.
</font>
</body>
</html>

Obviously the key elements in this code are the first two lines:

  • {% set require_basic_auth = True %} tells the king-phisher web server to demand basic auth from the visitor before displaying the page content.
  • {% set basic_auth_realm = 'Login details required' %} sets the realm value, which will really only be of use if you’re integrating multiple realms (maybe if you’re running several separate campaigns from the one box).

I’ve also created a directory /var/www/img and popped a pretty picture (meeting.jpg) in there to make the HTML presented to the victim post-authentication a little more believable. You can see this referenced in the code above.

Drafting your email

Same process followed as in the original tutorial, but this time we’ll use a calendar invite template. The timing options are configurable under the Calendar Invite Settings section at the bottom of the Configuration tab, and they’ll automatically pop up when you choose the Calendar Invite message type. Choose your victim(s) and you’re ready to draft the content of your calendar invite, accessible under the Edit tab. Here’s my slightly modified version in raw:

[screenshot: calendar invite in raw]

…and in Preview mode:

[screenshot: calendar invite in Preview mode]

Play around with your meeting timings and when you’re ready to send, click the Send tab.

Firing off your campaign

Again, detailed steps for initiating your campaign can be found in my previous king-phisher post. We’ve now sent our fake calendar item to our victim, which looks like the below when displayed on a mobile device:

[screenshot: calendar invite on a mobile device]

…and when they click the meeting link, they are presented with a basic auth dialog prompt over TLS:

[screenshot: basic auth dialog over TLS]
Once they authenticate, they get put through to the pretty waiting page we created earlier – captured creds are stored in king-phisher’s database for further use. That’s pretty much it!

Remember

  • Test, test, test! The more testing you do, the better your campaign will be. Test all elements of your attack, infrastructure and campaign flow. Then test them again. And again. Worth it.
  • Once your victim enters their creds once via basic auth, that’s it. Unless they open an incognito window or a browser session with a different local account, they won’t get a second chance to enter their creds. Remember this when testing too.

Thanks SecureState

There are a number of phishing frameworks out there, but not all are created equal. In terms of reliability, customisation, features and (most importantly) active development and community support, the team at SecureState really lead the way IMHO. King-phisher is clean, fast and powerful.

A special thanks to zeroSteiner who has continued to put up with my stupid questions in the #king-phisher IRC channel on Freenode.

sw1tch
