phishpond's People

Contributors

c3rb3ru5d3d53c, jcybersec, sysgoblin, zmallen

phishpond's Issues

mitmproxy build error: apk not found. Platform: MacBook Pro, OS: Big Sur

Building mitmproxy
[+] Building 2.3s (6/10)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 337B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/mitmproxy/mitmproxy:latest 1.9s
=> [internal] load build context 0.0s
=> => transferring context: 116B 0.0s
=> CACHED [1/6] FROM docker.io/mitmproxy/mitmproxy:latest@sha256:d904261d75663de45978ea535abad16c85b0f7d00a437195e48c 0.0s
=> ERROR [2/6] RUN apk update & apk add bash vim 0.2s

[2/6] RUN apk update & apk add bash vim:
#5 0.215 /bin/sh: 1: /bin/sh: 1: apk: not found
#5 0.215 apk: not found

Single page web app for uploading kits

Would be cool to have a single page web app that users can browse / upload kits to and get an analysis in JSON or some other form on the kit.

Potential analyses:

  1. A 'collage/stitch' of all the images
  2. All javascript loaded
  3. Dropper addrs
  4. Attribution to actors (Telegram/email/contact info for actors)
  5. vulns

can't build the 'browser' service

After issuing
docker-compose up -d
this error showed:

Step 15/24 : RUN add-pkg --virtual build-dependencies curl build-base && mkdir jsonlz4 && mkdir lz4 && curl -# -L {$JSONLZ4_URL} | tar xz --strip 1 -C jsonlz4 && curl -# -L {$LZ4_URL} | tar xz --strip 1 -C lz4 && mv jsonlz4/src/ref_compress/*.c jsonlz4/src/ && cp lz4/lib/lz4.* jsonlz4/src/ && cd jsonlz4 && gcc -static -Wall -o dejsonlz4 src/dejsonlz4.c src/lz4.c && gcc -static -Wall -o jsonlz4 src/jsonlz4.c src/lz4.c && strip dejsonlz4 jsonlz4 && cp -v dejsonlz4 /usr/bin/ && cp -v jsonlz4 /usr/bin/ && cd .. && del-pkg build-dependencies && rm -rf /tmp/* /tmp/.[!.]*
 ---> Using cache
 ---> cc3312059b74
Step 16/24 : RUN add-pkg firefox=${FIREFOX_VERSION}
 ---> Running in 1f198365901d
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
ERROR: unable to select packages:
  firefox (no such package):
    required by: world[firefox=108.0.1-r1]
ERROR: Service 'browser' failed to build: The command '/bin/sh -c add-pkg firefox=${FIREFOX_VERSION}' returned a non-zero code: 1

note => I'm using Debian

HTTP calls via file_get_contents() not captured

Found this issue during investigation of a kit and noticed it making Telegram calls without it being intercepted by mitmproxy.

PoC:

<?php
// Sends the POST through PHP's https:// stream wrapper. No 'proxy' option
// is set in the stream context, so the request is not sent to mitmproxy.
function telegram($msg) {
    $url='https://api.telegram.org/';
    $options=array(
        'http'=>array(
            'method'=>'POST',
            'header'=>"Content-Type:application/x-www-form-urlencoded\r\n",
            'content'=>$msg
        )
    );

    $context=stream_context_create($options);

    $result=file_get_contents($url,false,$context);

    return $result;
}

// Sends the same kind of POST through the curl extension; this call is intercepted.
function telegram_curl($msg) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,"https://api.telegram.org/");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "message=$msg");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $server_output = curl_exec($ch);
    curl_close ($ch);
    return $server_output;
}

$message1 = "stream!";
$message2 = "curl!";

// Each function gets its own marker so the two requests can be told apart.
telegram($message1);
telegram_curl($message2);
?>

Running the above will show only the calls being made via curl being intercepted by mitmproxy.

file_get_contents does not respect proxy config unless declared within the options array; there are likely other functions which will have the same behaviour.
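
A triage sketch for the gap described in this issue, added here as an example and not part of the issue or of phishpond's own code: it lists calls in a kit's PHP source that go through PHP's URL stream wrapper or open sockets directly, and reports whether any 'proxy' context option is declared in the file. The function lists are assumptions and not exhaustive, and the sample kit source is constructed for illustration.

```python
import re

# PHP functions that accept http(s):// URLs through the stream wrapper; the
# wrapper only uses a proxy given in the stream context's 'proxy' option.
STREAM_WRAPPER_FUNCS = {"file_get_contents", "fopen", "file", "readfile",
                        "copy", "get_headers"}
# Functions that open sockets directly (assumed list, not exhaustive).
RAW_SOCKET_FUNCS = {"fsockopen", "pfsockopen", "stream_socket_client"}

# Plain function call plus its first argument (in a lookahead, so nested
# calls are still visited). Skips ->method(), ::static() and $variable().
CALL_RE = re.compile(r"(?<![\w>$:])(\w+)\s*\((?=([^,)]*))")
PROXY_OPT_RE = re.compile(r"""['"]proxy['"]\s*=>""")

def classify(func, first_arg):
    """Return 'raw-socket', 'stream-wrapper' or None for one call."""
    if func in RAW_SOCKET_FUNCS:
        return "raw-socket"
    if func in STREAM_WRAPPER_FUNCS:
        arg = first_arg.strip()
        # A quoted literal that is not an http(s) URL is a local path.
        if arg[:1] in ("'", '"') and not re.match(r"""['"]https?://""", arg, re.I):
            return None
        return "stream-wrapper"
    return None

def scan_php(source):
    """List calls to review because they may not pass through the proxy."""
    calls = []
    for number, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # whole-line comments only; a heuristic, not a parser
        for match in CALL_RE.finditer(line):
            kind = classify(match.group(1), match.group(2))
            if kind:
                calls.append((number, match.group(1), kind))
    return {"declares_proxy": bool(PROXY_OPT_RE.search(source)), "calls": calls}

# Constructed sample, modelled on the PoC in this issue.
SAMPLE = """<?php
$tpl = file_get_contents('templates/login.html');
$url = 'https://api.telegram.org/';
$ctx = stream_context_create(array('http' => array('method' => 'POST')));
$r = file_get_contents($url, false, $ctx);
$ch = curl_init($url);
$s = fsockopen('ssl://example.invalid', 443);
"""

if __name__ == "__main__":
    print(scan_php(SAMPLE))
```

Each reported line is a candidate to compare against the mitmproxy log; a call listed here with no matching flow is traffic the capture missed.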

Add support for databases

It would be nice to be able to simulate a MySQL database (other DBs are available) so if a phishing kit writes victim data to a database this can be viewed in a secure way.

Having the ability to easily change the name of the database, username, and password is essential.

Service 'mitmproxy' failed to build : Build failed

I started looking into Phishpond today and had an issue building the image in Docker for Windows.

The error was:

=> => extracting sha256:00eb45722879c184549e05dc998f20acdb8d1c628ffbbe1dfc68fab3c67002e5                                   0.1s
=> => extracting sha256:97bfbf48a93798d26ebd24e2ce38363db807ec1a1afb8fc852892c6716e60d1f                                   1.8s
=> => extracting sha256:5b8302d2fac67ebd00245c192f10f439ab8079104b0514f133f6e3352204a9c0                                   0.0s
=> [internal] load build context                                                                                           0.1s
=> => transferring context: 1.98kB                                                                                         0.0s
=> [2/5] RUN apk add bash vim                                                                                              5.1s
=> [3/5] RUN mkdir /home/mitmproxy/logs                                                                                    0.5s
=> ERROR [4/5] RUN chmod -R 777 /home/mitmproxy/.mitmproxy /home/mitmproxy/logs                                            0.4s
------
> [4/5] RUN chmod -R 777 /home/mitmproxy/.mitmproxy /home/mitmproxy/logs:
#7 0.376 chmod: /home/mitmproxy/.mitmproxy: No such file or directory
------
executor failed running [/bin/sh -c chmod -R 777 /home/mitmproxy/.mitmproxy /home/mitmproxy/logs]: exit code: 1
ERROR: Service 'mitmproxy' failed to build : Build failed

I was able to get the build working by adding the following line to phishpond/docker/mitmproxy/Dockerfile before line 5:

RUN mkdir /home/mitmproxy/.mitmproxy

Is there a reason this line isn't included? If not, I can submit a PR to fix this issue.
