waelmas / frameless-bitb

A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx.
BSD 3-Clause "New" or "Revised" License
354 stars 44 forks source link

Adding certbot for LIVE domains #6

Open Xcertik-Realist opened 9 months ago

Xcertik-Realist commented 9 months ago

Hi thanks for this repo is it just made EvilNginx3 a whole lot better ive been trying to do something like this for a while the scope for this is wide ranging and additional lures pages can be used far and wide as bait

Im in process of trying to automate it (once done ill throw a pull request) could you offer a little advise where to put certbot into the mix or even better how to use a bought SSL into the mix somewhere for live engagements ??

Also im very interested in getting hold of the enhanced version you spoke of in your Vid how is this possible

waelmas commented 9 months ago

Thanks a lot for the nice words and glad you like it.

For live deployments, I usually use the manual acme challenge flow (not efficient but easy and quick way):

certbot certonly --manual --preferred-challenges=dns --email [info@domain.com](mailto:info@domain.com) --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.domain.com' -d 'domain.com'

It will ask you to manually add 2 TXT DNS records and hit enter once you confirm the records are propagated by your DNS provider.

Then it places the generated certs in /etc/letsencrypt/live/domain.com/ which is what you need to set in the apache configs for them to be picked.

To automate this, you will either have to supply your own private key and chain and point the apache configs to pick them up from a specific directory (place them both under a directory with the domain as the name).

Here is the relevant part of the apache configs you will need to change:

Before:

Define certsPathDir /etc/ssl/localcerts/
Define domain fake.com

After:

Define certsPathDir /path/to/your/certs/
Define domain domain.com

and /path/to/your/certs/ should have a subdirectory named domain.com under which you have fullchain.pem and privkey.pem

(Just make sure that you apply the correct permissions to the private key, otherwise you will face permission issues)

Hope this helps.

(Will probably add the above to the Readme soon)

Xcertik-Realist commented 8 months ago

what about using cloudflare for SSL is this something you have looked at ?? I have a set of old aged domains for engagements im redirecting to my EVGX server with a meta refresh in encrypted JS thats behind cloudflare "under attack" mode to get the challenge from them and to stop scanners grabbing my EVGNX link the JS also kinda acts as a load balancer as it picks a server to redirect to at random from a list of 3 different EVGNX servers (depending on engagement size) , but I keep getting issues with the SSL on my EVGNX SSL set up I cant seem to get it to work for some reason with the above repo I was thinking would it be possible to just use cloudflare to handle the SSL on the evilginx domain instead of certbot ??

waelmas commented 8 months ago

I have it in my todo list, but I theoretically it should be possible. If Cloudflare allows you to get the private key and CA of the SSL certs they generate for you, you can simply add them to your server then change the paths at the very top of /etc/apache2/sites-enabled/000-default.conf to point to the new ones. (Might have to play a bit with the permissions)

To use your own SSL certs (with certbot) you will have to generate and setup the certs before adding Cloudflare to the picture. If you don't, certbot will most likely fail.

Xcertik-Realist commented 8 months ago

thanks ill see what i can come up with

Rastasau commented 5 months ago

@Xcertik-Realist @waelmas greetings champs. were you able to find an efficient way to go live with this framework? I have been trying to get my head around it. kindly assist