When approaching phishing for either a Red Team engagement or for a Phishing Controls assessment, time is often of the essence.
In this blog post we are going to be focusing on Phishing for credentials, that could easily apply to both of the scenarios above.
In many companies the approach to Phishing is as follows:
- There is a central Gophish server where email templates and sending profiles are configured
- The Phishing site is either hosted in GoPhish (which is generally not a good idea because previous campaigns may result in the server's IP from being blacklisted) or alternatively an EC2 in AWS or similar is spun up with Nginx/Apache to host the the Phishing site
- A mailserver is configured either by using an API like Sendgrid or Mailgun with DKIM /SPF, or alternatively a lite Postfix instance with rate limiting, mail header scrubbing and similar configs again with DKIM/SPF configured.
These methods can be pretty effective in running a successful Phishing campaign but from time to time, the emails are classified as spam, and even with Ansible playbooks, by the time SSL certs, domains, some basic PHP to capture the credentials, and mail configs are all set up in can take some time.
This blog post introduces a quick way of spinning up a Phishing site using Netlify rather than hosting it yourself through AWS or GoPhish. In another post we will talk about mail deliveriability.
Netlify bills itself as a way to
Build, deploy, and manage modern web projects
We at Hunnic Cyber use Netlify a fair bit for some of our technical work, alongside our operational and sales processes too.
While the whole suite of Netlify feautures are very interesting, we are only going to use the free tier to deploy static sites from Github.
Now you maybe be asking how we would go about capturing credentials with a static site? Netlify comes with built-in form handling. Their build bots parse the HTML files at deploy time and so by adding a Netlify attribute we can capture input which is explained on their website here.
I have taken time to modify three common phishing websites, to work with Netlify's built in form handling. These can be found on our Github here.
So let's go ahead and see how easy it is to deploy a phishing site that has SSL, and can capture cerdentials.
Using Github desktop I am going to initialise a repository in the Phishing template folder:
Then deploy it and keep the code private:
Now we have a repository that we can update with a few clicks. We then need to head over to Netlify.
It is recommended that you point your nameservers over to Netlify once you've bought your domain and you can do this by adding the following NS records:
Once you have made a new account with Netlify, and have set up your NS records, it's time to create a "New Site from Git".
Once you have selected this then select Github. In my example I am presented with a number of repositories, but if this is your first time using Netlify, you will need to click on the link below: "Configure the Netlify app on Github":
Once you have selected the repo to deploy, select the branch (in this case master), and click on Deploy site:
That will then queue the build process, and in this instance publish the site in seconds. Next we can to set up a custom domain:
As we have pointed our NS records we can now use our purchased domain, in this instace I will be using blogpost.Hunniccyber.com and confirm that i am the owner.
Finally you will need to click Force HTTPS and your done:
In a matter of minutes we have deployed a Phishing site, set up SSL, and enabled form capturing which could take a while doing it manually:
If we now enter credentials in to the application, we are taken to an HTML error page, however the credentials are saved on the back end:
You can also export these to a CSV, that shows input, User Agent, and IP address (I have edited ours to 0.0.0.0):
As we can see this has been an extremely quick and painless process to set up a Phishing site that has SSL, good IP reputation, form capturing, is possible to update in seconds and does not cost anything other than the Domain purchase.
Of course there are some concerns that need to be investigated in terms of the security of the Netlify platform if it is to store client credentials, however that is to be decided on a company by company basis and i will leave that for you to investigate :)