I Stole a Microsoft 365 Account. Here's How.
HTML-код
- Опубликовано: 31 окт 2023
- jh.live/evilginx || Get phishing into your next red team assessment or penetration test, and make it a breeze with Evilginx! Use my link for 20% the Evilginx Mastery course: jh.live/evilginx
PS, I'll be presenting for the CloudSec 360 webinar with Wiz on the MOVEit Transfer exploitation -- tune in on November 8th! jh.live/wiz360
Free Cybersecurity Education and Ethical Hacking with John Hammond
📧 JOIN MY NEWSLETTER ➡ jh.live/email
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥 RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
Thanks for this. Now my concerns are real. Pushing the anti-phishing filters to a new level to all my clients
How do you plan to do this?
I believe it's all about real time monitoring of incoming emails and end user education
We've even hacked banks with this -ethically-
Will still get through regardless. Need to use hardware key mfa or Conditional Access policies..
@@trackker16 Conditional Access based on Device identity and location or fido keys :)
@@ryanfrank4834which specific conditional access policies do you recommend to combat this?
Right. There should be a phishing network card interface designed to simply 'be dumb' override by default to allow the 'script kiddy' into a honey pot. Give them all sorts of useless information using Bot Framework Composer. ;/
I've only casually followed you over the years, but your last few videos have been superb and unlike what other content creators are producing, you are now to the top of my viewing list. Excellent job!
Cool demo!
This is why admin folks should be configured for eligible role assignments where another MFA prompt is required to elevate privileges to admin.
I wonder if a proper domain would be used (domain flipping), whether zScaler or Menlo (or any other modern proxy) would detect and prevent Evilginx.
This along with BitB attacks, are mad scary. I recently started building out infrastructure for both and they are a slam dunk. Great video John!
I have never seen BitB attacks outside of Steam - but im guessing its only going to grow :/
But if mails already mark in junk then what will be the use 😂
@@pravinsingh4184 Bypassing email filters is a separate thing- not as hard as you'd think if you are spearphishing/whaleing
I tried the phishlets but every time I use evilnginx “Google Safe browser” marks it as insecure domain even before doing anything. Do guys have any idea why this getting got caught?
@@pravinsingh4184Ma boy got a point
Love the video as usual but the amount of times the word “ultimately” was said was astounding 😅
well ultimately it's to make a point 🤪
I love these videos. Now I can grab a copy of the tool, use it, and look for any generated IOCs from default usage. Another easy win for low hanging fruit!
Well, there's nothing on the targets machine, for this. I think maybe you could figure out something by checking the traffic, though, maybe?
@@nordgaren2358 the url generator has default values, like the random string at the end has a certain amount of characters and do not spell a word. So scanning for urls with that at the end might be a start
Am I correct in stating that even if we used stronger forms of device authentication or a FIDO token the fact that you gain access to the session tokens to an extent nullifies those controls as the user session was still proxied?
where did u get that template? I only see 1 working GIT project for 3.0 the rest are outdated & broken...
Could the session/token be stolen if the end user is already signed in (ie. outlook web mail) or will he need to create a new access token to steal a valid cookie?
We just started rolling out conditional access policies because of rampant phishing attacks and vulnerabilities in Microsoft's MFA apps. Now only registered and compliant devices can access company resources. It's cat and mouse but that's the game!
Hey john, thanks for the knowledge sharing again! But why not include the ip address of the user in the auth-tokens?? On the server-side just block the request if the auth-token's ip doesn't match the requester's (for instance the attacker). It also doesn't matter if the victim himself is behind a proxy, at least the token is only valid within that LAN. right?? 🤔🤔🤔🤔
Some people are connecting with a dynamic IP address which is changing from time to time, when your connection renews (and it can be forced as well, just restart your modem). So logging an IP address and only whitelisting that will lock you out from your account. Not to mention if you use VPNs for privacy reasons.
@@CZghostThey dynamic thing u said is fine I guess, cuz as long as you are connected (and even if you get disconnected for few minutes you will most likely get the same ip) you will have the same IP. Its more like a comprise for security rather than user experience which in something like banking web apps is good? IDK this whole thing was actually just a question.
Nicely done showcasing Evilginx and its possibilities.
Would be nice if you would have mentioned that there are measures to tackle this sort of threat.
Like FIDO2 security keys or even Microsoft Authenticator Phone Sign-In paired with the Conditional Access grant control of a compliant device.
Maybe something for a new video to follow up with.
but they are saying even fido2 can be hacked if they steal the token
Haha follow up? Maybe if the front page of tech sites bring it up again, these videos are nothing but repackaged video versions of headlines from any computer security news site, super basic demonstrations that are obviously following an already written tutorial. Look elsewhere if you want real content
@@cryptoafc7655 do you mean the hardware token or the access token?
Basically FIDO2 auth methods tie the auth factor to the online service and therefore you won’t be able to authenticate to the phishing site spun up by the evilginx reverse proxy.
@@cryptoafc7655 Pretty sure Fido2 is resistant to this.
@@_ppl I have a Yubi key 5, and without touching the button on it. I can't log on anywhere
Is this a sponsored video or just you covering a course and tool you thought was sick? Because this DOES seem sick. I’m just curious as to how the video came to be!
This seems a good time to point out that since a capability designates the resource that it operates on, it's largely not vulnerable to this class of attack.
Awesome John, thank you so much for the time on your videos, u the best I have learned a lot with u and like how quick u explain and speak, keep it up Master
Hello Brother please tell me how to perform evilginx on over internet.
Thanks! I will use that for Educational Purposes Only!
It would be interesting to see how features such as Continuous Access Evaluation, from Conditional Access and Smart Links, from Defender for Office 365 would deal with this attack, as Microsoft says token replay is detected and blocked. Very good video anyway
Good points, Token machine binding in preview too
Nice try John, we all know that your discount link in the description is an evilginx lure link 😉😉
Kidding mate, awesome video as always.
Thanks, I will use this video to further prove my argument to improve phishing defence.
Speaking from the defender side, orgs are implementing conditional access policies that will block sign ins not coming from company owned IP address spaces, and there are a lot of security mitigations in place to stop such phishing attacks. Although the large majority of users are never gonna click shady links like these, there will be a portion of users whom will, and there will be a tiny portion of those users whom will get phished all the way. User training and awareness is the number one security counter measure against such attacks.
How can you restrict remote logins to only company owned IP space? Force all remote users to use a Full-Tunnel VPN that sends all traffic through the office? What if the company network is down? Then no one can sign in.
@@iRyan230 You divide users in various subsets, for example, users that will always work on site have no reason to log in from foreign IPs. On the other end, there will always be a set of users who will need to use company resources on the go, and for those MFA and managed device policies are strictly enforced, alerting policies are more sensitive, raising alerts wherever any unfamiliar sign in activity is observed.
As for the VPN, you can deploy enterprise grade VPN solutions with no downtime (in theory), you can get company specific IP spaces and those can be whitelisted in your IDP. This is by no means a perfect solution, but carefully designing these can mitigate a large portion of the threats, the rest can be easily handled by the incident response team.
And regarding the example in this video, admin access is usually deferred to separate accounts that have even stricter access policies.
@@iRyan230conditional access policies will usually be based on location. If a user logins in from California at 8 am and then an hour later tries authenticating from Florida that sign in attempt will most likely be blocked.
He was asking more-so about the fact that if you do this, how do you handle your remote users (full-tunnel VPN?), or how do folks work when the network is down?@@Slickjitz
@@kylewolf5706 that’s why any good network engineer has built out redundancy so the network never truly goes down.
It would be amazing to see a demo of this tool with things like ubikey and passkeys to demonstrate how they aren't vulnerable to these kinds of attacks.
Unfortunately even they would not be immune since the attack is targeting the active session cookie
@@OrionsArm They would be immune because they'd simply fail to work due to the different domain name. The same as the password not being memorised in the browser.
@@OrionsArm The key exchange would fail with the different domain name, meaning no session cookie would be generated. I was disappointed that wasn't covered in this video.
@@mountainslopes Not a different domain name he is reverse proxying and using the actual domain name
@@OrionsArm there is a different domain in the browser and yubikey check domain from the browser, you need to educate yourself
Nice video John. Can you make one that shows how FIDO2 keys are not vulnerable to this type of attack? Also, maybe detailing what steps admins can follow to try to mitigate this attack as much as possible?
Can you explain how FIDO2 keys protect from session hijacking?
Isn't it just like 2FA?
I’m not sure, but fido2 would be the same. Ultimately what your doing is stealing the cookies.
So as long as websites uses cookies or auth tokens, you can do this
@@greyshopleskin2315 If you have malware on the client’s machine or have some other way of stealing the session cookie from their browser, then yes, it’s the same.
However, if we’re just talking about preventing phishing, then FIDO2 and certificate based auth will never authenticate you on a malicious site to begin with thus no session cookie to steal.
@@greyshopleskin2315FIDO2 will not authenticate through a different domain (the phishing domain used in this video for example), no authentication, no cookie
@@sapuseven in my opinion FIDO2 would not work as it is tied to the actual domain name cryptographically. So as the phishing site is not using the correct domain name, the FIDO2 token will not work to log in. However still, if the user is able to use some fallback mechanism instead of FIDO2 then it can still be successful.
Seems like a really good time since an auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn
Yeah that's why I blocked .zip domain at my dns level😅 btw nice tool
Wait, When you used the victim page, you used your own ip-adress. When you used the session 3 and copied in firefox (cookie plugin) , did you still use your own ip-adress ? Because in Azure (not sure in M365) every logon is check from which ip-adress it comes from. When you have a session from IP-adres A , and you come with the same session with IP-adres B then this shouldn't work at Microsoft. It should detect and ask to do a MFA again. This is called conditional access in Azure AD. I think this exploit can be done on websites that don't cross check sessions with different ip-adresses. Thank you for the learning John
That was my line of thinking as well. What CA (conditional access) rule can we create to harden a tenant's configuration against this attack? Also great question about IP address usage, how would this behave when Microsoft detects this the session token from a different IP. Is this a default behavior or should we setup a CA rule to harden against it?
Word. When I tried it against office365 it worked, but in the azure portal it didn't. it'd keep me asking for mfa codd
This was not configured with conditional access from the looks of it.
Atypical travel CA rule could do the trick here. For example trigger another MFA prompt when attacker attempts to signin instead of blocking the account, this alone could help, but not necessarily prevent the attack as the attacker might be connecting from a similar geographical location.
@@azountsu conditional access could be it has to be an Entra registered device (registered on your network talking to your domain controller/Active Directory so they'd have to be in your network to register) and it has to be a compliant device (which could be whatever parameters you set). Could also block all IPs from countries you know you'd never have users in or are known threats like Ukraine, Russia, China, etc.
Wish you’d use Google as an example for a phish involving the .zip domain
Hehe, that would be ironic. :D
seems quite cool the guy behind this program is polish and has cybersecurity companies using this exact tool
If a conditional access is set (let's say it requires company device for employees to actually successfully log in), will that prevent the attacker from getting the access even with the session credentials stolen?
Super content Brother, keep it up!!!!!!!
@_JohnHammond Do you know why companies like Microsoft are not mitigating this threat with the Security Hardening techniques you mentioned at 9:10 like "Security Token Validation". Is there a downside to implementing this?
They are dragging their feet with this attack which is seriously frustrating. This has got to be one of the largest security concerns organizations face today and they are practically silent in it(minus a blog post or two…)
Seems like a really good time since a auth user designates the resource that it operates on it's largely not as vulnerable to this class of infiltration as of the current state rn. Just an FYI
That's the coolest evilginx presentation I've seen.
PS. FIDO2 (crypto keys, local biometric authenticators, passkeys) to the rescue :)
Excellent content as always.
have programmed a HTML+CSS phishing website for my business. and I want to know how to get what user are typing on the login page so I can se if they are given out sensitive information
cookies must be verifying the client-agent & change in location.
Hope the sign in from different location & device is notified to user & immediately changed the paswd. 🙄
I dont get how evilginx is able to grab the token after the login. Is there not a anti CSRF or CORS ???
I am getting this error: "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid." I don't have that on my yaml file. Any comment on this?
How does evilginx generate a tls certificate signed by a trusted ca? Which ca is it using?
It uses letsencrypt to generate the certificate
Most likely Let’s Encrypt.
Nice video.
How to prevent:
Block sign in to 365 apps on unmanaged devices.
But I wonder if you could make this test while user is logged in passwordless.
Option 1 with Microsoft authenticator registered for passwordless sign in.
Option 2 with WHfB passwordless authetication.
Is there a cheaper course ???? Ima broke college student atm
Jhon i was wondering if you could help me.
I got blocked out of my own account because i cleared my cookies everytime i close my browser.
Because i follow privacy online as a religion Microsoft AI got confused and locked my account because of "Suspiscious acitivity"
Now there is a chain reaction that is triggerd and i lost most of my accounts because i have 30+ emails..
Can you please help me?
Can you deep deeper into the part where the phishing email went into junk mailbox? Guessing it didnt pass spf/dkim/dmarc? Is there a way we can import a forged certificate?
Email going to spam shouldn’t matter at all since this is just demo purposes. These attacks very often come from senders the recipients already trust such as already comprised colleagues, or partner organizations, etc.
Am I seeing this right, if we’d use a password manager to autofill the username/password, it wouldn’t suggest us the Microsoft password since the domain in the browser is not actually the Microsoft login?
As a user that happens all the time. You get conditioned to having to paste the password in sometimes when the account creation address doesn't match.
Correct.
Which software would you guys recommend that is best for recovering files from Android phones. I use windows btw
Where do you host your websites or files to say the least
Question: Just asking, why would you show someone how to do this.
Can you do it with Google tho. I always like to think Google does web better than Microsoft.
Do zip domains have any use other than phishing?
This is the response im getting, im on evilginx v2.4.2. We're unable to complete your request
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
evilginx professional masterclass is what u should be
so M365 added the feature to show the geo location of the number matching request, would that still come from the victims geo IP since this is man in the middle ?
Since it operates as a proxy, I would suspect it would show the location of the server running evilginx. HTTPS alone would stop it somehow passing the victim's IP to Microsoft.
We had a recent BEC that had MFA, we couldn't determine how but suspected token theft in this method.
Another thing we tend to do is customize the login screen to hopefully give the end user a slight pause when they get the default theme.
@@dyerseve3001 good call on changing the theme of the login page, thank you
@@dyerseve3001I’m all for changing the default theme but how would that offer protection here? The phishing site is still pulling from Microsoft in real time so the user would see the custom theme for your organization anyway.
More videos like this please, great video
even if you outsmart user to giveup their credentials, Microsoft still detect a new device login and notify the user. User can deny the usage of that new device and your access to the website will be gone in no time.
Insightful ! Thanks for sharing this man.
What I don’t understand from this video is how he gets his URL to display the Microsoft site. Anybody able to explain?
Update: I re-watched the whole thing. Need to configure it in the phislets yaml file.
Nice explanation!
so how do we avoid the mail going to the junk emails ?
Awesome video. thanks for sharing!
Why don't electrics just use Torx bits? Yes, I know you need to select the right size, but they just work so well, with no cam out.
Is there a cheaper course ???? Ima poorcollege student atm
Link for 20 percent off, takes me to register for the moveit event.. i think its the same link
man please try this with adfs for steal Microsoft 365(obviously for educating purpose)...i still have a problem with him for my thesis
John, that thumbnail is killing me. 😂
The available phishlets (And the one shown in the video) are not working btw. However, after many hours of tweaking you can get it to work - but password will not be displayed - you will have to know some java script. And it will not prompt user to login unless they are activly logged out (if already logged in you just get the token straight up - even better!).
Huh? How would it retrieve the token then? The sign in is coming from a new device so surely it would require a new sign in.
I have phishlet google available for 3.2, capture user + password + cookie
Hey bro.. I lost contact of my best friend.. have just gmail and don't know whether it's using currently or not....
Is it possible to get the contact details by name and location 😔?
Amazing video! Good to know what’s possible
but how the token is valid if is a fake site m365?
Hey i want that Microsoft yaml file too. How can I get it
I followed everything correctly but when i search the lure url on my browser the response i get is, 'Server not found'
It`s unbelievable how simple and powerful it is
Can you provide the phishlet used for 365 ?
A video on how to prevent this would be great, other than user education of phishing emails.
Pretty self explanatory, you just do the opposite of the attack lol
Você tem um incrível potencial criativo
I am surprised this video has not taken down
Why do you use sudo when you are already logged in as root?
Thanks for this great video John…appreciate you.
Would Yubikey prevent this?
It should, as long as other methods are not also enabled.
thank you federal agent! I shall do this immediately!
thanks, John super content keep...
Bro we k ow this technique but can you guide how we can avoid to land our phish email which contains lures id in spam/junk one.. why it not land inbox
Would recommend sending an email from Azure Cloud Shell, so it's from Microsoft. Probably just coming from Gmail it didn't look "business -y" enough. (Or could swap the contents of the email so it's not as clearly spammy)
Great video as always. 👍
Great Video
I will Try to do for Netflix now.
Well done John!
You can mitigate this with conditional access and using certificates and domain join status. Not all mfa is created equal
i thought you would even provide a link to the 365 phishlet
Does it still work?
Does azure ATP see it as a risky login out of curiosity?
Sometimes, but not all the time. Recent one I dealt with somehow did not get flagged as risky, but I would say a good majority of them do.
Would this work for victims on mobile?
It will not working with Google account 😩
That is actually terrifying
What can i do to revoke the stolen Cookie?
I recently got an email using this, it evens pulls the tenant branding on the login screen
Yes also seen a Tenant branding one at the end of last week however surely that's not a surprise as the Reverse proxy will do whatever the tenant would have shown.
@@robinbarlow7619yup… I also worked with one that forwarded to another iDP too (Microsoft login page forwarding to Okta).
This is such a mess and really frustrating that Microsoft is dragging their feet here. I know it’s complicated to resolve this at a large scale but it’s got to be one of the worst security threat’s organizations have faced in a long time.
Was this the method used to hack LTT?
PLEASE Is there a cheaper course ???? Ima broke college student atm
What happens if the victim already has an active session?
Did I miss the part where he set the TLS cert for evilginx?
Nice video john
Sounds like Seth Rogan giving a phishing lesson.... great content love the video 🎉
Live your content
I am one of the victims of getting phished and the hacker hacked my Clash of Clash account and changed my gmail that's linked into the acc to his. I need help