Is your feature request related to a problem? Please describe.
I want to use this project for phishing simulations. However, it's currently using the PHP built in web server https://www.php.net/manual/en/features.commandline.webserver
Obviously the advantage is that this keeps the project lightweight. However, this server doesn't support using a TLS certificate. This means credentials successfully harvested in the simulation are sent in clear text between servio / localxpose / ngrok / etc. and the machine running HiddenEye. Credentials could be intercepted between the server and the machine running Hiddeneye and used by an attacker. Even if the localhost option is used with a public IP, a TLS certificate still can't be used. In addition, "The web server runs only one single-threaded process, so PHP applications will stall if a request is blocked."
Describe the solution you'd like
Use nginx instead, because it ships with Kali linux, it supports TLS, and it supports multithreading.
Describe alternatives you've considered
Use apache because it also ships with Kali, supports TLS, and supports multithreading.
Create a TLS wrapper around the socket used by the PHP server in python. See https://docs.python.org/3/library/ssl.html
Additional context
I'm not sure what the best solution is here, and it may not be any of the ones I've listed here. What I really want is end to end encryption so that this tool can be used securely for a simulation (though multithreading would be a nice plus). I'm happy to work on this if a main contributor can determine which solution is ideal.
Apologies, it looks like end-to-end encryption can in fact be accomplished using ngrok; however, this does require a paid account. Though to me it still seems worth pursuing, so that end to end encryption can be accomplished without a paid account. Or maybe the best option is just to create a menu option for adding an ngrok auth token and path to a tls key and certificate.
See "Terminating TLS Connections" on this page: https://ngrok.com/docs#http-subdomain
However, when the tls connection is terminated with ngrok the certificates provided are used to encrypt connections from a client to *.ngrok.io in addition to between *.ngrok.io and the HidenEye server.
1.) This is the case and results in a security warning
[client]<--(encrypted with self signed cert)-->[ngrok.io server]<--(still encrypted with self signed cert)-->[HiddenEye Server]
2.) This is not the case but would be ideal
[client]<--(encrypted with signed ngrok.io cert)-->[ngrok.io server]<--(encrypted with self signed cert)-->[HiddenEye Server]
Option 1 is the reality; this is ideal for security since ngrok.io never has access to decrypted traffic. However, this means that users receive a warning about the certificate being insecure. Option 2 would probably be preferable for most use cases, but unfortunately is not so. Option 2 would be preferable because the ngrok server application is already trusted (and therefore ngrok.io) with the TLS keys when using it to terminate a connection. In addition, option 2 would mean the end user does not get a certificate warning when visiting the *.ngrok.io link.
Conclusion: Even if a paid ngrok.io subscription is used, a signed TLS certificate (from somewhere like LetsEncrypt) is required to suppress the certificate warnings that appear in most browsers. Acquiring such a certificate also requires registering a domain name.
@gjhami , Your ideas are great for the Project.
We can work on your suggestions , But we don't have Enough Active Developers in Team.
It will be great if you can help us & Join us.
I personally wants to add the functionalities and at the same time some encyrption in order to protect the captured data.
@gjhami ,
It will be great if you can help achieve any of below features .
1) Add NGNIX (as Alternetive if possible) to build a server.
2) Add Support For Multiple Attack (Possible With Nginx)
3) Build a Support For Webpage Page Cloning (I personally Don't Support it)
4) Some Functionality to moniter available pages (if broken or not)
5) Also thinking to work on 2FA bypass (My own Thoughts )
6) Add support For Paid Tunnels in NGROK and other.(Will help to achieve end-to-end encryption)
Above are Some of my thoughts..
Share yours.
@An0nUD4Y,
I'd love to contribute more! The NGINX alternative web server option would be extremely helpful for me for my own use of this project so I'd be really happy to work on that. Afterwards I think being able to run multiple attacks would also be very helpful, as you said above.
According to this report (https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf) 28% of data breaches involve malware (pg 5). Of those, the top malware delivery method is email (94%) and the top attachment type is MS Office Doc(43%) (pg 13). So it seems worthwhile to have functionality for generating an office doc which will connect back to the HiddenEye server, in addition to generating links. Although technically this isn't phishing, so maybe this isn't the right place for it. This is something I intend to do either way for my own simulations, so let me know if you think it fits with HiddenEye.
Could you elaborate more on what you mean by monitoring available webpages. Are you thinking something that checks to make sure the page created by HiddenEye is still up and the server hads't crashed?
I agree that 2FA bypass would be very cool, by this I assume you mean just a secondary page which prompts for a 2FA token (please correct me if I'm mistaken). Same goes for web page cloning, though I think most of the major bases are covered by the templates already here (which are very good).
I was looking at the king-phisher project (https://github.com/securestate/king-phisher) the other day, and I wonder if there's some way we could integrate the two. King-phisher has some really cool features for campaign tracking and email spoofing, but the actual web pages are pretty shit. If we could pair that email functionality with the web server and keylogger functionality of HiddenEye, we might have an even more awesome tool. It looks like FiercePhish also does something similar.
Lastly, would you be able to explain the relationship between HiddenEye, BlackEye, ShellPhish, and FiercePhish?
@gjhami ,
One by one.
Its great , that you will share your own modified version.
And as earlier mentioned , if you ready to introduce nginx put it as alternative with PHP.
And we can add multiple attacks at once only with nginx as in PHP it may be hard to run too many attacks and generating different links each time (when their is limit for tunnel numbers in many free tunnelling options.
On the other hand with nginx we can use reverse proxy(proxy_pass) in configuration to redirect users (by defining different address in same URL domain)to different port from a single tunnel. Read This https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
(Ngrok allows only few no. Of connection for free users so we need to add a option to user PRO version of NGROK that is a Purchased account)
We can do that by receiving a token.
In place of creating and listening to the shell or malwares, We can just become the medium to drop the malware. As adding functions to create and listen malware would be too complicated, leave it to the users they will somehow generate it and listen it. It's better we only add a option to drop payload or malware files.
For that we can not simply allow popup on index file to download malware it will be suspicious, So we can use any other the popular popup types from (https://webbrowsertools.com/popup-blocker/)
Their is some really cool type of popups to try.
So we can simply add that malware file to index file, which will be downloaded from a popup as different tab after submitting login form.
@gjhami ,
By pointing monitoring pages , I mean to somehow get to know that a phishing is broken and cannot be used during phishing..
It happens many time with many pages , so we can't depend on the users to create a issue about a broken page then we will fix it.
It will be better if we can somehow check the pages on GitHub the if it's working or broken .
This can be achieved by hosting webpages on GitHub .
And adding a status option in readme somehow.
Let me know if you have any idea.
@gjhami ,
2FA It's my idea for future project.
Check https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
We can achieve that later if we somehow added nginx currently , Then it will make it possible to add 2FA later on.
And also in NGINX we have to manage configuration files for nginx for now to use a single Tunnel Url with different tokens or addresses to redirect to different localhost open at which the webpages are available.
As mentioned above.
And it can be modified to add 2FA bypass features.
Mention if I forget something..
@gjhami , Integrating with King Phisher will be a lot of tasks for now..
But the same can be achieved in long term , if you and other contributors stay with the project.
And yupp as we already have Email module added we can also create a option to make templates or using default templates of King phisher.
And I have no idea currently how we can track the campaign.
But later I will find it.
Or please give share some ideas.
@gjhami ,
I have no idea about how fiercephish came to existence , but yes that's a great project.
And talking about shellphish and blackeye , these are some projects same as HiddenEye.
Let me clear the story of HiddenEye ..
• Firstly I came to know about SocialPhish a great project which was available with NGROK integration.
• Then I created some large modification like adding the multiple tunnels and a lot more pages.(But they didn't accepted those changes)
• So I left the forked one on my GitHub repo lists.
• Then some users started showing interest in it, So myself started developing it more and after a few time some more contributors and developers joined @usama7628674 was the first .
• But The real developers was not happy with that. So our contributers Redesign and wrote the whole codes again. By adding some more functionality like keylogger and others.
• Then we moved the project to HiddenEye name under Darksec( Actually the name suggested by me , I don't know how that hit my mind by yaaa it's pretty similar as Black eye) And as far as I know Blackeye was released after many months of Hiddeneye with a lot of phishing pages as much as 30.
But with no features like multiple tunnels or keylogger or email.
• Later I took some of their pages and modified them to use with HiddenEye and fixed many pages.(Offcourse i gave credit to all the developers)
• Then the story goes on.....
These projects are not Rivals of each other, Each have their own speciality i am just trying to bring all the features in one project.
But still people argue about existence.
@gjhami
And now we are moving ahead with you.
That's How Everything Grows..
@An0nUD4Y,
That Evilnginx article is fascinating! And am I correct in saying secure cookies do nothing to prevent this, because the cookies are pulled directly from HTTP headers? This would also mean that phishing pages no longer need to be cloned / turned in to templates, since the user is being forwarded the actual login page and nginx is only acting as a MITM, correct? This is awesome and terrifying!
As far as the malware addition, you're suggesting we just allow users to provide the path to some malware file they've created, and then HiddenEye would create a page with a popup which would prompt the user to download the file? That sounds like a good middle ground to me! I think you're right that setting up a listener and shell is out of the scope of this project. That popup-blocker page is pretty sweet, I'll have to experiment with a few of those and think about which will work best.
I agree integrating with king-phisher is a big project, and maybe not the best way to go about things. It looks like king-phisher tracks email campaigns using a unique UID parameter in each URL sent out and unique request parameters, so those options may be worth considering if campaign tracking is implemented in HiddenEye. We could also just track unique visits to the phishing page using a combination of user agent, currently logged in user, and IP. As far as actually sending out the spoofed emails I would think we should implement some kind of check to verify the spoofed domain isn't using DMARC (using something like https://pypi.org/project/dmarc/). Beyond that it should be fairly simple. It looks like King-Phisher could also be used to send out spoofed emails with links to pages generated by HiddenEye without any integration, but it would disable the tracking features of King-Phisher.
I'll get started on NGROK auth tokens and then I think the next step is NGINX.
@gjhami , Sure Then I will wait For your PR.
@gjhami I created most of the phishing pages.Back than all of 'em were realistic but later i got busy and didnt update the project.I did create a PR to use apache instead of PHP but devs didnt like the idea.You can work on nginx.For tracking users we can just receive user-agent first instead of receiving later after a user is phished.
@An0nUD4Y I can work on updating phishing pages after I'm done with my finals.
@An0nUD4Y Impressive job for hosting phishing pages on githtub.Now it's easy and fast method to check broken phishing pages.
@usama7628674 , Thanks buddy.
Let me know when you will free as I wanted to work on 2FA bypass , Using NGINX we can achieve that.
That's why I requested to add NGINX for future support also.
@gjhami , Any update ...
@gjhami @usama7628674 , Closing Here.. Feel Free To reopen.
Most helpful comment
@gjhami ,
I have no idea about how fiercephish came to existence , but yes that's a great project.
And talking about shellphish and blackeye , these are some projects same as HiddenEye.
Let me clear the story of HiddenEye ..
• Firstly I came to know about SocialPhish a great project which was available with NGROK integration.
• Then I created some large modification like adding the multiple tunnels and a lot more pages.(But they didn't accepted those changes)
• So I left the forked one on my GitHub repo lists.
• Then some users started showing interest in it, So myself started developing it more and after a few time some more contributors and developers joined @usama7628674 was the first .
• But The real developers was not happy with that. So our contributers Redesign and wrote the whole codes again. By adding some more functionality like keylogger and others.
• Then we moved the project to HiddenEye name under Darksec( Actually the name suggested by me , I don't know how that hit my mind by yaaa it's pretty similar as Black eye) And as far as I know Blackeye was released after many months of Hiddeneye with a lot of phishing pages as much as 30.
But with no features like multiple tunnels or keylogger or email.
• Later I took some of their pages and modified them to use with HiddenEye and fixed many pages.(Offcourse i gave credit to all the developers)
• Then the story goes on.....
These projects are not Rivals of each other, Each have their own speciality i am just trying to bring all the features in one project.
But still people argue about existence.