Phishlulz Tutorial

This post explains how to set up and run a Phishlulz campaign for free using Amazon AWS. Phishlulz is a Ruby toolset aimed at automating phishing campaigns. The developer of Phishlulz has created an Amazon EC2 image that combines two popular phishing frameworks, Phishing Frenzy and BeEF.

As there is limited documentation on the developer's site, this guide gives a step by step process for getting this great tool up and running.

NOTE: A Linux machine is needed to run the Phishlulz scripts. If you only have a Windows machine then you can create an Ubuntu VM for free by following this guide.

Step 1: Create your free Amazon AWS account

This section assumes you already have a normal Amazon account, however don’t have an AWS account.

  1. Head on over to the AWS homepage and click Create a free account.
  2. Assuming you’re an existing Amazon user, login with your Amazon credentials now, otherwise sign up for a new account.
  3. Fill in your contact details on the next page.
  4. Fill in your payment details on the next page. (Note: your card will only be charged if you exceed the limitations of the free tier. We will create an alarm later to prevent this happening.)
  5. Fill in your mobile number and wait for Amazon to ring. Once on the call, enter your 4 digit pin to confirm your identity. The page will automatically refresh.
  6. Keep the Basic support plan selected and click Continue.
  7. Once successful, click the Complete Sign Up button in the top right hand side and login again if prompted.

You should now be in the AWS Management Console that looks something like this.

Step 2: Create Billing Alarm

Source: Here

Before starting, follow this link and confirm you see the Phishlulz EC2 public image available for use. If you don’t then you should not continue with the guide as it will not work.

Even if you’re careful to stay within the free tier, it’s a good idea to create a billing alarm to notify you if you exceed the limits of the free tier. Billing alarms can help to protect you against unknowingly accruing charges if you inadvertently use a service outside of the free tier or if traffic exceeds your expectations.

Before you create a billing alarm, you must enable billing alerts. You need to do this only once. After you enable billing alerts, you can’t turn them off.

  1. Open the Billing and Cost Management console.
  2. On the navigation pane, choose Preferences.
  3. Select the Receive Billing Alerts check box.
  4. Choose Save preferences.

Once you have enabled billing alerts, you can create a CloudWatch billing alarm.

  1. Open the CloudWatch Console.
  2. If necessary, change the region on the navigation bar to US East (N. Virginia). The billing metric data is stored in this region, even for resources in other regions.
  3. On the navigation pane, under Metrics, choose Billing.
  4. In the list of billing metrics, select the check box next to Currency USD, for the metric named EstimatedCharges, as shown in the following image.
  5. Choose Create Alarm.
  6. Define the alarm as follows.
    1. Set total AWS charges for the month exceed: to $.01.
    2. Choose the New list link next to the send a notification to box.
    3. When prompted, enter your email address
    4. Choose Create Alarm.
  7. In the Confirm new email addresses dialog box, confirm the email address (or it won’t send an alarm!). To view the status of your alarm, choose Alarms in the navigation pane.
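The same alarm can be created from a script instead of clicking through the console. This is an added example (not part of the original post or the Phishlulz project) using boto3; it assumes you have already ticked Receive Billing Alerts in the Billing preferences, since that switch has no API, and that your AWS credentials are configured locally. The alarm name and topic name are arbitrary choices.

```python
"""Create the Step 2 CloudWatch billing alarm programmatically."""
# boto3 is optional here: building the alarm parameters works without it,
# and only the AWS calls in create_billing_alarm() need it installed.
try:
    import boto3
except ImportError:  # boto3 not installed: parameter building still works
    boto3 = None

# Billing metric data is only stored in US East (N. Virginia).
BILLING_REGION = "us-east-1"


def billing_alarm_params(topic_arn, threshold_usd=0.01,
                         alarm_name="free-tier-billing"):
    """Keyword arguments for CloudWatch put_metric_alarm matching the console
    settings: metric EstimatedCharges, Currency=USD, alarm when the month's
    estimated charges exceed threshold_usd (default $0.01)."""
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": f"Estimated AWS charges exceed ${threshold_usd:.2f}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,            # the billing metric updates roughly every 6 h
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],  # SNS topic that emails you
    }


def create_billing_alarm(email, threshold_usd=0.01):
    """End to end: SNS topic -> email subscription -> alarm. As in the console
    flow, the subscription email must be confirmed before alerts are delivered.
    Returns the topic ARN so the subscription can be checked later."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to talk to AWS")
    sns = boto3.client("sns", region_name=BILLING_REGION)
    topic_arn = sns.create_topic(Name="billing-alerts")["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cw = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cw.put_metric_alarm(**billing_alarm_params(topic_arn, threshold_usd))
    return topic_arn
```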

Step 3: Prepare EC2

We now need to set up access keys to enable remote start up of our EC2 instances.

  1. Open the Management Console and select US West (Oregon) from the drop down at the top.
  2. From your name drop down, select My Security Credentials and when prompted select Continue to Security Credentials.
  3. On the AWS Security Credentials page, expand the Access Keys section.
  4. Choose Create New Access Key. You can have a maximum of two access keys (active or inactive) at a time.
  5. Choose Download Key File to save a .csv file. After you close the dialog box, you can’t retrieve this secret access key again.

You should now have a CSV file downloaded to your machine. In this CSV file should be your AWSAccessKeyId and your AWSSecretKey, both of which will be needed in the later sections.

The next step is to generate SSH keypairs so that Phishlulz can configure our EC2 instance.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Key Pairs.
  3. Choose Create Key Pair and enter a name, then choose Create.

The private key file is automatically downloaded by your browser. Save that file somewhere safe as you will need it again in the later sections.

The final step is to customise the default security group that tells our instance what inbound/outbound ports to allow.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Security Groups.
  3. Select the default security group and click on the Inbound tab.
  4. Add 3 rules for: SSH, HTTP, and HTTPS, making sure you set the source to Anywhere
  5. Click Save
  6. Make a note of the Group ID as you will need this in the later sections.

Step 4: Preparing your host machine

Phishlulz has a number of external dependencies and so we must first install all the packages that it needs. For the purposes of this tutorial I am using Ubuntu 16.04 LTS, however these commands should be consistent across other versions as well.

  1. Login to your Ubuntu machine as a user with sudo privileges
  2. Run these commands to install RVM
    sudo apt-add-repository -y ppa:rael-gc/rvm
    sudo apt-get update
    sudo apt-get install rvm
  3. Restart your machine and log back in
  4. Run these commands to load RVM and install Ruby
    source /etc/profile.d/rvm.sh
    rvm install ruby
  5. Run this command to install the dependencies
    gem install sinatra thin watir-webdriver headless colorize datamapper dm-sqlite-adapter dm-timestamps dm-migrations fog nokogiri mail net-ssh --no-rdoc --no-ri

Assuming these commands have worked we should now be in a position to download and edit the Phishlulz framework.

Step 5: Customise the Phishlulz codebase

Download the master branch from the Phishlulz Git repository by running this command:

cd
wget https://github.com/antisnatchor/phishlulz/archive/master.zip -O phishlulz
unzip phishlulz
cd phishlulz-master

Using WinSCP or similar, copy the .pem generated in Step 3 to the new phishlulz-master folder

Open up the config.yaml file with vim or similar and make the following changes:

  1. Change m1.medium to t1.micro
  2. Replace your_key with the AWSAccessKeyId from the rootkey.csv file generated earlier
  3. Replace access_key with the AWSSecretKey from the rootkey.csv file generated earlier
  4. Replace ssh_key_name_on_aws with the key pair name you set above
  5. Replace full_path_ssh_private_key with the path to your SSH private key .pem file on your machine
  6. Replace sesl with admin
  7. Replace sg-c0a142a4 with the Group ID of your default security group from the previous section
  8. Save and close vim

Step 6: Create free phishing domain

We’re going to create 2 free domains, one for our Phishlulz admin portal and one for the actual phishing link itself. In the real world, you’d most likely put a lot of thought into your phishing URLs to make them as realistic as possible, and would most likely be buying them instead.

  1. Head over to FreeDNS and create a new account
  2. Go to the domain registry and find an appropriate domain. I have chosen linked-data.eu because it looks close enough to LinkedIn for this article.
  3. Create 2 subdomains, and put a random IP address in for the moment
  4. Go to your subdomains and confirm you see 2 subdomains pointing to your random IP

Step 7: Clone the Phishlulz AMI

So that the Ruby scripts can automatically login we need to add our SSH key to the Phishlulz image.

  1. Go to the AMI library, select the PhishLulz_1.0 AMI and click Launch
  2. Ensure the t1.micro type is selected and click Review and Launch
  3. Ignore security group warning and click Launch
  4. In the drop down menu, select the key pair you generated earlier and click Create
  5. Go back to Instances and wait until the state turns to Running
  6. Select the instance, click Connect, and copy the example SSH command displayed, changing root to admin
  7. Back in your Ubuntu dev machine, run that command from the phishlulz-master directory where your .pem file is and you will be logged into your new instance
  8. Run this command
     sudo bash -c "cat /home/admin/.ssh/authorized_keys >> /home/sesl/.ssh/authorized_keys" && exit
  9. Back in your AWS console, stop the instance and wait for the state to say Stopped
  10. Go to Actions -> Image -> Create Image, give it the name Phishlulz, click Create Image and then follow the link to view your pending image. If nothing shows up, make sure the dropdown says Owned by me
  11. In the config.yaml file in phishlulz-master directory, replace the AMI ID with the AMI ID now displayed in your Amazon console

Step 8: Create a new Phishlulz AWS Instance

Back in the Ubuntu development machine we’re now going to spawn a new Phishlulz instance based on the cloned AMI from above.

  1. Run this command to create a new phishlulz instance
    cd && cd phishlulz-master
    source /etc/profile.d/rvm.sh
    ruby phish_lulz.rb -a create
  2. When prompted, enter a name for this instance, e.g. test1
  3. Enter your phishlulz admin portal address from FreeDNS
  4. Enter your phishlulz phishing address from FreeDNS
  5. The Ruby script will now go off and create your AWS instance, taking up to 2 minutes to fully configure the instance.
  6. All being well, you should be presented with this message once completed
  7. If you see the error TXT_DB error number 2, this is because you have already generated a self signed certificate with that common name. Run these commands, replacing PHISHROOT with the location of your phishlulz-master directory, and then go back to step 1 again (chmod and chown also need sudo, as the file is created by root)
    cd PHISHROOT/certification-authority/intermediate/
    sudo rm index.txt
    sudo touch index.txt && sudo chmod 644 index.txt && sudo chown root:root index.txt

Now go back to FreeDNS and update your subdomains with the real IP address of your new AWS instance.

Once your changes take effect (~10 mins) you’ll be able to visit your Phishing Frenzy UI in your web browser by browsing to https://<IP above> and logging in with the username admin and password phishlulz_frenzy.

Step 9: Create a new Gmail account

In order for us to send our Phishing emails we first need to create an email account to send them from. I’m using a fake name generator to create a profile, however in a real campaign you would want to create an email that fits your cover profile, and would most likely be an email address associated with your purchased phishing domain.

  1. Visit Google and Create Your Account, making sure the DOB makes you less than 16 years old so that you don’t need to enter a phone number
  2. Once signed in, change your security settings to allow Phishlulz to login

Step 10: Create a new Phishlulz Campaign

First we must customise the LinkedIn template that we plan to use.

  1. Login to your AWS instance from your Ubuntu machine using the SSH command displayed at the end of the Phishlulz setup
  2. Run this command, replacing FIRSTNAME with the first name of the profile you’re pretending to be, e.g. Hillary
    sudo sed -i 's/__CONNECT-FROM-NAME__/FIRSTNAME/g' /var/www/phishing-frenzy/public/uploads/attachment/file/18/linkedin_phishing.html.erb
  3. Run this command, replacing FULLNAME with the full name of the profile you’re pretending to be, e.g. Hillary Clinton
    sudo sed -i 's/__CONNECT-FROM__/FULLNAME/g' /var/www/phishing-frenzy/public/uploads/attachment/file/18/linkedin_phishing.html.erb
  4. Run this command, replacing JOBTITLE with the job title of the profile you’re pretending to be, e.g. 2016 Presidential Candidate
    sudo sed -i 's/__CONNECT-FROM-JOB-TITLE__/JOBTITLE/g' /var/www/phishing-frenzy/public/uploads/attachment/file/18/linkedin_phishing.html.erb
  5. Login to your Phishing Frenzy UI and go to the Templates tab
  6. Edit the LinkedIn template and:
    1. Choose File for the connect_from_photo.png and attach a picture of the profile you’re pretending to be, making sure it is a .png file and it’s called connect_from_photo
  7. Click Update Template
  8. Go to the Campaigns tab, select New Campaign, enter a Name and Description, and then click Create Campaign
  9. Under the Campaign Settings section:
    1. Tick Active
    2. Head on over to 10 Minute Mail, grab a temporary email address, and enter this into the Testing Target box, or alternatively use your personal email account
    3. Leave the target box empty for now, until we’ve confirmed the framework has been configured correctly
  10. Under the Template Settings section select the LinkedIn template.
  11. Under the SMTP Settings section:
    1. Pre-populate with Gmail
    2. Enter your new Gmail address and password into the username and password field
  12. Under the Email Settings section you can configure how you want your email to look. The two that are important are:
    1. Phishing URL: Must be http://<your phishing domain from freedns>
    2. FQDN: Must be your phishing domain from freedns
  13. Under the Phishing Options section:
    1. Tick Use BeEF?
    2. From your AWS SSH session type
      screen -r BeEF
    3. This reconnects you to the BeEF startup session
    4. Copy the Hook URL into the BeEF Hook URL box and the RESTful API Key into the BeEF RESTful API key box back on the Campaign editor
    5. Press Ctrl+A then Ctrl+D to exit the screen session and leave it running
  14. Click Save Settings

You should now be able to press Test and wait for your phishing email to be received at your 10 minute mail address. Here is the email as it appears before opening:

When it’s opened:

Clicking any of the links takes me to our phishing page

Step 11: Running our Campaign

Now that we’ve got a template that we’re happy with, populate your campaign with target data in this form: firstname, lastname, email

For example

Click Save Settings, then click Launch

Your target should now have received their email. To look at the stats for your campaign visit the Reports tab and go into your campaign. From there you can see an overview of your campaign so far.

And clicking More Options and selecting View All Passwords Harvested shows you the successful passwords.

You can also use the BeEF control panel by going to http://YOURFQDN/beef_secret_console/panel and logging in with beef and phishlulz_beef
