Configure your Red Team Operations Infrastructure #2

19 min readMar 26, 2024

In this article, we will detail the Red Team operations configuration process, dividing the content into two main parts. In the first part, we will focus on setting up a Phishing server, which is essential for social engineering campaigns and to capture credentials effectively. To do this, we will explore the use of tools like Evilginx and Gophish, which are widely recognized for their efficiency and flexibility in simulating fraudulent websites and capturing credentials. We’ll also cover setting up Postfix, a mail transfer agent (MTA), which is crucial for sending phishing emails effectively.

In the second part, we will move on to configuring our Command and Control (C2) without using redirectors. This set of tools and techniques are fundamental for Red Team operations and attack simulations, allowing security experts to identify vulnerabilities and assess their organizations’ defense readiness against advanced threats.

Introduction

To begin configuring our Red Team operations, the first step will be to create a project in Digital Ocean. Digital Ocean offers a cloud platform that is perfect for hosting and managing the components required for our red team operations such as phishing and command and control (C2), due to its ease of use, flexibility and scalability.

Initially, if you do not already have a Digital Ocean account, you will need to create one. After creating and verifying your account, log in to your control panel. Within the panel, locate the “Projects” section and click on “Create Project”. Give your project a name, which could be something related to your Red Team operations, such as “Red Team Operations Infrastructure”, and provide a brief description. Select the option that best describes the purpose of the project for organization and management purposes.

Evilginx3 Configuration

Dashboard Access: Log in to your Digital Ocean dashboard.
Start Creation: In the control panel, look for the “Create” button located in the upper right corner and click on it. From the drop-down menu, select “Droplets”. This will take you to the droplet configuration page.

Region Selection: Choose the region where you want your droplet to be hosted. Regions like Germany (Frankfurt), Amsterdam (Netherlands), or Singapore are popular due to their robust infrastructure and connectivity. Choosing a region can affect your server latency, so select one that is closest to you or your target audience.

Operating System Choice: Select the operating system for your droplet. Ubuntu is a popular choice due to its ease of use and extensive documentation. You will see different versions of Ubuntu available; choose the most recent one or the one that best suits your needs.

Plan Selection: Digital Ocean offers several plans, which vary in terms of CPU, memory, storage and data transfer. Select a plan that meets your current needs. Remember, you can always resize your droplet later if you need more resources.

Authentication: It is highly recommended to use an SSH Key for authentication instead of a password. The SSH key is more secure and makes it easier to log in without having to enter passwords. If you don’t already have an SSH key, you can create one by following the instructions provided by Digital Ocean. Once you’ve created your key, add it to your droplet by selecting the appropriate option and pasting your public key.

Additional Details: You can configure additional options, such as enabling backups for your droplet, adding tags for organization, and selecting advanced networking options if necessary.

Droplet Creation: After configuring all options, review your selections to ensure everything is correct. Once you’re happy with your configuration, click the “Create Droplet” button at the bottom of the page.

Droplet Access: After the droplet is created, you will be assigned a public IP address. You can use this IP address along with your SSH key to access your server through an SSH client of your choice.

Whenever booting a new system, it is a good practice to run the apt-get update command to ensure system packages are updated. This command synchronizes the list of available packages and their versions with the Ubuntu repositories, ensuring you have access to the latest updates and security fixes for your installed software. By keeping the system updated, you minimize potential vulnerabilities and ensure a more stable and secure operation of your machine.

To ensure the security and reliability of our operations, it is essential to configure an SSL certificate on our server. Therefore, we are going to install Certbot, an automatic and free tool that simplifies the process of obtaining and renewing certificates issued by Let’s Encrypt. Certbot not only facilitates the configuration of SSL certificates, but also contributes to the creation of an encrypted connection between the server and end users, ensuring the privacy and integrity of transmitted data. This step is crucial to establishing a safe and reliable operating environment, reinforcing the authenticity and security of our communications and Red Team infrastructure.

apt install certbot

We need to install GoLang, the programming language in which Evilginx2 was developed, allowing it to run in our environment.

apt install golang

To take advantage of the advanced functionality of Evilginx2, an essential tool in a Red Team’s arsenal for conducting sophisticated phishing attacks, we will need to obtain the latest version of the software. Visit the Evilginx2 releases page on GitHub, specifically at the URL https://github.com/kgretzky/evilginx2/releases/tag/v3.2.0, and download the source code available in the releases section. This action ensures that you have access to the most up-to-date version of Evilginx2, enabling you to implement the most advanced social engineering techniques.

wget "url"

After downloading, we will unzip using unzip

After unzipping, go to the evilginx folder

Let’s build evilginx

make
# or
make install

After compiling, just access the build folder and you will find the evilginx executable

To maximize the effectiveness of Evilginx2 in our social engineering operations, it is essential to acquire a variety of phishlets, which are the key components used by the tool to intercept credentials and authentication sessions. Phishlets are configured to imitate specific websites, allowing them to capture login information in a convincing and undetectable manner. To do this, we recommend downloading phishlets from the following reliable and up-to-date sources:

https://github.com/An0nUD4Y/Evilginx2-Phishlets

https://github.com/simplerhacking/Evilginx3-Phishlets

https://github.com/hash3liZer/phishlets

https://github.com/ArchonLabs/evilginx2-phishlets

https://github.com/charlesbel/Evilginx2-Phishlets

By selecting phishlets from the sources above, you will have access to the latest versions, which is crucial to avoid redirection and detection issues.

Clone the repositories inside the phishlets folder

You can add other phishlets too or create your own phishlets, I will demonstrate this step in a future article with a more detailed step by step.

After simple and quick configuration, you can start evilginx with the command:

./evilginx -p ../phishlets

To enhance your skills and understanding of advanced phishing and social engineering operations, I highly recommend participating in the “Evilginx Mastery” course, available through BreakDev Academy. This course offers an in-depth look at Evilginx, one of the most powerful and flexible tools for man-in-the-middle attack simulations. Access the course via the link: Evilginx Mastery.

Despite the existence of other reverse proxy tools like Modlishka, Evilginx stands out for its comprehensiveness and effectiveness, making it one of my favorite tools in the field of cybersecurity. The course covers everything from fundamentals to advanced techniques, teaching how to configure and operationalize Evilginx to capture credentials and session tokens.

After we run it, it will show us all the loaded phishlets

Now we need to configure our domain, if you already have a domain just do the settings below.

If you registered your domain through GoDaddy and intend to use Digital Ocean’s services to host your project, you will need to update your nameserver to ensure that your domain correctly points to Digital Ocean’s servers. This step is crucial to ensure that requests made to your domain are directed to the hosting environment where your project is located, allowing access to your website or application hosted on Digital Ocean

Access Domain/DNS settings

Add your domain to DigitalOcean

Configure these nameservers in your hosting’s domain manager

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

After changing the nameserver records in the GoDaddy control panel, the next step is to simply save the changes. Once the changes are committed, you will need to wait for a period of time for the new DNS configuration to propagate across the internet.

To modify the DNS resolution settings on your system, you will need to edit the /etc/systemd/resolved.conf file. This file is part of systemd-resolved, a system service that provides network name resolution capabilities to the operating system. Changing the settings in this file allows you to define custom DNS servers, improve privacy and DNS resolution performance, and adjust the behavior of the name resolution system as needed.

DNS=1.1.1.1: This line defines the default DNS server that the system will use for domain name resolution. In this case, 1.1.1.1 is a public DNS server offered by Cloudflare, known for its privacy and speed.

The DNSStubListener=no line in the resolved.conf configuration file means that systemd-resolved is not listening on the loopback interfaces (127.0.0.53:53 by default) for DNS queries. The “Stub Listener” is a feature that allows systemd-resolved to provide a local DNS listening point that forwards queries to the actual DNS server configured on the system.

When DNSStubListener is set to no, this is usually done to avoid conflicts with other DNS servers you may be running on your system, such as BIND or dnsmasq, which also want to listen on port 53, the default port for DNS.

Disabling DNSStubListener requires that you configure your alternate DNS server (if you are using one) to listen directly on port 53 and serve all DNS queries from the system and local applications.

Restart the resolution service using the command

systemctl restart systemd-resolved

To configure the DNS entries for your domain and subdomains, you will need to set the A records appropriately. The A record directs a domain name to an IP address, which is crucial for users to be able to access your website or service.

For the main domain, create an A record using the symbol (@), which acts as a placeholder for the root domain without any prefix. For example, if your domain is “example.com”, setting an A record with the value (@) will point directly to “example.com”.

If you want to establish subdomains, such as “login.example.com” or “console.example.com”, you will create additional A records for each. In this case, instead of using (@), you will use ‘login’, ‘console’, ‘live’, or another prefix of your choice, followed by the main domain. This links each subdomain to the specified IP address, allowing distinct services or pages to be hosted on each subdomain.

To ensure the security and encryption of communications on your domain and subdomains, we need to generate TLS/SSL certificates. Let’s do this using Certbot, an automated tool that makes it easy to obtain and renew certificates from Let’s Encrypt, a certification authority that provides free certificates to enable HTTPS (SSL/TLS).

The command we will use is:

certbot certonly --standalone -d "seudominio.com" -d "subdominio.seudominio.com" --register-unsafely-without-email

Let’s detail the command:

Certonly: This command tells Certbot to obtain the certificate, but not install it automatically.
— standalone: Tells Certbot to use its own temporary web server to perform the domain verification challenge.
-d: Used to specify the domain names for which the certificate will be valid. You should replace “yourdomain.com” and “subdomain.yourdomain.com” with your actual domains.
— register-unsafely-without-email: Opts out of providing an email address for certificate expiration notifications and Let’s Encrypt terms of service.

When executing this command, Certbot will perform validation of the specified domains and, if successful, issue the certificates.

After successfully issuing TLS/SSL certificates with Certbot, the next step is to incorporate them into Evilginx so that it can serve phishing pages with an additional layer of security. This process involves locating the certificate files generated by Certbot and moving them to the appropriate directory used by Evilginx.

Typically, Certbot stores the generated certificates in the /etc/letsencrypt/live/domain/ directory, where you will find the fullchain.pem and privkey.pem files. The fullchain.pem contains the certificate chain, including your domain’s certificate and any intermediaries, while the privkey.pem is the private key associated with your certificate.

Create a folder in the /root/.evilginx/crt/<domain or subdomain> directory

And copy the certificate that is in the /etc/letsecrnypt/live/domain/* folder into the folder created in /root/.evilginx/crt/<domain>

Make the domain and IP settings, just type the command:

config domain example.com

config ipv4 external "vps ip"

Now let’s configure our phishlets

phishlets hostname "Phishlet" example.com

phishlet enable "phishlet"

When the process of setting up your phishlet and TLS/SSL certificate is complete, a success message is usually displayed, indicating that everything is working as expected. This means your phishing environment is ready to go, with your traffic being securely encrypted.

However, if you encounter errors, it’s important to review them carefully as they may point to common issues that need to be resolved. Commonly encountered errors may include:

Missing A Record: If a required DNS A record is missing, such as login, www, live, or other relevant subdomains, your phishlet will not be able to resolve correctly. Verify that all subdomains used in the phishlet have a corresponding A record pointing to the correct IP address of your server.
Certificate Issues: If the TLS/SSL certificate was not issued for the correct domain, or there was a problem generating it, you will need to review the issuance process. Ensure that the certificate covers all required subdomains and that no errors occurred during the issuance process with Certbot.

If you are going to use the o365 phishlet, don’t forget to comment the sub_filters lines

nano phishlets/o365.yaml

To ensure that your phishlet correctly redirects users who are not authenticated, you must configure unauth_url within the phishlet configuration file. The unauth_url is the URL where users will be redirected if they do not meet the authentication criteria required by the phishlet.

The lures command is used within Evilginx2 to create and manage “lures”, which are phishing URLs that redirect victims to configured phishlets. By running this command, you can generate links that will be sent to victims, which will appear legitimate but actually go through the phishing server configured by Evilginx2.

lures create <phishlet_name>
lures get-url "id"

lures edit "id" redirect_url https://live.com

Redirection configuration is a critical step when establishing a phishlet on Evilginx2. This redirect is used to take the victim to a legitimate website after interacting with the phishing page, helping to maintain the illusion of legitimacy. In your case, you configured the redirection to the website live.com, which belongs to Microsoft.

After the redirect is set up, you are ready to distribute the phishing link. For this, a tool like Gophish can be employed to orchestrate the email campaign.

The end result of a successful phishlet setup with Evilginx2 is the creation of a fake subdomain that accurately imitates a legitimate website to collect credentials. For example, you will have a subdomain like login.yourdomain.com, which appears to be the official login page for the entity you are simulating. This subdomain will be linked to a specific authentication path configured on the phishlet.

When a user types their credentials into this phishing subdomain and tries to log in, not only are the credentials captured by Evilginx2, but also, in case of multi-factor authentication (MFA), authentication cookies are collected. These cookies can allow access to the user’s session, thus bypassing the need for the second authentication factor.

After capturing the credentials, enter the command:

sessions
sessions "id"

You can improve your evilginx settings, I highly recommend the bootcamp to learn some tricks and create your own phishlets too.

Modlishka

Let’s configure Modlishka, a very good alternative to evilginx.

apt install certbot

Install the certbot, as it is essential.

wget https://github.com/drk1wi/Modlishka/releases

Download the latest release of modlishka

chmod +x Modlishka-linux-amd64 ; ls -lah

Place the executable with execute permissions

This is an example of a modlishka.json configuration file, configure it according to your needs

{
  "proxyDomain": "yourdomain.com",
  "listeningAddress": "0.0.0.0",
  "target": "gmail.com",
  "targetResources": "",
  "targetRules":         "PC9oZWFkPg==:",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules":"",
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "debug": true,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "requests.log",
  "plugins": "all",
  "cert": "",
  "certKey": "",
  "certPool": ""
}

Copy and paste it into the same folder as the modlishka executable

certbot certonly --standalone -d target.com -d login.target.com-d cdn.target.com --register-unsafely-without-email

Use certbot to generate digital certificates with let’s encrypt. Furthermore, I recommend that you also generate them for each domain and subdomain that the application that will be cloned and the reverse proxy uses.

awk '{printf "%s\\n", $0}' /etc/letsencrypt/live/target.com/fullchain.pem

awk '{printf "%s\\n", $0}' /etc/letsencrypt/live/target.com/privkey.pem

The command above extracts the content of the generated keys, after showing the content, paste it into the modlishka configuration file.

1) Contents of Fullchain.pem, paste into the cert function

2) Privkey content, paste into the certKey function

disclaimer: Generate a certificate for each subdomain that is part of the application and place the subdomain notes in the A record on your VPS

Now start modlishka with the settings made.

And access the URL of your phishing, after the user authenticates, it will bring the session cookies.

Now use the cookie-editor and import the session cookie

Click on Import

Paste the session cookie and click import then and finally just press F5.

Gophish Configuration

Create a new droplet to upload your gophish, separate evilginx from gophish is an OpSec tip that I give, as I have already detected exposed servers with gophish and cobalt strike completely burning the operation taking place there at that moment.

When it comes to naming your droplets or servers on Digital Ocean, or any cloud hosting provider, it’s important to consider security and discretion. Using predictable names like gophish-server or evilginx-server can make your servers easier targets for attackers who are exploiting specific vulnerabilities or looking for certain types of infrastructure.

Here are some recommendations for safely naming your droplets:

Use Random Names: Digital Ocean generates random names that can be used as a safe option, as they do not reveal the purpose or content of the server. Keeping the automatically generated name is a simple and safe practice.
Create a Unique, Non-Descriptive Pattern: If you prefer to customize the names of your droplets, develop a pattern that is unique and does not directly reveal the server’s role. For example, you can use combinations of planet names, chemical elements, or any other set that does not have a direct relationship with the server function.
Include Non-Sequential Identifiers: To facilitate internal management without revealing information, you can include non-sequential numbers or letters as part of the name. For example, srv-x7yB3 may be an option that fails to deliver on the server’s purpose and avoids predictable patterns.

After accessing SSH, download gophish from the repository and unzip it https://github.com/gophish/gophish/releases

wget "url"

Access the gophish folder and change the config.json, I recommend changing port 3333 to another port and in the ip you can put 0.0.0.0 or directly the ip of your vps.

Collect the password and log in to the gophish administrative panel, using the port you modified and don’t forget HTTPs.

On the first login you will be forced to change your password, enter a complex password, forget the famous admin/admin.

Now just set up your phishing campaign and merge evilginx with gophish for the best success in your phishing campaigns.

The biggest problem is the SMTP servers, so I recommend that you configure your own relay based on the domain you acquired to launch the campaigns.

SMTP Configuration with Postfix

I recommend that you create another droplet for this, however to make my life easier, I will use the same server where gophish is, but I do not recommend this practice, I emphasize that you place your relay and SMTP redirector on separate servers.

Let’s install postfix, just type

apt install postfix

And select the Internet Sites option

Enter the name of your email system, in this case I entered the name of the domain I have configured.

Configure the DNS entries this way, with the MX being the domain mail.yourdomain.com and the A being the mail.yourdomain.com

Now try to connect using telnet or any other tool to exit communication type: ^]

Setting up a relay in Postfix allows you to route emails through an external SMTP server, which can be useful for a number of reasons, such as bypassing IP restrictions for sending emails directly, increasing the reliability of email deliveries , or simply to use the features and security of an established email provider. Let’s detail the relay configuration process in the Postfix configuration file, main.cf.

Step 1: Access the Configuration File

Open the terminal on your server where Postfix is installed.
Enter the command sudo nano /etc/postfix/main.cf to open the main.cf configuration file in the Nano text editor. You can replace nano with another text editor of your choice if you wish.

Step 2: Configure the Destination

Look for the mydestination line. This option defines which local domains Postfix will accept emails for. You can configure it to include your own domain and subdomains if necessary. For example:

mydestination = $myhostname, yourdomain.com, sub.yourdomain.com, localhost.com, localhost

Replace yourdomain.com and sub.yourdomain.com with your actual domains and subdomains.

Step 3: Configure Relayhost

Look for the relayhost line. This option defines the external SMTP server through which Postfix will route emails. You can configure it to use a specific service, such as Gmail’s SMTP, or another SMTP server of your choice. For example:

relayhost = [smtp.gmail.com]:587

Replace [smtp.gmail.com]:587 with the address and port of your preferred external SMTP server. If you are using a custom SMTP server without authentication, simply enter the server address and port.

Step 4: Save and Exit

After making changes, press Ctrl+O to save the file and Ctrl+X to exit Nano.

Step 5: Apply Settings

To apply the changes, restart the Postfix service with the command:

Save the settings and restart the postfix service

sudo systemctl restart postfix

Let’s install mailutils to test sending

echo "Fill in some text of the email here" | mail -s "Message subject" youremail@gmail.com

If everything goes well, it will send an email to your message box, but it will end up in SPAM, so it is necessary to configure SPF, DKIM/DMARC and preferably have a good email relay.

Conclusion

After configuring evilginx, gophish and postfix, you will be ready to start your phishing campaigns.

The diagram presents a well-designed structure for a Red Team infrastructure, with segmentation into several VLANs, clearly delineating the distinct components, such as the SMTP server for phishing, the reverse proxy VLAN and the Command and Control (C2) server. It is crucial to consider operational security (OpSec) to protect the integrity of the Red Team infrastructure.

This approach not only helps organize and scale infrastructure in a logical and secure way, but also helps minimize risk and maximize the effectiveness of attack simulations. Essential components include phishing servers like GoPhish, reverse proxies like Modlishka or Evilginx2, web servers for redirection, DNS redirectors for multiple domains, and the use of CDNs for cloaking.

Detailed segregation into distinct VLANs for each function serves to limit the attack surface and keep network traffic organized and under control. Using HTTPS and DNS redirectors at strategic points, as well as the careful choice of C2 servers for short and long-term operations, are details that reinforce the efficiency and security of operations.

However, this is just the beginning. In the following article, we will detail the configurations of our C2 server — a vital element in the Red Team structure, responsible for maintaining a secure and controlled line of communication with compromised assets. The careful and strategic implementation of the C2 server is a definitive milestone for any Red Team operation, ensuring the execution of covert and efficient operations.

In the meantime, be sure to check out my other articles:

https://www.linkedin.com/pulse/configure-your-red-team-operations-infrastructure-1-joas-a-santos-a5dsf/