All seems to be working - but getting this error #6

Open
ontinternet opened this issue May 27, 2022 · 7 comments

ontinternet commented May 27, 2022

Hi - all seems to be working now - but in testing - when the "victim" clicks the phishing URL they get re-directed correctly - but in the humble_chameleon server the following error appears:

<victimIP>:POST:https://<Phishing URL>/sockjs/843/niacqzxw/xhr
problem with:https://<target1-safe URL>/images/manifest.json
(node:24319) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'rawBody' of undefined
    at humble_proxy (/root/tools/humble_chameleon/index.js:249:41)
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:24319) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:24319) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

What does this error mean - does it mean that the 'safe site' (target1) is not accessible (possibly due to a sub domain used in the phishing link)?

Thanks for any response.

Owner

fkasler commented May 27, 2022

Can you share your config? Make sure you only use domains as targets. Not subdomains or URLs

Owner

fkasler commented May 27, 2022

Also, can you share what your link looks like?

@ontinternet
Author

Hi - this is my config (redacted information):

{
  "phishingurl.com": {
    "primary_target": "safesite.com",
    "secondary_target": "reltarget.com",
    "search_string": "https://blog.phishingurl.com/home?id=",
    "wwwroot": "Login2",
    "tracking_cookie": "cla_cookie",
    "replacements": {
      "string_to_be_replaced": "replacement_string"
    },
    "custom_headers": {},
    "snitch": {
      "snitch_string": "Logoff",
      "redirect_url": "https://blog.realtarget.com/home/"
    },
    "logging_endpoint": {
      "host": "phishmongerserver.com",
      "url": "/create_event",
      "auth_cookie": "admin_cookie=secretcookie"
    }
  }
}

This is what my link looks like:
https://blog.phishingdomain.com/home/

id= whatever gets added after /home

Owner

fkasler commented May 29, 2022

Your search string should just be a GET parameter, and not a URL. In this case "id", however, I would normally go for something that is less likely to randomly be included somewhere in a URL, like "user_id".

Author

ontinternet commented May 29, 2022

OK - I have changed the search string in config to just id (in this instance). Getting the following error when I click on the phishing link in a test email:

problem with:https://blog.safeurl.com/images/manifest.json
(node:34761) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'rawBody' of undefined
    at humble_proxy (/root/tools/humble_chameleon/index.js:249:41)
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:34761) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:34761) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Is this expected (I see the error references "id:1")? The 'safe url' I have used does not have a 'blog.' subdomain - is this the issue? Do I need a 'safe' url that has the same subdomains as the real target?

Owner

fkasler commented May 29, 2022

That is the "issue" in this case, yes. But it is still keeping your domain safe from crawlers checking out the domain. So the attack is working just fine?

@ontinternet
Author

Yes - everything is working how it should - I just wondered about the error, but it looks like all unauthenticated access gets blocked :).
