kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License

Lure redirect_url not working #1040

Open kpomeroy1979 opened 2 months ago

kpomeroy1979 commented 2 months ago

@kgretzky The lure redirect_url option does not work. Regardless of the setting it does not redirect users after they complete the authentication and MFA flow using a Microsoft 365 Phishlet.

Functionality used to work, but it seems like something has changed recently. Sometime after he modified the redirect code in evilginx3/core/http_proxy.go from using a Location header with a 302 code to using JavaScript, the redirect_url is broken.

Each time the user authenticates and goes through the MFA workflow, the software captures credentials and session tokens, but then the whole process of logging in to MS365 starts over again, when in older versions it would redirect the user to somewhere (Google, the real MS365, a custom landing page, etc.).

matejsmycka commented 2 months ago

Are you sure the redirect_url is not proxied (aka defined in proxy_hosts) with auto_filter=true (default)? That would be a feature.

kpomeroy1979 commented 2 months ago

I found it. Those settings are in the actual phishlet itself in /usr/share/evilginx/phishlets/

Are you suggesting that I add auto_filter: true somewhere in the phishlet? Sorry I don't quite understand your advice.

Here are my current settings for my o365 Phishlet:

proxy_hosts:

matejsmycka commented 2 months ago

auto_filter: true is set by default.

Whenever you redirect a user to a URL in proxy_hosts, the filter is triggered, and all legitimate URLs are replaced with phishing URLs. So, you must redirect to a URL that is not in proxy hosts.

It is bad. However, it is a feature. I hope this will be modified in the future.

matejsmycka commented 2 months ago

The workaround is using some online URL shortener, which redirects users to legitimate sites.

Just search for URL shorteners and paste in the redirect URL; it will yield something like this: https://shorturl.at/hklsI

Which you can use as redirect_url.

matejsmycka commented 2 months ago

Also, the final page must meet all requirements in this IF statement.

https://github.com/kgretzky/evilginx2/blob/9e32484719681892945130187ea52737b3d72051/core/http_proxy.go#L1229

It is poorly implemented, and I had to change the source code and recompile my custom version for one use case.

roberthermanforex commented 4 days ago

@kgretzky @matejsmycka How do I address the issue where the Evilginx lure URL stops working after one successful session and requires clearing cookies?