How do you plan to do this? I believe it's all about real time monitoring of incoming emails and end user education We've even hacked banks with this -ethically-
Right. There should be a phishing network card interface designed to simply 'be dumb' override by default to allow the 'script kiddy' into a honey pot. Give them all sorts of useless information using Bot Framework Composer. ;/
I've only casually followed you over the years, but your last few videos have been superb and unlike what other content creators are producing, you are now to the top of my viewing list. Excellent job!
I tried the phishlets but every time I use evilnginx “Google Safe browser” marks it as insecure domain even before doing anything. Do guys have any idea why this getting got caught?
Cool demo! This is why admin folks should be configured for eligible role assignments where another MFA prompt is required to elevate privileges to admin. I wonder if a proper domain would be used (domain flipping), whether zScaler or Menlo (or any other modern proxy) would detect and prevent Evilginx.
We just started rolling out conditional access policies because of rampant phishing attacks and vulnerabilities in Microsoft's MFA apps. Now only registered and compliant devices can access company resources. It's cat and mouse but that's the game!
This seems a good time to point out that since a capability designates the resource that it operates on, it's largely not vulnerable to this class of attack.
Nicely done showcasing Evilginx and its possibilities. Would be nice if you would have mentioned that there are measures to tackle this sort of threat. Like FIDO2 security keys or even Microsoft Authenticator Phone Sign-In paired with the Conditional Access grant control of a compliant device. Maybe something for a new video to follow up with.
Haha follow up? Maybe if the front page of tech sites bring it up again, these videos are nothing but repackaged video versions of headlines from any computer security news site, super basic demonstrations that are obviously following an already written tutorial. Look elsewhere if you want real content
@@cryptoafc7655 do you mean the hardware token or the access token? Basically FIDO2 auth methods tie the auth factor to the online service and therefore you won’t be able to authenticate to the phishing site spun up by the evilginx reverse proxy.
Speaking from the defender side, orgs are implementing conditional access policies that will block sign ins not coming from company owned IP address spaces, and there are a lot of security mitigations in place to stop such phishing attacks. Although the large majority of users are never gonna click shady links like these, there will be a portion of users whom will, and there will be a tiny portion of those users whom will get phished all the way. User training and awareness is the number one security counter measure against such attacks.
How can you restrict remote logins to only company owned IP space? Force all remote users to use a Full-Tunnel VPN that sends all traffic through the office? What if the company network is down? Then no one can sign in.
@@iRyan230 You divide users in various subsets, for example, users that will always work on site have no reason to log in from foreign IPs. On the other end, there will always be a set of users who will need to use company resources on the go, and for those MFA and managed device policies are strictly enforced, alerting policies are more sensitive, raising alerts wherever any unfamiliar sign in activity is observed. As for the VPN, you can deploy enterprise grade VPN solutions with no downtime (in theory), you can get company specific IP spaces and those can be whitelisted in your IDP. This is by no means a perfect solution, but carefully designing these can mitigate a large portion of the threats, the rest can be easily handled by the incident response team. And regarding the example in this video, admin access is usually deferred to separate accounts that have even stricter access policies.
@@iRyan230conditional access policies will usually be based on location. If a user logins in from California at 8 am and then an hour later tries authenticating from Florida that sign in attempt will most likely be blocked.
He was asking more-so about the fact that if you do this, how do you handle your remote users (full-tunnel VPN?), or how do folks work when the network is down?@@Slickjitz
It would be amazing to see a demo of this tool with things like ubikey and passkeys to demonstrate how they aren't vulnerable to these kinds of attacks.
@@OrionsArm They would be immune because they'd simply fail to work due to the different domain name. The same as the password not being memorised in the browser.
@@OrionsArm The key exchange would fail with the different domain name, meaning no session cookie would be generated. I was disappointed that wasn't covered in this video.
Wait, When you used the victim page, you used your own ip-adress. When you used the session 3 and copied in firefox (cookie plugin) , did you still use your own ip-adress ? Because in Azure (not sure in M365) every logon is check from which ip-adress it comes from. When you have a session from IP-adres A , and you come with the same session with IP-adres B then this shouldn't work at Microsoft. It should detect and ask to do a MFA again. This is called conditional access in Azure AD. I think this exploit can be done on websites that don't cross check sessions with different ip-adresses. Thank you for the learning John
That was my line of thinking as well. What CA (conditional access) rule can we create to harden a tenant's configuration against this attack? Also great question about IP address usage, how would this behave when Microsoft detects this the session token from a different IP. Is this a default behavior or should we setup a CA rule to harden against it?
Atypical travel CA rule could do the trick here. For example trigger another MFA prompt when attacker attempts to signin instead of blocking the account, this alone could help, but not necessarily prevent the attack as the attacker might be connecting from a similar geographical location.
@@azountsu conditional access could be it has to be an Entra registered device (registered on your network talking to your domain controller/Active Directory so they'd have to be in your network to register) and it has to be a compliant device (which could be whatever parameters you set). Could also block all IPs from countries you know you'd never have users in or are known threats like Ukraine, Russia, China, etc.
John, I love your work and your content, I come here all the time, but UA-cam are making it almost impossible to follow along and pay attention. Ive just watched this and had adverts injects every 60-90 seconds. I really appreciate the work you do here. Please try to reduce the ads so i can watch and make notes (or tell me how I can subscribe to YOUR content without paying Google even more)
Only true way to stop is Fido 2 hardware token (stops token stealing)...User training, but that is it or Conditional Access grant control of a compliant device
Nice video John. Can you make one that shows how FIDO2 keys are not vulnerable to this type of attack? Also, maybe detailing what steps admins can follow to try to mitigate this attack as much as possible?
I’m not sure, but fido2 would be the same. Ultimately what your doing is stealing the cookies. So as long as websites uses cookies or auth tokens, you can do this
@@greyshopleskin2315 If you have malware on the client’s machine or have some other way of stealing the session cookie from their browser, then yes, it’s the same. However, if we’re just talking about preventing phishing, then FIDO2 and certificate based auth will never authenticate you on a malicious site to begin with thus no session cookie to steal.
@@greyshopleskin2315FIDO2 will not authenticate through a different domain (the phishing domain used in this video for example), no authentication, no cookie
@@sapuseven in my opinion FIDO2 would not work as it is tied to the actual domain name cryptographically. So as the phishing site is not using the correct domain name, the FIDO2 token will not work to log in. However still, if the user is able to use some fallback mechanism instead of FIDO2 then it can still be successful.
I love these videos. Now I can grab a copy of the tool, use it, and look for any generated IOCs from default usage. Another easy win for low hanging fruit!
@@nordgaren2358 the url generator has default values, like the random string at the end has a certain amount of characters and do not spell a word. So scanning for urls with that at the end might be a start
Hey john, thanks for the knowledge sharing again! But why not include the ip address of the user in the auth-tokens?? On the server-side just block the request if the auth-token's ip doesn't match the requester's (for instance the attacker). It also doesn't matter if the victim himself is behind a proxy, at least the token is only valid within that LAN. right?? 🤔🤔🤔🤔
Some people are connecting with a dynamic IP address which is changing from time to time, when your connection renews (and it can be forced as well, just restart your modem). So logging an IP address and only whitelisting that will lock you out from your account. Not to mention if you use VPNs for privacy reasons.
@@CZghostThey dynamic thing u said is fine I guess, cuz as long as you are connected (and even if you get disconnected for few minutes you will most likely get the same ip) you will have the same IP. Its more like a comprise for security rather than user experience which in something like banking web apps is good? IDK this whole thing was actually just a question.
Seems like a really good time since an auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn
It would be interesting to see how features such as Continuous Access Evaluation, from Conditional Access and Smart Links, from Defender for Office 365 would deal with this attack, as Microsoft says token replay is detected and blocked. Very good video anyway
Am I seeing this right, if we’d use a password manager to autofill the username/password, it wouldn’t suggest us the Microsoft password since the domain in the browser is not actually the Microsoft login?
Could the session/token be stolen if the end user is already signed in (ie. outlook web mail) or will he need to create a new access token to steal a valid cookie?
The available phishlets (And the one shown in the video) are not working btw. However, after many hours of tweaking you can get it to work - but password will not be displayed - you will have to know some java script. And it will not prompt user to login unless they are activly logged out (if already logged in you just get the token straight up - even better!).
Am I correct in stating that even if we used stronger forms of device authentication or a FIDO token the fact that you gain access to the session tokens to an extent nullifies those controls as the user session was still proxied?
I only want to this within a small company I work at cause our oversight clearly has information they should not have. They made it so obvious that I set very specific traps that only a person who had access to my account would know.. they didn't just fall into one but just about all of them. Ironically it led to illuminating their pet aka my co-worker who has been leaking information (over their long tenure, being this snakey gets them no benefit but they are the equivalent of a head house slave) lol. The deceptive, invasive, and unethical tactics they use have led me here which hacking is something I always frowned upon BUT I 100% condone punching back
Interesting idea for sure to reverse proxy all the traffic seamlessly. But again, at the end of the day, don't click dodgy links and verify which links you visit.
@@dyerseve3001 No. Cause the hacker has the session. You can access the account without entering any password. Yubikey is just a better secure 2FA. But once the hacker has your account session. You can't do anything except to log out to end the session.
Is this a sponsored video or just you covering a course and tool you thought was sick? Because this DOES seem sick. I’m just curious as to how the video came to be!
Seems like a really good time since a auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn. Just an FYI
even if you outsmart user to giveup their credentials, Microsoft still detect a new device login and notify the user. User can deny the usage of that new device and your access to the website will be gone in no time.
cookies must be verifying the client-agent & change in location. Hope the sign in from different location & device is notified to user & immediately changed the paswd. 🙄
I wouldn't focus so much on the simple example for social engineering in this video. The methodology around reverse proxies is the takeaway here. There are many examples of visually identical domains using Punycode for example which have successfully tricked admins. That being said, physical security keys resist this method since the domain doesn't match during the key exchange.
Nice video. How to prevent: Block sign in to 365 apps on unmanaged devices. But I wonder if you could make this test while user is logged in passwordless. Option 1 with Microsoft authenticator registered for passwordless sign in. Option 2 with WHfB passwordless authetication.
Yes also seen a Tenant branding one at the end of last week however surely that's not a surprise as the Reverse proxy will do whatever the tenant would have shown.
@@devonsurfer7619yup… I also worked with one that forwarded to another iDP too (Microsoft login page forwarding to Okta). This is such a mess and really frustrating that Microsoft is dragging their feet here. I know it’s complicated to resolve this at a large scale but it’s got to be one of the worst security threat’s organizations have faced in a long time.
Some people are absolute beginners. I have a question John, How did you connect your name and the server together? I mean digital ocean and your domain?
Awesome John, thank you so much for the time on your videos, u the best I have learned a lot with u and like how quick u explain and speak, keep it up Master
@_JohnHammond Do you know why companies like Microsoft are not mitigating this threat with the Security Hardening techniques you mentioned at 9:10 like "Security Token Validation". Is there a downside to implementing this?
They are dragging their feet with this attack which is seriously frustrating. This has got to be one of the largest security concerns organizations face today and they are practically silent in it(minus a blog post or two…)
Thanks for the demo, But my question is in reality who assigned global admin role to someone in a company who has not have a single idea about junk email accessibility. Microsoft builds a superb email security that protect this kind of attacks (Ratio 99.9%). Appreciate your time & effort. But this is twenty century. People are much aware of spamming email now. Make some hands-on attack simulation tutorial that really make sense.
There is one simple solution. Tradermarked names like onedrive or microsoft should not be allowed to be used in domains. This would solve 99% of phishing. Does stolen cookie leave login ip trace? I wonder if checking login history based on ip is secure enough or not anymore.
so M365 added the feature to show the geo location of the number matching request, would that still come from the victims geo IP since this is man in the middle ?
Since it operates as a proxy, I would suspect it would show the location of the server running evilginx. HTTPS alone would stop it somehow passing the victim's IP to Microsoft. We had a recent BEC that had MFA, we couldn't determine how but suspected token theft in this method. Another thing we tend to do is customize the login screen to hopefully give the end user a slight pause when they get the default theme.
@@dyerseve3001I’m all for changing the default theme but how would that offer protection here? The phishing site is still pulling from Microsoft in real time so the user would see the custom theme for your organization anyway.
If a conditional access is set (let's say it requires company device for employees to actually successfully log in), will that prevent the attacker from getting the access even with the session credentials stolen?
have programmed a HTML+CSS phishing website for my business. and I want to know how to get what user are typing on the login page so I can se if they are given out sensitive information
The lure is not the hook - lol The lure is the bait on the hook. The hook is the last thing they want. You can tell you're not a fisherman, neither am I. 🤣 (ha ha)
Because the tool is publicly available and the average individual such as yourself wouldn’t know about it, making you a target. The ‘bad guys’ already know about it and the more awareness generated towards the tool will push companies to strengthen their security architecture also making you aware of the tool.
This is the response im getting, im on evilginx v2.4.2. We're unable to complete your request invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
Can one change the format of receiving the login and tokens so that it is sent out to a discord Web hook or any other place instead of having to open evilginx to be listening?
Can you deep deeper into the part where the phishing email went into junk mailbox? Guessing it didnt pass spf/dkim/dmarc? Is there a way we can import a forged certificate?
Email going to spam shouldn’t matter at all since this is just demo purposes. These attacks very often come from senders the recipients already trust such as already comprised colleagues, or partner organizations, etc.
Jhon i was wondering if you could help me. I got blocked out of my own account because i cleared my cookies everytime i close my browser. Because i follow privacy online as a religion Microsoft AI got confused and locked my account because of "Suspiscious acitivity" Now there is a chain reaction that is triggerd and i lost most of my accounts because i have 30+ emails.. Can you please help me?
I am getting this error: "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid." I don't have that on my yaml file. Any comment on this?
Thanks for this. Now my concerns are real. Pushing the anti-phishing filters to a new level to all my clients
How do you plan to do this?
I believe it's all about real time monitoring of incoming emails and end user education
We've even hacked banks with this -ethically-
Will still get through regardless. Need to use hardware key mfa or Conditional Access policies..
@@trackker16 Conditional Access based on Device identity and location or fido keys :)
@@ryanfrank4834which specific conditional access policies do you recommend to combat this?
Right. There should be a phishing network card interface designed to simply 'be dumb' override by default to allow the 'script kiddy' into a honey pot. Give them all sorts of useless information using Bot Framework Composer. ;/
I've only casually followed you over the years, but your last few videos have been superb and unlike what other content creators are producing, you are now to the top of my viewing list. Excellent job!
This along with BitB attacks, are mad scary. I recently started building out infrastructure for both and they are a slam dunk. Great video John!
I have never seen BitB attacks outside of Steam - but im guessing its only going to grow :/
But if mails already mark in junk then what will be the use 😂
@@pravinsingh4184 Bypassing email filters is a separate thing- not as hard as you'd think if you are spearphishing/whaleing
I tried the phishlets but every time I use evilnginx “Google Safe browser” marks it as insecure domain even before doing anything. Do guys have any idea why this getting got caught?
@@pravinsingh4184Ma boy got a point
Cool demo!
This is why admin folks should be configured for eligible role assignments where another MFA prompt is required to elevate privileges to admin.
I wonder if a proper domain would be used (domain flipping), whether zScaler or Menlo (or any other modern proxy) would detect and prevent Evilginx.
We just started rolling out conditional access policies because of rampant phishing attacks and vulnerabilities in Microsoft's MFA apps. Now only registered and compliant devices can access company resources. It's cat and mouse but that's the game!
This seems a good time to point out that since a capability designates the resource that it operates on, it's largely not vulnerable to this class of attack.
Love the video as usual but the amount of times the word “ultimately” was said was astounding 😅
well ultimately it's to make a point 🤪
evilginx professional masterclass is what u should be
Nicely done showcasing Evilginx and its possibilities.
Would be nice if you would have mentioned that there are measures to tackle this sort of threat.
Like FIDO2 security keys or even Microsoft Authenticator Phone Sign-In paired with the Conditional Access grant control of a compliant device.
Maybe something for a new video to follow up with.
but they are saying even fido2 can be hacked if they steal the token
Haha follow up? Maybe if the front page of tech sites bring it up again, these videos are nothing but repackaged video versions of headlines from any computer security news site, super basic demonstrations that are obviously following an already written tutorial. Look elsewhere if you want real content
@@cryptoafc7655 do you mean the hardware token or the access token?
Basically FIDO2 auth methods tie the auth factor to the online service and therefore you won’t be able to authenticate to the phishing site spun up by the evilginx reverse proxy.
@@cryptoafc7655 Pretty sure Fido2 is resistant to this.
@@psclplg I have a Yubi key 5, and without touching the button on it. I can't log on anywhere
Yeah that's why I blocked .zip domain at my dns level😅 btw nice tool
Speaking from the defender side, orgs are implementing conditional access policies that will block sign ins not coming from company owned IP address spaces, and there are a lot of security mitigations in place to stop such phishing attacks. Although the large majority of users are never gonna click shady links like these, there will be a portion of users whom will, and there will be a tiny portion of those users whom will get phished all the way. User training and awareness is the number one security counter measure against such attacks.
How can you restrict remote logins to only company owned IP space? Force all remote users to use a Full-Tunnel VPN that sends all traffic through the office? What if the company network is down? Then no one can sign in.
@@iRyan230 You divide users in various subsets, for example, users that will always work on site have no reason to log in from foreign IPs. On the other end, there will always be a set of users who will need to use company resources on the go, and for those MFA and managed device policies are strictly enforced, alerting policies are more sensitive, raising alerts wherever any unfamiliar sign in activity is observed.
As for the VPN, you can deploy enterprise grade VPN solutions with no downtime (in theory), you can get company specific IP spaces and those can be whitelisted in your IDP. This is by no means a perfect solution, but carefully designing these can mitigate a large portion of the threats, the rest can be easily handled by the incident response team.
And regarding the example in this video, admin access is usually deferred to separate accounts that have even stricter access policies.
@@iRyan230conditional access policies will usually be based on location. If a user logins in from California at 8 am and then an hour later tries authenticating from Florida that sign in attempt will most likely be blocked.
He was asking more-so about the fact that if you do this, how do you handle your remote users (full-tunnel VPN?), or how do folks work when the network is down?@@Slickjitz
@@kylewolf5706 that’s why any good network engineer has built out redundancy so the network never truly goes down.
It would be amazing to see a demo of this tool with things like ubikey and passkeys to demonstrate how they aren't vulnerable to these kinds of attacks.
Unfortunately even they would not be immune since the attack is targeting the active session cookie
@@OrionsArm They would be immune because they'd simply fail to work due to the different domain name. The same as the password not being memorised in the browser.
@@OrionsArm The key exchange would fail with the different domain name, meaning no session cookie would be generated. I was disappointed that wasn't covered in this video.
@@mountainslopes Not a different domain name he is reverse proxying and using the actual domain name
@@OrionsArm there is a different domain in the browser and yubikey check domain from the browser, you need to educate yourself
Wait, When you used the victim page, you used your own ip-adress. When you used the session 3 and copied in firefox (cookie plugin) , did you still use your own ip-adress ? Because in Azure (not sure in M365) every logon is check from which ip-adress it comes from. When you have a session from IP-adres A , and you come with the same session with IP-adres B then this shouldn't work at Microsoft. It should detect and ask to do a MFA again. This is called conditional access in Azure AD. I think this exploit can be done on websites that don't cross check sessions with different ip-adresses. Thank you for the learning John
That was my line of thinking as well. What CA (conditional access) rule can we create to harden a tenant's configuration against this attack? Also great question about IP address usage, how would this behave when Microsoft detects this the session token from a different IP. Is this a default behavior or should we setup a CA rule to harden against it?
Word. When I tried it against office365 it worked, but in the azure portal it didn't. it'd keep me asking for mfa codd
This was not configured with conditional access from the looks of it.
Atypical travel CA rule could do the trick here. For example trigger another MFA prompt when attacker attempts to signin instead of blocking the account, this alone could help, but not necessarily prevent the attack as the attacker might be connecting from a similar geographical location.
@@azountsu conditional access could be it has to be an Entra registered device (registered on your network talking to your domain controller/Active Directory so they'd have to be in your network to register) and it has to be a compliant device (which could be whatever parameters you set). Could also block all IPs from countries you know you'd never have users in or are known threats like Ukraine, Russia, China, etc.
John, I love your work and your content, I come here all the time, but UA-cam are making it almost impossible to follow along and pay attention. Ive just watched this and had adverts injects every 60-90 seconds.
I really appreciate the work you do here. Please try to reduce the ads so i can watch and make notes (or tell me how I can subscribe to YOUR content without paying Google even more)
Wish you’d use Google as an example for a phish involving the .zip domain
Hehe, that would be ironic. :D
That's the coolest evilginx presentation I've seen.
PS. FIDO2 (crypto keys, local biometric authenticators, passkeys) to the rescue :)
This is scary. The question now is -- What is Microsoft and other companies doing to prevent this?
Only true way to stop is Fido 2 hardware token (stops token stealing)...User training, but that is it or Conditional Access grant control of a compliant device
@@jarredpow fido2 or smart card certificate authentication
@@jarredpow The video actually says that this bypasses 2fa.
@@exxon47_you cannot bypass a hardware key as it will not function unless it is at the correct site…
@@exxon47_ Not Fido 2 hardware tokens. They only work on the real domain
seems quite cool the guy behind this program is polish and has cybersecurity companies using this exact tool
Nice video John. Can you make one that shows how FIDO2 keys are not vulnerable to this type of attack? Also, maybe detailing what steps admins can follow to try to mitigate this attack as much as possible?
Can you explain how FIDO2 keys protect from session hijacking?
Isn't it just like 2FA?
I’m not sure, but fido2 would be the same. Ultimately what your doing is stealing the cookies.
So as long as websites uses cookies or auth tokens, you can do this
@@greyshopleskin2315 If you have malware on the client’s machine or have some other way of stealing the session cookie from their browser, then yes, it’s the same.
However, if we’re just talking about preventing phishing, then FIDO2 and certificate based auth will never authenticate you on a malicious site to begin with thus no session cookie to steal.
@@greyshopleskin2315FIDO2 will not authenticate through a different domain (the phishing domain used in this video for example), no authentication, no cookie
@@sapuseven in my opinion FIDO2 would not work as it is tied to the actual domain name cryptographically. So as the phishing site is not using the correct domain name, the FIDO2 token will not work to log in. However still, if the user is able to use some fallback mechanism instead of FIDO2 then it can still be successful.
It`s unbelievable how simple and powerful it is
I love these videos. Now I can grab a copy of the tool, use it, and look for any generated IOCs from default usage. Another easy win for low hanging fruit!
Well, there's nothing on the targets machine, for this. I think maybe you could figure out something by checking the traffic, though, maybe?
@@nordgaren2358 the url generator has default values, like the random string at the end has a certain amount of characters and do not spell a word. So scanning for urls with that at the end might be a start
A video on how to prevent this would be great, other than user education of phishing emails.
Pretty self explanatory, you just do the opposite of the attack lol
Hey john, thanks for the knowledge sharing again! But why not include the ip address of the user in the auth-tokens?? On the server-side just block the request if the auth-token's ip doesn't match the requester's (for instance the attacker). It also doesn't matter if the victim himself is behind a proxy, at least the token is only valid within that LAN. right?? 🤔🤔🤔🤔
Some people are connecting with a dynamic IP address which is changing from time to time, when your connection renews (and it can be forced as well, just restart your modem). So logging an IP address and only whitelisting that will lock you out from your account. Not to mention if you use VPNs for privacy reasons.
@@CZghostThey dynamic thing u said is fine I guess, cuz as long as you are connected (and even if you get disconnected for few minutes you will most likely get the same ip) you will have the same IP. Its more like a comprise for security rather than user experience which in something like banking web apps is good? IDK this whole thing was actually just a question.
Seems like a really good time since an auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn
It would be interesting to see how features such as Continuous Access Evaluation, from Conditional Access and Smart Links, from Defender for Office 365 would deal with this attack, as Microsoft says token replay is detected and blocked. Very good video anyway
Good points, Token machine binding in preview too
Am I seeing this right, if we’d use a password manager to autofill the username/password, it wouldn’t suggest us the Microsoft password since the domain in the browser is not actually the Microsoft login?
As a user that happens all the time. You get conditioned to having to paste the password in sometimes when the account creation address doesn't match.
Correct.
Could the session/token be stolen if the end user is already signed in (ie. outlook web mail) or will he need to create a new access token to steal a valid cookie?
The available phishlets (And the one shown in the video) are not working btw. However, after many hours of tweaking you can get it to work - but password will not be displayed - you will have to know some java script. And it will not prompt user to login unless they are activly logged out (if already logged in you just get the token straight up - even better!).
Huh? How would it retrieve the token then? The sign in is coming from a new device so surely it would require a new sign in.
I have phishlet google available for 3.2, capture user + password + cookie
Am I correct in stating that even if we used stronger forms of device authentication or a FIDO token the fact that you gain access to the session tokens to an extent nullifies those controls as the user session was still proxied?
I only want to this within a small company I work at cause our oversight clearly has information they should not have. They made it so obvious that I set very specific traps that only a person who had access to my account would know.. they didn't just fall into one but just about all of them.
Ironically it led to illuminating their pet aka my co-worker who has been leaking information (over their long tenure, being this snakey gets them no benefit but they are the equivalent of a head house slave) lol. The deceptive, invasive, and unethical tactics they use have led me here which hacking is something I always frowned upon BUT I 100% condone punching back
Interesting idea for sure to reverse proxy all the traffic seamlessly. But again, at the end of the day, don't click dodgy links and verify which links you visit.
Would Yubikey prevent this?
It should, as long as other methods are not also enabled.
@@dyerseve3001 No. Cause the hacker has the session. You can access the account without entering any password. Yubikey is just a better secure 2FA. But once the hacker has your account session. You can't do anything except to log out to end the session.
where did u get that template? I only see 1 working GIT project for 3.0 the rest are outdated & broken...
Nice try John, we all know that your discount link in the description is an evilginx lure link 😉😉
Kidding mate, awesome video as always.
Is this a sponsored video or just you covering a course and tool you thought was sick? Because this DOES seem sick. I’m just curious as to how the video came to be!
STOL >>> My situate = my personal movement! You joined - the "Red Dragon's Brigade - Frankenstein!"
Zen Buddist!
Thanks! I will use that for Educational Purposes Only!
Seems like a really good time since a auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn. Just an FYI
I am surprised this video has not taken down
How does evilginx generate a tls certificate signed by a trusted ca? Which ca is it using?
It uses letsencrypt to generate the certificate
Most likely Let’s Encrypt.
even if you outsmart user to giveup their credentials, Microsoft still detect a new device login and notify the user. User can deny the usage of that new device and your access to the website will be gone in no time.
Can you do it with Google tho. I always like to think Google does web better than Microsoft.
cookies must be verifying the client-agent & change in location.
Hope the sign in from different location & device is notified to user & immediately changed the paswd. 🙄
Is there a cheaper course ???? Ima broke college student atm
How does this look in the signin logs in the m365. are there any tips on catching behavior in the user's sign in logs
If an admin clicks on a .zip URL and really thinks its from Microsoft and logs in, its really his own fault.
I wouldn't focus so much on the simple example for social engineering in this video. The methodology around reverse proxies is the takeaway here. There are many examples of visually identical domains using Punycode for example which have successfully tricked admins. That being said, physical security keys resist this method since the domain doesn't match during the key exchange.
This is scary but the phishing email came from a Gmail account. Even the least technical users I have will not be fooled by this.
That is actually terrifying
Nice video.
How to prevent:
Block sign in to 365 apps on unmanaged devices.
But I wonder if you could make this test while user is logged in passwordless.
Option 1 with Microsoft authenticator registered for passwordless sign in.
Option 2 with WHfB passwordless authetication.
Holy sh*t! This guy's taking Roy off the grid! This guy doesn't have a social security number for Roy!
John, that thumbnail is killing me. 😂
Next week: incorporating ransomware into EvilGinx phishlets, sponsored by Bitcoin
evilginx pro course??
I recently got an email using this, it evens pulls the tenant branding on the login screen
Yes also seen a Tenant branding one at the end of last week however surely that's not a surprise as the Reverse proxy will do whatever the tenant would have shown.
@@devonsurfer7619yup… I also worked with one that forwarded to another iDP too (Microsoft login page forwarding to Okta).
This is such a mess and really frustrating that Microsoft is dragging their feet here. I know it’s complicated to resolve this at a large scale but it’s got to be one of the worst security threat’s organizations have faced in a long time.
Some people are absolute beginners. I have a question John, How did you connect your name and the server together? I mean digital ocean and your domain?
thank you federal agent! I shall do this immediately!
Sounds like Seth Rogan giving a phishing lesson.... great content love the video 🎉
Awesome John, thank you so much for the time on your videos, u the best I have learned a lot with u and like how quick u explain and speak, keep it up Master
Hello Brother please tell me how to perform evilginx on over internet.
Hitting inbox is more important than the set up
@_JohnHammond Do you know why companies like Microsoft are not mitigating this threat with the Security Hardening techniques you mentioned at 9:10 like "Security Token Validation". Is there a downside to implementing this?
They are dragging their feet with this attack which is seriously frustrating. This has got to be one of the largest security concerns organizations face today and they are practically silent in it(minus a blog post or two…)
Thanks for the demo,
But my question is in reality who assigned global admin role to someone in a company who has not have a single idea about junk email accessibility. Microsoft builds a superb email security that protect this kind of attacks (Ratio 99.9%).
Appreciate your time & effort. But this is twenty century. People are much aware of spamming email now. Make some hands-on attack simulation tutorial that really make sense.
Does the course teach one how to create their own personal man in the middle attack without using evilginx?
There is one simple solution. Tradermarked names like onedrive or microsoft should not be allowed to be used in domains. This would solve 99% of phishing. Does stolen cookie leave login ip trace? I wonder if checking login history based on ip is secure enough or not anymore.
Mitnick would be so proud 🥺
Do zip domains have any use other than phishing?
so M365 added the feature to show the geo location of the number matching request, would that still come from the victims geo IP since this is man in the middle ?
Since it operates as a proxy, I would suspect it would show the location of the server running evilginx. HTTPS alone would stop it somehow passing the victim's IP to Microsoft.
We had a recent BEC that had MFA, we couldn't determine how but suspected token theft in this method.
Another thing we tend to do is customize the login screen to hopefully give the end user a slight pause when they get the default theme.
@@dyerseve3001 good call on changing the theme of the login page, thank you
@@dyerseve3001I’m all for changing the default theme but how would that offer protection here? The phishing site is still pulling from Microsoft in real time so the user would see the custom theme for your organization anyway.
This video is for educational purposes only btw
If a conditional access is set (let's say it requires company device for employees to actually successfully log in), will that prevent the attacker from getting the access even with the session credentials stolen?
I worry that this information will end up being used by bad actors instead of pen testers :(
I'm glad I'm not a webdev. Imagine having to deal with stuff like this
I have never seen someone so excited over promoting illegal activity :D
have programmed a HTML+CSS phishing website for my business. and I want to know how to get what user are typing on the login page so I can se if they are given out sensitive information
You will be hearing from lawyers of Microsoft and that client.
Why don't electrics just use Torx bits? Yes, I know you need to select the right size, but they just work so well, with no cam out.
The lure is not the hook - lol
The lure is the bait on the hook.
The hook is the last thing they want.
You can tell you're not a fisherman, neither am I. 🤣 (ha ha)
Super content Brother, keep it up!!!!!!!
Question: Just asking, why would you show someone how to do this.
Because the tool is publicly available and the average individual such as yourself wouldn’t know about it, making you a target. The ‘bad guys’ already know about it and the more awareness generated towards the tool will push companies to strengthen their security architecture also making you aware of the tool.
Chill 😂😂😂guys
This is the response im getting, im on evilginx v2.4.2. We're unable to complete your request
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
Where do you host your websites or files to say the least
Você tem um incrível potencial criativo
Does this thing reverts the authentic user to home page of M 365 or redirects him/her to logged in page
At 16:28 you revealed a public IP from Santa Clara and your phone weather notification revealed your location Alameda
He might have on a vpn, but still worth noting
How would you use ngrok or serveo instead of digital ocean?
Can one change the format of receiving the login and tokens so that it is sent out to a discord Web hook or any other place instead of having to open evilginx to be listening?
Can you deep deeper into the part where the phishing email went into junk mailbox? Guessing it didnt pass spf/dkim/dmarc? Is there a way we can import a forged certificate?
Email going to spam shouldn’t matter at all since this is just demo purposes. These attacks very often come from senders the recipients already trust such as already comprised colleagues, or partner organizations, etc.
Jhon i was wondering if you could help me.
I got blocked out of my own account because i cleared my cookies everytime i close my browser.
Because i follow privacy online as a religion Microsoft AI got confused and locked my account because of "Suspiscious acitivity"
Now there is a chain reaction that is triggerd and i lost most of my accounts because i have 30+ emails..
Can you please help me?
Really a nice thing. Nevertheless, this thing only caught people who dont know anything about URL.
Creating a .zip TLD was a horrible idea. It's just begging to be abused by attackers.
When did they create this? I've never heard of it till just now
man please try this with adfs for steal Microsoft 365(obviously for educating purpose)...i still have a problem with him for my thesis
I dont get how evilginx is able to grab the token after the login. Is there not a anti CSRF or CORS ???
so how do we avoid the mail going to the junk emails ?
Remember kids this is for educational purposes only.
not like they may mistake it as a way to built for your haters
next video: how to ddos a random innocent grandma who has 5 months to live and their grandson is learning them how to use microsoft 365
Which software would you guys recommend that is best for recovering files from Android phones. I use windows btw
June 2024 UPDATE: this Office 365 phishlet doesn't work anymore
Or more like, it works but there is a strange redirection loop bug that happens once all the tokens are intercepted
More videos like this please, great video
Why do you use sudo when you are already logged in as root?
Is there a cheaper course ???? Ima poorcollege student atm
I am getting this error: "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid." I don't have that on my yaml file. Any comment on this?
CONAN'S BACK