Phishing assessments have always been, and will continue to be, a critical part of our penetration testing and red teaming methodology, and one of the key components is a phishing tool that allows us to accurately portray real-life threat actors. In the past, our team has used several different phishing tools and platforms, and with each of them we felt there must be something out there better suited to our needs. These needs drove the decision to develop redlure, our own open-source phishing platform.
Our initial goal was to develop software that provides customizable, scalable and, more importantly, realistic phishing campaigns for our clients. We understand the importance of creating phishing assessment campaigns that mimic the real user experience you get when using cloud services. Examples of these cloud services include Office365 and Gmail, each of which requires the username and password to be submitted on sequential webpages. Over time, our software solution evolved to meet the following needs of our operators:
- Manage multiple phishing campaigns in parallel, since we often need multiple phishing servers and campaigns to be in use simultaneously while managing engagements.
- Chain templated webpages together in a way that allows us to accurately mimic user experiences on popular sites our targets are familiar with.
- Scale up and down quickly when we have a need for extra phishing servers or need to replace a server with a burned IP address.
- Centralize management within a single interface that allows us to control remote phishing servers and perform actions, such as remote SSL certificate generation.
- Encrypt sensitive data within the platform’s database, such as our SMTP credentials and client-submitted credentials.
- Integrate payload delivery so that we can conveniently and quickly serve payloads off our phishing infrastructure without needlessly exposing our C2 (command and control) infrastructure for payload hosting.
- Improve metrics, allowing us to track which specific targets have opened emails, clicked links, downloaded payloads and submitted credentials.
The result was a framework consisting of three parts:
- redlure-console: A Python API serving as the central backend for your phishing infrastructure. The console manages the sole database, sends emails and aggregates results. It also communicates with your redlure-workers, which we’ll get to in a moment.
- redlure-client: A web interface built on the Angular framework which allows you to interact with the API endpoints exposed by the console.
- redlure-workers: A small Python API controlled remotely by the console. Workers serve phishing webpages and communicate results and credentials back to the console.
This structure allows you to attach as many remote servers running the worker API as you need to a single console for management. A sample environment with two workers is depicted below:
DEF CON 28 Demo Labs
We are really excited to announce that redlure will be featured as part of the DEF CON 28 Demo Labs. During the demo we will look at the tool in a test environment, walk through the core features, create several phishing campaigns and simulate the actions of unsuspecting end-users. Our live demo schedule is below:
- Friday 8/7 4:00 PM – 6:50 PM (UTC-7)
- Sunday 8/9 10:00 AM – 11:50 AM (UTC-7)
The redlure code repositories will be going public on Thursday, August 6th, 2020 at www.github.com/redlure. Please contact us if you are interested in a demo outside DEF CON.
About the Developer
Matt Creel has been a member of the Schneider Downs cybersecurity practice since 2017 where he helps clients with penetration testing, red teaming and incident response services. Matt has served clients in manufacturing, healthcare, automotive, financial and higher education industries. One of Matt’s focuses is offensive tool development, notably password spraying and phishing tools.
How Can Schneider Downs Cybersecurity Help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit our website.
In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.