7MS #583: Cred-Capturing Phishing with Caddy Server
7 Minute Security4 Elo 2023

7MS #583: Cred-Capturing Phishing with Caddy Server

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy -y

Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile:

domain.com

Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal:














User Name:

Password:



Unauthorized use is prohibited!

This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

from flask import Flask, request app = Flask(__name__) @app.route('/capture', methods=['POST']) def capture(): print(request.form) return 'OK', 200 if __name__ == '__main__': app.run(host='0.0.0.0', port=5000)

If you don't have Flask installed, do this:

sudo apt install python3-pip -y sudo pip install Flask

Run this file in one session, then in your index.html file make a small tweak in the form action directive:

Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

Jaksot(719)

7MS #647: How to Succeed in Business Without Really Crying – Part 19

7MS #647: How to Succeed in Business Without Really Crying – Part 19

Today we're talkin' business – specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

25 Loka 202422min

7MS #646: Baby's First Incident Response with Velociraptor

7MS #646: Baby's First Incident Response with Velociraptor

Hey friends, today I'm putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment. Perhaps even...

18 Loka 202416min

7MS #645: How to Succeed in Business Without Really Crying - Part 18

7MS #645: How to Succeed in Business Without Really Crying - Part 18

Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some tho...

14 Loka 202431min

7MS #644: Tales of Pentest Pwnage – Part 64

7MS #644: Tales of Pentest Pwnage – Part 64

Hey! I'm speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester! Today's tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!...

4 Loka 202441min

7MS #643: DIY Pentest Dropbox Tips – Part 11

7MS #643: DIY Pentest Dropbox Tips – Part 11

Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Acti...

27 Syys 202426min

7MS #642: Interview with Ron Cole of Immersive Labs

7MS #642: Interview with Ron Cole of Immersive Labs

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your se...

23 Syys 202442min

7MS #641: DIY Pentest Dropbox Tips – Part 10

7MS #641: DIY Pentest Dropbox Tips – Part 10

Today we're revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level. Plus, a tease about how all this talk about automation is getting us excited for a long-...

13 Syys 202427min

7MS #640: Tales of Pentest Pwnage – Part 63

7MS #640: Tales of Pentest Pwnage – Part 63

This was my favorite pentest tale of pwnage to date! There's a lot to cover in this episode so I'm going to try and bullet out the TLDR version here: Sprinkled farmer files around the environment Fo...

7 Syys 202443min

Suosittua kategoriassa Politiikka ja uutiset

uutiscast
aikalisa
politiikan-puskaradio
ootsa-kuullut-tasta-2
rss-ootsa-kuullut-tasta
tervo-halme
rss-podme-livebox
rss-vaalirankkurit-podcast
rss-pinnalla
aihe
otetaan-yhdet
the-ulkopolitist
rss-asiastudio
rss-ulkopoditiikkaa
rss-raha-talous-ja-politiikka
rss-girls-finish-f1rst
viisupodi
et-sa-noin-voi-sanoo-esittaa
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-vain-talouselamaa