TOR (Darknet) Phishing Server

Ivan Bütler

August 15th, 2018

While playing with Docker and TOR, I thought it could be fun to set up a TOR hidden service that routes all traffic to a real HTTPS server. At Compass Security, we often run phishing attacks either offline or online. Confused? Read below…

Offline Phishing

This is the lame part: offline phishing. The attacker crawls the content of the victim site and lures users into the fake copy instead of the original. Typically, the victim is expected to enter their login credentials into the fake site, where the attacker happily collects credentials or other confidential information. However, the fake website may not behave exactly like the original, and this can alert security-aware people.

Offline Phishing Campaign

Online Phishing

In this attack scenario, the attacker does not copy the content from the victim's server; instead the phishing server routes all traffic from the victim user to the victim application using a technique called a “reverse proxy”. I like this scenario much more, as the victim application looks and behaves identically to the original. That said, the victim user is technically interacting with the original site, but through a man-in-the-middle.

Online Phishing Campaign

I will not cover whether a victim user could detect such a man-in-the-middle attack by carefully checking the SSL certificate (in case the reverse proxy runs on SSL/TLS) or by carefully checking whether the service really runs on HTTPS (I like to run my phishing servers on HTTP instead of HTTPS for obvious reasons, as this does not create SSL warnings).

Online Phishing with TOR (Darknet)

It came to my mind to set up a reverse proxy in the Darknet, or perhaps I should say in the TOR or onion network, just for fun and my own education. As I love to play with Docker services, I thought it would be nice to have a Docker-based TOR hidden service that forwards all traffic to my reverse proxy, which finally routes all packets to the final HTTPS endpoint.

The picture below introduces the demo setup, which consists of a TOR hidden service (Docker), an Ubuntu Apache reverse proxy (Docker) and the HTTPS (victim) endpoint, the real https://www.hacking-lab.com/

Demo Setup

Those familiar with HTTPS, cookies, the Secure flag and HPKP (HTTP Public Key Pinning) will understand that the reverse proxy must rewrite requests, responses and content: in particular, redirections, cookies (including the Secure and HttpOnly attributes) and HPKP headers must be fixed up. Otherwise, the victim application will not work.

And voilà (congrats if you have made it this far), I can now talk about the onion-based reverse proxy that does the magic.

Docker Compose for the TOR service and Apache Reverse Proxy

docker-compose.yml

This creates an onion service plus a reverse proxy in front of the demo HTTPS victim service. The Apache reverse proxy configuration looks like this:

Apache Reverse Proxy Configuration

The configuration directive `RequestHeader set Host www.hacking-lab.com` injects the correct Host header into the HTTPS request between the reverse proxy and the real Hacking-Lab.

The configuration directive `Header edit Set-Cookie "[Ss]ecure" ""` removes the Secure flag from the Hacking-Lab cookie. Otherwise the browser would not send the cookie over HTTP, and it would be impossible for victims to authenticate.

The configuration directive `Header edit Set-Cookie "HttpOnly" ""` removes the HttpOnly attribute from the cookie. This could be left out, but I like it, which is why I chose to remove the flag.

The configuration directive `Header unset Public-Key-Pins` removes the HPKP header from the HTTPS response. Not important in my setup, as I am running the service with plain HTTP and not HTTPS, but in other phishing scenarios this could be useful.
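As a defender-side check, and as an added example that is not part of the original post, the script below compares the response headers a browser receives from a suspect host with those the genuine origin sends, and reports the rewriting described above (stripped Secure/HttpOnly cookie attributes, removed Public-Key-Pins header); it also checks Strict-Transport-Security, which the post does not mention. All header values are constructed samples.

```python
# Added example (not from the original post): compare the response headers a
# browser receives from a suspect host with those the genuine origin sends, and
# report the rewriting described above. All header values are constructed.


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value});
    attribute names are lower-cased, flags like Secure map to ""."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_by_name(headers):
    """Collect every Set-Cookie header of a (name, value) list, keyed by cookie name."""
    return dict(parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")


def compare_responses(origin_headers, suspect_headers):
    """Return findings for protections the origin sends but the suspect host lacks."""
    findings = []
    suspect_cookies = cookies_by_name(suspect_headers)
    for name, origin_attrs in cookies_by_name(origin_headers).items():
        suspect_attrs = suspect_cookies.get(name)
        if suspect_attrs is None:
            continue  # cookie never reached the browser; nothing to compare
        for flag in ("secure", "httponly"):
            if flag in origin_attrs and flag not in suspect_attrs:
                findings.append(f"cookie {name}: {flag} attribute stripped")
    origin_names = {k.lower() for k, _ in origin_headers}
    suspect_names = {k.lower() for k, _ in suspect_headers}
    for header in ("public-key-pins", "strict-transport-security"):
        if header in origin_names and header not in suspect_names:
            findings.append(f"{header} header removed")
    return findings


# Constructed samples: the genuine HTTPS origin ...
ORIGIN_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Public-Key-Pins", 'pin-sha256="PLACEHOLDER="; max-age=5184000'),
]
# ... versus what the browser sees from the plain-HTTP proxy front end.
SUSPECT_HEADERS = [("Set-Cookie", "JSESSIONID=abc123; Path=/")]
```

Running `compare_responses(ORIGIN_HEADERS, SUSPECT_HEADERS)` on the samples reports the stripped Secure and HttpOnly attributes and the removed Public-Key-Pins header, which is exactly the fingerprint a proxy front end like the one above leaves.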

A short notice about my demo victim: Hacking-Lab

I chose Hacking-Lab as my demo target because this site belongs to Compass Security, a Swiss ethical hacking and penetration testing company (I am one of the founders). I thought I should not do the demo with a real e-banking site.

YouTube Video

If you want to see this TOR phishing setup in action, please watch the following YouTube video.


Thank you for Reading

Ivan Bütler
Founder of Compass Security & Hacking-Lab
