
o365 default json directs to blank page

Open ThunderousDreamer opened this issue 6 years ago • 6 comments

Hi all - playing around with this hoping to do some internal security awareness/phishing campaigns, but can't get the o365 one to work. The Gsuite one redirects and works fine, but when using the o365 config all I get is a blank page. I've got the acme.sh cert, key and ca in the config file so it looks like the SSL part is fine.

Now I read another closed issue regarding o365 where the user just changed microsoftonline.com to login.microsoftonline.com and got the webpage to load (leaving them to just figure out the regex part) - I can't even get to that stage. When I do that I'm still stuck on the blank screen. Does anyone have a sample o365 config I could copy, or tell me what I'm doing wrong?

config:

{
  "proxyDomain": "phishsite.net",
  "listeningAddress": "0.0.0.0",
  "proxyAddress": "",
  "target": "login.microsoftonline.com",
  "targetResources": "",
  "targetRules": "by5zZXRBdHRyaWJ1dGUoImludGVncml0eSI=:by5zZXRBdHRyaWJ1dGUoImludGVnZHJpdHki,aW50ZWdyaXR5PQ==:aW50ZWdyaWN0eT0=,PC9oZWFkPg==:",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules": "",
  "jsReflectParam": "reflect",
  "debug": false,
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": true,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "ms.log",
  "plugins": "autocert,hijack",
  "credParams": "",
  "cert": "-----BEGIN CERTIFICATE-----\nMIIFZTCCBE2gAwIBAgISA9TDSgEOwkY6Fe0f3BmriqAMA0GCSqGSIb3DQEBCwUA\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\nExpMZXQncyBFbm$
  "certKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA6QYe29C6frWyRjuVvOBmSDGSfdsxLYNnj6wsrxz/POvqJb8i\ndN9Gekat7lPi+Oe+AplSw2Z2DIFZu/h/OzeVIPXwjytLR4RMIYXfHIuYIvx7A7ZM\nXJMyVkr$
  "certPool": "-----BEGIN CERTIFICATE-----\nMIIFZTCCBE2gAwIBAgISA9TsZgQSDqwede0f3BmriqAMA0GCSqGSIb3DQEBCwUA\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\nExpMZXQncy$
}

ThunderousDreamer · Jun 05 '19 14:06

Hi, please remember that the proxyDomain is actually a 1:1 mapping for the target domain, so it translates all of the subdomains in such a way that subdomain1.phishsite.net -> subdomain1.target.tld, and for other origins it will encode them in the subdomain part. I think you should set the target to the one in the template and check browser errors. There's usually some JS/attributes that you have to patch to make some pages work.

drk1wi · Jun 05 '19 16:06

Thanks for the comment. It's odd, but there is nothing in the html at all. It looks like the html is empty and there are no references to any .js files. Any clue where that may be coming from? Again the o365 works fine.

Additionally, for the certpool, should I put in the fullchain or the ca in that field? I had the ca file in there previously and got rid of that to test but no luck there either. Basically I grabbed the original config from github again, just updated the target domain and the cert/certkey (which seems to be working - no SSL errors) but it's still all blank.

ThunderousDreamer · Jun 05 '19 18:06

Try again with the latest code; there was an error in the example config templates. Use 'rules' instead of 'targetRules'. Actually, the certpool will be removed in future releases; you can put the full chain in the 'cert' field and it will be handled properly. #142

drk1wi · Jun 06 '19 04:06

Hi Kiwi,

Thank you - that fixed the issue indeed. Looks like it redirects fine now. I noticed the Google template has CredParams filled in to grab credentials, but with 2FA it's useful to also grab the cookie so you can authenticate as the user, right?

Also, the Google one has Target Resources - should I populate that one too, like the Google one has?

Are the cookies/creds captured somewhere by default - or what should I do to get those captured? Tested with a dummy o365 account and couldn't find it so far.

Thanks again!

ThunderousDreamer · Jun 06 '19 05:06

That was the proof-of-concept at that time; that's why I created a beta control plugin which will collect the session for all user_ids. You can also find cookie and typed-in parameter values in the log file.

For TargetResources, not really; it actually just tells the proxy to use a less subtle way and replace all instances of that domain. If it works, then there's no such need.

drk1wi · Jun 06 '19 07:06

Hi!

I am wondering if anyone has had any luck recently with o365? I keep getting a blank page.

This is my DNS config:

A record: host = @.domain, value = server ip

CNAME: host = *.DOMAIN, value = domain

TXT: as instructed

NS: host = domain, value = ns1.domain

NS: host = domain, value = ns2.domain

DarknightCanada · Aug 10 '22 01:08