Closed adnankhanakib closed 5 months ago
Hey,
This seems like a misconfiguration in Apache. Could you please take multiple screenshots showing the flow and the redirect you are describing, and paste here the URLs at each step?
Also, can you check that Evilginx is working on its own with the phishlet and email you are using, to eliminate the possibility that either of those might be causing this issue?
I forgot to add links in hosts; now I have configured it with certbot and am getting a proxy error. Is it possible to have a chat on Telegram?
Sorry no Telegram :/
This SSL handshake error means that either the certificates are not valid or their path is not correctly set for the Apache server. Make sure that you change the domain and cert paths at the top of this file here: https://github.com/waelmas/frameless-bitb/blob/main/apache-configs/win-chrome-bitb.conf

```apache
Define certsPathDir /etc/ssl/localcerts/
Define domain fake.com
```

(Note: the expected names of the cert files are fullchain.pem and privkey.pem, otherwise you should change them in the file above to the ones you are using)

```apache
SSLCertificateFile ${certsPathDir}${domain}/fullchain.pem
SSLCertificateKeyFile ${certsPathDir}${domain}/privkey.pem
```

Could you please try to run everything as shown in the video tutorial along with the self-signed certificates locally, then start changing things step by step to your desired setup?
Once you get things running as in the video, try then to generate the local certificates for your own domain instead of fake.com, then change the domain in the Apache config files along with the cert paths to know that the core SSL part works locally.
Below image is the configuration
and that's my directory files
Not sure if it's the screenshot not showing in full, but it looks like you have the cert files under /etc/ when you need to have them under /etc/letsencrypt/live/mydoconline.click/
So /etc/letsencrypt/live/mydoconline.click/fullchain.pem and /etc/letsencrypt/live/mydoconline.click/privkey.pem
Also please be careful to not share any sensitive information here (for example your server address and the full url of your test domain, instead try to mask some characters at least)
I hope you see the full path now (thanks for your advice)
Thank you.
Can you please run the following commands and paste the outputs inside codeblocks? (make sure to partially mask anything sensitive). And can you confirm that you are setting up everything as a sudo user?

```sh
sudo -l
cat ~/.evilginx/config.json
ls -la /etc/letsencrypt/live/mydoconline.click/
sudo apache2ctl configtest
tail -f /var/log/apache2/error.log
tail -f /var/log/apache2/access.log
```
sudo -l

```
Matching Defaults entries for root on server1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on server1:
    (ALL : ALL) ALL
```

cat ~/.evilginx/config.json

```json
{
  "blacklist": {
    "mode": "noadd"
  },
  "general": {
    "autocert": true,
    "bind_ipv4": "",
    "dns_port": 53,
    "domain": "mydomain.click",
    "external_ipv4": "162.XXX.XX.XXX",
    "https_port": 8443,
    "ipv4": "",
    "unauth_url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
  },
  "lures": [
    {
      "hostname": "",
      "id": "",
      "info": "",
      "og_desc": "",
      "og_image": "",
      "og_title": "",
      "og_url": "",
      "path": "/oNkVeNLf",
      "paused": 0,
      "phishlet": "O365",
      "redirect_url": "",
      "redirector": "",
      "ua_filter": ""
    }
  ],
  "phishlets": {
    "O365": {
      "hostname": "mydomain.click",
      "unauth_url": "",
      "enabled": true,
      "visible": true
    },
    "example": {
      "hostname": "",
      "unauth_url": "",
      "enabled": false,
      "visible": true
    }
  }
}
```

ls -la /etc/letsencrypt/live/mydoconline.click/

```
total 12
drwxr-xr-x 2 root root 4096 Apr 26 17:42 .
drwx------ 3 root root 4096 Apr 26 17:42 ..
lrwxrwxrwx 1 root root   41 Apr 26 17:42 cert.pem -> ../../archive/mydomain.click/cert1.pem
lrwxrwxrwx 1 root root   42 Apr 26 17:42 chain.pem -> ../../archive/mydomain.click/chain1.pem
lrwxrwxrwx 1 root root   46 Apr 26 17:42 fullchain.pem -> ../../archive/mydomain.click/fullchain1.pem
lrwxrwxrwx 1 root root   44 Apr 26 17:42 privkey.pem -> ../../archive/mydomain.click/privkey1.pem
-rw-r--r-- 1 root root  692 Apr 26 17:42 README
```

sudo apache2ctl configtest

```
Syntax OK
```

tail -f /var/log/apache2/error.log

```
[Fri Apr 26 18:16:06.524082 2024] [proxy:error] [pid 5994:tid 140393795479296] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:06.524130 2024] [proxy_http:error] [pid 5994:tid 140393795479296] [client 116.202.246.84:56490] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://www.google.com/
[Fri Apr 26 18:16:43.581345 2024] [proxy:error] [pid 5994:tid 140393622501120] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:43.581668 2024] [proxy_http:error] [pid 5994:tid 140393622501120] [client 16.171.147.13:46664] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:16:46.403305 2024] [proxy:error] [pid 5994:tid 140393614108416] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:16:46.403358 2024] [proxy_http:error] [pid 5994:tid 140393614108416] [client 16.171.147.13:46676] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:19:55.455763 2024] [proxy:error] [pid 5994:tid 140393580537600] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:19:55.455857 2024] [proxy_http:error] [pid 5994:tid 140393580537600] [client 165.22.231.194:54628] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Fri Apr 26 18:20:59.686596 2024] [proxy:error] [pid 5894:tid 140393689642752] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed
[Fri Apr 26 18:20:59.686790 2024] [proxy_http:error] [pid 5894:tid 140393689642752] [client 51.81.46.212:37998] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
```

tail -f /var/log/apache2/access.log

```
94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET / HTTP/1.0" 200 11192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET /favicon.ico HTTP/1.0" 404 468 "http://sso.otherdomain.live/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
94.134.183.17 - - [26/Apr/2024:16:51:24 +0000] "GET /icons/ubuntu-logo.png HTTP/1.0" 200 3587 "http://sso.otherdomain.live/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
```
The output of the command tail -f /var/log/apache2/error.log indicates that your Evilginx server is unreachable.
Please try to change the Evilginx port back to 443 and get Evilginx to work on its own without the configs from this repo first, then switch the Evilginx port back to 8443 to run with this setup.
(To let Evilginx use 443 you most likely need to first stop Apache on port 443 by running sudo systemctl stop apache2)
Also, not sure if you replaced the domain in the Evilginx configs with mydomain as part of masking the actual used domain, but make sure the Evilginx domain and hostname are set to the same and correct domain as the frameless-bitb setup.
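The AH00957 "(111)Connection refused" entries above are Apache's mod_proxy reporting that nothing accepted a TCP connection on the ProxyPass target (127.0.0.1:8443), which is independent of any certificate problem. The small triage script below is an added example, not code from frameless-bitb or Evilginx: it pulls every backend that Apache failed to reach out of error.log lines, then probes each one to see whether something is listening there now. The sample log lines are constructed after the format in this thread, with an example client address; the regex and the function names are this example's own.

```python
import re
import socket

# Pattern for Apache mod_proxy's AH00957 line, modelled on the entries in this thread, e.g.
# "(111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed"
AH00957_RE = re.compile(
    r"AH00957: (?P<scheme>\w+): attempt to connect to "
    r"(?P<host>[\w.\-]+):(?P<port>\d+) \([\w.\-]+\) failed"
)

# Constructed sample lines (not the real log), following the format shown in the thread.
# The AH01114 line names only the host, so it carries no port and is ignored on purpose.
SAMPLE_ERROR_LOG = [
    "[Fri Apr 26 18:16:06.524082 2024] [proxy:error] [pid 5994:tid 1] "
    "(111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed",
    "[Fri Apr 26 18:16:06.524130 2024] [proxy_http:error] [pid 5994:tid 1] "
    "[client 203.0.113.5:56490] AH01114: HTTP: failed to make connection to backend: 127.0.0.1",
    "[Fri Apr 26 18:16:43.581345 2024] [proxy:error] [pid 5994:tid 2] "
    "(111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed",
]


def failed_backends(log_lines):
    """Count AH00957 failures per (scheme, host, port) across the given log lines."""
    counts = {}
    for line in log_lines:
        m = AH00957_RE.search(line)
        if m is None:
            continue
        key = (m.group("scheme").lower(), m.group("host"), int(m.group("port")))
        counts[key] = counts.get(key, 0) + 1
    return counts


def backend_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds, i.e. something is listening there.

    Connection refused (errno 111, as in the log) means no listener on that address/port;
    a timeout usually means a firewall or a service bound to a different address.
    Both are reported as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(log_lines):
    """For each backend Apache failed to reach, report whether it is reachable right now."""
    return {f"{host}:{port}": backend_reachable(host, port)
            for (_, host, port) in failed_backends(log_lines)}


def demo_reachability():
    """Show both outcomes deterministically: probe a throwaway loopback listener,
    then probe the same port after closing it (which yields connection refused)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    up = backend_reachable("127.0.0.1", port)
    srv.close()
    down = backend_reachable("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    print("failures per backend:", failed_backends(SAMPLE_ERROR_LOG))
    print("reachable now:", triage(SAMPLE_ERROR_LOG))
    print("demo (listening, closed):", demo_reachability())
```

On the server itself, `sudo ss -ltnp | grep ':8443'` answers the same question directly: if nothing is listed, Evilginx is not bound to 8443 (not running, or running with a different https_port or bind address), and Apache will keep logging AH00957 no matter how the certificates are configured.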
I noticed that my Evilginx is not storing the hostname; every time I run it, it gets reset.
You have to keep Evilginx running in a separate terminal or using a tmux session. When you start it up, you have to set the hostname and IP for the phishlet explicitly. I'm sure there must be a way to make this persistent but can't remember off the top of my head.
Unfortunately I can't help much with Evilginx setup as it's another topic on its own. If you manage to get Evilginx working correctly and then face an issue specifically with Frameless-BITB, please open a new issue with as many logs and as much info as possible.
I will be closing this issue for now since the problem is on the Evilginx side of things, but feel free to create a new issue as explained above.
Best of luck!
I am getting a page view like this. Also, it redirects to login directly, no landing.