Phishing with a reverse proxy in Go
DISCLAIMER: This post is for educational purposes only. Cybercrime is stupid and will probably have you wasting your talents in prison.
Phishing is hard work. You have to clone your target’s website, capture victim credentials and avoid tipping them off that they’re not on their bank’s website. To avoid the hard work, why not automate this all with Go?
Want to cut to the chase? The full code and usage instructions is on Github at https://github.com/JonCooperWorks/judas
See it in action
Phishing with a proxy
Our proxy needs to accept requests from the victim and rewrite them before sending them on to the target website. Since Go makes concurrency easy with goroutines and channels, we set up a simple TCP listener that spawns a new goroutine to handle each incoming connection and a worker goroutine that processes requests and responses. Results are passed from the request handling goroutine to the worker via a channel.
The request handling is pretty succinct thanks to Go’s great standard library. The http package provides the ReadRequest method that parses a request from the data read from the connection.
After parsing everything into a Golang http.Request, we pass it on to the target. The proxy needs to rewrite the HTTP headers from the victim so the target site doesn’t break, specifically the Host header and the URL.
Using the HTTP client on the proxy, we make the request and ensure it completed successfully.
Once we get a response, we transform it using the ResponseTransformers passed to the proxy (more on this later), turn the response into bytes using the standard library httputil.DumpResponse function and send the request and response to the worker goroutine for later processing.
We pass the HTTP transaction via a channel to the worker to prevent slow operations like logging the data to a file from blocking the response to the client. The request-response cycle needs to happen as quickly as possible to avoid tipping off the victim that something is wrong.
Pointing this proxy at a website will return a perfect copy of the target website.
A ResponseTransformer allows you to modify a response. It can be used to do anything we want, like inject custom JavaScript into the page, or replace Bitcoin addresses with our own. It’s also useful for solving problems in websites that don’t work 100% in the default proxy.
Extra Credit
The JavaScriptInjectionTransformer uses GoQuery to parse HTML responses into a DOM tree and injects a script tag with the URL we passed to the transformer in it. We could use this to inject a BeEF hook or bypass a website’s defenses against this attack.
How do I defend myself against this?
Since the attack uses a proxy, it creates an exact clone of the target website. However, all is not lost. You can defend yourself with the following steps:
- Bookmark websites you log in to and only use that bookmark to access the website
- Always double check the URL of the website before logging in, even if you see the green padlock
- Double check any links sent to you by email from a service you log into
The full code is on GitHub.
In the next post, I show how to make the proxy stealthier: https://medium.com/@cooperthecoder/go-phishing-making-the-proxy-sneakier-3814fd085fb3
Liked this post and want to leave a tip?
BTC: 3AubYUbbzEZ1ETnFWVjBHzXio47cdVERSj
ETH: 0x2D687E2234c2e9A7cC9Ef3CCD1eD4AC249EA6aCd
✉️ Subscribe to CodeBurst’s once-weekly Email Blast, 🐦 Follow CodeBurst on Twitter, view 🗺️ The 2018 Web Developer Roadmap, and 🕸️ Learn Full Stack Web Development.
