Real-Time Two-Factor Phishing Tool: ReelPhish

2018-05-08T02:39:46
ID N0WHERE:172720
Type n0where
Reporter N0where
Modified 2018-05-08T02:39:46

Description

2FA adds an extra layer of authentication on top of the typical username and password. Two common 2FA implementations are one-time passwords and push notifications. One-time passwords are generated by a secondary device, such as a hard token, and tied to a specific user. These passwords typically expire within 30 to 60 seconds and cannot be reused. Push notifications involve sending a prompt to a user’s mobile device and requiring the user to confirm their login attempt. Both of these implementations protect users from traditional phishing campaigns that only capture username and password combinations.

While 2FA has been strongly recommended by security professionals for both personal and commercial applications, it is not an infallible solution. 2FA implementations have been successfully defeated using real-time phishing techniques. These phishing attacks involve interaction between the attacker and victims in real time.

A simple example would be a phishing website that prompts a user for their one-time password in addition to their username and password. Once a user completes authentication on the phishing website, they are presented with a generic “Login Successful” page and the one-time password remains unused but captured. At this point, the attacker has a brief window of time to reuse the victim’s credentials before expiration.
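The two properties the description relies on, a short time step and single use, are enforced on the verifying server, and they are what bound the attacker's window rather than close it. The following is an added illustration written for this page, not ReelPhish code or any code from the original post: an RFC 6238 TOTP generator (HMAC-SHA1, 30-second step) with a per-user verifier that accepts a code only inside a small clock-skew window and only once. The 30-second step, the one-step skew allowance and the secret `b"12345678901234567890"` (the RFC test-vector key, used here as a constructed value) are assumptions; Python 3 is used rather than the Python 2.7 the tool itself requires.

```python
"""TOTP verification with expiry and single use (RFC 6238 / RFC 4226).

Added example for this page, not part of ReelPhish. Assumptions: 30-second
time step, HMAC-SHA1, +/-1 step of clock skew, and a server that remembers
the highest counter it has already accepted for each user.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed time step (the common default)
SKEW_STEPS = 1      # assumed tolerance: accept the previous and next step too


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Per-user verifier: a code is valid only inside the skew window and only once."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.last_accepted_counter = -1   # highest counter already consumed

    def verify(self, code: str, at_time: int = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        current = now // STEP_SECONDS
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            # Single use: any counter at or below the last accepted one is a replay.
            if counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        # Outside the window, or already used: the code no longer authenticates.
        return False


def replay_demo(secret: bytes = b"12345678901234567890", t0: int = 59) -> dict:
    """Constructed scenario: a code generated at t0 is used once, then
    presented again, then tried after it has aged out of the window."""
    code = totp(secret, t0)
    user_session = TotpVerifier(secret)
    return {
        "first_use": user_session.verify(code, t0 + 10),      # unused, in window
        "replay": user_session.verify(code, t0 + 20),         # same code again
        "after_expiry": TotpVerifier(secret).verify(code, t0 + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(replay_demo())
```

Running `replay_demo()` gives `first_use` True and both `replay` and `after_expiry` False. The point for a defender is the gap between those checks and the attack above: single use and expiry stop a captured code from being reused later, but a code relayed to the legitimate site within the same step is still its first use, which is exactly the window the description says the attacker has to act in.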

The primary component of the ReelPhish phishing tool is designed to be run on the attacker’s system. It consists of a Python script that listens for data from the attacker’s phishing site and drives a locally installed web browser using the Selenium framework. The tool is able to control the attacker’s web browser by navigating to specified web pages, interacting with HTML objects, and scraping content.

The secondary component of ReelPhish resides on the phishing site itself. Code embedded in the phishing site sends data, such as the captured username and password, to the phishing tool running on the attacker’s machine. Once the phishing tool receives information, it uses Selenium to launch a browser and authenticate to the legitimate website. All communication between the phishing web server and the attacker’s system is performed over an encrypted SSH tunnel.

Victims are tracked via session tokens, which are included in all communications between the phishing site and ReelPhish. This token allows the phishing tool to maintain states for authentication workflows that involve multiple pages with unique challenges. Because the phishing tool is state-aware, it is able to send information from the victim to the legitimate web authentication portal and vice versa.

ReelPhish supports multiple authentication pages. For example, in some cases a two-factor authentication code may be requested on a second page. To implement this feature, be sure that --numpages is set to the number of authentication pages. Also be sure that the session ID is properly tracked on your phishing site. The session ID is used to track users as they proceed through each step of authentication.

In some cases, you may need to scrape specific content (such as a challenge code) off of a particular authentication page. Example commented out code is provided in ReelPhish.py to perform a scraping operation.

Installation Steps

  1. The latest release of Python 2.7.x is required.
  2. Install Selenium, a required dependency to run the browser drivers.
    • pip install -r requirements.txt
  3. Download browser drivers for all web browsers you plan to use. Binaries should be placed in the ReelPhish root directory with the following naming scheme.
    • Internet Explorer: www.seleniumhq.org/download/
      • Download the Internet Explorer Driver Server for 32-bit Windows IE. Unzip the file and rename the binary to: IEDriver.exe
      • In order for the Internet Explorer Driver to work, be sure protected mode is disabled. On IE11 (64-bit Windows), you must create the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE". In this key, create a DWORD value named iexplore.exe and set the value to 0.
      • Further information on Internet Explorer requirements can be found at www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver
    • Firefox: www.github.com/mozilla/geckodriver/releases/
      • Download the latest release of the Firefox GeckoDriver for Windows 32-bit. Unzip the file and rename the binary to: FFDriver.exe
      • On Linux systems, download the Linux version of the Firefox GeckoDriver and rename the binary to: FFDriver.bin . Linux support is experimental.
      • GeckoDriver has special requirements. Copy FFDriver.exe to geckodriver.exe and place it in a directory on your PATH. Additionally, make sure firefox.exe is on your PATH.
    • Chrome: https://chromedriver.storage.googleapis.com/index.html?path=2.35/
      • Download the latest release of the Google Chrome Driver for Windows 32-bit. Unzip the file and rename the binary to: ChromeDriver.exe
      • On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to: ChromeDriver.bin . Linux support is experimental.
