New Phishlet: Outlook Web Access #212

Open
wants to merge 2 commits into
base: master

swarleysez

New Phishlet: Outlook Web Access

Outlook Web Access phishlet.

Just substitute "subdomain" and "domain.tld" with actual target.

Regex for password was required to match only on the string "password" as OWA also has a "passwordText" parameter in the POST request that was overwriting the password capture value.
Contributor

@thehappydinoa thehappydinoa left a comment

This is a boilerplate phishlet with little to no changes...

@swarleysez
Author

Correct, it is mostly boilerplate, but there are 2 specific differences that would reduce troubleshooting and level of effort for others.

  1. Password - The POST request for auth has a "password" and "passwordtext" parameter. I had to regex the word "password" in a way to ensure that it didn't match on the "passwordtext" parameter and overwrite the user-input from the first parameter.

  2. Auth_urls - In order to properly capture the session information, I had to provide evilginx2 with a known post-auth location.

@thehappydinoa
Contributor

@swarleysez Ok, I guess I just would suggest writing instructions if you aren't planning on including a domain.

@swarleysez
Author

swarleysez commented Apr 17, 2019

Ah, I see where there could be confusion with that.

For anyone reading this, the OWA domain is almost always unique to the organization's domain and subdomain (i.e. owa.github.com, mail.amazon.com, etc.), hence the ambiguous "subdomain.domain.tld" in the phishlet.

I will look at adding some comments to make the insertion points clearer.

@StratoMusic

Do you have one working for Outlook as of today?

I am getting this error: #248

Repository owner deleted a comment Feb 10, 2020
@pretech86

Why do I get an unauthorized request after enabling the phishlets?

@kgretzky
Owner

Can you add some comments with instructions in the phishlet file on how and where to modify the hostname?

@kgretzky kgretzky added the question Further information is requested label Sep 20, 2020
5 participants