Muraena: The Unexpected Phish

Two-factor authentication is considered “the solution” to prevent phishing.

In reality, only Universal Two-factor (U2F) is somehow useful once hardware keys are deployed, while the rest of 2FA solutions fail miserably, including SMS, Push, SoftwareAuthenticators, OTP and others.

If there is no HTTP Origin verification and the second factor token is sent via web, phishing can be performed pretty much transparently performing MiTM by using a reverse proxy solution.

Moreover, once valid sessions are collected, they can be impersonated via browser instrumentation with a farm of dockerized Chrome headless instances. Such instances are useful not only to keep alive the stolen sessions but also to scrape and extrude data from hijacked accounts, as well as performing any action on user behalf.

Depending on the instrumented portal, activities can be different, such as: backdooring a GitHub account by adding an SSH key, searching for credentials over an OWA webmail, chaining bugs in WordPress and automating RCE and what not.

The whole process is automated by Muraena and Necrobrowser. The first is a custom target-agnostic reverse proxy solution (written in golang). The latter, takes care of the instrumentation and session riding.

This approach minimizes the complexity of handling phishing with 2FA, while drastically reducing the time needed to perform post-phishing activities, allowing the phisherman to focus on data analysis and scenario planning.

There will be demos performing phishing and session instrumentation on a number of portals like GitHub, OWA, Google Docs, LinkedIn, protected by different authentication types.

Muraena and Necrobrowser will be released after the talk.

Location: Track 1 Date: May 10, 2019 Time: 11:30 am - 12:30 pm Michele Orru Giuseppe Trotta