How do you plan to do this? I believe it's all about real time monitoring of incoming emails and end user education We've even hacked banks with this -ethically-
Right. There should be a phishing network card interface designed to simply 'be dumb' override by default to allow the 'script kiddy' into a honey pot. Give them all sorts of useless information using Bot Framework Composer. ;/
I've only casually followed you over the years, but your last few videos have been superb and unlike what other content creators are producing, you are now to the top of my viewing list. Excellent job!
Cool demo! This is why admin folks should be configured for eligible role assignments where another MFA prompt is required to elevate privileges to admin. I wonder if a proper domain would be used (domain flipping), whether zScaler or Menlo (or any other modern proxy) would detect and prevent Evilginx.
We just started rolling out conditional access policies because of rampant phishing attacks and vulnerabilities in Microsoft's MFA apps. Now only registered and compliant devices can access company resources. It's cat and mouse but that's the game!
I tried the phishlets but every time I use evilnginx “Google Safe browser” marks it as insecure domain even before doing anything. Do guys have any idea why this getting got caught?
I only want to this within a small company I work at cause our oversight clearly has information they should not have. They made it so obvious that I set very specific traps that only a person who had access to my account would know.. they didn't just fall into one but just about all of them. Ironically it led to illuminating their pet aka my co-worker who has been leaking information (over their long tenure, being this snakey gets them no benefit but they are the equivalent of a head house slave) lol. The deceptive, invasive, and unethical tactics they use have led me here which hacking is something I always frowned upon BUT I 100% condone punching back
Nicely done showcasing Evilginx and its possibilities. Would be nice if you would have mentioned that there are measures to tackle this sort of threat. Like FIDO2 security keys or even Microsoft Authenticator Phone Sign-In paired with the Conditional Access grant control of a compliant device. Maybe something for a new video to follow up with.
Haha follow up? Maybe if the front page of tech sites bring it up again, these videos are nothing but repackaged video versions of headlines from any computer security news site, super basic demonstrations that are obviously following an already written tutorial. Look elsewhere if you want real content
@@cryptoafc7655 do you mean the hardware token or the access token? Basically FIDO2 auth methods tie the auth factor to the online service and therefore you won’t be able to authenticate to the phishing site spun up by the evilginx reverse proxy.
It would be amazing to see a demo of this tool with things like ubikey and passkeys to demonstrate how they aren't vulnerable to these kinds of attacks.
@@OrionsArm They would be immune because they'd simply fail to work due to the different domain name. The same as the password not being memorised in the browser.
@@OrionsArm The key exchange would fail with the different domain name, meaning no session cookie would be generated. I was disappointed that wasn't covered in this video.
Wait, When you used the victim page, you used your own ip-adress. When you used the session 3 and copied in firefox (cookie plugin) , did you still use your own ip-adress ? Because in Azure (not sure in M365) every logon is check from which ip-adress it comes from. When you have a session from IP-adres A , and you come with the same session with IP-adres B then this shouldn't work at Microsoft. It should detect and ask to do a MFA again. This is called conditional access in Azure AD. I think this exploit can be done on websites that don't cross check sessions with different ip-adresses. Thank you for the learning John
That was my line of thinking as well. What CA (conditional access) rule can we create to harden a tenant's configuration against this attack? Also great question about IP address usage, how would this behave when Microsoft detects this the session token from a different IP. Is this a default behavior or should we setup a CA rule to harden against it?
Atypical travel CA rule could do the trick here. For example trigger another MFA prompt when attacker attempts to signin instead of blocking the account, this alone could help, but not necessarily prevent the attack as the attacker might be connecting from a similar geographical location.
@@azountsu conditional access could be it has to be an Entra registered device (registered on your network talking to your domain controller/Active Directory so they'd have to be in your network to register) and it has to be a compliant device (which could be whatever parameters you set). Could also block all IPs from countries you know you'd never have users in or are known threats like Ukraine, Russia, China, etc.
@@dyerseve3001 No. Cause the hacker has the session. You can access the account without entering any password. Yubikey is just a better secure 2FA. But once the hacker has your account session. You can't do anything except to log out to end the session.
This seems a good time to point out that since a capability designates the resource that it operates on, it's largely not vulnerable to this class of attack.
Hey john, thanks for the knowledge sharing again! But why not include the ip address of the user in the auth-tokens?? On the server-side just block the request if the auth-token's ip doesn't match the requester's (for instance the attacker). It also doesn't matter if the victim himself is behind a proxy, at least the token is only valid within that LAN. right?? 🤔🤔🤔🤔
Some people are connecting with a dynamic IP address which is changing from time to time, when your connection renews (and it can be forced as well, just restart your modem). So logging an IP address and only whitelisting that will lock you out from your account. Not to mention if you use VPNs for privacy reasons.
@@CZghostThey dynamic thing u said is fine I guess, cuz as long as you are connected (and even if you get disconnected for few minutes you will most likely get the same ip) you will have the same IP. Its more like a comprise for security rather than user experience which in something like banking web apps is good? IDK this whole thing was actually just a question.
Nice video John. Can you make one that shows how FIDO2 keys are not vulnerable to this type of attack? Also, maybe detailing what steps admins can follow to try to mitigate this attack as much as possible?
I’m not sure, but fido2 would be the same. Ultimately what your doing is stealing the cookies. So as long as websites uses cookies or auth tokens, you can do this
@@greyshopleskin2315 If you have malware on the client’s machine or have some other way of stealing the session cookie from their browser, then yes, it’s the same. However, if we’re just talking about preventing phishing, then FIDO2 and certificate based auth will never authenticate you on a malicious site to begin with thus no session cookie to steal.
@@greyshopleskin2315FIDO2 will not authenticate through a different domain (the phishing domain used in this video for example), no authentication, no cookie
@@sapuseven in my opinion FIDO2 would not work as it is tied to the actual domain name cryptographically. So as the phishing site is not using the correct domain name, the FIDO2 token will not work to log in. However still, if the user is able to use some fallback mechanism instead of FIDO2 then it can still be successful.
cookies must be verifying the client-agent & change in location. Hope the sign in from different location & device is notified to user & immediately changed the paswd. 🙄
Am I seeing this right, if we’d use a password manager to autofill the username/password, it wouldn’t suggest us the Microsoft password since the domain in the browser is not actually the Microsoft login?
Speaking from the defender side, orgs are implementing conditional access policies that will block sign ins not coming from company owned IP address spaces, and there are a lot of security mitigations in place to stop such phishing attacks. Although the large majority of users are never gonna click shady links like these, there will be a portion of users whom will, and there will be a tiny portion of those users whom will get phished all the way. User training and awareness is the number one security counter measure against such attacks.
How can you restrict remote logins to only company owned IP space? Force all remote users to use a Full-Tunnel VPN that sends all traffic through the office? What if the company network is down? Then no one can sign in.
@@iRyan230 You divide users in various subsets, for example, users that will always work on site have no reason to log in from foreign IPs. On the other end, there will always be a set of users who will need to use company resources on the go, and for those MFA and managed device policies are strictly enforced, alerting policies are more sensitive, raising alerts wherever any unfamiliar sign in activity is observed. As for the VPN, you can deploy enterprise grade VPN solutions with no downtime (in theory), you can get company specific IP spaces and those can be whitelisted in your IDP. This is by no means a perfect solution, but carefully designing these can mitigate a large portion of the threats, the rest can be easily handled by the incident response team. And regarding the example in this video, admin access is usually deferred to separate accounts that have even stricter access policies.
@@iRyan230conditional access policies will usually be based on location. If a user logins in from California at 8 am and then an hour later tries authenticating from Florida that sign in attempt will most likely be blocked.
He was asking more-so about the fact that if you do this, how do you handle your remote users (full-tunnel VPN?), or how do folks work when the network is down?@@Slickjitz
Am I correct in stating that even if we used stronger forms of device authentication or a FIDO token the fact that you gain access to the session tokens to an extent nullifies those controls as the user session was still proxied?
It would be interesting to see how features such as Continuous Access Evaluation, from Conditional Access and Smart Links, from Defender for Office 365 would deal with this attack, as Microsoft says token replay is detected and blocked. Very good video anyway
I love these videos. Now I can grab a copy of the tool, use it, and look for any generated IOCs from default usage. Another easy win for low hanging fruit!
@@nordgaren2358 the url generator has default values, like the random string at the end has a certain amount of characters and do not spell a word. So scanning for urls with that at the end might be a start
Only true way to stop is Fido 2 hardware token (stops token stealing)...User training, but that is it or Conditional Access grant control of a compliant device
I wouldn't focus so much on the simple example for social engineering in this video. The methodology around reverse proxies is the takeaway here. There are many examples of visually identical domains using Punycode for example which have successfully tricked admins. That being said, physical security keys resist this method since the domain doesn't match during the key exchange.
The available phishlets (And the one shown in the video) are not working btw. However, after many hours of tweaking you can get it to work - but password will not be displayed - you will have to know some java script. And it will not prompt user to login unless they are activly logged out (if already logged in you just get the token straight up - even better!).
Yes also seen a Tenant branding one at the end of last week however surely that's not a surprise as the Reverse proxy will do whatever the tenant would have shown.
@@devonsurfer7619yup… I also worked with one that forwarded to another iDP too (Microsoft login page forwarding to Okta). This is such a mess and really frustrating that Microsoft is dragging their feet here. I know it’s complicated to resolve this at a large scale but it’s got to be one of the worst security threat’s organizations have faced in a long time.
Could the session/token be stolen if the end user is already signed in (ie. outlook web mail) or will he need to create a new access token to steal a valid cookie?
The lure is not the hook - lol The lure is the bait on the hook. The hook is the last thing they want. You can tell you're not a fisherman, neither am I. 🤣 (ha ha)
Is this a sponsored video or just you covering a course and tool you thought was sick? Because this DOES seem sick. I’m just curious as to how the video came to be!
Hey bro.. I lost contact of my best friend.. have just gmail and don't know whether it's using currently or not.... Is it possible to get the contact details by name and location 😔?
Because the tool is publicly available and the average individual such as yourself wouldn’t know about it, making you a target. The ‘bad guys’ already know about it and the more awareness generated towards the tool will push companies to strengthen their security architecture also making you aware of the tool.
@_JohnHammond Do you know why companies like Microsoft are not mitigating this threat with the Security Hardening techniques you mentioned at 9:10 like "Security Token Validation". Is there a downside to implementing this?
They are dragging their feet with this attack which is seriously frustrating. This has got to be one of the largest security concerns organizations face today and they are practically silent in it(minus a blog post or two…)
I am 9 years old and I’ve managed to hack inside of 10 Microsoft accounts, Look you can call me a stupid young kid But I just might be the smartest kid on earth
John, I love your work and your content, I come here all the time, but RU-vid are making it almost impossible to follow along and pay attention. Ive just watched this and had adverts injects every 60-90 seconds. I really appreciate the work you do here. Please try to reduce the ads so i can watch and make notes (or tell me how I can subscribe to YOUR content without paying Google even more)
Interesting idea for sure to reverse proxy all the traffic seamlessly. But again, at the end of the day, don't click dodgy links and verify which links you visit.
This is the response im getting, im on evilginx v2.4.2. We're unable to complete your request invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
Some people are absolute beginners. I have a question John, How did you connect your name and the server together? I mean digital ocean and your domain?
Jhon i was wondering if you could help me. I got blocked out of my own account because i cleared my cookies everytime i close my browser. Because i follow privacy online as a religion Microsoft AI got confused and locked my account because of "Suspiscious acitivity" Now there is a chain reaction that is triggerd and i lost most of my accounts because i have 30+ emails.. Can you please help me?
You must be new to the field or just stumbled upon this video by accident. These demonstrations show us how to defend against these sort of attacks. It gives us new perspective. "You are now straight offering people ways to hack more people!" But this video is showing the importance of not blindly clicking on malicious links, and not blindly putting in your credentials into said malicious link. I understand your concerns when you stumble upon something like this, but I promise it's for the better.
unless your in college and schools than it be bad because they don`t really seen to use anything else than Microsoft they Forced less security than they should