Demo lab - redlure

Target Audience: Offense

Short Abstract: redlure can be described as a distributed phishing platform. A centralized API (redlure-console) is where you create the different aspects of your phishing campaigns. This console controls secondary servers running a more basic API (redlure-workers) that do the actual hosting of your phishing sites and files and report results back to the main server. Existing tools can accomplish phishing, but a few features differentiate this one; they are described below.

Detailed Explanation of Tool:
redlure is a new open-source phishing framework, built from the ground up to advance pentest and red team phishing. It can also be used by defenders to simulate realistic internal phishing campaigns and train employees. redlure differentiates itself from existing frameworks through its distributed architecture, which lets operators manage many campaigns concurrently, and through its attention to detail, which lets you customize granular options such as URL paths.
redlure allows operators to create realistic, multi-page phishing scenarios, whether you are looking to harvest credentials or catch shells. Its distributed architecture allows multiple campaigns to run on different ports and/or servers while results are aggregated in a single interface. From that one interface you can generate phishing templates, build target lists, start and stop campaigns, change domains, change ports and generate LetsEncrypt certs on multiple workers.
There are three components in the redlure ecosystem:
1. redlure-console – The central backend API, written in Python and Flask, that the operator interacts with. The console allows for the creation of your phishing modules, stores your templates and data in a partially encrypted database, and manages your redlure-workers and phishing domains. Only one redlure-console is needed for your phishing infrastructure.
2. redlure-worker – A skeletal API, written in Python and Flask, that communicates with the redlure-console. Workers do the actual web hosting of your phishing pages and notify the console as targets open your emails, click links, download payloads and submit credentials. Your phishing infrastructure can consist of multiple redlure-workers.
3. redlure-client – The web interface, built with Angular 7, that allows interaction with the redlure-console. Your phishing infrastructure only needs one redlure-client.
The idea behind redlure was initially born out of a need to use multiple webpages in phishing campaigns (think phishing Office365 or Gmail credentials, where users are accustomed to entering usernames and passwords on successive pages). redlure allows you to chain up to four of your webpage templates together so that your phishing targets interact with your scenario in a manner that feels realistic. Four is often more than needed but allows for some additional creativity in your phishing. Templates are still created and stored individually but can be selected for use in succession when creating your campaign, using variables placed in your templates' HTML.

Another core feature of redlure is payload delivery. Each redlure-worker has a configurable upload directory to which you can upload payloads (or resource files) from the redlure-client. All files in your upload directory are then copied at runtime to the static folder of the web server that hosts your phishing campaign. When starting a campaign, one of these files can be hosted at a custom URL path and downloaded automatically when a page is browsed to, downloaded via buttons in your webpage template, or hyperlinked directly through a variable in your phishing email. Downloads are tracked and differentiated from clicks.

redlure also helps track your phishing domains and how each relates to your set of redlure-workers. You can cross-reference the IP addresses your domains resolve to against the IPs of your redlure-workers and use LetsEncrypt to generate SSL certificates for your domains, all from the web interface. If you do not use LetsEncrypt, redlure has the option to specify certificate file paths from other CAs, such as GoDaddy or Namecheap.

Short Developer Bio: Matt has been a member of the Schneider Downs cybersecurity practice since 2017, where he helps provide clients with penetration testing, red teaming and incident response services. One of Matt's focuses is offensive tool development, notably password spraying and phishing tools. Matt has served clients in the manufacturing, healthcare, automotive, financial and higher education industries.
PGP Key: