An0nUD4Y / Evilginx2-Phishlets

Evilginx3 Phishlets version (0.2.3 & above) Only For Testing/Learning Purposes
https://github.com/kgretzky/evilginx2

Paypal Phishlet unable to handshake client. #24

Closed benjibrown closed 1 year ago

benjibrown commented 1 year ago

The error I am receiving is as follows: "2023/08/11 18:18:38 [005] WARN: Cannot handshake client t.paypal.com EOF" upon my lure link being opened.

I've checked out t.paypal.com and it's just a 404 page now. Is this phishlet outdated?

An0nUD4Y commented 1 year ago

Paypal has added some detections based on the domain name. Had tested it on localhost using paypal[.]com as the evilginx domain, and it was working fine.

So the detection is most probably based on the domain name; I am still not able to figure it out.

Check if any of the below stuff helps; this is what I was able to find in 2-3 hours of work. It may help you if you want to patch the phishlet.

# PATCH 2
## Google recaptcha 
# https://www.paypalobjects.com:443  = aHR0cHM6Ly93d3cucGF5cGFsb2JqZWN0cy5jb206NDQz

# PATCH 3
# https://www.paypalobjects.com/web/res/0a4/f8d65c4baa5f02c4e59e7ccc8f389/js/lib/modernizr-2.6.1.js
# https://www.paypalobjects.com/web/res/0a4/f8d65c4baa5f02c4e59e7ccc8f389/js/ioc.js
# https://www.paypalobjects.com/pa/js/min/pa.js

# PATCH 4 (Detecting Domain name)
# Common methods are

# document.location
# window.location
# document.domain
# location.host
# paypal\.com (regex based search in source code)
# 
# document.getElementById("btnNext").baseURI

# var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig;
# var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig; domain="www.paypal.com";

#       function isPayPalDomain(domain) {
#           var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig;
#           return paypalDomainRegex.test(domain);
#       }

# PATCH 5
# in pa.js file
# var p=window.location&&window.location.hostname||"",t="https://objects.paypal.com",e="corp",F="https://t.paypal.com/ts",s="",U=".paypal.com",M=/\.(paypal(inc|corp))\.com$/i,B=(!s&&M.test(p)&&(s=e),/\.cn$/);
# var p="www.paypal.com",t="https://www.paypalobjects.com",e="corp",F="https://t.paypal.com/ts",s="",U=".paypal.com",M=/\.(paypal(inc|corp))\.com$/i,B=(!s&&M.test(p)&&(s=e),/\.cn$/);

# function z() {
#    return !s &&
#    B.test(p)
#  }

# !function () {
  # 'use strict';
  # var p = window.location &&
  # window.location.hostname ||
  # '',
  # t = 'https://objects.paypalobjects.com',
  # e = 'corp',
  # F = 'https://t.paypal.com/ts',
  # s = '',
  # U = '.paypal.com',
  # M = /\.(paypal(inc|corp))\.com$/i,
  # B = (!s && M.test(p) && (s = e), /\.cn$/);
  # function z() {
    # return !s &&
    # B.test(p)
  # }
  # z() &&
  # (
    # t = 'https://objects.paypal.cn',
    # F = 'https://t.paypal.cn/ts',
    # U = '.paypal.cn'
  # );

# PATCH 6
# in pa.js file
# var Oe={pp:/\.paypal\.com$/,ql:Y.all,all:Q};
  # var Oe = {
    # pp: /\.paypal\.com$/,
    # ql: Y.all,
    # all: Q
  # };

# PATCH 7
# Possibly some js code is waiting for all the resources to get load before redirection
# window.onload = function() { // All resources are loaded };
# document.addEventListener('DOMContentLoaded', callback)
# document.readyState
# 

# PATCH 8
# Suspicious js files
# signin-split.js
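The hostname check quoted under PATCH 4, written out from the site owner's side as an added example of what such a client-side check does and where it misfires; this is not code from the thread or from the phishlet project. The regex and the name isPayPalDomain come from the comment above; the helper names, the allowlist and the sample hostnames are constructed for the example.

```javascript
// Added example, not code from the thread or the phishlet project.
// The regex and the name isPayPalDomain are quoted from the comment above;
// everything else here (helper names, allowlist, sample hosts) is constructed.

// Regex exactly as quoted in the thread, including the /g flag.
const QUOTED_REGEX = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig;

// Same pattern without /g. RegExp.prototype.test on a /g regex advances
// lastIndex between calls, so one shared /g regex alternates true/false on
// the same input: a detection check built on it fires only every other call.
const DOMAIN_REGEX = /\.(paypal|venmo|paypalobjects)\.com(:\d{1,5})?$/i;

// Calls the shared /g regex n times on one host and returns each result.
function testSharedGlobalRegex(host, n) {
  const results = [];
  for (let i = 0; i < n; i++) results.push(QUOTED_REGEX.test(host));
  return results;
}

// The thread's check with the /g flag removed: a suffix match on the host.
// Note it requires a leading dot, so the bare apex "paypal.com" is rejected.
function isPayPalDomain(host) {
  return DOMAIN_REGEX.test(host);
}

// Stricter variant (constructed allowlist): normalise case, drop a trailing
// dot and any port, then require an exact registrable domain or a subdomain
// of one on a label boundary, so "notpaypal.com" and
// "www.paypal.com.attacker.example" are both rejected.
const ALLOWED_DOMAINS = ['paypal.com', 'venmo.com', 'paypalobjects.com'];

function normaliseHost(hostWithPort) {
  return String(hostWithPort)
    .toLowerCase()
    .replace(/\.$/, '')
    .replace(/:\d{1,5}$/, '');
}

function isAllowedHost(hostWithPort) {
  const host = normaliseHost(hostWithPort);
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}
```

A check like this runs in the browser and only sees what the page was served with, so it is a monitoring signal rather than a control. Origin-bound authentication such as WebAuthn, where the authenticator signs the real origin into the assertion, is the mitigation that does not depend on client-side script.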