Automating 2FA phishing and post-phishing looting with Muraena and Necrobrowser

Photon Research Team
May 21, 2019 | 6 Min Read

Phishing remains one of the most pervasive threats to enterprises. The simple but effective technique of tricking unassuming users into divulging sensitive information such as usernames and passwords has remained incredibly successful. This is often achieved by redirecting a user to a site which impersonates a legitimate service and captures the victim’s credentials when they are entered; the attacker can then reuse these credentials to achieve their desired goal.

Two-factor Authentication (2FA) was once a hurdle for this type of attack, but techniques to bypass many types of 2FA solutions were quickly adopted and implemented into a variety of phishing frameworks. It is important to understand how these bypasses work so defenders can push for standards, such as U2F, which remain resilient against these bypasses.

Muraena Team Tooling

On 15 May 2019 the Muraena Team released Muraena and Necrobrowser. Initially teased in their talk at HITB2019AMS, the Muraena / Necrobrowser tools aim to automate the phishing of credentials and 2FA tokens, and the subsequent post-phishing activities. This is achieved by Muraena acting as a transparent reverse proxy which captures credentials and session cookies. These valid sessions are handed off to Necrobrowser, which uses the gathered sessions to impersonate the victim. Necrobrowser instruments a set of Dockerized Chrome browsers to keep the stolen sessions alive, automate the extraction of data and perform other actions on the attacker’s behalf. You can check out the slides for more information.

We configured Muraena to phish credentials from a test Google account, and used the capabilities built into Necrobrowser to automate the mining of the target’s Gmail inbox. This can be seen in the video below:

As demonstrated in the video, because Muraena uses a reverse proxy to intercept traffic between the user and the target website, the user experience is virtually indistinguishable from navigating directly to the website itself (apart from the domain). This is in stark contrast to the phishing platforms of old, which often rely on serving prebaked templates that break dynamic website content.

The Muraena and Necrobrowser projects can be found at: https://github.com/muraenateam

Basic Setup – Muraena

Both Muraena and Necrobrowser are implemented using Golang, which can be installed here.  

Once installed, you can compile Muraena using the following:

go get github.com/muraenateam/muraena
cd $GOPATH/src/github.com/muraenateam/muraena
make build

DNS Config

Your DNS will need to be configured with a wildcard CNAME and an A record pointed at the location of your Muraena proxy. For ours this looks like:

*.redvsblue.team.         1          IN         CNAME      redvsblue.team.
redvsblue.team.           1          IN         A          MURAENA_IP_ADDR

You will need to modify the config file for Muraena, so go ahead and change the beginning of the config file to look like the example below. In this example we will be using the preconfigured config/google.com.json file.

{
  "proxy": {
    "phishing": "redvsblue.team",
    "destination": "google.com",
    "skipContentType": [
      "font/*",
      "image/*"
    ],
...

Let’s Encrypt Certificates

If you wish to use a Let’s Encrypt wildcard certificate, follow these steps (the file is owned by root after the chown, so the chmod needs sudo as well):

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.redvsblue.team'

Then follow the prompts to validate domain ownership. This will require you to add a TXT record to your DNS config.

Once validation succeeds, your certificate will be generated and placed in the following folder:

/etc/letsencrypt/live/redvsblue.team/

You will then need to update the TLS section of the Muraena config you intend to use. It should look something like:

"tls": {
    "enabled": true,
    "expand": false,
    "certificate": "/etc/letsencrypt/live/redvsblue.team/cert.pem",
    "key": "/etc/letsencrypt/live/redvsblue.team/privkey.pem",
    "root": "/etc/letsencrypt/live/redvsblue.team/fullchain.pem"
}

Run it by specifying your config file:

sudo ./muraena --config config/google.com.json

Once this is executed you should see the following:

If all went well, you should now be able to navigate to your domain and your traffic will be proxied through Muraena. This will allow you to capture credentials and session data, but the real magic comes into play when you configure Necrobrowser, which automates the post-phishing activities for you and persists collected sessions.

Basic Setup – Necrobrowser

Necrobrowser uses Docker to run the Chrome browsers used to automate the post-exploitation tasks. So, let’s begin by installing Docker for your platform using the instructions found here: https://docs.docker.com/install/

Compile Necrobrowser using Go:

go get github.com/muraenateam/necrobrowser
cd $GOPATH/src/github.com/muraenateam/necrobrowser
make build

If you’re running Necrobrowser on the same machine as Muraena, you can run the following command; you will need to substitute the token from your Muraena config:

sudo ./necrobrowser --token "ada9f7b8-6e6c-4884-b2a3-ea757c1eb617"

If successful you should see the following:

With both Muraena and Necrobrowser running, once Muraena captures a valid session it will be passed to Necrobrowser, which will perform its predefined post-exploitation activities.

Once completed, the session is persisted within the Dockerized Chrome browser. The attacker can interact with this browser and ride the active session to have full access to the victim account.

Summary

2FA is often hailed as the ultimate solution to prevent phishing, but not all 2FA solutions are infallible. Muraena can bypass a variety of 2FA solutions including SMS, Push, Software Authenticators, OTP and more. Thankfully, U2F provides some respite from attacks of this nature as user logins are bound to the origin, so only the real site can authenticate with the U2F token. Widespread adoption of U2F is unfortunately still lacking, but hopefully tools such as Muraena will help to expedite the process.
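To make the origin-binding point concrete, here is an added, constructed Python model of a U2F/WebAuthn login (example code written for this page, not code from the Muraena project or from the post). It assumes a hypothetical relying party with rpId google.com and a reverse proxy on accounts.redvsblue.team, and uses HMAC-SHA256 in place of the token's ECDSA signature so that it runs on the standard library alone.

```python
# Constructed model of U2F/WebAuthn origin binding, not Muraena or Necrobrowser code.
# HMAC-SHA256 with a per-credential secret stands in for the token's ECDSA signature
# (stdlib only); what gets signed, rpIdHash plus the hash of client data holding the
# origin, follows the real protocol.
import hashlib, hmac, json
from urllib.parse import urlparse

def client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()

def token_sign(rp_id: str, key: bytes, cdata: bytes) -> bytes:
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(cdata).digest()
    return hmac.new(key, signed, "sha256").digest()

def browser_sign(rp_id: str, key: bytes, origin: str, challenge: bytes) -> dict:
    # The browser, not the page, fills in the origin and refuses a request whose
    # rpId is neither the origin's host nor a parent domain of it.
    host = urlparse(origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    cdata = client_data(origin, challenge)
    return {"client_data": cdata, "signature": token_sign(rp_id, key, cdata)}

def rp_verify(rp_id: str, key: bytes, expected_origin: str,
              challenge: bytes, assertion: dict) -> tuple:
    # Relying party: challenge and origin must match, and the signature must cover them.
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if not hmac.compare_digest(token_sign(rp_id, key, assertion["client_data"]),
                               assertion["signature"]):
        return False, "signature does not cover this client data"
    return True, "ok"

def demo(rp_id="google.com", real="https://accounts.google.com",
         phish="https://accounts.redvsblue.team") -> dict:
    key, chal = b"constructed-credential-secret", bytes(range(16))  # constructed values
    out = {"direct": rp_verify(rp_id, key, real, chal, browser_sign(rp_id, key, real, chal))}
    try:  # the page served from the phishing host must still ask for the real rpId
        browser_sign(rp_id, key, phish, chal)
    except ValueError as err:
        out["proxied"] = (False, str(err))
    # Even if a browser skipped that check, the RP sees the phishing origin in the
    # signed data, and the proxy cannot rewrite it without breaking the signature.
    cdata = client_data(phish, chal); sig = token_sign(rp_id, key, cdata)
    out["forwarded"] = rp_verify(rp_id, key, real, chal, {"client_data": cdata, "signature": sig})
    rewritten = cdata.replace(phish.encode(), real.encode())
    out["rewritten"] = rp_verify(rp_id, key, real, chal, {"client_data": rewritten, "signature": sig})
    return out
```

Running demo() shows the direct login verifying, the proxied request being refused by the browser, and both the forwarded and the rewritten assertion being rejected by the relying party; this is what the text means by logins being bound to the origin.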

We will be discussing the nuances of different 2FA solutions in more depth in our upcoming 2FA Strategic Review paper, so stay tuned.
