kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.94k stars 1.97k forks

New, Unrelated, Serious issue. #218

Closed thecityofhereafter closed 5 years ago

thecityofhereafter commented 5 years ago

Out of nowhere, a mostly working phishlet stopped letting me generate certificates for it after deleting the /root/.evilginx/crt folder.

```
: phishlets enable google
[18:06:53] [inf] enabled phishlet 'google'
[18:06:53] [inf] setting up certificates for phishlet 'google'...
[18:06:53] [war] failed to load certificate files for phishlet 'google', domain 'google.com.verify.computer': open /root/.evilginx/crt/google.com.verify.computer/google.crt: no such file or directory
[18:06:53] [inf] requesting SSL/TLS certificates from LetsEncrypt...
[18:06:54] [err] [‘accounts’.google.com.verify.computer] acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: Invalid character in DNS name
[18:06:54] [!!!] failed to obtain certificates
[18:06:54] [inf] disabled phishlet 'google'
```

`proxy_hosts:

thecityofhereafter commented 5 years ago

I'm still getting this with any google service phishlet using the domain accounts.google.com.verify.computer, but everything with facebook or other phishlets using different subdomains with Let's Encrypt works fine? And all these phishlets didn't have this problem until a few days ago (and I made no changes to them)? Did Let's Encrypt block me from registering a cert for this subdomain or something?

ewhitman1 commented 5 years ago

@thecityofhereafter can you upload the whole phishlet so that we can deeply look into the matter?

thecityofhereafter commented 5 years ago

https://github.com/thecityofhereafter/google.yaml/blob/master/google.yaml

@ewhitman1 It doesn't matter what phishlet I use, even a completely stripped one; if I try to use accounts.google as a subdomain in the encryption cert, Let's Encrypt throws the same error...?

kgretzky commented 5 years ago

The issue is that it tries to insert quotes into subdomain name:

‘accounts’.google.com.verify.computer

This never has happened to me. Do you know why this may be the case? Do you have a log with similar error when using some of the other phishlets, like linkedin?
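The ACME error in the log (`urn:acme:error:malformed ... Invalid character in DNS name`) is the CA applying the RFC 1123 hostname rules: each label may contain only ASCII letters, digits and hyphens, and the typographic quotes U+2018/U+2019 wrapped around `accounts` are neither. The check below is an added example, not code from evilginx2 or from anyone in this thread; the function name `validateHostname` is my own, and the two inputs are constructed from the name shown in the log and the name that was presumably intended. Running the same validation on a hostname before it ever reaches a CA is how an ACME client can turn an opaque 400 into a message that names the offending label and character.

```go
package main

import (
	"fmt"
	"strings"
)

// validateHostname checks a DNS name against the RFC 1123 hostname rules:
// 1..253 characters overall, each label 1..63 characters, labels made only
// of ASCII letters, digits and hyphens, and no label starting or ending
// with a hyphen. It returns nil for a valid name, otherwise an error that
// names the first offending label and character.
func validateHostname(name string) error {
	if len(name) == 0 || len(name) > 253 {
		return fmt.Errorf("hostname length %d out of range 1..253", len(name))
	}
	for i, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 {
			return fmt.Errorf("label %d %q has invalid length %d", i, label, len(label))
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return fmt.Errorf("label %d %q starts or ends with a hyphen", i, label)
		}
		// Ranging over a string yields runes, so a non-ASCII character such
		// as U+2018 is reported as a single character with its code point.
		for pos, r := range label {
			ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
				(r >= '0' && r <= '9') || r == '-'
			if !ok {
				return fmt.Errorf("label %d %q: invalid character %q (U+%04X) at byte %d",
					i, label, r, r, pos)
			}
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the name exactly as it appears in the log above,
	// and the plain ASCII name that was presumably intended.
	for _, h := range []string{
		"\u2018accounts\u2019.google.com.verify.computer",
		"accounts.google.com.verify.computer",
	} {
		if err := validateHostname(h); err != nil {
			fmt.Printf("%s -> rejected: %v\n", h, err)
		} else {
			fmt.Printf("%s -> ok\n", h)
		}
	}
}
```

The first input is rejected at label 0 with `invalid character '‘' (U+2018)`, which is the same condition the CA reported; the second passes. A CA will also reject the name after IDNA/punycode handling, since curly quotes are not permitted code points, so the quotes have to be removed at the source rather than encoded.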

thecityofhereafter commented 5 years ago

@kgretzky

Seriously? I thought that looked WRONG at first as well, but eventually I just assumed that you put those quotes in the text output on purpose to highlight the subdomain part...

Every single phishlet I use, including your STOCK phishlets, has the output show up with 'quotes'.mydomain.com; it happens on the stock linkedin phishlet, facebook, all of the stock phishlets show up with quotes in the ssh session & log/output...

I am happy to send any logs or info, is there a specific log that would be more helpful?

I don't know if the quotes in the log/output are actually the problem though!!! -- because I WAS able to get the facebook phishlet pretty much working correctly about 2 weeks ago, and it still showed those 'quotes' in the output when the facebook phishlet was working...

So you're thinking that Let's Encrypt is giving that error because of invalid characters in the domain name when attempting to register the certificate? If so, I can assure you that is NOT the issue, because I have registered hundreds of certificates for phishlets in my testing so far and every single time it still showed those quotes around the subdomain and still succeeded in getting the certificate. :)

Any other thoughts? Thanks!

kgretzky commented 5 years ago

Please do provide more logs of other phishlets doing the same.