Judas: Phishing Resurrected

What is Judas?

Judas is a reverse proxy for red team phishing engagements based on Go’s httputil.ReverseProxy. Simply point it at the target website, give it a domain for the SSL certificate and you’re on your way.

Judas cloning targetpractice.network on localhost:9000. (I own targetpractice.network, don’t use Judas on websites you don’t have permission to attack).

Stealth Goodies

Judas comes with some features to help us hide from the target server and victims. We want to stay hidden from the blue team as long as possible.

Automatic Let’s Encrypt

We’ve spent the last few years conditioning people to trust that padlock in their URL bar. Thanks to Let’s Encrypt, we can get free SSL certificates automatically. Simply tell Judas your phishing site’s domain and it’ll do the rest.

Proxy Support

I’ve added several features to make Judas stealthier and deadlier. Judas is able to use a HTTP or SOCKS5 proxy. You can hide requests from your target using a proxy, log them in case a client wants to see what exactly you took, get an IP address close to the target and much more. You can do multiple of these at once with proxychains.

HTTP Request Header Rewriting

Judas automatically rewrites HTTP request headers before sending them to the target website. It replaces the our phishing site in the Referer and Origin headers with an appropriate value and removes the user agent if the user didn’t send one to prevent Go’s default User Agent from showing up in logs and giving us away.

HTTP Response Header Rewriting

Judas automatically rewrites HTTP responses before they come back to the client. It removes any Content-Security Policy and anti-XSS headers on the response to prevent them from catching the phishing proxy and sending it to a report-URI (sorry blue team). It also rewrites the Location header to stop redirects with the full URL from sending the victim back to the original site.

Plugins

Real life is complicated. Maybe you need to phish a lot of people, or maybe you want to do something on behalf of a phished user because they have 2-Factor authentication enabled. Judas lets you use Go plugins to:

  • Modify requests after they’ve been sent by the victim to enable attacks like replacing an admin’s request with a request to upgrade our user to an admin
  • Modify responses before they’re received by the victim so we can hide the results of attacks or hit victims with an exploit kit.
  • Process request — response HTTP exchanges from victims in real time to programmatically extract sensitive information or store them in Azure CosmosDB to look at later.

RequestTransformers

A RequestTransformer is a function in a Go plugin named “RequestTransformer” that modifies an http.Request from a victim in place before it’s sent to the target. It should be fast so users don’t get suspicious or turned off by delays. You can use them to hijack legitimate requests. For example, a RequestTransformer could replace an admin users’s request with one that creates a user for us to gain access to protected systems.

ResponseTransformers

A ResponseTransformer is a function in a Go plugin named “ResponseTransformer” that modifies an http.Response from a target in place before it’s received by the victim. You can use them to hide what you’ve done from a target, or hit victims with an exploit kit.

Listeners

A listener runs in its own goroutine and receives request — response HTTP exchanges from victims in real time to allow us to extract sensitive information. The plugin loader looks for a function called “New” that returns a Judas Listener in a Go plugin.

Using Plugins

Once you’ve made a plugin, compile it and load it using command line arguments. Multiple plugins can be loaded be separating the plugin file paths with colons (“:”). There’s an example plugin with all 3 types of plugin implemented on the Github.

Get Judas on Github

Judas’s source code is on Github. It’s MIT licensed, so feel free to modify it, fork it or whatever you see fit to do with it. Just don’t use it for crime. I’m not responsible for anything illegal you do with Judas, and I will laugh at you when cybercrime authorities in your country break your door down. Use your skills to make the world a better place instead of spreading misery.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonathan Cooper

Jonathan Cooper

264 Followers

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.