hey have you gotten the office godaddy phishlets, i was able to code it but it wont login in when it redirected to office godaddy login page

Hey, I plan to make some automation and maybe a tutorial on that in the near future. For the time being you might wanna take a look at the details I shared here where I explain how I currently handle certs: github.com/waelmas/frameless-bitb/issues/6

As far as I know, this is the first BITB without the usage of s, which allows us to bypass framebusters. But the original concept of the BITB was introduced by mrd0x a few years ago: mrd0x.com/browser-in-the-browser-phishing-attack/

@@waelmas Not in this way. I already know about mrdox. At last I want to say how you got so much creativity. Thanks a lot for sharing.

🙏

Thank you! Will be working on some more code and tutorials over the coming months, but for now you might wanna take a look at this: www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation

Are you talking about Evilginx behaving like this only when Frameless-BITB is added? Please try to get it working without Frameless-BITB first.

I usually keep the nameservers at the domain registrar and simply add DNS records for all subdomains that my phishlet will use. All such subdomains plus the root domain should point to the IP of the instance running the setup. (Also SSL certs should be generated for the naked domain as well as a wildcard subdomain). There are many ways to approach this, but I found this approach to be the path of least resistance, and less chances of scanners fingerprinting my servers during the generation of SSL certs.

Thank you! You will need to replace the content under pages/primary/ (which you eventually copy to /var/www/primary/ during the setup). There you can fully replace the HTML/CSS but you will need to have somewhere in your HTML the login button, and you need to have the relevant JS code tied to it in script.js The only catch is that if your page has a lot of extra JS logic you will need to replace anything that listens to DOM events to listen to the custom event you see in the script.js file. Might make another video on that topic in the future but hope this puts you in the right direction.

@@waelmasthanks

It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Make sure everything works without Frameless-BITB first to see if Evilginx is working as expected.

Yes it is. In fact the advanced version I am working on is a from-scratch implementation of a reverse proxy written in Go. For nginx you just have to use the equivalent of search and replace (aka substitutions in apache) and follow the same concept.

That is a very tough topic on its own and mainly related to Evilginx and reverse proxy phishing itself rather than Frameless-BITB. As far as I know Evilginx Pro will solve this by capturing the shadow token from a browser that runs behind the scenes then use it in the proxied page.

@@waelmas it's alright but atleast is there a way we can work on it to use all office accounts rather than just enterprise accounts...please let me know if its available else i'll be glad to join work on it

It sounds like an issue with your Evilginx/phishlet setup instead of BITB. Try setting it up with without Frameless-BITB to see if everything works before you add this concept to the mix.

i ran into this same exact issue. any updates?

Hey, are you referring to a feature that is still experimental in regards to device-bound tokens? If so that is something that might or might not affect reverse-proxy phishing in general, but we are yet to see how strong it is and if it has any pitfalls that allows to bypass it. Or are you referring to something else?

In the repo I have config files for Chrome on both Windows and Mac. Based on the POC code provided you can also customize it further for any other browser/OS you would like. In an ideal scenario you would want to detect the User Agent and load the proper config file that matches the browser/OS combo used by the client in real time.

@@waelmas How can i detect browser/OS, user agent and load a proper config to match browser/OS used by client in real time?

Thanks for the feedback! Will keep it in mind next time!

The core approach that makes it work is that I "push" the HTML body and inject my own HTML elements that are responsible for the BITB components and the landing page behind it along with the CSS tricks for positioning. Typically, you would place an HTML element inside another to create the effect of something living inside something else. But this will not work as pages like Microsoft intentionally rely on attributes attached to their elements that would "break" if you manipulate them. So the whole trick is to place our HTML elements right next to the original HTML, then rely only on CSS tricks to "fake" the effect of one being inside the other. The core CSS attributes that do the trick are: width height top left transform z-index

@@waelmas could you please explain both approach of the html. And how the above one will break and another one won't. I read the source code,and understood that a html code that was in Apache config file was fed along with Microsoft html. And that was placed just at start of body. I have two doubt,hope you will solve and reply. 1)I found only injected div and win-scroll div present when document reached to browser where were other other than .win-scroll that were present in actual Microsoft html document. 2) First you said injecting html will break the code, but isn't what you doing too is injecting the html,you too are injecting 3 tags before Microsoft actual content. a)Won't this break b) Haven't Microsoft already have any security measure to detect this change using javascript.

@@waelmas Thanks a lot for reply. Your channel is so underrated inspite of having pure gem mine, recent three videos must have potential to gain too much views.

The legacy BITB can be simply tested using an (with Evilginx you'd have to put it in a redirector). What happens for example with Microsoft is that you will get a redirect and that will end up on the original Micorosft login page, basically breaking the whole thing. (Search "framebusters" for more details on that). Injecting HTML inside the divs used by microsoft, or moving those inside our own div breaks the flow in most cases. Injecting HTML in the body while keeping all attributes the same does not affect anything as it's simply sitting on the side. I don't think it's that easy for Microsoft to check such changes as even simple browser extensions actually inject their HTML inside the page body in a similar manner, and they use ShadowDOM. So this approach could be "seen" the same as most legit browser extensions.

@@waelmas Thanks a lot. You are genius and creative I want to use my own theory too but I can't. Could I get the references so that instead of being depended on someone else creativity I could have my own.

Of course! DM me on LinkedIn or Twitter!