Updates and Fixes

Author: Ralph

.gitignore

@@ -43,6 +43,7 @@ builds/**/images/*
 *.ogg
 *.mp3
 *.mp4
+*.io
 TODO.txt
 
 # security / ssl
@@ -62,3 +63,7 @@ digital_ocean_phish
 
 # keys
 keys/*
+
+# vars
+vars/all.yml
+vars/phish.yml

README.md

@@ -30,6 +30,7 @@ Build a Phish consist of a Ansible playbook to deploy a phishing engagement in t
 |  <img src='https://raw.githubusercontent.com/kgretzky/evilginx2/master/media/img/evilginx2-logo-512.png' width='40'>                                                                                                                         | Evilginx2  | [warhorse/evilginx2](https://github.com/warhorse/docker-evilginx2)|
 | <img src='https://github.com/gophish/gophish/raw/master/static/images/logo_purple.png' width='40'>                                                                                                                             | Gophish     | [gophish/gophish](https://github.com/gophish/gophish)|
 | <img src='https://d1q6f0aelx0por.cloudfront.net/product-logos/library-nginx-logo.png' width='40'>                                                                                                                             | Nginx    | [nginx](https://hub.docker.com/_/nginx)|
+| <img src='https://avatars.githubusercontent.com/u/4652787?s=280&v=4' width='40'>                                                                                                                             | Mitmproxy    | [mitmproxy](https://hub.docker.com/r/mitmproxy/mitmproxy/)|
 
 ## Supported Cloud Providers
 
@@ -63,31 +64,36 @@ Coming Soon
 You will need a managment domain. This domian can be the same domian used for phishing emails. After you buy a domain set the name server records to Digital Ocean.
 
 
-1. Install Ansible & Terraform
+### 1. Install Ansible & Terraform
+#### Ansible
+- OSX 
+  
+  `brew install ansible`
+
+- Linux 
+  
+  `pip install ansible`
 
-    Ansible
-    - OSX `brew install ansible`
-    - Linux `pip install ansible`
-    - Install Ansible General Modules 
+- Install Ansible General Modules 
 
-        `ansible-galaxy collection install community.general`
+`ansible-galaxy collection install community.general`
 
-    Terraform
-    - OSX `brew install terraform`
-    - Linux https://learn.hashicorp.com/tutorials/terraform/install-cli
+#### Terraform
+- OSX `brew install terraform`
+- Linux https://learn.hashicorp.com/tutorials/terraform/install-cli
 
-2. Git clone this repo 
+### 2. Git clone this repo 
 
-    `git clone https://github.com/ralphte/build_a_phish`
+`git clone https://github.com/ralphte/build_a_phish`
 
-3. Customize the variables inside the vars folder.
+### 3. Customize the variables inside the vars folder.
 
 
-4. Create API keys for both Digital Ocean & Azure.
+### 4. Create API keys for both Digital Ocean & Azure.
 
-    - Digital Ocean API Key https://www.digitalocean.com/docs/apis-clis/api/create-personal-access-token/#:~:text=To%20generate%20a%20personal%20access,the%20Generate%20New%20Token%20button.
+- Digital Ocean API Key https://www.digitalocean.com/docs/apis-clis/api/create-personal-access-token/#:~:text=To%20generate%20a%20personal%20access,the%20Generate%20New%20Token%20button.
 
-    - Azure CLI https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
+- Azure CLI https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
 
 ## Usage
 
@@ -127,6 +133,12 @@ To get the password on first login check the docker logs
 
 `docker logs gophish`
 
+### Mitmproxy
+
+You can access Mitmproxy via the hostname set for "mitmproxy_hostname"
+
+The mitmproxy web interface allows you to see the RAW traffic between evilginx2 and your target server. You can use this to check for problems and remove any IOC's. Mitmproxy is a dignostic tool to inspect https traffic.
+
 ## Development
 
 Does none of this work for you? Submit a issue and I will see what the problem is.
@@ -139,6 +151,8 @@ Gophish https://getgophish.com/
 
 Evilginx https://github.com/kgretzky/evilginx2
 
+Mitmproxy https://github.com/mitmproxy/mitmproxy
+
 Ansible roles from https://github.com/geerlingguy
 
 

playbooks/phish_deploy.yml

@@ -83,6 +83,7 @@
     - ../vars/phish.yml
   roles:
     - { role: nginx-docker }
-    - { role: gophish-docker, gophish }
-    - { role: evilginx2-docker, evilginx2 }
-  tags: [ never, phish, gophish, evilginx2 ]
+    - { role: gophish-docker, tags: gophish }
+    - { role: evilginx2-docker, tags: evilginx2 }
+    - { role: mitmproxy-docker, tags: mitmproxy }
+  tags: [ never, phish ]

playbooks/phish_destroy.yml

@@ -1,20 +1,4 @@
 ---
-- name: Deploy Terraform
-  hosts: localhost
-  gather_facts: true
-  connection: local
-  vars_files:
-    - ../vars/all.yml
-    - ../vars/phish.yml
-  vars: 
-  - deploy: true
-  tasks:
-  - name: Create a keys directory 
-    ansible.builtin.file:
-      path: ../keys
-      state: absent
-  tags: [ never, phish ]
-
 - name: Destroy Terraform
   hosts: localhost
   gather_facts: true
@@ -34,4 +18,20 @@
       # - mailgun
     loop_control:
       loop_var: roleinputvar
-    tags: [ never, phish ]
+    tags: [ never, phish ]
+  
+- name: Destroy SSH Key
+  hosts: localhost
+  gather_facts: true
+  connection: local
+  vars_files:
+    - ../vars/all.yml
+    - ../vars/phish.yml
+  vars: 
+  - deploy: false
+  tasks:
+  - name: remove keys directory 
+    ansible.builtin.file:
+      path: ../keys
+      state: absent
+  tags: [ never, phish ]

roles/digitalocean/tasks/dns_deploy.yml

@@ -8,11 +8,13 @@
       - digitalocean_record.gophish_hostname
       - digitalocean_record.gpadmin_hostname
       - digitalocean_record.gpredirect_hostname
+      - digitalocean_record.mitmproxy_hostname
       - digitalocean_domain.domain
     variables:
       do_token: "{{ digitalocean_token }}"
       gophish_hostname: "{{ gophish_site_hostname }}"
       gpadmin_hostname: "{{ gophish_admin_hostname }}"
+      mitmproxy_hostname: "{{ mitmproxy_hostname }}"
       tl_domain: "{{ domain_name }}"
       do_img: "ubuntu-20-04-x64"
       do_name: "{{ user_tag }}-{{ op_number }}-phish"

roles/digitalocean/tasks/dns_destroy.yml

@@ -8,11 +8,13 @@
       - digitalocean_record.gophish_hostname
       - digitalocean_record.gpadmin_hostname
       - digitalocean_record.gpredirect_hostname
+      - digitalocean_record.mitmproxy_hostname
       - digitalocean_domain.domain
     variables:
       do_token: "{{ digitalocean_token }}"
       gophish_hostname: "{{ gophish_site_hostname }}"
       gpadmin_hostname: "{{ gophish_admin_hostname }}"
+      mitmproxy_hostname: "{{ mitmproxy_hostname }}"
       tl_domain: "{{ domain_name }}"
       do_img: "ubuntu-20-04-x64"
       do_name: "{{ user_tag }}-{{ op_number }}-phish"

roles/evilginx2-docker/templates/config.yaml.j2

@@ -1,4 +1,8 @@
 ip: 0.0.0.0
+proxy_enabled: true
+proxy_type: http
+proxy_address: mitmproxy
+proxy_port: 8080
 lures:
 - info: "test"
   og_desc: ""
@@ -17,4 +21,4 @@ site_domains:
 sites_enabled:
 - o365
 verification_key: cj
-verification_token: 3ee7
+verification_token: 3ee7

roles/mitmproxy-docker/defaults/main.yml

@@ -0,0 +1,2 @@
+mitmproxy_dir: '{{docker_home_dir}}/mitmproxy'
+mitmproxy_hostname: 'mitmproxy'

roles/mitmproxy-docker/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Restart docker_mitmproxy
+  docker_container:
+    name: mitmproxy
+    hostname: 'mitmproxy'
+    interactive: yes
+    image: mitmproxy/mitmproxy:4.0.3
+    pull: yes
+    state: started
+    command: "mitmweb --web-iface 0.0.0.0 --no-web-open-browser --ssl-insecure -v"
+    restart_policy: always
+    restart: yes
+    volumes:
+      - "{{ mitmproxy_dir }}/config:/home/mitmproxy/.mitmproxy"
+    networks:
+      - name: "{{ dockernet }}"

roles/mitmproxy-docker/tasks/install.yml

@@ -0,0 +1,5 @@
+---
+- name: Setting containers
+  include_tasks: "{{ item }}.yml"
+  with_items:
+    - mitmproxy

roles/mitmproxy-docker/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+- include: install.yml

roles/mitmproxy-docker/tasks/mitmproxy.yml

@@ -0,0 +1,23 @@
+---
+- name: Ensures mitmproxy dir exists
+  file:
+    path: '{{ item }}'
+    state: directory
+  with_items:
+  - '{{ mitmproxy_dir }}'
+  - '{{ mitmproxy_dir }}/config'
+
+- name: Mitmproxy
+  docker_container:
+    name: mitmproxy
+    hostname: 'mitmproxy'
+    interactive: yes
+    image: mitmproxy/mitmproxy:4.0.3
+    pull: yes
+    state: started
+    command: "mitmweb --web-iface 0.0.0.0 --no-web-open-browser --ssl-insecure --set block_global=false" 
+    restart_policy: always
+    volumes:
+      - "{{ mitmproxy_dir }}/config:/home/mitmproxy/.mitmproxy"
+    networks:
+      - name: "{{ dockernet }}"

roles/mitmproxy-docker/vars/main.yml

@@ -0,0 +1 @@
+---

roles/nginx-docker/templates/nginx_phish.conf.j2

@@ -53,6 +53,26 @@ server {
     }
   }
 
+server {
+    server_name {{ mitmproxy_hostname }}.{{ domain_name }};
+    listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+    include /etc/nginx/options-ssl-nginx.conf;
+
+    location / {
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "Upgrade";
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass http://mitmproxy:8081;
+      allow {{ white_list_ip }};
+      deny all;
+    }
+  }
+
   server {
     server_name {{ gophish_site_hostname }}.{{ domain_name }};
     listen 443 ssl;
@@ -81,9 +101,19 @@ server {
       proxy_ssl_server_name on;
       proxy_ssl_name $host;
       proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+      proxy_set_header X-Real-IP "";
+      proxy_set_header X-Forwarded-For "";
+      proxy_set_header X-Forwarded-Proto "";
+      proxy_set_header X-Forwarded-Host "";
+      proxy_set_header X-Azure-Socketip "";
+      proxy_set_header X-Azure-Requestchain "";
+      proxy_set_header X-Azure-Ref "";
+      proxy_set_header X-Azure-Ipdetection "";
+      proxy_set_header X-Azure-Fdid "";
+      proxy_set_header X-Azure-Clientip "";
+      proxy_set_header Via "";
+      proxy_set_header X-Msedge-Ignoreratelimits "";
+      proxy_ssl_protocols  TLSv1 TLSv1.1 TLSv1.2; 
       proxy_ssl_verify off;
       proxy_pass https://evilginx:443;
     }

terraform/digitalocean/main.tf

@@ -24,6 +24,13 @@ resource "digitalocean_record" "gpadmin_hostname" {
   value  = digitalocean_droplet.phish_droplet.ipv4_address
 }
 
+resource "digitalocean_record" "mitmproxy_hostname" {
+  domain = digitalocean_domain.domain.name
+  type   = "A"
+  name   = var.mitmproxy_hostname
+  value  = digitalocean_droplet.phish_droplet.ipv4_address
+}
+
 resource "digitalocean_ssh_key" "ansible_ssh_key" {
   name       = "Ansible SSH Key ${var.op}"
   public_key = var.ansible_ssh_key

terraform/digitalocean/variables.tf

@@ -10,4 +10,5 @@ variable "ansible_ssh_key" { default = "" }
 variable "gophish_hostname" { default = "" }
 variable "gpadmin_hostname" { default = "" }
 variable "gpredirect_hostname" { default = "" }
+variable "mitmproxy_hostname" { default = "" }
 variable "ansible_ssh_key_private" { default = "" }

terraform/mailgun/mailgun_dns.tmpl

@@ -0,0 +1,2 @@
+[phish]
+${phish-dns} ansible_host=${phish-ip} # ${phish-id}