kgretzky / evilginx

PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2
MIT License
1.06k stars 260 forks

CloudFlare Restriction #66

Open timretzlaff opened 6 years ago

timretzlaff commented 6 years ago

Hey! Thanks for this amazing system, it has helped our company tackle several security issues related to 2FA.

We were wondering if Evilginx was capable of capturing credentials from websites that use CloudFlare? So far, we've been unsuccessful using Evilginx to hack into our website since we use CloudFlare. Just wanted to see if there was any vulnerability we should look out for.

Thanks! Tim

kgretzky commented 6 years ago

Hey Tim.

Thanks a lot.

I haven't tried personally, but if you have such website, please contact me via email and I will be most happy to give it a try.


timretzlaff commented 6 years ago

Hi Kuba,

Wow, I did not expect someone with your prestige and abilities to get back to us so quickly! Thank you so much for your time.

The site we are building is called BitKido, and we want to set it up similarly to other popular digital wallet sites (and bitcoin trading sites) like Blockchain.info, Coinbase.com or Bitgo.com. We are going with CloudFlare to protect our servers, but wanted someone of your expertise to help ensure that our servers are truly impenetrable from MITM attacks.

Are you able to penetrate CloudFlare servers for either Blockchain.info or Bitgo.com? We are able to get session tokens but not login credentials, which is great! If you are also not able to get credentials, then we can feel more secure in our decision to go with CloudFlare. However, if your attacks succeed at penetrating either blockchain or bitgo, could you help us understand how in detail, and also, can you suggest any alternatives that might be better at keeping our servers protected?

Thanks! Tim


kgretzky commented 6 years ago

Hey Tim,

Thanks for the kind words. I'm flattered too much :)

I will most likely look into these. I'm currently trying to push Evilginx2 for release as soon as possible, so I plan to make this happen as the first priority.

After that I will for sure use the new version to look closer into CloudFlare sites and let you know what I'm able to find.

timretzlaff commented 6 years ago

Thank you Kuba.

That's awesome news regarding Evilginx2! When do you expect its release?

Regarding Cloudflare, what we've noticed is that we can capture the user session token from the CloudFlare proxy server (Set-Cookie: "__cfduid"), but the user's credentials are not logged. Instead, the .token file in /etc/evilginx/logs states that the username is "unknown" and the password field is left blank.

We attempted another potential workaround, and also were curious if you know of any vulnerabilities in this. On the website BitFlyer, there are no CloudFlare proxies set up, but any access of their main webserver through a reverse proxy is immediately redirected to port 444 (error). Any idea of how a hacker could get around this? This seems like a much more simple and cost-effective method than CloudFlare to prevent unauthorized access to our server using a penetration attack like Evilginx. Our security budget is limited, so we want to make the most intelligent decision that we can afford currently.

What do you think?

Best, Tim

P.S. My kind words are nothing compared to the wonderful knowledge you've provided for our company, Kuba. We've been able to pre-emptively avoid so many potential attacks from hackers all over the world due to the extensive knowledgebase you've constructed through Evilginx. We understand so much more now about the vulnerabilities in such systems. Thank you again from all of us!

We'd love to be able to chat with you live and ask some follow-up questions if you were at all willing or available in the next couple weeks? Anonymously, of course, as I'm sure this would be your preference.


timretzlaff commented 6 years ago

Hi Kuba,

I'm so sorry to bother you while you're finishing up Evilginx 2.0, but I think we might've found the most cost-effective way for us to avoid penetration and MITM attacks.

We set up a test template for the crypto exchange Jostpay.com since they don't use CloudFlare or reCaptcha (both of which seem to be rather impenetrable). They cleverly require Email 2-FA on EVERY login. So, importing the previous session token doesn't seem to make a difference, right? If so, I think we may go with that method. Please when you have a second to give it some thought, we'd love to know what you think!

Thank you again for your advice and time, Mr. Gretzky. We truly appreciate it.

Best regards, Tim


kgretzky commented 6 years ago

Hi Tim,

I'm very sorry to get back to you that late. Very happy to hear you learned something from what I wrote about 2FA.

I'm not sure about an answer to your question about BitFlyer as I did not test it yet myself. As for CloudFlare and reCaptcha, I'm pretty sure it has to be properly proxied with proper packet modifications and I may make it a weekend project to see for myself.

You mentioned that Jostpay requires an email 2FA on every login, but the thing is that after a successful login it must be saving the authentication cookie in the browser, so that it does not need to re-authenticate the user every time they refresh the page. If you take this cookie (intercept it with Evilginx for example) and import it into another browser, you may bypass the login screen entirely.

What you may try for your service as an extra defense is binding authentication tokens generated by your website to IP addresses. That way if at any time an attacker uses captured authentication tokens by hijacking the cookies, they will very likely login from a different IP address than the legitimate user (or the Evilginx proxy server).

Anyway, Evilginx 2 has finally been released! https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

Drop me an email and let me know of any web services that you know are using CloudFlare and/or reCaptcha. If their account registration is open on these websites I'd like to take a look myself eventually.
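The two points in the reply above (a session cookie captured by the proxy reopens the session even when the site demands email 2FA on every password login, and binding the token to the client IP blocks the replay) as an added, self-contained example. This is not code from evilginx or from anyone in the thread; it is a toy model of the site and of the proxy's position in the flow. User names, the password, the emailed code, tokens and the three IPs (RFC 5737 documentation addresses) are all constructed for the demo.

```python
"""Session-cookie replay against a site with email 2FA on every login,
and the effect of binding the issued token to the client IP.

Added example; not evilginx code and not the thread author's code.
The site sees the phishing proxy's IP, not the victim's, because the
victim's browser talks to the proxy and the proxy talks to the site.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

VICTIM_IP = "192.0.2.50"       # the real user's browser
PROXY_IP = "203.0.113.10"      # reverse-proxy phishing host (what the site sees)
ATTACKER_IP = "198.51.100.7"   # attacker's own browser


class SessionStore:
    """Server-side sessions keyed by a hash of the cookie value."""

    def __init__(self, bind_ip: bool) -> None:
        self.bind_ip = bind_ip
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked store does not leak usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "ip": client_ip}
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[str]:
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        if self.bind_ip and rec["ip"] != client_ip:
            return None  # token presented from an address other than the one it was issued to
        return rec["user"]


class WebApp:
    """Toy site: every password login also requires the emailed code."""

    def __init__(self, bind_ip: bool) -> None:
        self.sessions = SessionStore(bind_ip)
        self._users = {"alice": "correct horse"}          # constructed credentials
        self._pending_codes: Dict[str, str] = {}

    def send_email_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[user] = code
        return code  # would go out by email; returned here so the demo can relay it

    def login(self, user: str, password: str, code: str, client_ip: str) -> Optional[str]:
        ok_pw = hmac.compare_digest(self._users.get(user, ""), password)
        ok_code = hmac.compare_digest(self._pending_codes.pop(user, ""), code)
        if not (ok_pw and ok_code):
            return None
        return self.sessions.issue(user, client_ip)      # value of the Set-Cookie

    def dashboard(self, cookie: str, client_ip: str) -> str:
        user = self.sessions.resolve(cookie, client_ip)
        return f"200 dashboard for {user}" if user else "302 redirect to /login"


def run_scenario(bind_ip: bool) -> Dict[str, str]:
    """Victim logs in through the phishing proxy; the proxy captures the cookie."""
    app = WebApp(bind_ip)
    code = app.send_email_code("alice")   # the proxy relays the 2FA code like any other field
    cookie = app.login("alice", "correct horse", code, PROXY_IP)   # site sees PROXY_IP
    assert cookie is not None
    return {
        # Attacker imports the captured cookie into a browser on their own IP.
        "attacker_direct": app.dashboard(cookie, ATTACKER_IP),
        # Attacker replays the cookie through the same proxy host instead.
        "attacker_via_proxy": app.dashboard(cookie, PROXY_IP),
    }


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_ip={bind}: {run_scenario(bind)}")
```

Running it shows why email 2FA on every password login does not help against a relaying proxy: the code is just another form field the victim types into the phishing page, and once the cookie exists no later request re-checks it. IP binding stops the cookie being imported into the attacker's own browser, but not a replay routed through the same proxy host the victim used, and it will also log out legitimate users whose address changes (mobile networks, carrier NAT), so treat it as one extra signal rather than a complete fix.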