Building a simulated phishing site / honeypot with Goblin: a worked example
Today I'm recommending a tool for simulated phishing sites and simulated honeypots: Goblin (also known as 哥布林).
Project: https://github.com/xiecat/goblin
0x01 What the tool does
Goblin works as a reverse proxy: it can collect a user's information without the user noticing and without interfering with what they are doing, or lead the user into performing an action; it can also hide the server side by sending its upstream requests through a proxy. The tool ships with plugins, so with a simple configuration the page content can be adjusted quickly for a more convincing exercise. It can fairly be said to lower the difficulty red and blue teams face when deploying a phishing environment for red/blue exercises.
0x02 Building a simulated phishing site
1. Set up the environment
Using Linux as the example, we build a FLASH phishing site.
1.1 Download goblin
git clone https://github.com/xiecat/goblin.git
1.2 Download the flash demo
git clone https://github.com/xiecat/goblin-demo.git
1.3 Put the goblin file into the goblin-demo folder
1.4 Edit the goblin.yaml config file
Because the default demo is local, the proxy server information has to be configured here.
Loglevel: 5   # log level. 1: all logs; 2: POST request logs; 3: dump-login rule hits; 4: error logs; 5: abnormal exit logs
Server:       # server timeout settings; the defaults are fine
  IdleTimeout: 3m0s
  ReadTimeout: 5m0s
  WriteTimeout: 5m0s
  ReadHeaderTimeout: 30s
  ProxyHeader: RemoteAddr   # header used to get the real client IP; by default the connecting IP
  StaticDir: static          # local static-file directory; you can drop tools here for convenience
  StaticURI: /zz118smee/     # URL path of the static file server
Proxy:        # proxy settings; the defaults are fine
  MaxIdleConns: 512
  IdleConnTimeout: 2m0s
  TLSHandshakeTimeout: 1m0s
  ExpectContinueTimeout: 1s
  maxcontentlength: -1       # max response size to process, default 20M; above it, plugin operations that read the body are cancelled
  ProxyServerAddr: ""        # upstream proxy; once set, page requests go through it
  ProxyCheckURL: https://myip.ipip.net/   # fetched to check that the proxy setting works
PluginDir: plugins          # plugin directory
Site:
  127.0.0.1:8083:           # listen address to change; may be domain:port or IP:port
    Listen: 0.0.0.0         # leave as is
    StaticPrefix: czjv8kmton   # used by the plugin module
    SSL: false              # SSL switch
    CAKey: ""               # certificate key path
    CACert: ""              # certificate pem path
    ProxyPass: https://www.flash.cn/   # upstream address to proxy
    Plugin: "flash"         # plugin to use; currently only one is allowed
  127.0.0.1:8084:           # listen address to change; may be domain:port or IP:port
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkq
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://soft.flash.cn/   # upstream address to proxy
    Plugin: soft.flash      # plugin to use; currently only one is allowed
  127.0.0.1:8085:           # listen address to change; may be domain:port or IP:port
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkb
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://static.flash.cn/   # upstream address to proxy
    Plugin: static.flash    # plugin to use; currently only one is allowed
  127.0.0.1:8086:           # listen address to change; may be domain:port or IP:port
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkb
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://api.flash.cn/
    Plugin: api.flash
Notice:
  dingtalk:
    DingTalk: ""            # DingTalk notification key
iplocation:
  type: qqwry               # geolocation lookup database
  geo_license_key: ""
log_file: goblin.log
cache:
  type: self                # cache type [redis,none,self]: self caches locally, redis caches in Redis, none disables caching
  expire_time: 10m0s        # cache expiry time
  redis:
    host: 127.0.0.1
    port: 6379
    password: IMrvElmuMG
    db: 0
  CacheType:                # cacheable path suffixes; static files with query parameters are currently not cached
    - png
    - jpg
    - js
    - jpeg
    - css
    - otf
    - ttf
  CacheSize: 12582912       # maximum cache size
1.5 Change the listen addresses that need changing, then edit the plugin configs.
The plugin configs live in the plugins directory.
Edit api.flash.yaml:
Name: api.flash            # plugin name
Version: 0.0.1             # plugin version
Description: this is a description   # plugin description
WriteDate: "2021-09-08"    # plugin creation date
Author: goblin             # author
Rule:                      # rules
  - url: /frontend/js/index20210429.js   # path to match
    Match: prefix          # match mode [word,prefix,suffix]: word is an exact match, prefix matches the start, suffix matches the end; no regex is used
    Replace:               # replacement module
      - Request:
          Method:          # the replacement runs only for the listed methods (GET, POST)
            - GET
        Response:          # response content to replace
          Header:
            GoblinServer: 0.0.1   # header options
          Body:
            ReplaceStr:    # string replacements
              - Old: "#"
                New: "/"
                Count: -1
  - url: /config/flashVersion
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
        Response:
          Header:
            GoblinServer: 0.0.1
          Body:
            File: static/flashVersion
Edit flash.yaml:
Name: flash
Version: 0.0.1
Description: this is a description
WriteDate: "2021-09-08"
Author: goblin
Rule:
  - url: /
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
        Response:
          Body:
            ReplaceStr:
              - Old: https://soft.flash.cn
                New: 127.0.0.1:8084   # change to your own site and port
                Count: -1
              - Old: soft.flash.cn
                New: 127.0.0.1:8084   # change to your own site and port
                Count: -1
              - Old: https://static.flash.cn
                New: 127.0.0.1:8085   # change to your own site and port
                Count: -1
              - Old: static.flash.cn
                New: 127.0.0.1:8085   # change to your own site and port
                Count: -1
              - Old: https://www.flash.cn
                New: http://127.0.0.1:8083   # change to your own site and port
                Count: -1
              - Old: www.flash.cn
                New: 127.0.0.1:8083   # change to your own site and port
                Count: -1
  - url: /config/flashVersion
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
        Response:
          Location: "http://127.0.0.1:8086/config/flashVersion"   # path where my site's plugin lives, including the domain
Note: a protocol-relative `//` follows the site's scheme; if the site is https, it uses https.
Edit the soft plugin:
Name: soft.flash
Version: 0.0.1
Description: this is a description
WriteDate: "2021-09-08"
Author: goblin
Rule:
  - url: /
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
            - POST
          Header:
            X-Forwarded-For: 127.0.0.1
            X-Real-IP: 127.0.0.1
        Response:
          Body:
            ReplaceStr:
              - Old: "#"
                New: "/"
                Count: -1
              - Old: https://soft.flash.cn
                New: 127.0.0.1:8084   # change to your own domain and port
                Count: -1
              - Old: soft.flash.cn
                New: 127.0.0.1:8084   # change to your own domain and port
                Count: -1
              - Old: https://static.flash.cn
                New: 127.0.0.1:8085   # change to your own domain and port
                Count: -1
              - Old: static.flash.cn
                New: 127.0.0.1:8085   # change to your own domain and port
                Count: -1
              - Old: https://www.flash.cn
                New: http://127.0.0.1:8083   # change to your own domain and port
                Count: -1
              - Old: www.flash.cn
                New: 127.0.0.1:8083   # change to your own domain and port
                Count: -1
  - url: /flashcenter/js/index.js
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
            - POST
          Header:
            X-Forwarded-For: 127.0.0.1
            X-Real-IP: 127.0.0.1
        Response:
          Body:
            ReplaceStr:
              - Old: "api.flash.cn"
                New: "127.0.0.1:8086"   # change to your own domain and port
                Count: -1
  - url: /cdm/latest
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
            - POST
          Header:
            X-Forwarded-For: 127.0.0.1
            X-Real-IP: 127.0.0.1
        Response:
Note: if you use domain + TLS mode, do not add the port or https://; write the bare domain.
Edit the static plugin:
Name: static.flash
Version: 0.0.1
Description: this is a description
WriteDate: "2021-09-08"
Author: goblin
Rule:
  - url: /frontend/js/index20210429.js
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
        Response:
          Header:
            GoblinServer: 0.0.1
          Body:
            ReplaceStr:
              - Old: "#"
                New: "/"
                Count: -1
  - url: /frontend/js/download.js
    Match: prefix
    Replace:
      - Request:
          Method:
            - GET
        Response:
          Body:
            ReplaceStr:
              - Old: "api.flash.cn"
                New: "127.0.0.1:8086"   # change to your own domain and port
                Count: -1
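To check which rules in a plugin config would fire for a given request before you deploy it, here is an added Python re-implementation of the rule semantics described above (Match word/prefix/suffix, Request.Method gating, Response.Header injection, Body.ReplaceStr and Body.File). It is an example written for this article, not Goblin's own code: the rule set is the api.flash plugin transcribed as dicts, STATIC_FILES is a constructed stand-in for StaticDir, and the reading that a negative Count replaces every occurrence is an assumption.

```python
# The api.flash plugin from this article, as Python dicts so no YAML library is needed.
API_FLASH_RULES = [
    {"url": "/frontend/js/index20210429.js", "Match": "prefix",
     "Replace": [{"Request": {"Method": ["GET"]},
                  "Response": {"Header": {"GoblinServer": "0.0.1"},
                               "Body": {"ReplaceStr": [
                                   {"Old": "#", "New": "/", "Count": -1}]}}}]},
    {"url": "/config/flashVersion", "Match": "prefix",
     "Replace": [{"Request": {"Method": ["GET"]},
                  "Response": {"Header": {"GoblinServer": "0.0.1"},
                               "Body": {"File": "static/flashVersion"}}}]},
]

# Constructed stand-in for files under StaticDir, so the example runs offline.
STATIC_FILES = {"static/flashVersion": "_flash_install_packages_({});"}


def url_matches(rule_url, path, mode):
    if mode == "word":        # word = exact match (no regex in Goblin rules)
        return path == rule_url
    if mode == "prefix":      # prefix = path starts with the rule url
        return path.startswith(rule_url)
    if mode == "suffix":      # suffix = path ends with the rule url
        return path.endswith(rule_url)
    raise ValueError(f"unknown Match mode: {mode}")


def replace_str(body, spec):
    """Apply one ReplaceStr entry; a negative Count is assumed to mean 'all'."""
    count = spec.get("Count", -1)
    if count < 0:
        return body.replace(spec["Old"], spec["New"])
    return body.replace(spec["Old"], spec["New"], count)


def apply_rules(rules, method, path, headers, body):
    """Return (headers, body, fired_urls) after every matching rule has run."""
    headers, fired = dict(headers), []
    for rule in rules:
        if not url_matches(rule["url"], path, rule["Match"]):
            continue
        for rep in rule["Replace"]:
            allowed = rep.get("Request", {}).get("Method")
            if allowed and method not in allowed:   # Request.Method gate
                continue
            resp = rep.get("Response", {})
            headers.update(resp.get("Header", {}))  # Response.Header injection
            body_spec = resp.get("Body", {})
            if "File" in body_spec:                 # Body.File replaces the upstream body
                body = STATIC_FILES[body_spec["File"]]
            for spec in body_spec.get("ReplaceStr", []):
                body = replace_str(body, spec)
            fired.append(rule["url"])
    return headers, body, fired
```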
1.6 Start and test Goblin
[screenshot: www.flash.cn (home page)]
[screenshot: static.flash.cn]
[screenshot: api.flash.cn]
At this point we have successfully cloned the Flash site!
2. Using red-team methods in a red/blue exercise
2.1 When shutting down Goblin, it does not stop normally and has to be closed with the kill command
kill -9 PID

2.2 Change alert in flashVersion to xxx.exe, or edit the contents of alert.html
_flash_install_packages_({
"activex": {
"date": "2021-08-10",
"version": "34.0.0.184",
"size": "19.8MB",
"downloadURL": "{{ .Static }}alert.html", // edit the alert.html file, or replace alert.html with xxx.exe
"downloadURLForNotSource": "{{ .Static }}alert.html",
"downloadURLForWin8": "{{ .Static }}alert.html",
"downloadURLForWin8NotSource": "{{ .Static }}alert.html"
},
"ppapi": {
"date": "2021-08-10",
"version": "34.0.0.184",
"size": "20.1MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"npapi": {
"date": "2021-08-10",
"version": "34.0.0.184",
"size": "20.3MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"mac-ppapi": {
"date": "2021-08-10",
"version": "34.0.0.184",
"size": "21MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"mac-npapi": {
"date": "2021-08-10",
"version": "34.0.0.184",
"size": "21MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-64-tar-npapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "9MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-64-rpm-npapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "8.6MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-32-rpm-npapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "8.1MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-64-tar-ppapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "9MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-32-tar-ppapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "8.2MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-64-rpm-ppapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "9MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-32-rpm-ppapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "8.1MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"linux-32-tar-npapi": {
"date": "2021-04-13",
"version": "34.0.0.137",
"size": "8.1MB",
"downloadURL": "{{ .Static }}alert.html",
"downloadURLForNotSource": "{{ .Static }}alert.html"
},
"fc-ppapi": {
"date": "2021-08-10",
"downloadURL": "{{ .Static }}alert.html"
},
"fc-activex": {
"date": "2021-08-10",
"downloadURL": "{{ .Static }}alert.html"
},
"fc-npapi": {
"date": "2021-08-10",
"downloadURL": "{{ .Static }}alert.html"
},
"fc-activeX": {
"date": "2021-08-10",
"downloadURL": "{{ .Static }}alert.html"
},
"fc-ppax": {
"date": "2021-08-10",
"downloadURL": "{{ .Static }}alert.html"
}
});
That covers the way to build a simulated phishing site (for learning only; infringement is prohibited!).
0x03 Building a simulated honeypot
1. Replace the target site you want to impersonate
Edit the flash.yaml file:
Loglevel: 1
Server:
  IdleTimeout: 3m0s
  ReadTimeout: 5m0s
  WriteTimeout: 5m0s
  ReadHeaderTimeout: 30s
  ProxyHeader: RemoteAddr
  StaticDir: static
  StaticURI: /zz118smee/
Proxy:
  MaxIdleConns: 512
  IdleConnTimeout: 2m0s
  TLSHandshakeTimeout: 1m0s
  ExpectContinueTimeout: 1s
  maxcontentlength: -1
  ProxyServerAddr: ""
  ProxyCheckURL: https://myip.ipip.net/
PluginDir: plugins
Site:
  127.0.0.1:8083:
    Listen: 0.0.0.0
    StaticPrefix: czjv8kmton
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://www.flash.cn/   # change to the site to impersonate
    Plugin: "flash"
  127.0.0.1:8084:
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkq
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://soft.flash.cn/   # change to the site to impersonate
    Plugin: soft.flash
  127.0.0.1:8085:
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkb
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://static.flash.cn/   # change to the site to impersonate
    Plugin: static.flash
  127.0.0.1:8086:
    Listen: 0.0.0.0
    StaticPrefix: nmnckbsfkb
    SSL: false
    CAKey: ""
    CACert: ""
    ProxyPass: https://api.flash.cn/   # change to the site to impersonate
    Plugin: api.flash
Notice:
  dingtalk:
    DingTalk: ""
iplocation:
  type: qqwry
  geo_license_key: ""
log_file: goblin.log
cache:
  type: self
  expire_time: 10m0s
  redis:
    host: 127.0.0.1
    port: 6379
    password: IMrvElmuMG
    db: 0
  CacheType:
    - png
    - jpg
    - js
    - jpeg
    - css
    - otf
    - ttf
  CacheSize: 12582912
Note: it is recommended to set the log level to 1 so that all log changes are collected; through DingTalk you can then watch in real time who is accessing the web honeypot.
2. Change the log file storage path
  geo_license_key: ""
log_file: goblin.log
cache:
  type: self
3. Start and test

Access-log collection results:

This tool was written by @金色錢江_becivells, @金色錢江_Vanilla and others. The software is for learning only; it can serve both as a red-team phishing tool and as a blue-team defensive honeypot. If misuse causes trouble, the consequences are yours!
If you'd like to join the Goblin group for guidance and discussion, add WeChat Becivells and leave the message goblin.
end
