[bug] incorrect domain substitution with certain yaml configs #60

Closed
audibleblink opened this issue Sep 25, 2018 · 7 comments
Labels
not-a-bug It's a feature, not a bug

Comments

@audibleblink
Contributor

Somewhat related to #57 , the wrong hostname gets substituted with the following configurations.

```yaml
proxy_hosts:
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'abc.com', session: false, is_landing: true}
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'xyz.com', session: false, is_landing: false}
sub_filters:
  - {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{hostname}', mimes: ['...']}
```

The requests should be going to https://ssl.xyz.com.phishdomain.com, but instead show in DevTools as https://ssl.abc.com.phishdomain.com.

My current workaround is to hardcode my phish domain into the phishlet config, which prevents me from sharing the phishlet.

```yaml
sub_filters:
  - {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{subdomain}.xyz.com.phishdomain.com', mimes: ['...']}
```
@audibleblink
Contributor Author

I amended open PR #59 to address this.

@kgretzky
Owner

As mentioned in #57, this is intended behavior.
domain in the phishlet should be the same as the original domain of the phished website, and it does not reflect its presence in the phishing hostname.

@kgretzky kgretzky added the not-a-bug It's a feature, not a bug label Sep 26, 2018
@audibleblink
Contributor Author

Ok thanks for the explanation. Could you give me an example of a sub_filter that targets ssl.xyz.phishdomain.com which is being proxied as ssl2.abc.phishdomain.com according to your example in #57?

@kgretzky
Owner

You can proxy ssl.xyz.com as ssl2.phishdomain.com with this:

```yaml
  - {phish_sub: 'ssl2', orig_sub: 'ssl', domain: 'xyz.com', session: false, is_landing: false}
```

Depends later how you set up the hostname for the phishlet.

@audibleblink
Contributor Author

audibleblink commented Sep 26, 2018

Yes, I got that from your example in the other issue. I'm asking about sub_filter specifically.

Would it just be?:

```yaml
sub_filters:
  - {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{hostname}', mimes: ['...']}
```

And evilginx just knows the difference?
{hostname} in
search: ssl.xyz.com
replace: ssl2.abc.com

@kgretzky
Owner

Yes, Evilginx will know the difference with {hostname} to look for ssl.xyz.com in HTML body and replace it with ssl2.phishdomain.com. It will then search and replace only on sites with domain oath.abc.com.
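The placeholder resolution kgretzky describes above, as an added example that is not part of this thread and not evilginx2's own code: a small Python model of how a sub_filter's `{hostname}` expands to the original hostname on the search side and to the phishing hostname on the replace side, applied only to responses from the filter's `hostname`. It also shows why the issue's original config cannot work: both proxy_hosts claim `ssl.<phish domain>`. The class and function names, the prefix match on the MIME type, the sample response body and the domain `phishdomain.com` are all assumptions made for this example.

```python
# Model of the sub_filter placeholder behaviour described in this thread.
# Added example for this page; not evilginx2's code. Names are invented.
from dataclasses import dataclass
from typing import List


@dataclass
class ProxyHost:
    phish_sub: str   # subdomain under the phishing domain
    orig_sub: str    # subdomain of the real site
    domain: str      # real domain; it never appears in the phishing hostname
    session: bool = False
    is_landing: bool = False

    def orig_hostname(self) -> str:
        return f"{self.orig_sub}.{self.domain}" if self.orig_sub else self.domain

    def phish_hostname(self, phish_domain: str) -> str:
        return f"{self.phish_sub}.{phish_domain}" if self.phish_sub else phish_domain


@dataclass
class SubFilter:
    hostname: str      # only responses from this original host are rewritten
    sub: str           # orig_sub of the proxy_host the placeholders refer to
    domain: str        # domain of that proxy_host
    search: str
    replace: str
    mimes: List[str]


def find_proxy_host(hosts, sub, domain):
    for h in hosts:
        if h.orig_sub == sub and h.domain == domain:
            return h
    raise ValueError(f"sub_filter refers to {sub}.{domain}, which has no proxy_host")


def check_unique_phish_hosts(hosts, phish_domain):
    # Two proxy_hosts with the same phish_sub would be served at the same
    # phishing hostname, so the proxy could not tell the origins apart.
    seen = {}
    for h in hosts:
        ph = h.phish_hostname(phish_domain)
        if ph in seen:
            raise ValueError(f"{ph} is claimed by {seen[ph]} and {h.orig_hostname()}")
        seen[ph] = h.orig_hostname()


def resolve(template, host, phish_domain, for_replace):
    # Same placeholder, different side of the mapping: original names in
    # `search`, phishing names in `replace`.
    if for_replace:
        return (template.replace("{hostname}", host.phish_hostname(phish_domain))
                        .replace("{subdomain}", host.phish_sub)
                        .replace("{domain}", phish_domain))
    return (template.replace("{hostname}", host.orig_hostname())
                    .replace("{subdomain}", host.orig_sub)
                    .replace("{domain}", host.domain))


def apply_sub_filters(body, response_host, mime, filters, hosts, phish_domain):
    """Rewrite a response body from `response_host` with the filters that apply."""
    check_unique_phish_hosts(hosts, phish_domain)
    for f in filters:
        # Assumption: MIME matching is a prefix match ("text/html; charset=utf-8").
        if f.hostname != response_host or not any(mime.startswith(m) for m in f.mimes):
            continue
        host = find_proxy_host(hosts, f.sub, f.domain)
        body = body.replace(resolve(f.search, host, phish_domain, False),
                            resolve(f.replace, host, phish_domain, True))
    return body


# Config from the answer above: ssl.xyz.com is proxied as ssl2.<phish domain>.
PHISH_DOMAIN = "phishdomain.com"   # placeholder domain
HOSTS = [
    ProxyHost("ssl", "ssl", "abc.com", is_landing=True),
    ProxyHost("ssl2", "ssl", "xyz.com"),
]
FILTERS = [
    SubFilter("oath.abc.com", "ssl", "xyz.com", "{hostname}", "{hostname}", ["text/html"]),
]
# Constructed response body; not captured from any real site.
SAMPLE_BODY = '<script src="https://ssl.xyz.com/lib.js"></script>'


def demo():
    rewritten = apply_sub_filters(SAMPLE_BODY, "oath.abc.com", "text/html",
                                  FILTERS, HOSTS, PHISH_DOMAIN)
    # Same body from a host the filter does not name is left alone.
    untouched = apply_sub_filters(SAMPLE_BODY, "ssl.abc.com", "text/html",
                                  FILTERS, HOSTS, PHISH_DOMAIN)
    return rewritten, untouched


def original_config_collides():
    # The issue's first config: both proxy_hosts use phish_sub 'ssl'.
    try:
        check_unique_phish_hosts([ProxyHost("ssl", "ssl", "abc.com"),
                                  ProxyHost("ssl", "ssl", "xyz.com")], PHISH_DOMAIN)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo()[0])
```

Run it and the first line printed is the sample body with `ssl.xyz.com` replaced by `ssl2.phishdomain.com`; the uniqueness check is the part a phishlet author wants before deploying, since the proxy cannot route two origins from one phishing hostname.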

@audibleblink
Contributor Author

audibleblink commented Sep 26, 2018

Right on, thanks. I'll go ahead and close. I'm lucky in this aspect since the ssl.xyz.com traffic happens in the background with JavaScript and not in the URL bar.
