kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.94k stars 1.97k forks source link

Is this issue phishlet related? (Not asking for phishlet help) #1062

Closed hootyjeremy closed 6 months ago

hootyjeremy commented 6 months ago

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

I am having issues with my first install which I'm doing locally for purposes of understanding session cookie stealing to bypass MFA. I can get a page to load but there are some issues with the login process and I am just trying to figure out if it is phishlet related. I don't want help with correcting a phishlet if this is the source of the problem. I just want to check if what I'm seeing is happening because of a phishlet.

The problem: I had assumed that since all traffic is reverse-proxied, that all domains listed in the network tab of dev tools would begin with the domain name configured in evilginx. But I am seeing calls to actual servers which doesn't seem like I should be seeing this. Should this not be happening? Should all domains be pre-pended with the one configured for evilginx phishlet/lures?

image

Thanks.

hootyjeremy commented 6 months ago

I'm not trying to get involved in a Telegram chat. I just need a public comment answer if anybody can help me out here.

matejsmycka commented 6 months ago

yes, all domains should be in phishlet, otherwise it wont work. If your domain is not proxied, then it is badly configured, I have Microsoft phishlet with MFA working, however i think its against rules to post it,

hootyjeremy commented 6 months ago

Oh, I see. I was hoping this was a turnkey thing instead of "some assembly required" so that I could just learn something quick about how to mitigate against cookie theft but it sounds like I'm going to have to deep dive into phishlet tailoring and maybe even source code. At least the repository is a good running start.

gballer01 commented 6 months ago

yes, all domains should be in phishlet, otherwise it wont work. If your domain is not proxied, then it is badly configured, I have Microsoft phishlet with MFA working, however i think its against rules to post it,

Please I would love to get in touch with you!! I have issue with mfa bypass!!