ReelPhish - Phishing tool for two-factor authentication in real time

ReelPhish simplifies the real-time phishing technique. The main component of the tool is designed to run on the attacker's system: a Python script that listens for data from the attacker's phishing site and drives a locally installed web browser through the Selenium framework. The tool can steer the attacker's browser to specific web pages, interact with HTML objects and modify page content.
The secondary component of ReelPhish resides on the phishing site itself. Code embedded in the phishing site sends data, such as the captured username and password, to the tool running on the attacker's machine. Once the tool receives that information, it uses Selenium to launch a browser and authenticate on the legitimate website. All communication between the phishing web server and the attacker's system is carried over an encrypted SSH tunnel.
Victims are tracked by session tokens, which are included in all communication between the phishing site and ReelPhish. The token lets the tool maintain state for authentication workflows that span multiple pages with distinct challenges. Because the tool is aware of that state, it can relay victim information to the legitimate web authentication portal and vice versa.
This tool was released together with a FireEye blog post, which can be found at the following link: https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.html

Installation steps

  1. The latest release of Python 2.7.x is required.
  2. Install Selenium, a dependency required to run the browser drivers:
     pip install -r requirements.txt
  3. Download the browser drivers for every web browser you plan to use. The binaries must be placed in this root directory with the following naming scheme.
     1. Internet Explorer: www.seleniumhq.org/download/
        - Download the Internet Explorer Driver Server for Windows 32-bit IE. Unzip the file and rename the binary to: IEDriver.exe.
        - For the Internet Explorer driver to work, make sure Protected Mode is turned off. On IE11 (64-bit Windows), you must create the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE". In this key, create a DWORD value named iexplore.exe and set its value to 0.
        - Further information on the Internet Explorer requirements can be found at www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver
     2. Firefox: www.github.com/mozilla/geckodriver/releases/
        - Download the latest release of the Firefox GeckoDriver for Windows 32-bit. Unzip the file and rename the binary to: FFDriver.exe.
        - On Linux systems, download the Linux version of the Firefox GeckoDriver and rename the binary to: FFDriver.bin. Linux support is experimental.
        - GeckoDriver has special requirements. Copy FFDriver.exe to geckodriver.exe and place it in a directory on your PATH variable. Also add firefox.exe to your PATH variable.
     3. Chrome: https://chromedriver.storage.googleapis.com/index.html?path=2.35/
        - Download the latest release of the Google Chrome driver for Windows 32-bit. Unzip the file and rename the binary to: ChromeDriver.exe.
        - On Linux systems, download the Linux version of the Chrome web driver and rename the binary to: ChromeDriver.bin. Linux support is experimental.

Running ReelPhish


ReelPhish consists of two components: the phishing-site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code takes a username and password from an HTTP POST request and transmits them to the phishing script.
The phishing script listens on a local port and waits for a packet of credentials. Once credentials are received, the script opens a new web browser instance and navigates to the desired URL (the actual site on which the user's credentials will be entered). The credentials are then submitted by that web browser.
The recommended way to handle communication between the phishing site and this script is a reverse SSH tunnel. This is why the sample PHP phishing-site code submits credentials to localhost:2135.

Arguments of ReelPhish

  1. You must specify the browser you will use with the -browser parameter. Supported browsers are Internet Explorer ("-browser IE"), Firefox ("-browser FF") and Chrome ("-browser Chrome"). Both Windows and Linux are supported. Chrome requires the fewest configuration steps; see the installation instructions above for details.
  2. You must specify the URL. The script navigates to this URL and submits the credentials on your behalf.
  3. Other optional parameters are available:
  • Set the logging parameter to debug (-logging debug) for verbose event logging
  • Set the submit parameter (-submit) to customize the element that the browser "clicks"
  • Set the override parameter (-override) to ignore missing form elements
  • Set the numpages parameter (-numpages) to increase the number of authentication pages (see the section below)

Multiple page authentication support

ReelPhish supports multiple authentication pages. For example, in some cases a two-factor authentication code is requested on a second page. To use this feature, make sure that -numpages is set to the number of authentication pages, and make sure that session IDs are tracked properly on your phishing site. The session ID is used to track users as they proceed through each step of authentication.
In some cases you may need to modify specific content on a particular authentication page. Commented example code for such an operation is provided in ReelPhish.py.