Nice. In addition to FIDO2 hardware keys, filtering policies to block newly registered or unknown domains can stop this, and any password manager will stop this as well.
Using a password manager totally slipped my mind. Great point.
Yep. One of the reasons why I use KeePassXC is that it will only populate the credentials on a known URL. Also, ALWAYS log off, do NOT just close the browser, when you're done with the website; the server will revoke the session cookie so it can't be reused elsewhere if stolen.
Awesome explanation and demonstration of the ease of use. This essentially blows away the MFA security blanket if someone just hits the "yes" button when they think they are logging in to a legitimate session.
Great demonstration. The weakest link in cybersecurity continues to be the user. It is becoming very difficult for normal users to identify phishing and MITM attacks.
I got myself a Yubikey. I love it; not only is it great for security but it's so much nicer than typing codes all the time. I really do wish more sites supported it.
I think over time as more people become aware of it websites will have an incentive to support it.
I also have a Yubikey, but the support is limited to major companies
There are solutions. The idea behind this whole attack is that it is a standard MITM attack, but there are auth systems like Zalter Identity which are impossible to break in this way. The idea behind their authentication is that they exchange a signature key on both sides and eventually, instead of using tokens to maintain the identity, full message (request) signatures are used to authenticate that the user is who they claim to be. Take a look at their product and see whether you find it better. Now, in regards to the Client Hello fingerprinting, that would be fine if the client fingerprint were fixed. With TLS 3 that's basically not the case for the client. It would, however, fulfill the same exact purpose as a user signature key. There are issues with the way you can trust the files in the browser, which is basically the main problem. In that regard HSTS and certificate pinning have done something to alleviate the problem, but not completely. If the user is phished though... then nothing can really protect them.
Great video, but about Guardio: did you check their privacy policy & ToS?
💀💀💀💀
Yes I have. First thing I checked. Guardio does collect telemetry to help end consumers improve their experience. Guardio does claim they do not collect user data and sell it. And they are GDPR compliant. I do say this with caution. I do think Guardio is a great service for the average user.
@@collinsinfosec 🤣🤣🤣
Good for thee but not for me lol
@@internallyinteral 😂😂😂
Just earned a sub, good content. I liked the defensive strategy option at the end. If you're gonna expose a problem, better provide a solution (if able to). Most channels don't really do this, or it's so damn convoluted and drawn out if they do.
+1
Great video, thanks Grant!
how do you typically decide what projects to do and where do you often source your research from? I'm a bit more advanced in my IT and cybersecurity career but am always itching to learn a new skill. I could use some insights on finding new and interesting things to trial and experiment with myself.
I don't have any particular process. Projects randomly come to my mind. Typically, I think of something while reading the security news on a daily basis or researching concepts I do not know of. I do have this page here which lists out some project ideas, but these are more beginner friendly: cybercademy.org/project-ideas/
Great video man
Great video sir :)
Awesome work
Great Content Boss 😎
Great video!
Very cool video man. Ty!!
great video @collinsinfosec. Do you think that some sort of server+client side validation of the FQDN through JavaScript (obviously in a secure way) would prevent users from falling into this kind of trap?
HOLY FUCK! lol I've analyzed these phishing emails every day but didn't know the MFA bypass capabilities… can't wait to go to work lol.. Thanks so much
Thank you so much! !!
May I ask how you know what DNS record to add for each phishlet? They would need to be different, wouldn't they?
Great video!
Not sure if the email address is correct but if it is, you missed some blurring around 3:54 in the link preview at the bottom of the screen
does it still work nowadays?
I heard Microsoft has implemented a way to prevent this, but I'm just wondering if it still works nowadays
thanks
@@paulus9660 so is it Microsoft that suffers the most from this, or does Google suffer from this too? I've not heard anyone mention Google with this attack.
Is the token still valid if the attacker’s connection comes from a different source IP address than the legitimate user?
I guess you mean cookies. And the answer is yes. Many people on the internet use dynamic IP addresses, or simply move their devices between multiple networks (like laptops or phones). The main idea of a cookie is to be able to prove your identity without having to login each time. So making the cookie tied to a specific source IP address totally defeats its purpose.
@@helshabini Yep, which is why I make a habit to always "log off" the session before closing the browser. This invalidates the cookie forcing me to sign on again which is fine.
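The two points made in this thread, that a session cookie is deliberately not tied to a source IP and that clicking "log off" (rather than closing the browser) is what actually kills a stolen copy, can be seen in a toy server-side session store. This is an added example written for this page, not Microsoft's or anyone else's implementation; the store, the TTL and the `mfa_ok` flag are assumptions for illustration. MFA is checked exactly once, at `login`; every later request is authenticated by the opaque cookie alone, which is why a reverse proxy that captures that cookie after the victim completes MFA never has to deal with MFA again.

```python
import secrets
import time

# Constructed in-memory session store (example, not any vendor's code).
# Sessions are keyed by the opaque cookie value only: no binding to the
# source IP or browser, so a replayed cookie works from any machine.
SESSIONS = {}
SESSION_TTL = 60 * 60  # assumed lifetime in seconds


def login(username, mfa_ok, now=None):
    """Issue a session cookie after a successful password + MFA login.
    MFA is evaluated here and nowhere else; a captured cookie skips it."""
    if not mfa_ok:
        return None
    now = time.time() if now is None else now
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username, "issued": now}
    return cookie


def authenticate(cookie, now=None):
    """Resolve a presented cookie to a user. Only the cookie value and its
    expiry are checked, exactly as the thread describes."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie)
    if sess is None or now - sess["issued"] > SESSION_TTL:
        SESSIONS.pop(cookie, None)
        return None
    return sess["user"]


def logout(cookie):
    """Server-side revocation: the stolen copy stops working immediately."""
    return SESSIONS.pop(cookie, None) is not None


def demo():
    """Replay a captured cookie before and after the victim logs off."""
    t0 = 1_700_000_000
    victim_cookie = login("alice", mfa_ok=True, now=t0)
    # Attacker replays the captured value from a different IP: accepted.
    attacker_sees = authenticate(victim_cookie, now=t0 + 600)
    # Victim closes the browser: nothing changes server-side, still accepted.
    after_close = authenticate(victim_cookie, now=t0 + 1200)
    # Victim clicks "log off": the server drops the session, replay fails.
    logout(victim_cookie)
    after_logoff = authenticate(victim_cookie, now=t0 + 1300)
    return attacker_sees, after_close, after_logoff


if __name__ == "__main__":
    print(demo())  # ('alice', 'alice', None)
```

Closing the browser only discards the client's copy, and with "stay signed in" the cookie is persistent anyway, so the attacker's copy lives until the server-side entry expires or is revoked. Binding the entry to the first IP would break the replay in this toy, but, as noted above, it would also log out every phone that moves between networks, which is why providers reach for weaker signals such as browser fingerprinting instead.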
Still, it needs a successful phishing, right? Call me old fashioned, but I use Google Authenticator, no pop-up notification 🙂
Microsoft have a version of fido2 passwordless using their Authenticator app and ‘enter the on-screen number’ prompts. Could this be replayed too?
Yes it can. Once the victim approves access on the app the attacker can use the session cookie. Microsoft is making this way too easy, as I've often opened up my browser and behold, I'm already logged into Office 365 even though I haven't used the session for days. Although Microsoft does prompt you if you want to save your session for 60 days, which is a bad idea from a security standpoint.
I don't know how I found you? 😇
But really I'm quietly loving your videos ♥
Best of the best
This depends on the user clicking on a link to the fake login site, correct? I hate it when Chrome and other browsers do not show the actual URL in the status bar. Also, the URL address bar just shows the title of the page.
hello, I am having issues with the certificate part. It's not installing; it's showing "acme: error: 403 :: urn:ietf:params:acme:error:unauthorized". Please, how do I fix it?
Second defence I do out of habit is sign into a website with a horrible-to-remember unique password and allow the browser to remember it. Then change the password by adding a second unique password to the end of the first. When I log in I let the browser auto-fill the first half of the password and then type the second part of the password, and decline the option for the browser to update its password. Such an attack with a spoofed login screen from an untrusted domain should not be auto-filled by the browser, and would prevent me providing the complete password.
That's called salting, if you wish to use less words to explain it in the future.
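Both the KeePassXC remark earlier in the thread and the split-password habit above rely on the same property: the manager fills only when the page's origin matches the saved entry, and a reverse proxy necessarily lives on a different host. The check below is an added example written for this page, not KeePassXC's or any browser's matching code; the vault entries and host-matching rule are assumptions (a saved host matches itself or a child label under it, never a lookalike that merely contains it).

```python
from urllib.parse import urlsplit

# Constructed vault (example data, not a real KeePassXC database).
VAULT = [
    {"url": "https://login.microsoftonline.com", "user": "alice@example.com"},
    {"url": "https://accounts.google.com", "user": "alice@gmail.example"},
]


def host_matches(saved_host, page_host):
    """Exact host, or a label under the saved host. The leading dot matters:
    without it 'notlogin.microsoftonline.com' would pass a plain suffix test."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def entries_for(page_url):
    """Return vault entries a manager should offer on this page."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return []  # never fill over plain http or on a malformed URL
    page_host = parts.hostname  # urlsplit lowercases the host
    return [
        e for e in VAULT
        if host_matches(urlsplit(e["url"]).hostname, page_host)
    ]


def would_autofill(page_url):
    """Usernames the manager would fill; empty means the user gets nothing."""
    return [e["user"] for e in entries_for(page_url)]


if __name__ == "__main__":
    for url in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com.evil.example/common/oauth2",
        "https://microsoftonline.com-secure.example/",
        "http://login.microsoftonline.com/",
    ):
        print(url, "->", would_autofill(url))
```

A phishing host such as `login.microsoftonline.com.evil.example` fails the check because the saved host is not a suffix at a label boundary, and an `http://` page fails because the scheme is part of the match. What this does not defend against is a user who, seeing no autofill, copies the password out of the vault by hand; that is the gap the split-password habit above is meant to cover.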
Wow, man, you rock 😎👍
good video! deee booo dahhhh
How can something similar be accomplished on a mobile device? Is it possible through the same/similar method?
Pretty sure this is exactly how MFA was bypassed at Uber
Not quite the same - they got his credentials on the dark web, actually tried to login, which gave the MFA prompt, which he denied. Then they posed as a coworker on WhatsApp (or maybe some other ephemeral service) and said they were trying to login. Then he approved. Idk how they’d prove that… maybe it was just fatigue.
I can’t imagine someone at his level succumbing to MFA fatigue… the average user, especially non-IT, sure.. a technical contractor??
@@Bboyd88 Might have been wrong info in one of the articles, thanks this was informative.
@@Bboyd88 MFA fatigue is real. Like those stupid notifications on my cell phone. So many notifications I just swipe them to trash. Eventually I went in and adjusted the notifications in the apps.
how did you manage to get that certificate? You mentioned a Let's Encrypt cert, which in my knowledge shows an exclamation (!) sign in the website padlock
pay for an ssl certificate
Does this only apply to O365? Are session cookies treated differently for each website? All the tutorials I have seen have been only around Office 365
Disabling JavaScript by default and then allowing it on a site-by-site basis stops a number of attacks. When you visit a site such as YouTube or a webmail login, the site has a red X. Enable JavaScript for this site (if you trust it) and you are protected from a number of unknown zero days sitting on other sites you may visit. Man in the Middle also breaks, as its JavaScript is not trusted and not run, unless they have the server's private key for a domain you trust. After you've trusted your most commonly visited sites, you should have little or no problems on them.
Java anything needs to go away, period.
Please, how do I update my Office 365 phish to grab tokens?
Sir, please upload how to start a cyber security career in 2022
Impressive
Do you know tool that can gain useful information about a given Facebook account?
why do you use Windows
hey buddy, can you make some networking content like CCNA, CCNP
Nice demo, but we have not exactly "bypassed" MFA. MFA has been used every time to log on
That would be correct. However, once the reverse proxy captures the cookie, MFA won't have any effect on the attacker as long as the cookie session remains valid.
@@Darkk6969 we are still not bypassing MFA. We have completed a full and genuine (albeit from a bad actor) authentication. The OAuth access token is genuine and, as you say, will be used to access the service for which it was issued. MFA is not in the loop when accessing the service with an access token. We are not bypassing MFA. I'm not debating the security issue; it's the "bypassing" term I have a problem with
@@paulrobinson270 Perhaps your problem lies in a lack of understanding of the term "bypass", which is a synonym for circumvent.
"The act of circumventing; the act of outwitting or overreaching; deception; fraud; stratagem."
Wouldn't you agree that while it doesn't attack MFA directly, it rendered its purpose obsolete? Seems fitting to the above description to me; is it not for you?
is it still working as of now, February 2023?
make a video on 100% BitLocker bypass
Do you use a Tower PC or a laptop ?
Right now I am on a laptop. I do plan on building a Tower PC in the next year.
@@collinsinfosec
Is there a big advantage of Tower over Laptop ? Or why have you decided to do that ?
Doesn't Microsoft check source parameters (source IP, type of browser, etc.) of sessions? For example, if I were to catch somebody's login data and user session and copy it into a different browser / source IP, Microsoft should ask for 2FA auth. Would be great if someone could elaborate on whether my thought process is right and that this attack shouldn't work in the real world.
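Whether or not the identity provider enforces this at login time, the question points at a useful detection: a session that was established with MFA from one IP and browser, and is then presented from a different IP or browser shortly afterwards. The example below is added for this page and is not Microsoft's, Entra ID's or any SIEM's rule; the records are constructed and the field names (`session`, `mfa`, `ua`) are assumptions, so map them onto whatever your sign-in log actually carries. It flags post-MFA reuse of a session whose source IP or user agent differs from the request that satisfied MFA.

```python
import json
from collections import defaultdict

# Constructed sign-in records (example data, not real IdP output; field
# names are assumptions, not the Entra ID or Okta schema). One record per
# request that presented the session cookie; "mfa" records whether MFA was
# satisfied on that request or an existing session was simply reused.
LOG = """
{"ts": 1700000000, "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Edge/118 Windows", "mfa": "satisfied"}
{"ts": 1700000090, "user": "alice", "session": "s1", "ip": "198.51.100.7", "ua": "Chrome/118 Linux", "mfa": "reused_session"}
{"ts": 1700000300, "user": "bob", "session": "s2", "ip": "203.0.113.11", "ua": "Edge/118 Windows", "mfa": "satisfied"}
{"ts": 1700003000, "user": "bob", "session": "s2", "ip": "203.0.113.11", "ua": "Edge/118 Windows", "mfa": "reused_session"}
{"ts": 1700000400, "user": "carol", "session": "s3", "ip": "203.0.113.12", "ua": "Safari/17 macOS", "mfa": "satisfied"}
{"ts": 1700000460, "user": "carol", "session": "s3", "ip": "192.0.2.99", "ua": "Safari/17 macOS", "mfa": "reused_session"}
"""


def parse(log_text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def find_session_hijacks(events, window=24 * 3600):
    """Flag reuse of a session whose source IP or user agent differs from the
    request that satisfied MFA. Reuse later than `window` seconds after the
    MFA event is ignored, so long-lived sessions on roaming laptops do not
    page the on-call engineer every morning; tune to your token lifetime."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue  # nothing to compare against
        for e in evs:
            if e["ts"] <= anchor["ts"] or e["ts"] - anchor["ts"] > window:
                continue
            changed = [f for f in ("ip", "ua") if e[f] != anchor[f]]
            if changed:
                findings.append({"session": sid, "user": e["user"], "ts": e["ts"],
                                 "ip": e["ip"], "changed": changed})
    return findings


if __name__ == "__main__":
    for f in find_session_hijacks(parse(LOG)):
        print(f)
```

In the constructed data `s1` is the evilginx-style case: the cookie minted for alice's Edge on Windows is presented ninety seconds later from a different address by a Linux Chrome, which is the strongest signal here because a user agent does not change when a phone moves networks. `s3` changes only the IP, which, as the earlier reply about dynamic addresses notes, is a weak signal on its own and is better combined with ASN or impossible-travel checks before it becomes an alert rather than a lead.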
Dear FBI, I am watching this video for just educational purposes
Great
Please make a video on installing this tool, and good work
evilginx - like nginx is engine x, replace en with evil.
Facebook passwords cannot be seen in this tool.
Does this still work?
How are you getting it to trust the SSL cert on the website?
I have the same issue. Seems some phishlets will need different DNS records, but it's very unstable for me, so I'm not sure what I'm messing up.. got two working but most have errors
@@lslamichub. Got most of them working; you have to edit the custom domain servers to match those that the error will return. It'll be phishlet dependent, and you'll need to let it populate, but usually you can troubleshoot the missing DNS records one by one within a minute or so..
However, make sure that you have the reverse proxy set up, as upon my first attempt where I got rid of the DNS errors I got my domain and droplet banned for phishing (my own credential).
Was there a phishlet in particular you wanted to get working?
@@sliceoflife5812 can you help me set this up if I pay you?
where did you put the SSL cert?
A more pleasant future for the web would have no user authentication step at all, rather your device would store the cryptographic equivalent of object capabilities. ocaps have an elegant mathematical formalism that opens up completely new ways of working on the web.
Of course, while you can build sites this way on the web today, the browser is somewhat hostile toward putting secrets in URLs because it will happily display secret url components to anyone who can see your screen.
Why blur everything? Just create a dummy account and test on it.
Yeah I tried that at first. Something was off about the dummy account. So I just used my old O365 account for the sake of showcasing it.
@@collinsinfosec Or create Office 365 trial account since it's just a test. Once done close the account.
Hey buddy, make some vlogs... that'll be great... and I remember you were a great vlogger....
❤❤❤❤❤❤❤❤👍👍👍👍👍👍👍👍
Great teaching. Just a few setbacks I'm experiencing, and I would need your guidance. I'm done setting the lures and a link was generated for me, but I can't access the website because the server can't be found. Is there something I'm not doing right?
bro blurs the username and password but he forgot to blur token haha
Only amateurs use SMS for MFA. This threat is no threat at all.
That's fair. However, a reverse-proxy can sit in between and intercept different types besides SMS codes, such as OTP codes and push notifications. I used SMS for this showcase since it was already enabled on this device.
@@collinsinfosec how are you getting an SSL certificate? please reply!
Thank you for your videos. If I may ask you to speak a little more slowly; not all of us are English mother tongue.
Guardio is overpriced! Just use the Brave browser
lol, fatigue attack. How simple is it to disable notifications? Are you mad?
Typically, businesses use push notifications for the second factor of authentication, meaning users must have these turned on when authenticating into the corporate network. Although simple and rather dumb, this technique works well. Take a look at the most recent Uber attack. One way the MFA vendors are thwarting this attack is through rate limiting the amount of push notifications.
You seem upset, everything's good?