Automating 2FA phishing and post-phishing looting with Muraena and Necrobrowser
May 21, 2019
Phishing remains one of the most pervasive threats to enterprise, the simple but effective technique of tricking unassuming users into divulging sensitive information such as usernames and passwords has remained incredibly successful. This is often achieved by redirecting a user to a site which impersonates a legitimate service and captures the victim’s credentials when entered, these credentials can then be reused by the attacker to achieve their desired goal.
Two-factor Authentication (2FA) was once a hurdle for this type of attack, but techniques to bypass many types of 2FA solutions were quickly adopted and implemented into a variety of phishing frameworks. It is important to understand how these bypasses work so defenders can push for standards, such as U2F, which remain resilient against these bypasses.
Muraena Team Tooling
On 15 May 2019 the Muraena Team released Muraena and Necrobrowser. Initially teased in their talk at HITB2019AMS, the Muraena / Necrobrowser tools aim to automate the phishing of credentials, 2FA tokens, and subsequent post-phishing activities. This is achieved by Muraena acting as a transparent reverse proxy solution which captures credentials and session cookies. These valid sessions are handed off to Necrobrowser, which uses the gathered sessions to impersonate the victim. Necrobrowser instruments a set of Dockerized Chrome browsers to keep alive the stolen sessions, automate the extraction of data and perform other actions on the attacker’s behalf. You can check out the slides for more information.
We configured Muraena to phish credentials from a test Google account, and used the existing Necrobrowser functionality to automate the mining of the target’s Gmail inbox using capabilities built into Necrobrowser. This can be seen in the video below:
As demonstrated in the video, because Muraena uses a reverse proxy to intercept traffic from the user to the target website, the user experience is virtually indistinguishable from the user navigating directly to the website itself (apart from the domain). This is in stark contrast to the phishing platforms of old, which often rely on serving prebaked templates which often break dynamic website content.
The Muraena and Necrobrowser projects can be found: https://github.com/muraenateam
Basic Setup – Muraena
Both Muraena and Necrobrowser are implemented using Golang, which can be installed here.
Once installed, you can compile Muraena using the following:
go get github.com/muraenateam/muraena
Your DNS will need to be configured with a wildcard CNAME and an A record pointed at the location of your Muraena proxy. For ours this looks like:
*.redvsblue.team. 1 IN CNAME redvsblue.team.
redvsblue.team. 1 IN A MURAENA_IP_ADDR
You will need to modify the config file for Muraena, so go ahead and change the beginning of the config file to look like below. In this example we will be using the preconfigured config/google.com.json file.
Let’s Encrypt Certificates
If you wish to use a Let’s Encrypt wildcard certificate, you can follow the following steps:
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.redvsblue.team'
Then follow the prompts to validate domain ownership. This will require you to add a TXT record to your DNS config.
Once generated, your certificate will be generated and added to the following folder:
You will be required to update your Muraena config you are hoping to use. The TLS section should look something like:
Run it by specifying your config file:
sudo ./muraena --config config/google.com.json
Once this is executed you should see the following
If all went well, you should now be able to navigate to your domain and your traffic will proxied through Muraena. This will allow you to capture credentials and session data, but the real magic comes into play when you configure Necrobrowser, which automates the post phishing activities for you and persist collected sessions.
Basic Setup – Necrobrowser
Necrobrowser uses Docker to execute the Chrome browsers used for the automation of the post exploitation task. So, let’s begin by installing Docker for your platform using the instructions found here: https://docs.docker.com/install/
Compile Necrobrowser using Go:
go get github.com/muraenateam/necrobrowser
If you’re running Necrobrowser on the same machine as Muraena you can run this the following command, you will need to substitute the token from your Muraena config:
sudo ./necrobrowser --token "ada9f7b8-6e6c-4884-b2a3-ea757c1eb617"
If successful you should see the following:
With both Muraena and Necrobrowser running, once Muraena captures a valid session it will be passed to Necrobrowser, which will perform its predefined post-exploitation activities.
Once completed, the session is persisted within the Dockerized Chrome browser. The attacker can interact with this browser and ride the active session to have full access to the victim account.
2FA is often hailed as the ultimate solution to prevent phishing, but not all 2FA solutions are infallible. Muraena can bypass a variety of 2FA solutions including SMS, Push, Software Authenticators, OTP and more. Thankfully, U2F provides some respite from attacks of this nature as user logins are bound to the origin, so only the real site can authenticate with the U2F token. Widespread adoption of U2F is unfortunately still lacking, but hopefully tools such as Muraena will help to expedite the process.
We will be discussing the nuances of different 2FA solutions in more depth in our upcoming 2FA Strategic Review paper, so stay tuned.