waelmas / frameless-bitb

A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx.
BSD 3-Clause "New" or "Revised" License

Error on loading page #9

Closed adnankhanakib closed 5 months ago

adnankhanakib commented 5 months ago

I am getting a page view like this. Also, it redirects to the login directly, with no landing image.

waelmas commented 5 months ago

Hey,

This seems like a misconfiguration in Apache. Could you please take multiple screenshots showing the flow and the redirect you are describing, and paste here the URLs at each step?

Also, can you check that Evilginx is working on its own with the phishlet and email you are using, to eliminate the possibility that either of those might be causing this issue?

adnankhanakib commented 5 months ago

I forgot to add the links in hosts. Now I have configured it with certbot and I am getting a proxy error. Is it possible to have a chat on Telegram?


waelmas commented 5 months ago

Sorry no Telegram :/

This SSL handshake error means that either the certificates are not valid or their path is not correctly set for the Apache server. Make sure that you change the domain and cert paths at the top of this file here: https://github.com/waelmas/frameless-bitb/blob/main/apache-configs/win-chrome-bitb.conf

    Define certsPathDir /etc/ssl/localcerts/
    Define domain fake.com

(Note: the expected names of the cert files are fullchain.pem and privkey.pem; otherwise you should change them in the file above to the ones you are using.)

    SSLCertificateFile ${certsPathDir}${domain}/fullchain.pem
    SSLCertificateKeyFile ${certsPathDir}${domain}/privkey.pem

Could you please try to run everything as shown in the video tutorial, along with the self-signed certificates locally, and then start changing things step by step towards your desired setup?

Once you get things running as in the video, try to generate the local certificates for your own domain instead of fake.com, then change the domain in the Apache config files along with the cert paths, so you know that the core SSL part works locally.

adnankhanakib commented 5 months ago

Below is my configuration image.

And that's my directory files image.

waelmas commented 5 months ago

Not sure if it's the screenshot not showing in full, but it looks like you have the cert files under /etc/ when you need to have them under /etc/letsencrypt/live/mydoconline.click/

So /etc/letsencrypt/live/mydoconline.click/fullchain.pem and /etc/letsencrypt/live/mydoconline.click/privkey.pem.

Also, please be careful not to share any sensitive information here (for example your server address and the full URL of your test domain; instead, try to mask at least some characters).

adnankhanakib commented 5 months ago

I hope you see the full path now (thanks for your advice).

waelmas commented 5 months ago

Thank you.

Can you please run the following commands and paste the outputs inside code blocks? (Make sure to partially mask anything sensitive.) And can you confirm that you are setting up everything as a sudo user?

sudo -l

cat ~/.evilginx/config.json

ls -la /etc/letsencrypt/live/mydoconline.click/

sudo apache2ctl configtest

tail -f /var/log/apache2/error.log

tail -f /var/log/apache2/access.log

adnankhanakib commented 5 months ago

sudo -l

Matching Defaults entries for root on server1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on server1:
    (ALL : ALL) ALL

cat ~/.evilginx/config.json

{
  "blacklist": {
    "mode": "noadd"
  },
  "general": {
    "autocert": true,
    "bind_ipv4": "",
    "dns_port": 53,
    "domain": "mydomain.click",
    "external_ipv4": "162.XXX.XX.XXX",
    "https_port": 8443,
    "ipv4": "",
    "unauth_url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
  },
  "lures": [
    {
      "hostname": "",
      "id": "",
      "info": "",
      "og_desc": "",
      "og_image": "",
      "og_title": "",
      "og_url": "",
      "path": "/oNkVeNLf",
      "paused": 0,
      "phishlet": "O365",
      "redirect_url": "",
      "redirector": "",
      "ua_filter": ""
    }
  ],
  "phishlets": {
    "O365": {
      "hostname": "mydomain.click",
      "unauth_url": "",
      "enabled": true,
      "visible": true
    },
    "example": {
      "hostname": "",
      "unauth_url": "",
      "enabled": false,
      "visible": true
    }
  }
}

ls -la /etc/letsencrypt/live/mydoconline.click/

total 12
drwxr-xr-x 2 root root 4096 Apr 26 17:42 .
drwx------ 3 root root 4096 Apr 26 17:42 ..
lrwxrwxrwx 1 root root   41 Apr 26 17:42 cert.pem -> ../../archive/mydomain.click/cert1.pem
lrwxrwxrwx 1 root root   42 Apr 26 17:42 chain.pem -> ../../archive/mydomain.click/chain1.pem
lrwxrwxrwx 1 root root   46 Apr 26 17:42 fullchain.pem -> ../../archive/mydomain.click/fullchain1.pem
lrwxrwxrwx 1 root root   44 Apr 26 17:42 privkey.pem -> ../../archive/mydomain.click/privkey1.pem
-rw-r--r-- 1 root root  692 Apr 26 17:42 README

sudo apache2ctl configtest

Syntax OK

tail -f /var/log/apache2/error.log

[Fri Apr 26 18:16:06.524082 2024] [proxy:error] [pid 5994:tid 140393795479296] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:06.524130 2024] [proxy_http:error] [pid 5994:tid 140393795479296] [client 116.202.246.84:56490] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://www.google.com/
[Fri Apr 26 18:16:43.581345 2024] [proxy:error] [pid 5994:tid 140393622501120] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:43.581668 2024] [proxy_http:error] [pid 5994:tid 140393622501120] [client 16.171.147.13:46664] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:16:46.403305 2024] [proxy:error] [pid 5994:tid 140393614108416] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:46.403358 2024] [proxy_http:error] [pid 5994:tid 140393614108416] [client 16.171.147.13:46676] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:19:55.455763 2024] [proxy:error] [pid 5994:tid 140393580537600] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:19:55.455857 2024] [proxy_http:error] [pid 5994:tid 140393580537600] [client 165.22.231.194:54628] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:20:59.686596 2024] [proxy:error] [pid 5894:tid 140393689642752] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:20:59.686790 2024] [proxy_http:error] [pid 5894:tid 140393689642752] [client 51.81.46.212:37998] AH01114: HTTP: failed to make connection to backend: 127.0.0.1

tail -f /var/log/apache2/access.log

94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET / HTTP/1.0" 200 11192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET /favicon.ico HTTP/1.0" 404 468 "http://sso.otherdomain.live/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET /icons/ubuntu-logo.png HTTP/1.0" 200 3587 "http://sso.otherdomain.live/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"

waelmas commented 5 months ago

The output of the command tail -f /var/log/apache2/error.log indicates that your Evilginx server is unreachable.

Please try to change the Evilginx port back to 443 and get Evilginx to work on its own, without the configs from this repo, first; then switch the Evilginx port back to 8443 to run it with this setup.

(To let Evilginx use 443, you most likely need to first stop Apache on port 443 by running sudo systemctl stop apache2.)

Also, I'm not sure if you replaced the domain in the Evilginx configs with mydomain as part of masking the actual domain used, but make sure the Evilginx domain and hostname are set to the same, correct domain as the frameless-bitb setup.

adnankhanakib commented 5 months ago

I noticed that my Evilginx is not storing the hostname; every time I run it, it gets reset.

waelmas commented 5 months ago

You have to keep Evilginx running in a separate terminal or in a tmux session. When you start it up, you have to set the hostname and IP for the phishlet explicitly. I'm sure there must be a way to make this persistent, but I can't remember off the top of my head.

Unfortunately, I can't help much with the Evilginx setup, as it's another topic on its own. If you manage to get Evilginx working correctly and then face an issue specifically with Frameless-BITB, please open a new issue with as many logs and as much info as possible.

I will be closing this issue for now, since the problem is on the Evilginx side of things, but feel free to create a new issue as explained above.

Best of luck!