So #evilginx is a MITM attack that is used to steal login credentials and hijack the session cookie. How can this be mitigated outside of providing users with a physical token? #MFA #MITM #FIDO2
I still consider setting up MFA important for reducing the risk of account takeover, even though there are now tools like Evilginx that "bypass" the second factor. #cybercrime #hackerangriff #zac #evilginx #mfa
Life has felt a bit less hectic these last few months and I feel at peace with some things I won’t go into. With that, I’ve been able to restructure what I want to focus on with a more narrow scope without my mind feeling as chaotic.
Some things I’m starting / want to start soon:
Read the Psychology of Intelligence Analysis
Revisit learning #Go mainly for HTTP utilities
Learn #Evilginx and #GoPhish (apply Golang knowledge here) to get a deeper understanding of #phishing threats on both offensive and defensive side.
Read more in general— this #cti paper was very insightful https://www.tandfonline.com/doi/full/10.1080/08850607.2020.1780062
This still appears to be somewhat broadly scoped, but it helps build a structure.
In this article I describe a potential attack against many WebAuthn (i.e. passkeys or hardware security keys) implementations that I'm calling an Authentication Method Redaction (AMR) attack.
https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks
#passkeys #webauthn #authentication #evilginx #phishing #mfa
Happy to see Kuba Gretzky kicking it off with one of my favorite topics and what can indeed be labeled as one of the biggest elephants in the cybersecurity community's room. How to prevent bad guys from using red teaming tools?
For sure there are no easy cures but we should at least acknowledge the issue and work towards solutions.
Phishing Like a Pro: A Guide for Pentesters to Add SPF, DMARC, DKIM and MX records to Evilginx - https://fortbridge.co.uk/research/add-spf-dmarc-dkim-mx-records-evilginx/ #phishing #evilginx
A Bit of Security for Jan 30, 2024
How can you prove you are who you say you are when you’re talking to a computer? Listen to this -
https://youtu.be/HBHs191WD08
Let me know what you think at wjmailk@noc.social
A new approach to Browser In The Browser (#BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like #Microsoft and the use with #Evilginx: https://github.com/waelmas/frameless-bitb?fbclid=IwAR1UGSiByeRZWUtxXkSb-zrNRTgmyXtbcp7s0dxZsThyeDPLmsLC5pOFiV8
Is #evilginx still a thing to phish outlook.com credentials / token? #evilginx2
Protecting your Evilginx from detection using CloudFlare
https://www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation
How to protect against modern phishing attacks like Evilginx: https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks
Great post about current #Microsoft #Azure / #M365 attack tooling including #evilginx and #roadtools.
The posting also describes the automation from capturing tokens to exfiltrating data - good luck defenders when not automating the defense …
Kuba @mrgretzky is building an awesome community around Evilginx at Breakdev Red.
I 😍 the hilarious response I received for my whoami post 😂
It's crazy how even multi-factor authentication can be bypassed by stealing the Auth Cookie for a session with #evilginx. Being more vigilant of domain names is a must nowadays, especially when landing pages can be made nearly similar to the official pages from sites you visit.
I have mixed feelings about #evilginx being #OpenSource. On one hand, it's good that it's open source and knowledge of such #exploit methods is thoroughly known, but on the other hand it also makes it easier for more people to have a chance at doing sophisticated #phishing attacks by presenting it as an easy to install binary with an accompanying course on how to set up the configs properly.
https://youtu.be/sZ22YulJwao
https://github.com/kgretzky/evilginx2
Looking at the GitHub issues on #evilginx, the progressive changes to `ISSUE_TEMPLATE.md` and how the vast majority of issues still fully ignore it, has convinced me that I never, ever want any red-team tool I ever write to reach any kind of notoriety or visibility in the public consciousness.
I think the inclusion of any tool I write into a release of #Kali would probably have me remove the damn thing from GitHub 🙃
I feel for the author 🫠
For anyone at @BlueTeamCon who wants to understand why many forms of MFA are not phishing-resistant and why passkeys/FIDO2 are, tomorrow at 12:20pm during lunch in the #unconference room I’ll be delivering an impromptu session on #phishing resistant authentication, including a live demo of #evilginx.
How Much Is The Phish? Evolving Defences Against Evilginx Reverse Proxy - https://www.youtube.com/watch?v=C-Fh4sIdY8c #phishing #evilginx
Hook, Line, and Phishlet: Conquering AD FS with Evilginx - https://research.aurainfosec.io/pentest/hook-line-and-phishlet/ #phishing #evilginx
https://sidb.in/2021/08/03/Phishing-0-to-100.html
The Ultimate Guide to Phishing
Learn how to Phish using EvilGinx2 and GoPhish
Posted by Siddharth Balyan on August 03, 2021 · 15 mins read