muraena: almost-transparent reverse proxy aimed at automating phishing and post-phishing activities

Muraena

Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.

The tool re-implements the 15-year-old idea of using a custom reverse proxy to dynamically interact with the origin to be targeted, rather than maintaining and serving static pages.

Written in Go, Muraena does not use slow regexes to do replacement magic, and it embeds a crawler (Colly) that helps to determine in advance which resources should be proxied.

 

Muraena does the bare minimum to grep/replace origins in requests and responses. This means that for complex origins, extra manual analysis might be required to tune the auto-generated JSON configuration file. Hence, do not expect the reverse proxy to work straight out of the box for complex origins.

The config folder has some examples of custom replacements needed on complex origins like GSuite, Dropbox, GitHub, and others.

This tool was showcased at HITB Secconf 2019 ARMS.

Supported Modules

Tracking Configuration

The Tracking module in Muraena is an essential tool for monitoring user interactions and capturing sensitive information during a phishing campaign. It provides a detailed framework for tracking user activities, from initial landing to sensitive data capture, enhancing the operational effectiveness of the campaign.

NecroBrowser

NecroBrowser is a module that allows Muraena to interact with the NecroBrowser to automate the post-exploitation phase of a phishing campaign.

Static Server

Muraena incorporates the capability to host and serve static files, such as custom JavaScript, CSS, images, or downloadable content, directly from a designated local directory. This feature is particularly useful for enriching the phishing site with additional resources that enhance its resemblance to the legitimate target site or for distributing files intended for the victim.

The Static Server functionality is straightforward: it establishes a direct mapping between a specific URL path on the phishing site and a folder on the local file system. When a request is made to this URL path, Muraena responds by serving the corresponding file from the mapped local directory, seamlessly integrating it into the phishing site’s content.

Install && Use

Copyright (c) 2024, antisnatchor & ohpe. All rights reserved.