Learning how to bypass two-factor authentication (Google Authenticator, SMS)
<blockquote data-quote="Ghosthunter" data-source="post: 509" data-attributes="member: 6">
<p>There are times when you need to make someone happy. It happens when the target organization has a second authentication factor configured: SMS, Google Authenticator, or Duo. What should one do in such cases? Hire gopniks? Cut employees' phone numbers? No! It turns out that cunning hackers have written software that can help in this difficult situation.</p>
<p><a href="https://github.com/kgretzky/evilginx2" target="_blank">Evilginx2</a> is a phishing framework that acts as a proxy between the victim and the site we want to get accounts from. Previously it used a custom nginx, but now it has been completely rewritten in Go. It includes mini HTTP and DNS servers, which greatly simplifies installation and deployment.</p>
<p>How does it work? The author of the software <a href="https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/" target="_blank">described</a> it on his website; details on installation and configuration can be found on the <a href="https://github.com/kgretzky/evilginx2" target="_blank">GitHub</a> page. Why is it possible to bypass the second factor? The trick is that we do not interfere with the process of entering the code from SMS / the temporary password / the push from Duo. We quietly wait for the user to successfully complete all the authentication steps, catch their cookie, and then use it to log in. Along the way, just in case, we also collect their username and password.</p>
<p>In this article I will talk about my experience and the pitfalls that I encountered.</p>
<h4>Task</h4>
<p>So, we need to phish an organization that actively uses <a href="https://en.wikipedia.org/wiki/Okta_(identity_management)" target="_blank">Okta</a> for single sign-on. As the second factor, a <a href="https://duo.com/" target="_blank">Duo</a> solution is used, whose distinguishing feature is a mobile client that lets you confirm the second factor through ordinary push notifications instead of entering 35-digit codes (hello, Google Authenticator). Let's get started.</p>
<h4>Step one: register a phishing domain</h4>
<p>In our provider's panel, specify the address of the server where the phishing site will be located. We also register a subdomain of the form <code>okta.&lt;phishing domain&gt;.com</code>.</p>
<p><img src="http://www.pvsm.ru/images/2018/11/28/shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor.png" alt="shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>Step two: configuring Evilginx</h4>
<p>Run Evilginx and, using the <code>config</code> command, enter the necessary settings. Specify the main domain (not a subdomain) and its IP address.</p>
<p>Code:</p>
<pre><code>config domain &lt;phishing domain&gt;.com
config ip 10.0.0.1</code></pre>
<p>As a result, the config looks like this:</p>
<p><img src="https://telegra.ph/file/13a0386b0ca79b8dd164d.png" alt="13a0386b0ca79b8dd164d.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>An interesting parameter here is <code>redirect_url</code>: it indicates where to redirect the request when the client arrives at the root of our domain. Why is this done? If you serve the phishing page from the root, the domain will be identified very quickly and added to the lists of dangerous sites, browsers will swear threateningly, and users will never reach us. Therefore we will send it via a unique link, and the root will redirect to the song Never Gonna Give You Up.</p>
<h4>Step three: setting up a phishing page</h4>
<p>This is where the fun begins. Since we don't actually host any content on our server at all, but only proxy requests, we need to "tell" Evilginx exactly what data we want to get. We write this "story" in a special format. Documentation on it is available on the project's <a href="https://github.com/kgretzky/evilginx2/wiki/Phishlet-File-Format-(2.2.0)" target="_blank">wiki</a> page. These descriptions are called phishlets. For some popular services (Facebook, LinkedIn, Amazon) they are already written and included in the distribution. We were less lucky: Okta is not supported out of the box, but good people wrote a phishlet for the <a href="https://github.com/kgretzky/evilginx2/pull/82" target="_blank">old</a> version. We take the file and start soldering.</p>
<p>Fill in the description: specify the phishlet name, the authors, and the required version of Evilginx.</p>
<p>Code:</p>
<pre><code>name: 'okta'
author: '@ml_siegel, updated by @hollow1'
min_ver: '2.2.0'</code></pre>
<p>We specify which domain we are going to phish. In our case, we use a domain like <code>&lt;target company name&gt;.okta.com</code>.</p>
<p>Code:</p>
<pre><code>proxy_hosts:
  - {phish_sub: '', orig_sub: '&lt;target company name subdomain&gt;', domain: 'okta.com', session: true, is_landing: true}</code></pre>
<p>The <code>session</code> parameter indicates that this is the domain that sends the cookies we need and that credentials are passed there; <code>is_landing</code> means that this host will be used to generate phishing URLs.</p>
<p>The next important step is to identify all requests to the target domain so that the proxy can successfully rewrite them to the phishing domain. If this is not done, the user will send data not to us but directly to the original domain, and we will not catch any accounts. You only need to rewrite requests that are directly involved in the user's login process.</p>
<p>To clearly understand what exactly is required for successful authentication, you need to carefully study this very process. Armed with Burp and a test account, we start looking for how the password is transmitted and what cookies the application uses to determine the authorized user. We are also looking for responses from the server that contain links to the original domain.</p>
<p>We find the request that passes the username and password. We see that it is sent to the original domain, but we need it to go to us.</p>
<p><img src="http://www.pvsm.ru/images/2018/11/28/shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor-3.png" alt="shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor-3.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Here you can see how the original domain returns links inside JavaScript. They need to be rewritten.</p>
<p><img src="http://www.pvsm.ru/images/2018/11/28/shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor-4.png" alt="shok-novyi-soft-dlya-fishinga-pobejdaet-vtoroi-faktor-4.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
</blockquote>
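The mechanism the post relies on, modelled end to end as an added example that is not Evilginx2, Okta or Duo code and is not from the thread's author: a toy in-memory identity provider that wants a password and then a pushed one-time code, a relay that forwards every request unchanged and keeps whatever Set-Cookie value it sees, and a replay of the captured cookie from a different client. The same relay is then run against an origin-bound second factor (WebAuthn-style), the case this approach does not cover. The origins, user, password, keys and codes are all constructed for the example; nothing here touches a network.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.idp.example"       # assumed legitimate IdP origin
PHISH_ORIGIN = "https://login.idp-example.test"  # assumed attacker origin


class ToyIdP:
    """In-memory IdP: password, then pushed code, then bearer cookie (not Okta/Duo)."""

    def __init__(self):
        self.users = {}        # username -> password
        self.keys = {}         # username -> key of an origin-bound authenticator
        self.pending = {}      # username -> push code awaiting approval
        self.sessions = set()  # cookie values the IdP treats as logged in

    def login(self, user, password):
        if self.users.get(user) != password:
            return {"ok": False}
        code = f"{secrets.randbelow(10**6):06d}"  # delivered to the user's phone
        self.pending[user] = code
        return {"ok": True, "push_code": code}

    def verify_code(self, user, code):
        if self.pending.pop(user, None) != code:
            return {"ok": False}
        return self._issue_session()

    def verify_assertion(self, user, challenge, origin, sig):
        # WebAuthn-style: signature covers the origin the browser saw; only ours is accepted.
        want = hmac.new(self.keys[user], f"{challenge}|{origin}".encode(),
                        hashlib.sha256).hexdigest()
        if origin != REAL_ORIGIN or not hmac.compare_digest(want, sig):
            return {"ok": False}
        return self._issue_session()

    def _issue_session(self):
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return {"ok": True, "set_cookie": sid}  # the value a Set-Cookie header carries

    def whoami(self, cookie):
        # Bearer cookie: whoever presents it is logged in, from any client.
        return cookie in self.sessions


class Relay:
    """The proxy of the post: forwards requests unchanged, keeps creds and cookies seen."""

    def __init__(self, idp):
        self.idp, self.captured = idp, {}

    def login(self, user, password):
        self.captured["creds"] = (user, password)
        return self.idp.login(user, password)

    def verify_code(self, user, code):
        return self._record(self.idp.verify_code(user, code))

    def verify_assertion(self, user, challenge, origin, sig):
        return self._record(self.idp.verify_assertion(user, challenge, origin, sig))

    def _record(self, resp):
        if resp["ok"]:
            self.captured["cookie"] = resp["set_cookie"]
        return resp


def authenticator_sign(key, challenge, origin):
    """Victim's authenticator: signs challenge plus the origin of the page asking."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def push_flow():
    """Returns (relay captured a cookie, IdP accepts that cookie from the attacker)."""
    idp = ToyIdP()
    idp.users["alice"] = "correct horse"
    relay = Relay(idp)
    r = relay.login("alice", "correct horse")
    # The victim completes the second factor; the relay only passes the code on.
    relay.verify_code("alice", r["push_code"])
    cookie = relay.captured.get("cookie")
    return cookie is not None, idp.whoami(cookie)


def origin_bound_flow():
    """Returns (IdP accepted the forwarded assertion, IdP accepted it with the
    origin rewritten by the relay, relay captured a cookie)."""
    idp = ToyIdP()
    idp.users["alice"] = "correct horse"
    idp.keys["alice"] = secrets.token_bytes(32)
    relay = Relay(idp)
    relay.login("alice", "correct horse")  # password still goes through the relay
    challenge = secrets.token_hex(8)
    sig = authenticator_sign(idp.keys["alice"], challenge, PHISH_ORIGIN)  # browser is on phish
    forwarded = relay.verify_assertion("alice", challenge, PHISH_ORIGIN, sig)
    rewritten = relay.verify_assertion("alice", challenge, REAL_ORIGIN, sig)
    return forwarded["ok"], rewritten["ok"], "cookie" in relay.captured
```

`push_flow()` returns `(True, True)`: the relay never touched the push code, yet the cookie it recorded logs the attacker in from a client the IdP has never seen, which is exactly why waiting for the user to finish the second factor works. `origin_bound_flow()` returns `(False, False, False)`: an assertion signed over the phishing origin is rejected, rewriting the origin field breaks the signature, and no session cookie is ever issued for the relay to capture. The password still passes through the relay in that flow, so origin binding protects the second factor and the session, not the credentials typed into the page.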