kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License

Redirect issue #14

Closed HachimanSec closed 6 years ago

HachimanSec commented 6 years ago

Hi Kuba,

First of all, pretty awesome tool. You and evilsocket made me look into Go, providing such awesome tools! Thanks for all your effort.

I just installed the binary for Kali Linux (4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64 GNU/Linux).

I was playing around in a local, virtualized environment based on VirtualBox.

For the victim, a Windows 7 box, I added a manual entry for "fakebook.com", pointing towards the local IP of the evilginx server.

The evilginx server was started and I used the linkedin phishlet (I know, the domain is confusing, but just some testing for myself ;) Because everything is local I have created a self-signed cert, which seems to work.

By accessing the tokenized URL I see the LinkedIn login screen. Entering my credentials works and is intercepted as designed. However, after that I end up in a "redirect" loop. Firefox ends with an error. IE simply hangs. On Evilginx I see constant redirects to "www.linkedin.com".

Any ideas what is going wrong here?

Cheers Tom

HachimanSec commented 6 years ago

I just tried it with the Facebook phishlet, which seems to have some redirect issues as well. This time the page is broken. However on the evilginx server nothing is visible.

kgretzky commented 6 years ago

Hey Tom!

Thanks for the kind words!

Please try not to use legitimate URLs of the targeted website in the redirection URL. Evilginx tries to replace them on the fly with the phishing URL and it responds with the redirect again, thus the reason for the infinite loop. If you just don't want to provide the redirect URL, generate the phishing URL without the redirection parameter:

phishlets get-url linkedin ""

Regarding the Facebook phishlet, the redirect may be broken as I haven't tested it properly yet.

Let me know if it helped for LinkedIn.

HachimanSec commented 6 years ago

You are welcome! I am already planning some public live hacks with evilginx2 to raise awareness for cyber security!

Thank you for the explanation. I guess I misunderstood the get-url parameter. When it is set to "" it works perfectly fine.

Just to make sure I got it, the get-url parameter is the URL that can optionally be set to redirect a user after successful authentication, right? Like I use the Google phishlet and later on I forward the user to YouTube.

Cheers Tom