How To: Evilginx + BITB | Browser In The Browser without iframes in 2024

  • Published: 25 Aug 2024

Comments • 63

  • @HAMETE
    @HAMETE 5 months ago +2

    Love it. Just great. I will prove it to show to my colleagues to be aware of this kind of phishing. Thanks!

  • @6ix9yn
    @6ix9yn 2 months ago

    I'm a very big fan. You really make everything look simple with the way you break things down.

  • @Winter-vn3xf
    @Winter-vn3xf 2 months ago +2

    Bro, thanks for these tuts, appreciate it. Please, can you add phishlets that also work with Office GoDaddy?

    • @WilliamHunt-is7pj
      @WilliamHunt-is7pj 2 months ago +1

      Hey, have you gotten the Office GoDaddy phishlets? I was able to code it, but it won't log in when it redirects to the Office GoDaddy login page.

  • @hehefer
    @hehefer 28 days ago

    Salam, nice video. What do you think about biitbiting BITB with drainer?

  • @kingsleyokon4844
    @kingsleyokon4844 6 months ago +2

    Thanks for the tutorial. Can you please make a video of how you deploy it on a live server and how you modify and instruct Evilginx2 to fetch and use wildcard SSL?

    • @waelmas
      @waelmas 6 months ago +2

      Hey, I plan to make some automation and maybe a tutorial on that in the near future. For the time being you might wanna take a look at the details I shared here where I explain how I currently handle certs:
      github.com/waelmas/frameless-bitb/issues/6

  • @girl4632
    @girl4632 7 months ago

    If you are the first one bringing all these tricks and using the curious brain,
    then bro, you are seriously awesome.
    By the way, thanks for the info.

    • @waelmas
      @waelmas 7 months ago

      As far as I know, this is the first BITB without the usage of iframes, which allows us to bypass framebusters. But the original concept of the BITB was introduced by mrd0x a few years ago: mrd0x.com/browser-in-the-browser-phishing-attack/

    • @girl4632
      @girl4632 7 months ago

      @@waelmas Not in this way.
      I already know about mrd0x.
      At last I want to say: how did you get so much creativity?
      Thanks a lot for sharing.

  • @KistrinRobert
    @KistrinRobert 7 months ago +2

    Very very very nice bro! Thanks!

  • @streamkeeper4462
    @streamkeeper4462 6 months ago

    Dang man, this is crazy good!! Wael, you are the GOAT for teaching us this.

  • @nddcs
    @nddcs 7 months ago +1

    Awesome. Keep it up. Can you give more techniques on how to bypass browser anti-phishing filters like Chrome Safe Browsing?

    • @waelmas
      @waelmas 7 months ago +1

      Thank you! Will be working on some more code and tutorials over the coming months, but for now you might wanna take a look at this: www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation

  • @r12w4n7
    @r12w4n7 7 months ago +1

    Thanks Bro
    You're Awesome :)

  • @AnonymousSky-kg5hv
    @AnonymousSky-kg5hv 2 months ago

    How can I apply another background other than ETech IT? I must commend, this is a good educational video. I would like to get some explanation of how to implement a new background and how to detect the browser/OS and user agent of the client in real time.

  • @cowbe0x004
    @cowbe0x004 1 month ago

    So if you have custom company branding set up, it doesn't show up in the popup, but I notice the branding background does get requested. Do you happen to know why?

  • @khalilhamdi8463
    @khalilhamdi8463 6 months ago

    Nice explanation ...

  • @NumbersStain
    @NumbersStain 2 months ago

    I am not able to set it up. It keeps getting an SSL error.

  • @user-km7lg1ny3x
    @user-km7lg1ny3x 5 months ago

    Hello. Thanks so, so much for these beautiful tutorials. I got everything working, but I am unable to use js inject for the email parameters. When I configure the js inject in my phishlet, it keeps using the same email for all generated lures with an email attached. Help!

    • @waelmas
      @waelmas 5 months ago

      Are you talking about Evilginx behaving like this only when Frameless-BITB is added? Please try to get it working without Frameless-BITB first.

  • @user-is4sl1oc5m
    @user-is4sl1oc5m 6 months ago

    Nice tutorial, I have just subscribed to your channel 😊. Can you explain how we can change the background in case we want to pentest with a different background template?

    • @waelmas
      @waelmas 6 months ago

      Thank you!
      You will need to replace the content under pages/primary/ (which you eventually copy to /var/www/primary/ during the setup).
      There you can fully replace the HTML/CSS but you will need to have somewhere in your HTML the login button, and you need to have the relevant JS code tied to it in script.js
      The only catch is that if your page has a lot of extra JS logic you will need to replace anything that listens to DOM events to listen to the custom event you see in the script.js file.
      Might make another video on that topic in the future but hope this puts you in the right direction.

    • @user-is4sl1oc5m
      @user-is4sl1oc5m 5 months ago

      @@waelmas thanks

  • @Computersecurityobserver
    @Computersecurityobserver 4 months ago

    Anytime I set my URL lure and test it out in a browser, the next page it goes to says this: "Microsoft accountAccount
    We're unable to complete your request
    invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application." so what exactly is going on??

    • @waelmas
      @waelmas 4 months ago

      It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Make sure everything works without Frameless-BITB first to see if Evilginx is working as expected.

  • @user-of2bl1gg2e
    @user-of2bl1gg2e 5 months ago

    If you were running this live, would you still change the domain nameservers to point to the VPS, or would you manage it in the registrar panel?

    • @waelmas
      @waelmas 5 months ago

      I usually keep the nameservers at the domain registrar and simply add DNS records for all subdomains that my phishlet will use. All such subdomains plus the root domain should point to the IP of the instance running the setup. (Also SSL certs should be generated for the naked domain as well as a wildcard subdomain). There are many ways to approach this, but I found this approach to be the path of least resistance, with fewer chances of scanners fingerprinting my servers during the generation of SSL certs.

  • @nicholasanderson4788
    @nicholasanderson4788 2 months ago

    Apache is a reverse proxy; can you use nginx for the same purpose?

    • @waelmas
      @waelmas 2 months ago +1

      Yes it is. In fact the advanced version I am working on is a from-scratch implementation of a reverse proxy written in Go.
      For nginx you just have to use the equivalent of search and replace (aka substitutions in apache) and follow the same concept.

  • @cruzalex9662
    @cruzalex9662 3 months ago

    Please, I want to know if it also evades secret token security.

    • @waelmas
      @waelmas 3 months ago

      That is a very tough topic on its own and mainly related to Evilginx and reverse proxy phishing itself rather than Frameless-BITB. As far as I know Evilginx Pro will solve this by capturing the shadow token from a browser that runs behind the scenes then use it in the proxied page.

    • @cruzalex9662
      @cruzalex9662 3 months ago

      @@waelmas It's alright, but at least is there a way we can work on it to use all Office accounts rather than just enterprise accounts? Please let me know if it's available, else I'll be glad to join and work on it.

  • @lool7922
    @lool7922 4 months ago

    Love it, but when I sign in, it won't take me to the next step to enter the password. Any idea?

    • @waelmas
      @waelmas 4 months ago

      It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Try setting it up without Frameless-BITB to see if everything works before you add this concept to the mix.

    • @seanshirley9582
      @seanshirley9582 19 days ago

      I ran into this same exact issue. Any updates?

  • @user-km7lg1ny3x
    @user-km7lg1ny3x 4 months ago

    Hello. There's a new security update by Google Chrome.

    • @waelmas
      @waelmas 4 months ago

      Hey, are you referring to a feature that is still experimental in regards to device-bound tokens? If so that is something that might or might not affect reverse-proxy phishing in general, but we are yet to see how strong it is and if it has any pitfalls that allows to bypass it. Or are you referring to something else?

  • @TonyAsh-rp6fp
    @TonyAsh-rp6fp 6 months ago

    All good bro. The terminal font and color are horrible, can't see clearly.
    White on black or green on black should do.

    • @waelmas
      @waelmas 5 months ago +1

      Thanks for the feedback! Will keep it in mind next time!

  • @user-hq3zk2jo8r
    @user-hq3zk2jo8r 4 months ago

    What if the user uses a mac?

    • @waelmas
      @waelmas 4 months ago

      In the repo I have config files for Chrome on both Windows and Mac. Based on the POC code provided you can also customize it further for any other browser/OS you would like.
      In an ideal scenario you would want to detect the User Agent and load the proper config file that matches the browser/OS combo used by the client in real time.

    • @AnonymousSky-kg5hv
      @AnonymousSky-kg5hv 2 months ago

      @@waelmas How can I detect the browser/OS and user agent and load a proper config to match the browser/OS used by the client in real time?

  • @girl4632
    @girl4632 7 months ago

    But I still haven't got how it was made possible without iframes, trying to understand.

    • @waelmas
      @waelmas 7 months ago

      The core approach that makes it work is that I "push" the HTML body and inject my own HTML elements that are responsible for the BITB components and the landing page behind it along with the CSS tricks for positioning.
      Typically, you would place an HTML element inside another to create the effect of something living inside something else. But this will not work as pages like Microsoft intentionally rely on attributes attached to their elements that would "break" if you manipulate them. So the whole trick is to place our HTML elements right next to the original HTML, then rely only on CSS tricks to "fake" the effect of one being inside the other.
      The core CSS attributes that do the trick are:
      width
      height
      top
      left
      transform
      z-index

    • @girl4632
      @girl4632 7 months ago

      @@waelmas Could you please explain both approaches to the HTML,
      and how the above one will break and the other one won't?
      I read the source code and understood that HTML code that was in the Apache config file was fed along with the Microsoft HTML,
      and that it was placed right at the start of the body.
      I have two doubts, hope you will solve and reply.
      1) I found only the injected div and the win-scroll div present when the document reached the browser. Where were the others, other than .win-scroll, that were present in the actual Microsoft HTML document?
      2) First you said injecting HTML will break the code, but isn't what you are doing injecting HTML too? You are injecting 3 tags before Microsoft's actual content.
      a) Won't this break?
      b) Doesn't Microsoft already have any security measure to detect this change using JavaScript?

    • @girl4632
      @girl4632 7 months ago

      @@waelmas Thanks a lot for the reply.
      Your channel is so underrated in spite of being a pure gem mine; the recent three videos must have the potential to gain many more views.

    • @waelmas
      @waelmas 7 months ago

      The legacy BITB can be simply tested using an iframe (with Evilginx you'd have to put it in a redirector). What happens for example with Microsoft is that you will get a redirect and that will end up on the original Microsoft login page, basically breaking the whole thing. (Search "framebusters" for more details on that).
      Injecting HTML inside the divs used by Microsoft, or moving those inside our own div, breaks the flow in most cases. Injecting HTML in the body while keeping all attributes the same does not affect anything as it's simply sitting on the side.
      I don't think it's that easy for Microsoft to check such changes as even simple browser extensions actually inject their HTML inside the page body in a similar manner, and they use ShadowDOM. So this approach could be "seen" the same as most legit browser extensions.
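
A defensive counterpart to the two explanations above (injected siblings placed next to the real login container and positioned purely with top/left/transform and stacked with z-index): a heuristic DOM integrity check that flags such siblings. This is an added example, not code from the video or the Frameless-BITB repository; the element ids, the SAMPLE snapshot and the login-root id are constructed for illustration.

```javascript
// Added defensive example (not from the video or the Frameless-BITB repo).
// The thread describes overlay elements injected as direct children of <body>,
// taken out of normal flow and stacked over the genuine login container.
// findOverlayCandidates() runs on a plain snapshot so it works outside a browser;
// snapshotBody() is the in-page collector that would produce that snapshot.

// In a browser: snapshot every direct child of <body> (assumed usage, not run here).
function snapshotBody(doc, win) {
  return Array.from(doc.body.children).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      tag: el.tagName.toLowerCase(), id: el.id, position: cs.position,
      zIndex: cs.zIndex, transform: cs.transform,
      rect: { x: r.x, y: r.y, w: r.width, h: r.height },
    };
  });
}

// Axis-aligned rectangle overlap.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// Flags body children that are (1) out of normal flow via position/transform,
// (2) explicitly stacked with a numeric z-index, and (3) overlap the login box.
function findOverlayCandidates(nodes, loginId) {
  const login = nodes.find((n) => n.id === loginId);
  if (!login) return [];
  return nodes
    .filter((n) => n.id !== loginId)
    .filter((n) => n.position === "absolute" || n.position === "fixed" ||
                   (n.transform && n.transform !== "none"))
    .filter((n) => !Number.isNaN(parseInt(n.zIndex, 10)))
    .filter((n) => overlaps(n.rect, login.rect))
    .map((n) => `${n.tag}#${n.id || "?"}`);
}

// Constructed sample snapshot: one genuine login container, one harmless
// in-flow footer, and two injected siblings (a full-page fake landing page
// behind the form and a fake "window" frame around it).
const SAMPLE = [
  { tag: "div", id: "fake-landing", position: "fixed", zIndex: "10",
    transform: "none", rect: { x: 0, y: 0, w: 1280, h: 800 } },
  { tag: "div", id: "fake-window", position: "absolute", zIndex: "20",
    transform: "translate(-50%, -50%)", rect: { x: 390, y: 150, w: 500, h: 500 } },
  { tag: "div", id: "footer-notice", position: "static", zIndex: "auto",
    transform: "none", rect: { x: 0, y: 780, w: 1280, h: 20 } },
  { tag: "div", id: "login-root", position: "relative", zIndex: "auto",
    transform: "none", rect: { x: 440, y: 200, w: 400, h: 400 } },
];
```

As the reply notes, legitimate browser extensions inject into the body too, so treat hits as a signal to review (for example, compare against a baseline of expected top-level children) rather than a verdict on their own.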

    • @girl4632
      @girl4632 7 months ago

      @@waelmas Thanks a lot.
      You are a genius and creative. I want to use my own theory too, but I can't.
      Could I get the references, so that instead of being dependent on someone else's creativity I could have my own?

  • @granvillaustine8327
    @granvillaustine8327 5 months ago

    Hell yeah, bring that tool on steroids

  • @glitchdigger
    @glitchdigger 6 months ago

    @Wael Masri, hey man could I message you online? I'd like to contribute / collaborate with some expansions to this methodology and pick your brain! I got you some coffees too! -- glitchdigger

    • @waelmas
      @waelmas 6 months ago

      Of course! DM me on LinkedIn or Twitter!