Open in app

Sign in

Write

Sign in

How to perform Phishing Attack with 2FA bypass

Valeriy Shevchenko
6 min readMar 25, 2019

--

Information in the article is published for educational purposes only. Do not overstep the bounds set by law.

A few weeks ago I realized that it's should be interesting to learn about phishing campaign and how to perform it. I divide that story into different parts. The last part will be with a demonstration video of my results.

  1. Phishing Domain.

As you understand — visually look good — is the main things in that story.

That example is perfect as a scam attack. The receiver is legitimate. Phone location link is pretty the same as real one icloud link. And the connection is https.

Pretty few users can understand that it's not a real sms from apple.

In that part, I highly recommend using UrlCrazy tool from Kali Linux toolbox. You can also use catphish.

On that example, you can see many registered domains which used for phishing and scamming. You can use any type of domain name "Typo". It could be Character Omission, Bit Flipping, Wrong TLD or Homoglyphs.

Actually, Homoglyphs could be the most interesting in some situations.

Let's imagine that we already prepared with a domain name. And registered that in GoDaddy for example.

Also, you can register free domain here and use subdomain name in your attack scenario.

2. Protection from DMARC, DKIM, SPF.

That's strange words — are the main things for making success phishing attack via email.

DMARC (Domain-based Message Authentication, Reporting and Conformance) empowers SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by stating a clear policy which should be used about both the aforementioned tools and allows to set an address which can be used to send reports about the mail messages statistics gathered by receivers against the specific domain.

I will not explain you in steps how to configure your mail server with that policies. But most of the time — it's a right configuration in the DNS management tool for your domain and your mail server.

I used a free mail server — Mail for Domain from Yandex.

After all activities with configuring your security policies, I highly recommend you to make a test email with checking your configuration score. It's required to not be in spam box with your phishing campaign.

Good score for your email message should look like this. For checking all settings with my email and mail server I used that service — Mail Tester.

3. OSINT for email addresses.

If we perform our attack to the corporate email addresses — we can reach some data leaks on that resources.

Public Database Directory - Public DB Host

Snusbase is the gold standard of database lookups. Check it out!

databases.today

Find the source of your leaks

Have you been hacked? Search hundreds of leaked databases like LinkedIn, MySpace, Dropbox, Ashley Madison and Twitter…

leakedsource.ru

We Leak Info - Data Breach Search Engine

Read Search Guide ›

weleakinfo.com

Find email addresses in seconds * Hunter (Email Hunter)

Hunter is the leading solution to find and verify professional email addresses. Start using Hunter and connect with the…

hunter.io

But don't forget about Google search with theHarvester. It's still helpful ;)

4. MITM Attack framework that bypass 2FA

Everything before that point was kinda preparing for an attack. Imagine that now everything was configured and we are ready to send to our victim something interesting inside of our email message. My main valuable thing in that story to learn is to configure 2FA MITM endpoint where I can catch sessions even if the account was protected by 2FA (github account, LinkedIn account etc)

So I decide to choose from one of those frameworks: CredSniper, ReelPhish, and Evilginx.

I choose Evilginx 2.2.0 version.

Technically it works as it is described.

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

As a virtual machine with Evilginx server, I used AWS EC2 instance with Ubuntu image.

It's easy to launch and control with SSH connection.

And next, we just need to update and install our framework

apt-get update
apt-get upgrade
wget https://github.com/kgretzky/evilginx2/releases/download/2.2.0/evilginx_linux_x86_2.2.0.zip
apt-get install unzip
unzip evilginx
cd evilginx
chmod +x install.sh
chmod +x evilginx

And make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. Evilginx will tell you on launch if it fails to open a listening socket on any of these ports.

If you will have such conflicts with ports — then you will need to run that commands on our EC2 machine.

systemctl disable systemd-resolved
systemctl stop systemd-resolved
rm /etc/resolv.conf
echo 'nameserver 8.8.8.8' > /etc/resolv.conf

All other required instructions are in the readme documentation.

4.1 Configuration part for our Evilginx2 and Phishing Domain

For our AWS EC2 machine we have a public IP address.

In DNS Management we should have this:

Where Target — is our EC2 public IP Address.

And Name — is our subdomains which we will use. (phishing.valyaroller.tk)

After that, we need to configure Evilginx with our domain name and public IP of our AWS EC2.

Here we have a final config.

Next, we need to get an SSL/TLS certificate for our phishing domain. With right configured Evilginx, we will have it after two commands.

phishlets hostname linkedin phishing.valyaroller.tk

phishlets enable linkedin

And it's a time to make magic and demo on our test account

As you see that framework can support end-to-end validation. If we tried to log in with the wrong password — we will see validation message. And at the end when victim provides sms code — we catch valid session.

Summary

With trying to understand all phishing activities from scratch I learned a lot of interesting things. I did not perform any illegal activities. And I highly recommend you to not do that too. As you understood phishing links could look like real legitimate. They also can support https connection with the lock icon in the URL of your browser. And it doesn't matter that you have 2FA protection. The only thing that can protect you is attentiveness.

Also, there are some services to educate employees in the company with performing "training" attacks.

https://phishinsight.trendmicro.com/en/
https://ironscales.com/

References

https://emailmatrix.ru/blog/inbox-part-1-spf/
https://emailmatrix.ru/blog/inbox-part-2-dkim/
https://emailmatrix.ru/blog/what-is-dmarc/
https://blog.detectify.com/2016/06/20/misconfigured-email-servers-open-the-door-to-spoofed-emails-from-top-domains/
https://www.youtube.com/watch?v=sNuVaVtfick
https://github.com/atech/postal
https://www.cyberpunk.rs/evilginx-phishing-examples-v2-x-linkedin-facebook-custom
https://youtu.be/Qw7pvsCTank?t=8701

Security
Phishing
2fa
Hacking
Hacker

--

--

Valeriy Shevchenko
Valeriy Shevchenko

Written by Valeriy Shevchenko

1.8K Followers
150 Following

I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams