SSL Certificate from letsencrypt.org – Setup Guide
I’m sure many of you have heard of the new free service from letsencrypt.org which essentially offers a valid SSL Certificate for everyone. The goal of the project is to run the entire internet over HTTPS without any excuses.
I’ve been using the service since early this year when they launched the beta, and I have to tell you that it is legit and something you really should be incorporating into your e-mail phishing process. Since we are going to provide professional phishing services for our clients, doing it over HTTPS and with a valid SSL Certificate is a must whenever we harvest sensitive info.
Obtaining An SSL Certificate From letsencrypt.org
Take this a step further; HTTPS should be implemented on all your phishing sites regardless if they harvest sensitive data or not. You’ve got a much better chance of bypassing any web proxy servers in place by running a full encrypted stream.
Phishing Frenzy now supports using an SSL Certificate and hosting your websites over HTTPS. Since Phishing Frenzy is essentially a front end for the Apache web service, you can upload your SSL certificate, activate the campaign and watch it all come to life over HTTPS. Now that’s legit.
How it Works
Let’s Encrypt has a nifty command line tool that we can run from our phishing server to quickly obtain our valid SSL certificate. The command line tool has now been renamed to “certbot” and can be downloaded off github here:
Once you’ve downloaded the script onto your server, it’s really a one-liner to get the SSL certificate in your possession.
The first item to note is that Apache cannot be running while you run certbot. In order for Let’s Encrypt to validate that you own the domain, it will resolve the FQDN to an IP address of the server you are currently on. Certbot will then start up a mini web service hosting a token which proves to Let’s Encrypt that you’re authoritative over this domain name.
This means that if you have any active phishing campaigns they would be disabled temporarily while you obtain the SSL certificate. Keep this in mind to make sure you’re not disrupting an active campaign of yours or a colleague.
If you try to invoke the certbot script with Apache running you’ll be notified with a nice little warning like below:
So once you’ve properly disabled your active web server, you can then run the “certbot” command similar to below. Make sure to tweak this for the domain name that you’re configuring.
./certbot-auto certonly –standalone –d www.pentestgeek.com
The standalone flag is used to tell the “certbot” tool that you want it to run a mini web service to properly authenticate with Let’s Encrypt by hosting a web page temporarily. The “certonly” flag is used to tell “certbot” that you don’t want the tool to automatically configure Apache with the SSL certificate. Just provide us the certificate, and we’ll deploy them to Apache ourselves through the Phishing Frenzy Web UI.
Once you’ve invoked this successfully, you are the new proud owner of some valid SSL certificates; Congratulations. By default all of the certificates will be dropped to the /etc/letsencrypt/live/:fqdn which is really a symbolic link to the /etc/letsencrypt/archive/:fqdn directory as seen below:
Configuring Phishing Frenzy
Now that we have all of the SSL files required to host our phishing site over HTTPS. Let’s start Apache back up and jump back over to our campaign within Phishing Frenzy. All we need to do is upload the SSL certificate as seen below and save. Make sure to assign the proper cert, key and chain properly using the dropdowns on the right.
Once this data has been uploaded and saved to the campaign properly, you can then activate the campaign and your phishing site is now live over HTTPS. Anyone who tries to hit the phishing site over HTTP will be automatically redirected to HTTPS by default.
If you’re not leveraging HTTPS for all your phishing engagements you should be. Letsencrypt.org is a great service and is changing the world of SSL certificate authorities. It’s no cost to you, and the tools are really slick to auto-magically configure your Nginx or Apache web server with a couple added flags.
In the future we may incorporate Let’s Encrypt into the Web UI itself so that it communicates with the Let’s Encrypt API to pull down the SSL certificate and apply it to the current campaign.
Hope you enjoyed, and enjoy phishing all the things over HTTPS.
Share this article
Follow Pentest Geek
Subscribe to Pentest Geek
- How To Install Metasploit Framework Ubuntu 14.04
- How to Install Nmap From Source
- Another Lap Around Microsoft LAPS
- Credential Harvesting via MiTM – Burp Suite Tutorial
- SSL Certificate from letsencrypt.org – Setup Guide
- Forensics and Incident Response
- Information Gathering
- Penetration Testing Tutorials
- Web Applications