Mirrors/muraena
1
0
Fork 0
mirror of https://github.com/muraenateam/muraena.git synced 2026-01-23 02:24:05 +00:00
Code Issues Projects Releases Wiki Activity

Add basic documentation 📖 🎉

Browse source
This commit is contained in:
Ohpe 2024-03-08 15:57:34 +01:00
parent 1cbd95dcea
commit f67b12f807
No known key found for this signature in database
22 changed files with 1553 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -6,3 +6,4 @@ muraena
build/
static/
vendor/
/docs/_site/

25
docs/404.html Normal file
View file

@ -0,0 +1,25 @@
---
permalink: /404.html
layout: default
---
<style type="text/css" media="screen">
.container {
margin: 10px auto;
max-width: 600px;
text-align: center;
}
h1 {
margin: 30px 0;
font-size: 4em;
line-height: 1;
letter-spacing: -1px;
}
</style>
<div class="container">
<h1>404</h1>
<p><strong>Page not found :(</strong></p>
<p>The requested page could not be found.</p>
</div>

36
docs/Gemfile Normal file
View file

@ -0,0 +1,36 @@
source "https://rubygems.org"
# Hello! This is where you manage which Jekyll version is used to run.
# When you want to use a different version, change it below, save the
# file and run `bundle install`. Run Jekyll with `bundle exec`, like so:
#
# bundle exec jekyll serve
#
# This will help ensure the proper Jekyll version is running.
# Happy Jekylling!
# gem "jekyll", "~> 4.3.3"
# This is the default theme for new Jekyll sites. You may change this to anything you like.
gem "minima", "~> 2.5"
# If you want to use GitHub Pages, remove the "gem "jekyll"" above and
# uncomment the line below. To upgrade, run `bundle update github-pages`.
gem "github-pages", group: :jekyll_plugins
# gem "github-pages", "~> 231", group: :jekyll_plugins
# If you have any plugins, put them here!
group :jekyll_plugins do
gem "jekyll-feed", "~> 0.12"
end
# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem
# and associated library.
platforms :mingw, :x64_mingw, :mswin, :jruby do
gem "tzinfo", ">= 1", "< 3"
gem "tzinfo-data"
end
# Performance-booster for watching directories on Windows
gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem
# do not have a Java counterpart.
gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
gem "webrick", "~> 1.8"

293
docs/Gemfile.lock Normal file
View file

@ -0,0 +1,293 @@
GEM
remote: https://rubygems.org/
specs:
activesupport (7.1.3.2)
base64
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
connection_pool (>= 2.2.5)
drb
i18n (>= 1.6, < 2)
minitest (>= 5.1)
mutex_m
tzinfo (~> 2.0)
addressable (2.8.6)
public_suffix (>= 2.0.2, < 6.0)
base64 (0.2.0)
bigdecimal (3.1.6)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.12.2)
colorator (1.1.0)
commonmarker (0.23.10)
concurrent-ruby (1.2.3)
connection_pool (2.4.1)
dnsruby (1.70.0)
simpleidn (~> 0.2.1)
drb (2.2.1)
em-websocket (0.5.3)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0)
ethon (0.16.0)
ffi (>= 1.15.0)
eventmachine (1.2.7)
execjs (2.9.1)
faraday (2.9.0)
faraday-net_http (>= 2.0, < 3.2)
faraday-net_http (3.1.0)
net-http
ffi (1.16.3)
forwardable-extended (2.6.0)
gemoji (4.1.0)
github-pages (231)
github-pages-health-check (= 1.18.2)
jekyll (= 3.9.5)
jekyll-avatar (= 0.8.0)
jekyll-coffeescript (= 1.2.2)
jekyll-commonmark-ghpages (= 0.4.0)
jekyll-default-layout (= 0.1.5)
jekyll-feed (= 0.17.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.16.1)
jekyll-include-cache (= 0.2.1)
jekyll-mentions (= 1.6.0)
jekyll-optional-front-matter (= 0.3.2)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.3.0)
jekyll-redirect-from (= 0.16.0)
jekyll-relative-links (= 0.6.1)
jekyll-remote-theme (= 0.4.3)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.8.0)
jekyll-sitemap (= 1.4.0)
jekyll-swiss (= 1.0.0)
jekyll-theme-architect (= 0.2.0)
jekyll-theme-cayman (= 0.2.0)
jekyll-theme-dinky (= 0.2.0)
jekyll-theme-hacker (= 0.2.0)
jekyll-theme-leap-day (= 0.2.0)
jekyll-theme-merlot (= 0.2.0)
jekyll-theme-midnight (= 0.2.0)
jekyll-theme-minimal (= 0.2.0)
jekyll-theme-modernist (= 0.2.0)
jekyll-theme-primer (= 0.6.0)
jekyll-theme-slate (= 0.2.0)
jekyll-theme-tactile (= 0.2.0)
jekyll-theme-time-machine (= 0.2.0)
jekyll-titles-from-headings (= 0.5.3)
jemoji (= 0.13.0)
kramdown (= 2.4.0)
kramdown-parser-gfm (= 1.1.0)
liquid (= 4.0.4)
mercenary (~> 0.3)
minima (= 2.5.1)
nokogiri (>= 1.13.6, < 2.0)
rouge (= 3.30.0)
terminal-table (~> 1.4)
github-pages-health-check (1.18.2)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (>= 4, < 8)
public_suffix (>= 3.0, < 6.0)
typhoeus (~> 1.3)
html-pipeline (2.14.3)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.8.0)
i18n (1.14.4)
concurrent-ruby (~> 1.0)
jekyll (3.9.5)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (>= 0.7, < 2)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (>= 1.17, < 3)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.8.0)
jekyll (>= 3.0, < 5.0)
jekyll-coffeescript (1.2.2)
coffee-script (~> 2.2)
coffee-script-source (~> 1.12)
jekyll-commonmark (1.4.0)
commonmarker (~> 0.22)
jekyll-commonmark-ghpages (0.4.0)
commonmarker (~> 0.23.7)
jekyll (~> 3.9.0)
jekyll-commonmark (~> 1.4.0)
rouge (>= 2.0, < 5.0)
jekyll-default-layout (0.1.5)
jekyll (>= 3.0, < 5.0)
jekyll-feed (0.17.0)
jekyll (>= 3.7, < 5.0)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.16.1)
jekyll (>= 3.4, < 5.0)
octokit (>= 4, < 7, != 4.4.0)
jekyll-include-cache (0.2.1)
jekyll (>= 3.7, < 5.0)
jekyll-mentions (1.6.0)
html-pipeline (~> 2.3)
jekyll (>= 3.7, < 5.0)
jekyll-optional-front-matter (0.3.2)
jekyll (>= 3.0, < 5.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.3.0)
jekyll (>= 3.0, < 5.0)
jekyll-redirect-from (0.16.0)
jekyll (>= 3.3, < 5.0)
jekyll-relative-links (0.6.1)
jekyll (>= 3.3, < 5.0)
jekyll-remote-theme (0.4.3)
addressable (~> 2.0)
jekyll (>= 3.5, < 5.0)
jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
rubyzip (>= 1.3.0, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.8.0)
jekyll (>= 3.8, < 5.0)
jekyll-sitemap (1.4.0)
jekyll (>= 3.7, < 5.0)
jekyll-swiss (1.0.0)
jekyll-theme-architect (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.6.0)
jekyll (> 3.5, < 5.0)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.3)
jekyll (>= 3.3, < 5.0)
jekyll-watch (2.2.1)
listen (~> 3.0)
jemoji (0.13.0)
gemoji (>= 3, < 5)
html-pipeline (~> 2.2)
jekyll (>= 3.0, < 5.0)
kramdown (2.4.0)
rexml
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
liquid (4.0.4)
listen (3.9.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.3.6)
minima (2.5.1)
jekyll (>= 3.5, < 5.0)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.22.2)
mutex_m (0.2.0)
net-http (0.4.1)
uri
nokogiri (1.16.2-aarch64-linux)
racc (~> 1.4)
nokogiri (1.16.2-arm-linux)
racc (~> 1.4)
nokogiri (1.16.2-arm64-darwin)
racc (~> 1.4)
nokogiri (1.16.2-x86-linux)
racc (~> 1.4)
nokogiri (1.16.2-x86_64-darwin)
racc (~> 1.4)
nokogiri (1.16.2-x86_64-linux)
racc (~> 1.4)
octokit (4.25.1)
faraday (>= 1, < 3)
sawyer (~> 0.9)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (5.0.4)
racc (1.7.3)
rb-fsevent (0.11.2)
rb-inotify (0.10.1)
ffi (~> 1.0)
rexml (3.2.6)
rouge (3.30.0)
rubyzip (2.3.2)
safe_yaml (1.0.5)
sass (3.7.4)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.9.2)
addressable (>= 2.3.5)
faraday (>= 0.17.3, < 3)
simpleidn (0.2.1)
unf (~> 0.1.4)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
typhoeus (1.4.1)
ethon (>= 0.9.0)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
unf (0.1.4)
unf_ext
unf_ext (0.0.9.1)
unicode-display_width (1.8.0)
uri (0.13.0)
webrick (1.8.1)
PLATFORMS
aarch64-linux
arm-linux
arm64-darwin
x86-linux
x86_64-darwin
x86_64-linux
DEPENDENCIES
github-pages
http_parser.rb (~> 0.6.0)
jekyll-feed (~> 0.12)
minima (~> 2.5)
tzinfo (>= 1, < 3)
tzinfo-data
wdm (~> 0.1.1)
webrick (~> 1.8)
BUNDLED WITH
2.5.6

157
docs/README.md
View file

@ -1,157 +0,0 @@
# Muraena Reverse Proxy
# Intro
Muraena implements a custom Reverse Proxy usingn Golang standard library.
# Requirements
In order to run Muraena in proper way, there is a couple of pre-requisite that
you have to set.
- Generate a wildcard certificate for your phishing domain
- Change or add some settings on the Operating System where Muraena will be run
- Customise your Muraena config file
## Wildcard certificate
Valid wildcard certificate for the domain you want tho use for phishing. A good free option is LetsEncrypt:
```bash
certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.phishing.click -d phishing.click
```
LetsEncrypt will need web and DNS challenges:
* **web challenge**: start apache and create the required file in `/var/www/html` with the required file content
* **DNS challenge**: add the right `TXT` record
## System
Muraena needs at least 2x cores and 2x GB RAM.
If running on AWS, a `t2.medium` (2x vCPU, 2GB ram) is advised for standard campaigns with less than 1K targets.
For the Disk, always use SSD for better performance.
With plenty of simultaneous connections the Reverse Proxy will need mostly CPU and I/O.
If you plan to run large campaigns, in the order of more than 2K people emailed at the same time, expecting hundreds of simultaneous clicks, then a `c5.xlarge` (4x vCPU, 8GB ram) instance will be better.
The VPS performance depends also on the complexity of the site being reverse proxied.
Heavy sites like Atlassian portals or GSuite have more traffic to be handled than a bogus login portal on PHP ;-)
### `Ulimit` increase
If a lot of victims connect at the same time, the default open files settings are not enough. It is recommended to increase to max the following:
```bash
$ sudo vim /etc/sysctl.conf
# add the following line to it
fs.file-max = 65535
$ sudo vim /etc/security/limits.conf
# add following lines to it
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
root soft nproc 65535
root hard nproc 65535
root soft nofile 65535
root hard nofile 65535
$ sudo vim /etc/pam.d/common-session
# add this line to it
session required pam_limits.so
```
Reboot the machine.
> **NOTE**: for the Muraena Reverse Proxy is good to assign an Elastic IP to it, so it never changes, and less DNS changes are needed, so the domain looks less suspicious.
Test with `ulimit -n` if you get > 65K files.
### Redis installation
Muraena use Redis as a database.
Nothing specific is required for Redis, just follow instruction from
[Redis](https://redis.io/topics/quickstart) for the installation.
```bash
$ sudo apt-get install redis-server
$ sudo systemctl enable redis-server.service
$ sudo vim /etc/redis/redis.conf
maxmemory 256mb
maxmemory-policy allkeys-lru
$ sudo systemctl restart redis-server.service
```
Verify Redis works
```bash
$ redis-cli ping
PONG
```
> **NOTE**: Don't change the TCP port and keep port **6379**.
## Proxy TOML configuration
Main things to be changed are:
* proxy.phishing = yourphishingdomain.com
* proxy.destination = therealdomain.com
* tls.key/certificate = need to be updated with the LetsEncrypt data
* drop.path/redirectTo = prevent logout or redirect
* tracking.enabled = true
* tracking.identified = Victim UUID param name choosen when creating a Victim Group in Muraena Portal
* tracking.urls/patterns = needs to be updated depending on what you want to harvest
If you want to use also NecroBrowser, you have set:
* necrobrowser.enabled = true
* necrobrowser.endpoint = the host where NecroBrowser is runninng
* necrobrowser.profile = config to forward to NecroBrowser
# How to run Muraena Proxy
At this point the proxy can be started, and the victim can land on the phishing lures:
It's recommended to run muraena in a terminal multiplexer like GNU Screen or
Tmux.
```bash
$ screen -S muraena
$ sudo ./muraena -config config.toml
```
or
```bash
$ tmux -S muraena
$ sudo ./muraena -config config.toml
```
Harvested credentials/data and authenticated sessions will be logged to STDOUT
but also in Redis.
If NecroBrowser is enabled, authenticated session will be passed with the right profile to be instrumented with NecroBrowser.
# How to debug Muraena Proxy
If you are running the proxy for the first time on a new target, enable the crawler in a clean basic config.toml (from the public Muraena GitHub repo), and see how the target is crawled.
For complex targets, it happens that the crawler will not be able to automatically identify all the FQDNs that need to be translated during proxying.
This will result in `crawler.externalOrigins` missing some entries, and errors thrown in the browser when you try to proxy.
The best thing to fix this is to compare the `externalOrigins` with the list from Burp Proxy when you proxy the target domain you are trying to proxy with Muraena.
> **NOTE** `externalOrigins` entries support wildcard, so if you see plenty of `a.target.com`, `b.target.com`, etc. you can just use a single entry as **`*.target.com`**.
Another important point for advanced usage is using Muraena to patch requests or responses, removing JavaScript checks or additional bespoke controls that prevent the proxy from working.
There are example of these for GSuite and other portals in the config files in the public Muraena Proxy repo on GitHub.
------------

78
docs/_config.yml Normal file
View file

@ -0,0 +1,78 @@
title: Muraena docs
plugins:
- jekyll-relative-links
relative_links:
enabled: true
collections: true
remote_theme: just-the-docs/just-the-docs
markdown: kramdown
enable_copy_code_button: true
search_enabled: true
heading_anchors: true
color_scheme: dark
permalink: pretty
aux_links_new_tab: false
aux_links:
"Muraena on GitHub":
- "https://github.com/muraenateam/muraena"
nav_external_links:
- title: Muraena on GitHub
url: https://github.com/muraenateam/muraena
back_to_top: true
back_to_top_text: "Back to top"
kramdown:
syntax_highlighter_opts:
block:
line_numbers: false
search:
# Split pages into sections that can be searched individually
# Supports 1 - 6, default: 2
heading_level: 2
# Maximum amount of previews per search result
# Default: 3
previews: 3
# Maximum amount of words to display before a matched word in the preview
# Default: 5
preview_words_before: 5
# Maximum amount of words to display after a matched word in the preview
# Default: 10
preview_words_after: 10
# Set the search token separator
# Default: /[\s\-/]+/
# Example: enable support for hyphenated search words
tokenizer_separator: /[\s/]+/
# Display the relative url in search results
# Supports true (default) or false
rel_url: true
# Enable or disable the search button that appears in the bottom right corner of every page
# Supports true or false (default)
button: false
# Focus the search input by pressing `ctrl + focus_shortcut_key` (or `cmd + focus_shortcut_key` on macOS)
focus_shortcut_key: 'k'
exclude:
# from https://github.com/jekyll/jekyll/blob/master/lib/site_template/_config.yml:
- .sass-cache/
- .jekyll-cache/
- gemfiles/
- Gemfile
- Gemfile.lock
- node_modules/
- vendor/bundle/
- vendor/cache/
- vendor/gems/
- vendor/ruby/
# specific to the theme website:
- bin/
- lib/
- "*.gemspec"
- "*.gem"
- LICENSE.txt
- package.json
- package-lock.json
- Rakefile
- README.md
- CODE_OF_CONDUCT.md
- docker-compose.yml
- Dockerfile
# theme test code
- fixtures/

9
docs/about.md Normal file
View file

@ -0,0 +1,9 @@
---
layout: page
title: About
permalink: /about/
---
The Muraena team is composed of seasoned cybersecurity professionals, ethical hackers, and educators dedicated
to advancing the field of cybersecurity. Our team brings together a diverse range of skills, from deep technical
knowledge of network security and software development to expertise in ethical hacking and cybersecurity education.

27
docs/config/index.md Normal file
View file

@ -0,0 +1,27 @@
---
layout: default
title: Configuring Muraena
permalink: /config
nav_order: 2
has_children: true
has_toc: false
---
# Configuration Guide
This guide provides detailed documentation on configuring Muraena to suit your specific requirements.
## Configuration Sections
- [Proxy](./proxy)
- [Origins](./origins)
- [Transforming Rules](./transform)
- [Redirect](./redirect)
- [TLS](./tls)
- [Redis](./redis)
- [Logging](./log)
## Modules
Modules are described in the [Modules](/modules) section.

28
docs/config/log.md Normal file
View file

@ -0,0 +1,28 @@
---
title: Log
permalink: /docs/log
nav_order: 6
parent: Configuring Muraena
---
# Log
The `log` section is used to configure the Muraena logging settings.
## Settings
### Enabled
When `enabled` is set to `true`, Muraena will log application events to the specified log file.
### File path
The `filePath` field specifies the path to the log file. If not specified, it defaults to `muraena.log` in the current
working directory.
## Example
```toml
[log]
enabled = true
filePath = "/var/log/muraena.log"
```

113
docs/config/origins.md Normal file
View file

@ -0,0 +1,113 @@
---
title: Origins
permalink: /docs/origin
nav_order: 2
parent: Configuring Muraena
---
# Origins
During a phishing operation, Muraena can impersonate multiple domains, and it can proxy traffic to multiple legitimate domains.
Muraena maps the phishing domain to the legitimate domain, and it can also map subdomains between the phishing site and
the legitimate site. For example, if the phishing domain is `phishing.click` and the legitimate domain is `poor.victim`,
Muraena will map the phishing domain to the legitimate domain.
Additionally, all subdomains of `phishing.click` will be mapped to the corresponding subdomains of `poor.victim`,
ensuring that the phishing site can mimic the legitimate site as closely as possible.
This means that the following mappings will be created automatically:
- `www.phishing.click` -> `www.poor.victim`
- `admin.phishing.click` -> `admin.poor.victim`
- `api.phishing.click` -> `api.poor.victim`
- ...
In addition to the legitimate domain, Muraena can also proxy traffic to other external origins, such as third-party
services, APIs, or other legitimate domains. This is useful when the phishing site needs to interact with external
services, such as fetching resources from a CDN or submitting data to a third-party service.
Each external origin is internally numbered and mapped to a subdomain of the phishing domain, allowing the phishing site
to interact with the external origin as if it were the legitimate site.
The subdomain prefix is defined in the `ExternalOriginPrefix` setting, and the external origins are defined in the
`ExternalOrigins` setting.
For example, if the `ExternalOriginPrefix` is set to `ext`, and the `ExternalOrigins` to map are:
`api.external.com`, `cdn.external.com` and `cdn.anotherexternal.com`, Muraena will map the phishing domain to the
external origins as follows:
- `ext-1.phishing.click` -> `api.external.com`
- `ext-2.phishing.click` -> `cdn.external.com`
- `ext-3.phishing.click` -> `cdn.anotherexternal.com`
Muraena can also handle wildcard external origins, so you can use `*.external.com` to match all subdomains of `external.com`.
In addition to the origins, Muraena can also map subdomains between the phishing site and the target site.
This is useful when the phishing site wants to further mimic the legitimate site by using the different subdomains.
This can be achieved using the `SubdomainMap` setting.
## Settings
### External Origin Prefix
The `externalOriginPrefix` setting defines the prefix used to identify the external origins, i.e.,
the legitimate domains you're proxying traffic to.
The prefix must be a valid subdomain name, without any dot, and must respect the following regex pattern:
`^[a-zA-Z0-9-]+$`.
### External Origins
The `externalOrigins` setting is a list of legitimate domains you're proxying traffic to, in addition to the legitimate domain
you're impersonating. The domains are specified as a list of strings, and each domain is mapped to a subdomain of the
phishing domain, using the `externalOriginPrefix` as a prefix.
Domains can be also specified as wildcard domains, using `*` as a prefix, to match all subdomains of the domain.
> **NOTE:** There is no need to specify subdomains of the target domain, the one specified in the `proxy.Destination`
> setting, as Muraena will automatically map all subdomains of the phishing domain to the corresponding subdomains of
> the target domain.
#### Example
```toml
[origins]
externalOriginPrefix = "ext"
externalOrigins = [
"*.external.com",
"cdn.anotherexternal.com"
]
```
### Subdomain Map
The `subdomainMap` is a list of subdomain pairs, where the first element is the phishing subdomain,
and the second element is the legitimate subdomain.
`subdomainMap` allows custom mapping of subdomains between the phishing site and the legitimate site.
This is useful when the phishing site wants to further mimic the legitimate site by using the different subdomains.
```toml
[origins]
subdomainMap = [
# phishing subdomain -> legitimate subdomain
["www", "admin"]
]
```
> **NOTE:** This mapping applies only to the subdomains of the target domain, not to other external origins
## Examples
```toml
[origins]
externalOriginPrefix = "ext"
externalOrigins = [
"*.external.com",
"cdn.anotherexternal.com"
]
subdomainMap = [
["www", "www2"]
]
```

97
docs/config/proxy.md Normal file
View file

@ -0,0 +1,97 @@
---
title: Proxy
layout: default
permalink: /config/proxy
nav_order: 1
parent: Configuring Muraena
---
# Proxy
The proxy configuration controls how Muraena handles traffic routing between the phishing target and the
legitimate destination.
## Settings
### Phishing
The phishing domain you're proxying traffic from, i.e., the domain you're using to lure victims.
### Destination
The legitimate domain you're proxying traffic to, i.e., the domain you're impersonating.
### IP
The IP address Muraena listens on. Defaults to all interfaces (`0.0.0.0`).
### Listener
You could specify the network listener type. The supported listener types are:
- `tcp`
- `tcp4`
- `tcp6`
### Port
The port Muraena listens on, when not specified, it defaults to:
- `80` for HTTP
- `443` for HTTPS, when TLS is enabled
### Port Mapping
If Muraena is running behind a reverse proxy, you can specify the port mapping using the `portMapping` setting.
This is useful when Muraena is running behind a reverse proxy that forwards traffic to a different port.
The mapping format is `source:destination`, where `source` is the port Muraena listens on,
and `destination` is the port the reverse proxy forwards traffic to.
> For example, if Muraena listens on non-standard port `55443`, but the target domain is configured to listen on port `443`,
you can specify `55443:443` to map the traffic to the correct port.
>
> Respectively, if Muraena listens on port `443`, but the target domain is configured to listen on non-standard port
> `55443`, you can specify `443:55443` to map the traffic to the correct port.
### HTTP to HTTPS Redirect
When Muraena is configured to listen on HTTPS, HTTP traffic won't be handled by default.
Enabling `HTTPtoHTTPS`, upon receiving an HTTP request, Muraena will redirect the request to the HTTPS equivalent URL,
by replacing the `http` scheme with `https`, patching the port if necessary and returning a `301 Moved Permanently`
status code.
#### Parameters
- **`enabled`**: (default `false`) Enable or disable the HTTP to HTTPS redirect
- **`port`**: (default `80`) The port to listen for HTTP traffic before redirecting to HTTPS
## Examples
### Basic Example
This example sets up Muraena to listen on port 80 for HTTP traffic, redirecting to HTTPS,
and to proxy traffic from `phishing.click` to `poor.victim`.
All other settings are left to their default values.
```toml
[proxy]
phishing = "phishing.click"
destination = "poor.victim"
```
### Advanced Example
The following example sets up Muraena to listen on IP `192.168.1.1` only in IPv4 mode.
It listens on port `55443` for HTTPS traffic and on port `55080` for HTTP traffic.
However, it's permanently redirecting all HTTP traffic to HTTPS.
The phishing domain is `phishing.click`, and the legitimate domain is `poor.victim`.
```toml
[proxy]
phishing = "phishing.click"
destination = "poor.victim"
IP = "192.168.1.1"
listener = "tcp4"
port = 55443
portmapping = "55443:443"
[proxy.HTTPtoHTTPS]
enabled = true
port = 55080
```

66
docs/config/redirect.md Normal file
View file

@ -0,0 +1,66 @@
---
title: Redirect
layout: default
permalink: /docs/redirect
nav_order: 4
parent: Configuring Muraena
---
# Redirect
The `redirect` section of the configuration file allows you to specify rules to redirect unwanted traffic to a different URL.
When a rule matches the request, the request will be redirected to the specified URL with the specified HTTP status code
without reaching the legitimate site.
`Hostname`, `Path`, and `Query` are used to match the request, while `RedirectTo` and `HTTPCode` are used to specify
the redirection.
## Settings
### Hostname
The `hostname` field specifies the hostname to match against the request.
### Path
The `path` field specifies the path to match against the request.
### Query
The `query` field specifies the query string to match against the request.
The query string is the part of the URL that comes after the `?` character, and it contains a list of key-value pairs
separated by `&` characters.
### Redirect to
The `redirectTo` field specifies the URL to redirect the request to. If the request matches the specified values, it will be redirected to the specified URL.
### HTTP Status Code
The `httpStatusCode` field specifies the HTTP status code to use for the redirection. If not specified, it defaults to `301 Moved Permanently`.
## Example
```toml
[drop]
[[drop]]
hostname = "phishing.click"
path = "/login"
query = "id=123"
redirectTo = "https://poor.victim/login"
httpStatusCode = 301
[[drop]]
hostname = "phishing.click"
path = "/admin"
redirectTo = "https://poor.victim/admin"
httpStatusCode = 301
[[drop]]
hostname = "analytics.local"
redirectTo = "https://poor.victim"
httpStatusCode = 301
```

46
docs/config/redis.md Normal file
View file

@ -0,0 +1,46 @@
---
title: Redis
layout: default
permalink: /docs/redis
parent: Configuring Muraena
---
# Redis
Muraena uses Redis as a caching backend for the tracking module. This section is used to configure the Redis settings.
## Settings
### `Host`
The `host` field specifies the hostname of the Redis server.
Default: `127.0.0.1`
### `Port`
The `port` field specifies the port of the Redis server.
Default: `6379`
### `Password`
The `password` field specifies the password of the Redis server. If not specified, it defaults to an empty string.
Default: ``
## Useful commands
### Reset the Redis cache
This command will reset the Redis cache, removing all the keys and their values, effectively clearing the cache.
> **NOTE**: This operation is irreversible and will remove all the data Muraena has stored in the cache,
including tracking data and other useful information. Use with caution.
```bash
redis-cli FLUSHALL
```

144
docs/config/tls.md Normal file
View file

@ -0,0 +1,144 @@
---
title: TLS
layout: default
permalink: /docs/tls
nav_order: 5
parent: Configuring Muraena
---
# TLS
This section guides you through configuring TLS for your Muraena setup,
detailing how to enable HTTPS, manage certificate paths, and adjust SSL/TLS parameters.
By meticulously configuring these settings, you create a secure and authentic-looking façade
that effectively masks the malicious nature of the phishing server,
thereby increasing the likelihood of successful credential capture.
## Settings
### `Enabled`
When enabled, Muraena listens for incoming connections over HTTPS.
### <s>`Expand`</s>
> **NOTE**: This is a deprecated option and will be removed in future versions.
When enabled, Muraena will expand store the certificates content directly in the configuration file.
### `Certificate`
Path to the TLS certificate file.
### `Key`
Path to the TLS private key file.
### `Root`
Path to the root CA certificate file, if needed for chain verification.
### `SSLKeyLog`
If set, Muraena will log the SSL keys to the specified file, which can be useful for debugging encrypted traffic.
This option is particularly useful when you need to decrypt SSL/TLS traffic using Wireshark or similar tools.
You could use [tshark](https://www.wireshark.org/docs/man-pages/tshark.html) to dump all the incoming traffic to a file
and then use Wireshark to decrypt the traffic using the SSL keys log file.
```bash
# Dump all the incoming traffic on:
# -i any: listen on all interfaces, you should replace this with the interface used by Muraena
# -f "port 443": filter traffic on port 443, you should replace this with the port listened by Muraena
# -w muraena_$(date +%y_%m_%d_%H_%M_%S).pcapng: write the traffic to a file
# -v: verbose mode
tshark -i any -f "port 443" -w muraena_$(date +%y_%m_%d_%H_%M_%S).pcapng -v
```
// Minimum supported TLS version: SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3
MinVersion string `toml:"minVersion"`
MaxVersion string `toml:"maxVersion"`
PreferServerCipherSuites bool `toml:"preferServerCipherSuites"`
SessionTicketsDisabled bool `toml:"SessionTicketsDisabled"`
InsecureSkipVerify bool `toml:"insecureSkipVerify"`
RenegotiationSupport string `toml:"renegotiationSupport"`
### `MinVersion`
The minimum supported TLS version. Supported values are:
- `SSL3`
- `TLS1` (default)
- `TLS1.1`
- `TLS1.2`
- `TLS1.3`
### `MaxVersion`
The maximum supported TLS version. Supported values are:
- `SSL3`
- `TLS1`
- `TLS1.1`
- `TLS1.2`
- `TLS1.3` (default)
### `RenegotiationSupport`
Defines the TLS renegotiation support mode. Supported values are:
- `NEVER` (default): Disables renegotiation.
- `ONCE`: Allows renegotiation once per connection.
- `FREELY`: Allows renegotiation at any time.
The renegotiation options might be useful in specific scenarios,
such as when you need to support legacy clients or servers that require renegotiation support.
### <s>`PreferServerCipherSuites`</s>
> **NOTE:** PreferServerCipherSuites is a legacy field and has no effect.
It used to control whether the server would follow the client's or the
server's preference. Servers now select the best mutually supported
cipher suite based on logic that takes into account inferred client
hardware, server hardware, and security.
### `SessionTicketsDisabled`
`SessionTicketsDisabled` may be set to `true` to disable session ticket and
PSK (resumption) support. Note that on clients, session ticket support is
also disabled if ClientSessionCache is nil.
### `InsecureSkipVerify`
InsecureSkipVerify defines whether Muraena verifies the server's certificate chain and host name.
`InsecureSkipVerify` in Muraena is set to `false` by default, which means that the server certificate verification is enabled.
However, you can set it to `true` to skip the server certificate verification,
in the case of self-signed certificates or other scenarios where the target server's certificate cannot be verified.
## Examples
### Basic Example
This example enables Muraena to listen for incoming connections over HTTPS, using the specified certificate and key files.
All other settings are left to their default values.
```toml
[tls]
enabled = true
certificate = "./config/cert.pem"
key = "./config/key.pem"
root = "./rootCA.pem"
```
### Advanced Example
The following example enables TLS and sets the minimum and maximum TLS versions to `TLS1.2` and `TLS1.3`
respectively. It also disables the server certificate verification and logs the SSL keys to `./log/sslkey.log`.
```toml
[tls]
enabled = true
certificate = "./config/cert.pem"
key = "./config/key.pem"
root = "./config/rootCA.pem"
sslKeyLog = "./log/sslkey.log"
minVersion = "TLS1.2"
maxVersion = "TLS1.3"
insecureSkipVerify = true
```

281
docs/config/transform.md Normal file
View file

@ -0,0 +1,281 @@
---
title: Transform
layout: default
permalink: /docs/transform
nav_order: 3
parent: Configuring Muraena
---
# Transform
In phishing operations, effectively altering the HTTP traffic between the victim and the legitimate site is essential
for maintaining the authenticity of the phishing site.
The Transform section in Muraena's configuration provides the necessary settings for detailed manipulation of HTTP
requests and responses.
This capability ensures that the phishing site not only mirrors the appearance of the genuine site but also replicates
its behavior, enhancing the credibility of the phishing campaign.
This section will guide you through the configuration of transformation rules, focusing on the technical aspects of how
to intercept and modify traffic. You'll learn how to encode content, manage MIME types, customize user agents,
map subdomains, and transform headers and content, all of which are pivotal in crafting a convincing phishing site.
## Settings
### `base64`
By enabling `base64` Muraena will try to transform any content, both request and response, that is Base64 encoded.
This is useful when the target site uses Base64 encoding for specific data elements, such as tokens or cookies,
and you want to ensure that the phishing site can handle these elements correctly.
#### Parameters
- **`enabled`** (default `false`): Toggles Base64 encoding for parts of the communication.
- **`padding`** (default `["=", "."]`): Specifies the padding characters used in Base64 encoding, which can be adjusted
to match the encoding specifications of the target site.
### Request
The Request section specifies where the transformation rules should be applied to the requests sent from the phishing
server to the legitimate site.
#### `userAgent`
You can specify a custom User-Agent string to be used in the requests sent from the phishing server to the legitimate site.
#### `headers`
`headers` defines a list of HTTP headers to be transformed during the request phase.
HTTP headers usually contain metadata about the request, and modifying them can help in bypassing certain security
controls as well as avoid leaking information about the phishing server.
For example, `Referer` headers can be modified to ensure that the phishing site's URL is not leaked to the legitimate site.
Commonly headers to transform include:
- `Cookie`
- `Referer`
- `Origin`
- `X-Forwarded-For`
#### `remove`
##### `headers`
`headers` defines a list of HTTP headers to be removed during the request phase.
HTTP headers usually contain metadata about the request, and removing them can help in bypassing certain security
controls as well as avoid leaking information about the phishing server.
For example, if Muraena is running behind a reverse proxy, you might want to remove the `X-Forwarded-For` header to avoid
leaking the real client's IP address to the legitimate site.
Or if you're using a custom header to track requests, you might want to remove it to avoid leaking information about the
phishing server.
Commonly headers to transform include:
- `X-Forwarded-For`
#### `add`
##### `headers`
`headers` defines a list of pairs of HTTP headers to be added during the request phase.
The first element is the header name and the second element is the header value.
For example, you might want to add a custom header to track requests, or to add a header to bypass security controls on
the legitimate site.
```toml
[transform.request]
add = [
{name = "X-Phishing-Header", value = "Phishing"}
]
```
### Response
The Response section specifies where the transformation rules should be applied to the responses sent from the legitimate
site to the phishing server.
Transforming the response from the legitimate site is key to maintaining the phishing site's facade.
This includes modifying both HTTP headers and body to ensure they point back to the phishing domain.
#### `skipContentType`
Muraena will try to transform any response content. However, certain content-types might not need transformation,
either for performance considerations or to maintain functionality (like binary data or certain scripts), see for
example the `font/*` and `image/*` content types.
By specifying `skipContentType`, you can define a list of MIME types that should not be transformed or encoded,
ensuring proper handling of non-text content.
The `skipContentType` is a list of MIME types that should not be transformed or encoded, ensuring proper handling of
non-text content. You could use wildcards to match multiple content types, for example, `image/*` would match all image
types, and `font/*` would match all font types.
If `skipContentType` is not specified, Muraena will skip transformation for the following content types:
- `font/*`
- `image/*`
##### Example
The following example skips transformation for `image/jpeg` and all font types.
```toml
[transform]
skipContentType = ["image/jpeg", "font/*"]
```
#### `headers`
`headers` defines a list of HTTP headers to be transformed during the response phase.
HTTP headers usually contain metadata about the response, and modifying them can help in bypassing certain security
controls as well as avoid leaking information about the legitimate site.
For example, `Location` headers can be modified to ensure that the real site's URL is changed to the phishing site's URL.
Commonly headers to transform include:
- `Location`
- `WWW-Authenticate`
- `Origin`
- `Set-Cookie`
- `Access-Control-Allow-Origin`
#### `customContent`
`customContent` defines a list of content transformation rules to be applied to both response headers and body.
The rules are defined as a list of pairs, where the first element is the search string and the second element is the
replacement string. `customContent` works by searching for the `search` string in the response content and replacing it
with the `replace` string.
##### Example
This rule modifies all occurrences of `integrity=` to `integrify=` within the response content.
Such a modification aids in circumventing the `integrity` attribute found within `<script>` tags, which serves to verify
the script content's integrity.
By substituting `integrity` with an alternate attribute, namely `integrify`, the phishing site is enabled to execute
altered scripts unimpeded by integrity verification mechanisms. The browser overlooks the script content's integrity
check in this scenario, as it perceives `integrify` as an unrelated attribute and consequently disregards it.
```toml
[transform.response]
customContent = [
# search -> replace
["integrity=", "integrify="]
]
```
#### `cookie`
`cookie` defines a list of cookie transformation rules to be applied to the response cookies.
##### Parameters
- **`sameSite`**: Sets the cookie's `SameSite` attribute to `None`, `Lax`, or `Strict`.
If not specified, it is left unchanged.
#### `remove`
##### `headers`
`headers` defines a list of HTTP headers to be removed during the response phase.
HTTP headers usually contain metadata about the response, and remove them can help in bypassing certain security
controls as well as avoid leaking information about the legitimate site.
Removing headers can also help weaken security controls on the legitimate site, such as removing `Content-Security-Policy`
headers to allow for more flexible content injection.
Commonly headers to transform include:
- `Content-Security-Policy`
- `Content-Security-Policy-Report-Only`
- `Report-To`
- `X-Content-Type-Options`
- `X-Frame-Options`
- `Referrer-Policy`
#### `add`
##### `headers`
`headers` defines a list of pairs of HTTP headers to be added during the response phase.
The first element is the header name and the second element is the header value.
For example, you might want to add a custom header to track responses, or to add a header to bypass security controls on
the legitimate site.
```toml
[transform.request]
add = [
{name = "X-Phishing-Header", value = "Phishing"}
]
```
## Examples
### Basic Transform Example
```toml
[transform]
[transform.request]
headers = [
"Cookie",
"Referer",
"Origin",
"X-Forwarded-For"
]
[transform.response]
headers = [
"Location",
"Origin",
"Set-Cookie",
"Access-Control-Allow-Origin",
]
```
### Advanced Transform Example
```toml
[transform]
[transform.base64]
enabled = true
[transform.request]
userAgent = "Mozilla/5.0 (PhishingBot)"
headers = [
"Cookie",
"Referer",
"Origin",
"X-Forwarded-For"
]
remove = [
"X-Forwarded-For"
]
add = [
{name = "X-Phishing-Header", value = "Phishing"}
]
[transform.response]
skipContentType = ["image/jpeg", "font/*", "application/*"]
headers = [
"Location",
"Origin",
"Set-Cookie",
"Access-Control-Allow-Origin",
]
customContent = [
["integrity=", "integrify="]
]
remove = [
"Content-Security-Policy",
"Content-Security-Policy-Report-Only",
"Report-To",
"X-Content-Type-Options",
"X-Frame-Options",
"Referrer-Policy"
]
add = [
{name = "X-Phishing-Header", value = "Phishing"}
]
```

11
docs/debug.md Normal file
View file

@ -0,0 +1,11 @@
---
layout: default
title: Debugging Muraena
permalink: /debug
nav_order: 1
has_toc: true
---
# Debugging Muraena
TODO

BIN
docs/images/logo.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 440 KiB

33
docs/index.md Normal file
View file

@ -0,0 +1,33 @@
---
layout: home
title: Home
permalink: /
nav_order: 1
---
<img src="images/logo.png" alt="drawing" style="width:300px; display:block; margin-left:auto; margin-right:auto"/>
# Muraena
{: .fs-9 }
An almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
{: .fs-6 .fw-300 }
[Get started now](docs){: .btn .btn-primary .fs-5 .mb-4 .mb-md-0 .mr-2 }
[View it on GitHub](https://github.com/muraenateam/muraena){: .btn .fs-5 .mb-4 .mb-md-0 }
---
# Introduction
Welcome to the official documentation for Muraena, an automated, dynamic phishing kit designed to enhance and streamline
phishing simulations and security testing.
Developed by the Muraena Team, this tool is part of our commitment to advancing cybersecurity measures and understanding
through innovative solutions.
## About Muraena
Muraena is a cutting-edge tool that automates the process of phishing campaign deployment, making it simpler and more
efficient for security professionals to conduct sophisticated simulations. Unlike traditional phishing kits, Muraena
operates as a reverse proxy, intercepting and manipulating traffic between the victim and the legitimate website in
real-time, which allows for seamless and convincing phishing scenarios.

97
docs/infra/index.md Normal file
View file

@ -0,0 +1,97 @@
---
layout: default
title: Running Muraena
permalink: /infra/run
nav_order: 1
has_toc: true
---
# Running Muraena
## Requirements
In order to run Muraena in proper way, there is a couple of pre-requisite that
you have to set.
- Generate a wildcard certificate for your phishing domain
- Change or add some settings on the Operating System where Muraena will be run
- Customise your Muraena config file
**Wildcard certificate**
Valid wildcard certificate for the domain you want tho use for phishing. A good free option is LetsEncrypt:
```bash
certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.phishing.click -d phishing.click
```
LetsEncrypt will need web and DNS challenges:
* **web challenge**: start apache and create the required file in `/var/www/html` with the required file content
* **DNS challenge**: add the right `TXT` record
## System
Muraena needs at least 2x cores and 2x GB RAM.
If running on AWS, a `t2.medium` (2x vCPU, 2GB ram) is advised for standard campaigns with less than 1K targets.
For the Disk, always use SSD for better performance.
With plenty of simultaneous connections the Reverse Proxy will need mostly CPU and I/O.
If you plan to run large campaigns, in the order of more than 2K people emailed at the same time, expecting hundreds of
simultaneous clicks, then a `c5.xlarge` (4x vCPU, 8GB ram) instance will be better.
The VPS performance depends also on the complexity of the site being reverse proxied.
### `Ulimit` increase
If a lot of victims connect at the same time, the default open files settings are not enough.
It is recommended to increase to max the following:
```bash
$ sudo vim /etc/sysctl.conf
# add the following line to it
fs.file-max = 65535
$ sudo vim /etc/security/limits.conf
# add following lines to it
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
root soft nproc 65535
root hard nproc 65535
root soft nofile 65535
root hard nofile 65535
$ sudo vim /etc/pam.d/common-session
# add this line to it
session required pam_limits.so
# Reboot the machine!
```
Test with `ulimit -n` if you get > 65K files.
### Redis installation
Muraena uses Redis as a database to store the harvested credentials and sessions.
Nothing specific is required for Redis, just follow instruction from [Redis](https://redis.io/topics/quickstart) for the installation.
```bash
sudo apt-get install redis-server
sudo systemctl enable redis-server.service
sudo vim /etc/redis/redis.conf
````
Change the following settings in the Redis configuration file:
```text
maxmemory 256mb
maxmemory-policy allkeys-lru
```
Restart Redis after the changes and enable it to start on boot:
```bash
sudo systemctl restart redis-server.service
sudo systemctl enable redis-server.service
redis-cli ping
```

17
docs/modules/index.md Normal file
View file

@ -0,0 +1,17 @@
---
layout: default
title: Supported Modules
permalink: /modules
nav_order: 2
has_children: true
has_toc: false
---
# Supported Modules
Muraena supports the following modules:
- [Tracker](./tracker.md)
- [Static Server](./staticserver.md)

56
docs/modules/staticserver.md Normal file
View file

@ -0,0 +1,56 @@
---
title: Static Server
layout: default
permalink: /modules/staticserver
nav_order: 2
parent: Supported Modules
---
# Static Server
Muraena incorporates the capability to host and serve static files, such as custom JavaScript, CSS, images, or
downloadable content, directly from a designated local directory.
This feature is particularly useful for enriching the phishing site with additional resources that enhance its
resemblance to the legitimate target site or for distributing files intended for the victim.
The Static Server functionality is straightforward: it establishes a direct mapping between a specific URL path on the
phishing site and a folder on the local file system. When a request is made to this URL path,
Muraena responds by serving the corresponding file from the mapped local directory, seamlessly integrating it into
the phishing site's content.
## Configuration Options
### Local Path
Defines the file system path (`localPath`) from which static files will be served. This path should contain the static
resources you wish to make available through the phishing site.
### URL Path
Specifies the URL path (`urlPath`) that will be used to access the static files from the phishing site.
Setting this to `/static`, for example, would make the static files accessible via `http(s)://<phishing.site>/static/`.
### Listening Host
Determines the network interface (`listeningHost`) Muraena listens on for requests to the Static Server.
By default, it listens on all available interfaces, but it can be set to a specific IP address if needed.
Considering that the static server is "fronted" behind Muraena, this setting could be ignored, unless
you have a specific requirement to bind the static server to a specific IP address, maybe for a multi-homed server.
### Listening Port
Defines the port (`listeningPort`) on which the Static Server will listen for incoming requests. While this can be set
to a specific port, leaving it unspecified allows Muraena to select a port at random, which might be useful for
avoiding conflicts with other local services.
Similarly to the `listeningHost` setting, this setting could be ignored, unless you have a specific requirement to
bind the static server to a specific port.
## Example
The following example demonstrates how to configure the Static Server to serve files from the `/var/www/static`
directory on the phishing site under the `/static` URL path:
```toml
[staticServer]
enable = true
localPath = "/var/www/static"
urlPath = "/static"
```

95
docs/modules/tracker.md Normal file
View file

@ -0,0 +1,95 @@
---
title: Tracking Configuration
layout: default
permalink: /modules/tracker
nav_order: 1
parent: Supported Modules
---
# Tracking Configuration
The Tracking module in Muraena is an essential tool for monitoring user interactions and capturing sensitive information
during a phishing campaign. It provides a detailed framework for tracking user activities, from initial landing to
sensitive data capture, enhancing the operational effectiveness of the campaign.
## Settings Overview
### Enable
Enables or disables the entire tracking functionality. When `enable` is set to `true`, tracking features are activated,
allowing for the monitoring of user interactions and data capture.
### Track RequestCookies
`trackRequestCookies` flag is used to enable or disable the tracking of cookies in user requests.
When enabled, this feature allows Muraena to keep track of cookies in user requests.
This is useful for tracking client-side state and user sessions that are maintained through cookies.
### Trace
This section is dedicated to tracing user navigation within the phishing site, allowing for the identification and
redirection of users based on specific criteria.
- **`identifier`**: A unique identifier for tracking purposes, this string is used to track requests and identify users.
- **`header`**: Specifies an HTTP header used as part of the tracking mechanism, enabling the capture of custom header
values. (Default: `If-Range`)
- **`domain`** (optional): Tells Muraena to create tracking cookies for the specified domain. This is required if you want
to specify a domain different from the phishing site's domain.
- **`validator`**: A regular expression used to validate the victim's identifier. (Default: it must be a valid UUIDv4)
#### Landing
Configures how Muraena identifies and handles user landings on the phishing site.
- **`type`**: Determines the method of landing detection (`path` or `query`), allowing for flexibility in how landing
pages are recognized.
- **`header`**: An HTTP header that signals a landing event, useful for tracking landings through header analysis.
(Default: `If-LandingHeader-Redirect`)
- **`redirectTo`**: Specifies a URL to redirect users to after a landing is detected. This setting is applicable only
when the landing type is set to `path`.
### Secrets
Focuses on capturing sensitive information, such as credentials or personal data, through specified paths and pattern
matching.
#### Paths
`paths` is defines the list of URL paths monitored for sensitive information.
Paths can be specified as regular expressions to match multiple paths, or as exact paths to match a single path.
In order to consider a path as a regular expression, it must start with `^` and end with `$`.
For example, to match all paths that start with `/login` you can use the following regular expression: `^/login.*$`.
#### `Patterns`
Defines specific patterns for data capture, enhancing the precision of sensitive information extraction.
- **`label`**: A descriptive name for the pattern, aiding in the identification and categorization of captured data.
- **`matching`** (optional): The string used to identify sensitive information within the monitored traffic.
- **`start`** and **`end`**: Once the `matching` string is found, `start` and `end` are used to define the bounds of the
data to be extracted, ensuring accurate and efficient data capture.
## Examples
Below is an example configuration demonstrating the setup for user tracing and sensitive data capture:
```toml
[tracking]
enable = true
trackRequestCookies = true
[tracking.trace]
identifier = "user_id"
header = "X-Tracking-ID"
validator = "[a-zA-Z0-9]{5}"
[tracking.trace.landing]
type = "path"
header = "Landing-Detected"
redirectTo = "https://phishing.site/welcome"
[tracking.secrets]
paths = ["/login", "/submit"]
[[tracking.secrets.patterns]]
label = "Credential Capture - Username"
start = "username="
end = "&"
```