Thanks for the tutorial. Can you please make a video of how you deploy it on a live server and how you modify and instruct evilginx2 to fetch and use wildcard SSL?
Hey, I plan to make some automation and maybe a tutorial on that in the near future. For the time being you might wanna take a look at the details I shared here where I explain how I currently handle certs: github.com/waelmas/frameless-bitb/issues/6
Thank you! Will be working on some more code and tutorials over the coming months, but for now you might wanna take a look at this: www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation
So if you have custom company branding set up, it doesn't show up in the popup, but I notice the branding background does get requested. Do you happen to know why?
How can I apply another background other than ETech IT? I must commend this is a good educational video. I would like to get some explanation of how to implement a new background and how to detect the browser/OS and user agent of the client in real time.
Any time I set my URL lure and test it out in a browser, the next page it goes to says this: "Microsoft accountAccount We're unable to complete your request invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application." So what exactly is going on??
It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Make sure everything works without Frameless-BITB first to see if Evilginx is working as expected.
Hello. Thanks so much for these beautiful tutorials. I got everything working but I am unable to use js inject for the email parameters. When I configure the js inject in my phishlet, it keeps using the same email for all generated lures with an email attached. Help
Hey, are you referring to a feature that is still experimental in regards to device-bound tokens? If so, that is something that might or might not affect reverse-proxy phishing in general, but we are yet to see how strong it is and if it has any pitfalls that allow bypassing it. Or are you referring to something else?
I usually keep the nameservers at the domain registrar and simply add DNS records for all subdomains that my phishlet will use. All such subdomains plus the root domain should point to the IP of the instance running the setup. (Also SSL certs should be generated for the naked domain as well as a wildcard subdomain). There are many ways to approach this, but I found this approach to be the path of least resistance, and less chances of scanners fingerprinting my servers during the generation of SSL certs.
Yes it is. In fact the advanced version I am working on is a from-scratch implementation of a reverse proxy written in Go. For nginx you just have to use the equivalent of search and replace (aka substitutions in apache) and follow the same concept.
Nice tutorial, I have just subscribed to your channel 😊. Can you explain how we can change the background in case we want to pentest with a different background template?
Thank you! You will need to replace the content under pages/primary/ (which you eventually copy to /var/www/primary/ during the setup). There you can fully replace the HTML/CSS, but you will need to have the login button somewhere in your HTML, and you need to have the relevant JS code tied to it in script.js. The only catch is that if your page has a lot of extra JS logic, you will need to replace anything that listens to DOM events so that it listens to the custom event you see in the script.js file. Might make another video on that topic in the future, but hope this puts you in the right direction.
It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Try setting it up without Frameless-BITB to see if everything works before you add this concept to the mix.
If you are the first one bringing all these tricks and using the curious brain, then bro, you are seriously awesome. By the way, thanks for the info.
As far as I know, this is the first BITB without the usage of iframes, which allows us to bypass framebusters. But the original concept of the BITB was introduced by mrd0x a few years ago: mrd0x.com/browser-in-the-browser-phishing-attack/
That is a very tough topic on its own and mainly related to Evilginx and reverse-proxy phishing itself rather than Frameless-BITB. As far as I know, Evilginx Pro will solve this by capturing the shadow token from a browser that runs behind the scenes and then using it in the proxied page.
@waelmas it's alright, but at least is there a way we can work on it to use all Office accounts rather than just enterprise accounts? Please let me know if it's available, else I'll be glad to join work on it.
In the repo I have config files for Chrome on both Windows and Mac. Based on the POC code provided, you can also customize it further for any other browser/OS you would like. In an ideal scenario you would want to detect the User Agent and load the proper config file that matches the browser/OS combo used by the client in real time.
The core approach that makes it work is that I "push" the HTML body and inject my own HTML elements that are responsible for the BITB components and the landing page behind it, along with the CSS tricks for positioning. Typically, you would place an HTML element inside another to create the effect of something living inside something else. But this will not work, as pages like Microsoft's intentionally rely on attributes attached to their elements that would "break" if you manipulate them. So the whole trick is to place our HTML elements right next to the original HTML, then rely only on CSS tricks to "fake" the effect of one being inside the other. The core CSS attributes that do the trick are: width, height, top, left, transform, z-index.
@waelmas could you please explain both approaches to the HTML, and how the above one will break and the other one won't? I read the source code and understood that HTML code that was in the Apache config file was fed along with the Microsoft HTML, and that it was placed just at the start of the body. I have two doubts; hope you will solve them and reply. 1) I found only the injected div and the win-scroll div present when the document reached the browser. Where were the others, other than .win-scroll, that were present in the actual Microsoft HTML document? 2) First you said injecting HTML will break the code, but isn't what you are doing also injecting HTML? You too are injecting 3 tags before Microsoft's actual content. a) Won't this break? b) Doesn't Microsoft already have some security measure to detect this change using JavaScript?
@waelmas Thanks a lot for the reply. Your channel is so underrated in spite of having a pure gem mine; the recent three videos must have the potential to gain many more views.
The legacy BITB can be simply tested using an iframe (with Evilginx you'd have to put it in a redirector). What happens, for example with Microsoft, is that you will get a redirect and that will end up on the original Microsoft login page, basically breaking the whole thing. (Search "framebusters" for more details on that.) Injecting HTML inside the divs used by Microsoft, or moving those inside our own div, breaks the flow in most cases. Injecting HTML in the body while keeping all attributes the same does not affect anything, as it's simply sitting on the side. I don't think it's that easy for Microsoft to check for such changes, as even simple browser extensions actually inject their HTML inside the page body in a similar manner, and they use Shadow DOM. So this approach could be "seen" the same as most legit browser extensions.
@waelmas Thanks a lot. You are a genius and creative. I want to use my own theory too but I can't. Could I get the references so that, instead of being dependent on someone else's creativity, I could have my own?
@Wael Masri, hey man, could I message you online? I'd like to contribute / collaborate with some expansions to this methodology and pick your brain! I got you some coffees too! -- glitchdigger