VillaRoot
I'm a Pentester Consultant with a background in System Engineering where I managed Linux and Windows Servers. This channel is to share knowledge that I have learned over the years with others for free. Content that I will be creating will relate to scripting in Bash, Powershell, and Python along with Hacking/Pentesting related content.

My twitter is @villaroot which is where you can reach me if needed.
Comments
@adamsmith_1337 1 day ago
thank you for information sir
@user-jb8de9sd1y 7 days ago
Your video got deleted, can you send me that video, I don’t know how to set up evilginx2, always getting an error with letsencrypt
@user-bc4gp4nr5v 12 days ago
new upload??
@dmustakasjr 15 days ago
First 9 mins of setup is key. Penetration test(ers) need to know those key details in order to be able to fully demonstrate the technical information in any report to a client. Thank you for including that.
@sharellgee 24 days ago
please am getting this error [err] cert_db: failed to load certificate key-pair: tls: private key does not match public key
@smbsid 25 days ago
Very good video.
@mr.forensics8285 29 days ago
I don't think you added the link for setting up the local website. Can you verify the link in the description?
@user-xl1kd8iq3n 1 month ago
Thanks for the very insightful video. I've made it very close to the end but currently stuck. When I pull up a session, the username / password fields are blank. What am I missing here and where can I go to fix it? Also, will it fetch the creds even if they are incorrect? Thank you!
@SzaboB33 1 month ago
Excellent video, I learned this attack from this video half a year ago but I have one question still: If the HTTP NTLM authentication would use HTTPS instead of just cleartext, how would that change this attack vector if at all?
@villaroot 1 month ago
Thanks for the support! I was digging more into the HTTPS mitigation. And it looks like just having HTTPS won't fix it, it also has to have extended protection and authentication (EPA) set to 'required'. support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
@janetIewis3902 2 months ago
Does it still work for evilginx3
@SrRunsis 2 months ago
Great vid man!
@villaroot 2 months ago
Thanks!
@PatrickHener 2 months ago
Hi there. Original tool creator here. Thanks for reviewing my tool. I really love the clear instructions that you gave to set it up. I didn't really think of this as a use case with domain and such. Also I am sorry that the UI was not clear enough when it comes to uploading. I will take away 2 issues here which I will look into as a future improvement of the tool. This is a) start upload directly after drag and drop without the need to press the "X" and b) integrate with Let's Encrypt for automatically pulling a valid certificate. I cannot promise that I am able to resolve both of those though. Nonetheless, have a good one.
@villaroot 2 months ago
Hey, an honor to have you see this review video! Those would be great additions to the tool. Thanks for creating Goshs because it's been my favorite way to transfer files, even for personal use, so I use it all the time.
@PatrickHener 2 months ago
@villaroot I have added the features with release v0.3.8. Be sure to check it out.
@lavenderstyle4579 2 months ago
i did it but how do i make it for my voce chat server
@nlinley 2 months ago
Does the disable outbound ntlm gpo setting provide any protection on dc's that allow ntlm v1?
@shinigamiryoutaro 2 months ago
Somehow did not work on Arch
@villaroot 2 months ago
You're smarter than me for using Arch. I can only wish you the best on your journey. But I'll see if I do find any details I'll let you know
@shinigamiryoutaro 2 months ago
@villaroot Thanks
@orhangut 3 months ago
You rock! Please keep sharing and producing content. Hopefully in the not too distant future RU-vid will show more of this useful content in the foreground.
@villaroot 3 months ago
Thanks! I really appreciate that!
@itay1207 3 months ago
great video
@girl4632 3 months ago
Hey, how did you create your own testing website and use evilginx on it? My evilginx keeps on saying tls certificate error, as I am using my website with a self-signed certificate.
@user-li8ps5qu7h 4 months ago
Hi. i just came across this video. you've done a really great job and will like to see more. do you have a discord channel where students come together ask questions and you help with answers ?
@villaroot 3 months ago
Thanks for the support, and I'm glad you are enjoying my videos!! I don't have a discord channel, tbh I didn't think anyone would care enough to join one from me lol.
@user-li8ps5qu7h 3 months ago
@villaroot lol well i will. i came across some phishlets on github which i downloaded. i use ssh bitvise which gives me the privilege of being able to drag any file into the server. so i dragged the phishlets into the evilginx folder in the server but when i executed the program i didn't find any of the phishlets in there what could be wrong ? also can i edit an existing phishlet for a completely different program?
@JohnSmith-wz7he 4 months ago
Great Clip! Thank you. Would be great one day if you covered all 8 🙂
@villaroot 4 months ago
I was wondering if that would be valuable to ppl. So thanks for letting me know it might be!
@orhangut 4 months ago
Thanks, you save my day (maybe days :) )
@lmfao69420 4 months ago
This is a great explanation.
@villaroot 4 months ago
Thanks! I'm glad you liked it
@girl4632 5 months ago
Ya one more thing please reply. I set up my own mail server using postfix but it didn't work, I mean I sent email to a Gmail address, it said your ip isn't in authenticated ip list contact isp. What is this all things.
@girl4632 5 months ago
Hey could you tell about domain. There is 30 day period only for domain or ssl. And how buying deleted domain. Changes the things, do it really does or not
@villaroot 5 months ago
Hi, yes buying an expired domain does make a big difference. A new domain can set off alerts on the client machine if you are downloading files from it. One of the checks is if a domain is more than 30 days old.
@girl4632 5 months ago
@villaroot Mark me if I am wrong. But won't when we purchase a deleted domain it dns registry show the day we purchased, so won't it be called newly purchased. It actually shows the new date of the day we purchased it. Thanks a lot for your reply. Your one reply made me loyal to you. And what about new ssl certificates, I was watching a video and this fact too popped up.
@villaroot 5 months ago
Thanks for the support! And I'm honestly not too sure how much the purchased date matters. But I do know the total age does matter a lot, especially since you can see if it's already categorized.
@girl4632 5 months ago
@villaroot Your knowledge sharing and support towards followers deserves our support. But where this total age is given. As in DNS record it will show the new date of purchase. And what's the role of categorisation and what it is.
@villaroot 5 months ago
Categorization is like a grouping of different types of websites which results in a risk rating. For example if your website is hosting malware or something like evilginx, it will eventually get detected as 'malware' and given a high risk rating. If it's a normal site that blogs about traveling. It will be put in a group related to 'traveling information' and given a 'low risk' rating. New sites that have never hosted anything are categorized as like medium or high rating I think. Then comes into play when clients have web filters or detection software. So if you buy a site that was previously a low risk, then that will probably pass detections on a target's workstation.
@hotplugin0x01 5 months ago
Please more adcs videos
@skrskr9000 5 months ago
Version 3 is out so is this one not gonna work now ?
@villaroot 5 months ago
I believe the format for the phishlets are still the same. The only difference I can remember is at the top, you have to put version 3 instead of 2
@skrskr9000 5 months ago
@villaroot ok thanks. Thanks so much for this, the burp suite trick is definitely what i was missing. I just need to watch this a few more times
@meysamabedi4806 5 months ago
pls more video about evilginx thanks
@jpcapone 6 months ago
I just wanted to thank you for getting this information out there. You also broke it down in a very easy to understand way. Most importantly you shed light on the remediation path. Other posts have been vague to misleading when it comes to how you should fix this vulnerability. Thank YOU!!!
@villaroot 6 months ago
Very welcome! I'm glad you enjoyed the work I put into it!
@deepakraj-kn2fp 6 months ago
could you make videos for multiple domain with firewall in a AD
@dumindachamara8918 6 months ago
Hi can you please show how to do this in Windows 10 machine?
@Raja-ct9xq 7 months ago
Appreciate your efforts in making this demo. Very informative.😊
@MohdAqeelasif 7 months ago
good one 👍🏻
@nancydelagarzaarzeta808 7 months ago
quick question about which evilginx course I should take. evilginx professional course or evilginx mastery course ❓ sort of on a budget atm!
@Alantrait 7 months ago
Hey bro yeah I have the ginx mastery course
@geeeX3 8 months ago
Hi Villaroot, I came across your videos and they’ve been helpful. Is it possible to send the login data (email, password & cookies) to email instead of checking evilginx all the time
@villaroot 8 months ago
That's an interesting idea. I haven't seen it documented anywhere, but it's probably possible to set up an SMTP server in the same network as the Evilginx server and automatically check if creds were captured every 5 minutes or so. And then email it if there were new captures. I'll probably mess with that over the holidays
@geeeX3 8 months ago
@villaroot I think I saw something like that on a post but that's not what I mean. although i am still working on it but I want to try something different like adding an ajax submit to the phishlet via js_inject to post the form data to external url.
@NitishKumarPatra 8 months ago
Can we eject the cd icon later on or it is required to be there all the time ?
@villaroot 8 months ago
You can eject it later on. It pretty much just needed to be there so that you can run the installation script. Once that script is run, you are good to remove the disk.
@NitishKumarPatra 8 months ago
@villaroot Hey thanks 👍
@devonschulz3415 8 months ago
thx bro, but i think we will require more details than this. especially for those of us who have not used burpsuite before. how do we get each params of the phishlets yaml file from burpsuite ?
@guy2355 8 months ago
Thanks for this informative video
@streamkeeper4462 8 months ago
Literally just enroll in SimplerHacking’s evilginx3 course he just released. He explains everything a lot better on his repos
@mybiggestdreamsfulfilled1028 8 months ago
Is there an easier way to do this. Are you using multiple aws ssh instances for this? If yes how are you switching between them I don't know if I can do this with putty. If no, are you running burpsuite on a separate virtual machine like VMware?
@elidort8529 8 months ago
You got any idea on how to send the captured cookies and credentials to a telegram bot ?
@villaroot 8 months ago
I don't know if there's a way. I haven't messed with telegram bots to really understand how they can be set up. I have been asked that a few times though, so maybe someone has a post about it in some corner of the Internet
@elidort8529 8 months ago
@villaroot okay. In case I find out, I will let you know.
@user-ff2ro4sf5w 9 months ago
how to make result go to dashboard panel ?
@user-ff2ro4sf5w 9 months ago
why link after i make it close when i close putty < i want fix that > please help me
@villaroot 9 months ago
If you close putty, your link should still be active. Putty will close your connection to the server but the server and Evilginx will remain active
@user-ff2ro4sf5w 9 months ago
@villaroot can i do dashboard to see result cookies there ?
@georgesiere161 9 months ago
Excellent run through!
@i_am_dumb1070 9 months ago
Dear sir i have watched and followed along with these 4 videos , i am noob in cybersecurity soo i have some questions ,,, whois lookup will disclose our identity because of this domain so are there any services which provide temporary domains also we are hosting on cloud and it is easily traceable as we put a lot of personal data while making an account so it would be easy to find us , is there any private cloud hosting service where we can pay in monero,etc and easily spin up a server ,, also for the emails i learned from your video how to hide phish url but what about the email address we are sending from like gmail , it will be linked back to us so is there any service to get temporary email or any email provider which keeps our info hidden from law enforcement. What i want to know is how this happens in real world because the method you showed is good for targeting friends and family but not for any company , i have no ill intent i just passed high school and have been learning on tryhckme and online courses so i am just curious .
@i_am_dumb1070 9 months ago
watched video 2 thank you again
@Onepiece_legends 9 months ago
nice work , please how can i add email tag on a link so when they click the email will be logged in , thanks
@Onepiece_legends 9 months ago
@richardjones9598 9 months ago
Thanks for the video and explanations. Loving the content (red team for the win haha!)
@villaroot 9 months ago
Very welcome! I'm glad you're enjoying them, thanks for the support!
@innxrmxst2207 10 months ago
Great content
@affulsamuel728 10 months ago
a why should i need vps but it said that this tool is proxy tool and also server like apache and nginx. so let say i wont use domain, i will use ip will it work
@user-be8bt4wz3n 11 months ago
Could you make videos on other esc attacks as well ?
@villaroot 11 months ago
Yeah sure! I work on that