Stuff

Usage

Seems to need to target a set of templates (the "phishlets", one YAML per target site).

Needs ports 53 (DNS), 80 (HTTP) and 443 (HTTPS) free on the box and reachable from the internet.

We need to get phishlets or generate our own phishlets; what do we have online?

Seems you take an entire domain you control (not a TLD) and point its NS records at the host listening on 53, so Evilginx serves the DNS for it itself. (May be a problem on a cable modem; the site calls out Digital Ocean, perhaps they allow inbound 53/udp?)

The good part is that any subdomain will then resolve to that system. Burning a whole domain plus ports 443/80/53 = challenging (again, let's use Digital Ocean).

Ah, good old screen and tmux: keep the interactive session going via screen/tmux.

airbnb.yaml amazon.yaml booking.yaml citrix.yaml coinbase.yaml facebook.yaml github.yaml instagram.yaml linkedin.yaml o365.yaml okta.yaml onelogin.yaml outlook.yaml paypal.yaml protonmail.yaml reddit.yaml tiktok.yaml twitter-mobile.yaml twitter.yaml wordpress.org.yaml

Details https://github.com/kgretzky/evilginx2/tree/master/phishlets

Fun ones to get working would be Okta / reddit / twitter / paypal / o365

Evilginx 2.0 - Release https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens
Evilginx 2.1 - First Update https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens
Evilginx 2.2 - Jolly Winter Update https://breakdev.org/evilginx-2-2-jolly-winter-update/
Evilginx 2.3 - Phisherman's Dream https://breakdev.org/evilginx-2-3-phishermans-dream/
Evilginx 2.4 - Gone Phishing https://breakdev.org/evilginx-2-4-gone-phishing/

Other ways to get the cookies —

Pass the cookie? https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ An already-authenticated session cookie replayed from another machine walks straight past MFA. On Windows, Chrome's on-disk cookie store is encrypted for the user via the Microsoft Data Protection API (DPAPI), so you need to undo that first: https://www.slideshare.net/paulajanuszkiewicz/black-hat-europe-2017-dpapi-and-dpaping-decryption-toolkit

Benjamin Delpy has done some impressive research into this area and incorporated it into Mimikatz.

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit

(USERDA~1 is the 8.3 short name for "User Data", which avoids the space in the path.) Caveat: Chrome 80+ no longer DPAPI-protects each cookie value directly. Values are AES-256-GCM encrypted (prefix "v10") under a key stored base64-encoded in the profile's Local State file (os_crypt.encrypted_key), and it is that key which is DPAPI-protected for the user. Decrypting the cookies therefore takes both the DPAPI unwrap and the AES-GCM step, and the DPAPI part only works in the profile owner's context or with that user's DPAPI master key.

Sim Swapping