# NGINX Setup

###### tags: `phishing`

## UFW

Log in to your server:

```bash=
ssh root@<your-ip> -i ~/.ssh/workshop
```

Replace `<your-ip>` with the address you administer from; the `allow from` rule is what lets that address reach the ports that are not opened to everyone:

```bash=
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow from <your-ip>
sudo ufw enable
```

[More information](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04)

This also keeps port 3333 (the GoPhish admin interface) from being exposed to the internet!

## Let's Encrypt

Let's use Let's Encrypt to get that shiny green 🔒!

<details>
<summary>Let's Encrypt software is already installed, but click to expand to view the command for manual installation</summary>

```bash=
sudo apt -y install certbot python3-certbot-nginx
```

</details>

Create an NGINX configuration for your `<yourdomain.com>`:

```bash=
nano /etc/nginx/sites-enabled/<yourdomain.com>.conf
```

We use the config below to proxy our web server to GoPhish and to add a URL rewrite so visitors go to `phishingsite.be/login/token` instead of `phishingsite.be/?rid=token`. The latter URL is more likely to be detected and recognised.

```nginx=
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Any user agent containing "google" (case-insensitive) gets a 404.
    if ($http_user_agent ~* (google) ) {
        return 404;
    }

    # The same for one specific, frequently seen crawler user agent.
    if ($http_user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"){
        return 404;
    }

    # Rewrite /login/<token> to GoPhish's ?rid=<token>.
    location ~ ^/login/(.*)$ {
        proxy_pass http://127.0.0.1:8080/?rid=$1;
    }
}
```

Reload NGINX, request the certificate and reload again:

```bash=
sudo service nginx reload
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
sudo service nginx reload
```

## Hide GoPhish's Server Banner

![GoPhish's server banner](https://i.imgur.com/mfH3Icv.png)

Edit the file `/etc/nginx/nginx.conf`:

```nginx=
server_tokens off;
proxy_hide_header X-Server;
```

## Google SafeBrowsing and bot measures

![Google's SafeBrowsing](https://i.imgur.com/1zRhjO7.png)

Google and Microsoft run crawlers that visit your URLs and mark them as a phishing site in Google Safe Browsing. The thing is that they share data with each other: a Microsoft crawler feeds data to Google's Safe Browsing and vice versa. We use an IP blocklist of all the known datacenters in the world. At the time of writing this is the only way to hold off the army of bots and crawlers.

----

<details>
<summary>Create a new, up-to-date Udger list (click to collapse!)</summary>

With a valid subscription: http://data.udger.com/a59896b39355af0be061b56953b37472/datacenter.txt

This will be in the following format:

```=
GOOGLE:4.3.2.0-4.3.2.255
GOOGLE:8.6.48.0-8.6.55.255
GOOGLE:8.8.4.0-8.8.4.255
GOOGLE:8.8.8.0-8.8.8.255
GOOGLE:8.34.208.0-8.34.215.255
GOOGLE:8.34.216.0-8.34.223.255
```

Transform the list:

```bash=
# Keep only the first-last range after the colon.
cat datacenter.txt | cut -d":" -f2 > udger_datacenters.txt
# ipcalc -rn deaggregates each range into CIDR blocks; tail drops its header line.
awk '{system("ipcalc -rn "$1 "| tail -n +2")}' udger_datacenters.txt > udger_nginx.conf
```

Then open `udger_nginx.conf` in Atom and replace each newline with

```nginx=
;
deny 
```

Make sure the first line also starts with `deny ` (and the last line ends with `;`). The result has the NGINX deny format:

```nginx=
deny 217.146.75.112/29;
deny 217.146.75.128/29;
deny 217.146.75.136/29;
```

Put this on the server as `udger_nginx.conf`.

</details>

----

Put `udger_nginx.conf` inside `/etc/nginx`. The file is in `workshop/config_files`. Then add the following config (**only what's inside the server block and the log format at the top**) to `/etc/nginx/sites-enabled/<yourdomain.com>.conf`:

```nginx=
# Location: /etc/nginx/sites-enabled/microsoft-365-outlook.com.conf

# Log format for the loot!
# Todo: Find solution to forward the IP to gophish because with this config, the UI shows localhost :/
log_format phishing '$request_uri ' '$remote_addr "$http_user_agent" "$time_local"';

server {
    root /var/www/vincent.microsoft-365-outlook.com;

    # ---- [Combatting Safebrowsing] ----
    # Include the list of all datacenters.
    include udger_nginx.conf;

    # Present the datacenter IPs a dummy page to fool them.
    # Instead of using a 403 (redirect), we serve the response of the dummy page directly instead of
    # the intended content of the requested (phishing) page.
    error_page 403 = @deny;
    location @deny {
        rewrite ^ /landingspage.html;
    }

    # Whitelist access to this dummy landing page.
    location = /landingspage.html {
        allow all;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    # Block a very frequently used browser agent of Google Safe Browsing bots. Not all of them use it; just another layer in the onion.
    if ($http_user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"){
        rewrite ^ /landingspage.html;
    }

    # URL rewriting to create a different URL structure to avoid fingerprinting.
    location ~ ^/login/(.*)$ {
        access_log /var/log/nginx/loot.log phishing;
        proxy_pass http://127.0.0.1:8080/?rid=$1;
    }

    # USB dropping
    location ~ ^/u/(.*)$ {
        #access_log /var/log/nginx/loot_usb.log phishing;
        proxy_pass http://127.0.0.1:8888/$1$is_args$args;
    }

    # Make static resources work for GoPhish!
    location /static/ {
        proxy_pass http://localhost:8080/static/;
        #break;
    }
}
```

Make the folders:

```bash=
mkdir /var/www/<yourdomain.com>
nano /var/www/<yourdomain.com>/landingspage.html   # put something in it
```
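The list transformation in the collapsed Udger section above is done with `cut`, `awk` and `ipcalc`. As an added example (not code from the original page or from the workshop), here is the same `NAME:first-last` to `deny <cidr>;` conversion in Python using only the standard library's `ipaddress` module; it also splits ranges that are not CIDR-aligned into the minimal set of blocks (what `ipcalc -rn` does) and skips blank or malformed lines. The `EXAMPLE` line in the sample input is constructed.

```python
"""Convert Udger-style 'NAME:first-last' range lines into NGINX deny lines.
Added example, not from the original page. Only the stdlib is used."""
import ipaddress

# Constructed sample in the format shown on the page; the EXAMPLE range is
# deliberately not CIDR-aligned so it splits into several blocks.
SAMPLE = """GOOGLE:4.3.2.0-4.3.2.255
GOOGLE:8.8.4.0-8.8.4.255
not a range line
EXAMPLE:10.0.0.3-10.0.0.17
"""


def parse_range_line(line):
    """Return (name, first_ip, last_ip) or None for blank/malformed lines.

    A line without '-' is treated as a single address (first == last)."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    name, _, rng = line.partition(":")
    first, sep, last = rng.partition("-")
    if not sep:
        last = first
    try:
        a = ipaddress.ip_address(first.strip())
        b = ipaddress.ip_address(last.strip())
    except ValueError:
        return None
    if a.version != b.version or a > b:
        return None
    return name, a, b


def range_to_cidrs(first, last):
    """Minimal CIDR cover of an inclusive range, as strings."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def to_nginx_deny(text):
    """Produce de-duplicated 'deny <cidr>;' lines, preserving input order."""
    out, seen = [], set()
    for line in text.splitlines():
        parsed = parse_range_line(line)
        if parsed is None:
            continue  # skip header, blank or garbled lines
        _, a, b = parsed
        for cidr in range_to_cidrs(a, b):
            if cidr not in seen:
                seen.add(cidr)
                out.append(f"deny {cidr};")
    return out


if __name__ == "__main__":
    print("\n".join(to_nginx_deny(SAMPLE)))
```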