I Stole a Microsoft 365 Account. Here's How.

Captions
I'm going to show you how to steal a live Microsoft 365 login. We'll get their username, their password credentials, bypass two-factor authentication, and have complete access to the account. We are going to fool the user, we're going to deceive them; it's that trick known as social engineering, with a little bit of phishing. But we're going to take it one step further, because we're going to use some cool techniques, tools and tradecraft that make us able to do this not just for Microsoft 365 but for any website across the internet, because we are going to use a very special tool called Evilginx.

Now, if you haven't heard of Evilginx before, it is a reverse proxy phishing framework that is able to bypass multi-factor authentication. But that reverse proxy tidbit is like the coolest thing in the world. What that means is that Evilginx basically acts like a man in the middle, so that the victim, the end user entering their credentials to log into the service, is really, genuinely interacting with the actual facebook.com or google.com or Microsoft Online, and we as the hacker get to listen in on this trap that we've set up, this phishlet that we've laid out, so we can keep track of the domains, the login parameters, every variable part of the authentication process, and we can steal their session. Let me show you how to set it up.

Here I'm online at help.evilginx.com. This is their documentation; you can cruise through all of the awesome stuff for getting started with the software: hey, building it, getting the code up and running, deploying it out on a remote server, and then spinning up some phishing domains so that we can social engineer the victim. Now, I want to keep this easy, but I also want to make it pretty realistic and real-world, so I've set up, genuinely, just a cloud instance out there on the internet with DigitalOcean, and we can go use this as our phishing domain. If you haven't used DigitalOcean before, you can create an account, hey, run through the Create section to create your own droplet. It is super duper easy to do: you choose whatever data center, operating system, version, hey, class, credentials, and you're done.

Now, it's one thing to have this cloud instance, but if we want to send a phish, we want to fool or social engineer the victim, we should set up some pretty decent pretense, right? So let's say this scenario: I am going to email the victim and tell them, hey, there's a new update to the OneDrive software, please use this link to go download your personalized copy for our organization. Now we can build out that email, but we need to have a pretty legitimate-looking domain, right? Thankfully I do own the domain 1.0, which gives me basically infinite power for subdomains, because I could go ahead and register, oh, maybe a microsoft-onedrive.3.4.1.zip so it looks like a software package for Microsoft OneDrive, or literally anything else that I want. Just for the convenience I've added these subdomains, login and logon and www, which will be used by Evilginx in just a moment. Let's go set that up.

I'm going to log into my Kali Linux virtual machine so we have this perspective as the attacker, and let me SSH into the root user at my microsoft-onedrive.3.4.1.zip; that is literally the domain for this phishing server I've created. Let me hit enter on this, yes, we can log in, and let's enter our root password for the domain that we have set up here. With that we should be logged in. Here I am, last login, just root at my temp Evilginx box. Good, now we can get things cruising. We will want to update if you haven't done that already: sudo apt update, nice and easy, that will cruise through, and we should install some other tooling that we're able to use Evilginx with. We want to make sure we have git installed, we also want to make sure that we have golang, or the Go programming language, so what I could do is sudo apt install git and golang-go (go, I think, is the repository name inside of Ubuntu and Kali here). So let's cruise through this; I do already have these installed, and now we can just grab the Evilginx repository.

Here's the best part: Evilginx is open source and free, like, hey, it's all put together by Kuba Gretzky. You can track him down online, always doing incredible stuff over on the interwebs, and this is Evilginx 3.0. We can grab this repository and start to play with it, but let me tell you, hey, Evilginx was put together way back in 2017, but it has just gotten bigger and better. Now Kuba is putting together, like, hey, a full-blown course on setting this up and getting to phish based off of any website across the internet that you want: there's the Evilginx Mastery course, and he's building a whole community between red teamers, penetration testers, threat emulation teams, folks that are doing phishing on a daily basis for the work that they do, and getting together like minds to be able to build out phishlets and more capabilities. But let's go ahead and copy and paste this URL so that we can clone it on our droplet. Back in Kali Linux on our droplet, let's go ahead and git clone, pasting in that Evilginx repository. I'll hit enter on that, it'll pull it all down, perfect. Now let's move into that directory, and this is super duper easy. All that we need to do to build this on Linux (while you can just as easily do this on Windows with a batch script after you have golang installed), all we really need to do is just make. We run the make command and it'll cruise through the Makefile, set it all up here for us, that's it. Now in the current directory we do have a build folder, and I could move into that build directory, where we could just simply run Evilginx. Let me fire it up from the build directory; we can tab to autocomplete our Evilginx binary, and this is it, this is Evilginx in the Community Edition, version 3.2.0, from Kuba Gretzky.

Now here's the thing: we need to provide the path to our phishlets, and we haven't talked about phishlets just yet, but let's get into it right now. I've downloaded a local copy so that I can show you this with syntax highlighting and a good text editor, but this is an example YAML file that is a phishlet. Phishlets are small configuration files that are used to configure Evilginx for targeting a specific website, ultimately with the goal of performing this phishing attack. You can have as many of these phishlets as you want, and then ultimately you can tell Evilginx to enable or disable them, but ultimately the syntax is the most important piece, so we can dig into the documentation to try and understand how these phishlets are put together: what syntax do we need, based off of different keys, and what do they really do inside of Evilginx. You can see the documentation has maybe been preparing some examples for, like, LinkedIn or Okta or AWS or Instagram, I don't know, whatever website you want, but let's go take a look at the phishlet format. Ultimately we need to define, hey, what's the minimum version of Evilginx that should work with this phishlet, and then where do we go once a user has successfully logged in to the real, genuine application like LinkedIn. You can define sort of parameters, or like variables, that can be used within other templates and other phishlets if you really wanted to, but you'll fill them in for proxy hosts or auth tokens or credentials, all these things you can see on the side here. But the proxy hosts describe all of the subdomains and domains that Evilginx will have to handle proxying the traffic for; it is, again, a reverse proxy, sort of man-in-the-middle for the sessions and authentication, so it needs to track all of those and all the variables, all the parameters, HTTP methods and things that go back and forth for the authentication process. And of course, to be authenticated there needs to be some kind of token, something like a "hello, my name is" badge, something you can give to the server to prove and validate your identity so that you are successfully logged into a website. Normally that is an HTTP cookie or some session information that could be stored within local storage in your web browser.

So I'll be the first to say crafting phishlets is kind of an art to itself, a little bit of a science to it, hey, trying to track down within, like, the developer tools in your web browser. Let me show you, like, as an example: if we were to try to log in to any web page, say, okay, let's open up our developer tools and let's try to see what communicates over in the Network tab. Let's say I log in with PleaseSubscribe@gmail.com, enter the password here, could be anything, let's see what happens if I try to log in here. You can see a POST request to sessions, and we could dig into maybe any of the cookies that are set here, maybe things that are important; check out the payload, here is an authenticity token that we need to keep in mind, maybe be able to extract that out and see it as part of the communication, and the email and password, of course. But ultimately we need all the fields and information for a successful login, so you kind of need to build out phishlets in a test bed.

Say we wanted to build out that Microsoft 365 phishlet, though. Thankfully Kuba has already put this all together here for us in that Evilginx Mastery course, and some great information that's now already out online. Take a look at all the awesome stuff that he covers, like, hey, maybe some advanced phishing, some JavaScript injection, landing page redirectors, or mass targeting with your phishing lures. They even get into some of the secure hardening techniques that any website can use to try to prevent some of these reverse proxy man-in-the-middle techniques; that's some of the defense, that's some of the mitigations. But ultimately, hey, we can beat this up for stuff like Okta or Microsoft 365 or any website, and hey, don't take it from me, Kuba shows you how to put this all together when creating and crafting your own phishlets, and how to make that process easy, so you could just slap this in, put it together for any website you want; it doesn't have to be just Microsoft 365. But man, this is going to be a super cool demo. Here it is: this is the Microsoft 365 phishlet, the YAML file and configuration that we can use to tell Evilginx to put together this reverse proxy process and phish and steal credentials, and steal the whole session, for a Microsoft 365 user.

Let's get into it. Let's move into that phishlets directory, where we knew we had the example.yaml. Let me go ahead and put my M365 YAML file; let's paste all this in, I'll save and exit. Now let's run Evilginx one more time, but we know that we need to pass in that -p parameter for our phishlets directory. We'll add that in and fire up Evilginx, and take a look here: we can see we have our phishlets loaded, and M365, our new configuration, is present. It's currently not enabled, but now we can configure that. So first things first, we do need to configure our domain. We'll use the command config domain, and then we'll specify that domain that we've set up to host our phishing link, that whole page, right; we'll use that microsoft-onedrive.3.4.1.zip. This is literally the HTTP domain, the website where we're staging our phish. I'll hit enter on that, you can see that is set, and now we should tell our phishlet that that is the domain that we want to use. We can use phishlets hostname, set for our M365 phishlet here, and we'll go ahead and use this exact same domain, microsoft-onedrive.3.4.1.zip. Let's paste that in and run it, perfect. But next we need to configure the IP address of Evilginx; it needs to know itself, its own location. Thankfully this is from the box that DigitalOcean had spun up for us, so we just need to enter the IP address that DigitalOcean knows is out on the internet. We'll do a config ipv4 and let's just paste in the 1431 19855 53 IP address. Let's hit enter on that, and now we're rocking. Finally we can enable our phishlet: let's use phishlets enable M365, and that should now be set. It will try to set up all the certificates that might be necessary for it, and Evilginx handles that all for you. What we could do now is just take another look at our phishlets, and take a look, there is our M365 phishlet, enabled and ready for us to create a lure next. A phishing lure, and the lure is really the hook, right, like the fish hook to catch this phish; this is what we'll dangle in front of the user and tease them with, that way, okay, now they'll log in and give us their credentials willingly, thanks to this social engineering.

But let's build out that pretense so that we can genuinely send a phishing email to our Microsoft 365 user. So I'm going to switch context here, because ultimately I want to log in on a Windows host. I want to make this realistic, say, hey, I'm the user working from my workstation, so let me put on the victim hat and sort of act as the fool here. Say I were just going about my work using Outlook, hey, just that Office application for me to be able to play and use and read my emails. Right now this is the Microsoft 365 account that we had just previously set up in the most recent video, where we staged our own Microsoft 365 tenant, and we have an M365 admin account. Now let's stage our phishing email. Let's send this to the M365 admin at that 2NTby4.onmicrosoft.com, the randomly generated Microsoft 365 tenant that we created here. Let's say "New Microsoft OneDrive update, security update", oh, look at that, nice and fancy. Let's just say "Hey admins, start the download for our", or, cool, I fixed my typo there, and I think this is a mediocre, pretty decent phish, right?

So let's get back to Evilginx and let's create that lure. Currently we don't have any lures created, but we can just simply lures create a new one. We know that M365 is enabled as a phishlet, so we can simply lures create M365. I'll hit enter on that, and we'll create a new lure with ID zero, so we can go check it out: hey, do we have any new lures? Yes we do. I'll zoom out a little bit; you can see the path here, just a random ending for our lure, and we could just do a simple lures get-url based off of ID 0. Now this will tell me, this is our phishing hook URL, this is what should go in the email. So let's get back to our email draft, let's paste this in instead. It looks a little bit wonky with "P something" trailing after the zip archive, but that's fine; maybe we can just add some ampersand randomness in here, or an octothorpe, right, that'll be a comment; we could add, like, whatever base64 values we want, make this some big overwhelming URL. Now we've crafted this URL, our lure is ready, and we can just go send this to the victim. Let me put these side by side. All right, we are ready to hit the go button: phishing email on the left-hand side, email inbox of our victim on the right. Let's hit send. Email is sent, let's go take a look. I don't know, can we force the send and receive in our inbox here? Oh hey, it went to my junk email. All right, good enough, that's fine: "Hey admins, Microsoft let us know about a new OneDrive client." All right, let's see if we could fire it up with that link.

Okay, I went split screen and moved my email to the inbox so I can go ahead and click on this link here. Remember, Evilginx, our threat actor, is on the left, and our victim is on the right. Let's click to open up our login over at Microsoft OneDrive here, and let's log in as the victim. Bear in mind I'm wearing my victim hat right now. Let me enter my M365 account at 2NTby4.onmicrosoft.com, I'll hit next to enter my password, here is my victim password, as I enter it in we can go ahead and sign in. Nice, Evilginx got it right away: here's that super secret password, and the victim now has their two-factor authentication prompt. Here it is, you can see it on my phone. We'll go ahead and toggle that on, go ahead and enter that code, which should be 24 at the time of firing this up. We'll hit enter on that, approve the sign-in, and look over here on Evilginx: it has detected the authorization URL, intercepted the token, and stolen the session cookie. Now we can just go all hacker side. Now we don't even need the victim; they've done their job in providing their credentials and session.

So let's get back to Evilginx, let's take a look at the sessions that we've captured, and here it is: here is our username, that M365 admin that we've successfully phished, their password that we've stolen, and the captured tokens. We can go ahead and say sessions, based off of just that ID number, 3 in this case, and it will dump all of the tokens for us. Here it is, this is the giant cookie JSON blob that we could use to now log in to Office as that victim user. So here, let me open up, like, my web browser, Firefox, over on the threat actor side. I'm going to grab just a super simple cookie editor for my web browser; yep, that's fine, we can install Cookie-Editor, I don't care, add to Firefox. Now I could try to go to office.com as if I were a logged-in user. I could try to sign in; you can see that I don't have that access right now. I don't know the username and password, because I am the threat actor and hacker, but we've just stolen their cookies, all the session details. So let me go use my cookie editor; we can delete all the stuff that it thinks it has, maybe sessions that Microsoft had just started as if we were to log in, but let me click on this import button, and let's paste in everything that we just received from Evilginx. We'll go ahead and click import, and now I will refresh the page, or just go right back to office.com. Log in, can I click sign in here? Signing in, signing in, yeah, we are logged in. Take a look, we are that M365 admin user. Thanks to Evilginx we have now taken over this entire account; we can get into whatever admin section, Teams, Microsoft Word, Excel, whatever. If I jump over to Outlook here, hey, we could see the phishing email that this all started from, right, oh, just that dumb little thing. But hey, don't forget, Evilginx is what made that possible, and super duper easy, because it is the reverse proxy; it can man-in-the-middle so the user is genuinely talking to, like, Microsoft, but it's just being funneled in a space that we can listen in and steal the cookies and tokens out of.

So we did it, we stole a Microsoft 365 account, all thanks to a little social engineering, a little phishing, and we did that all with Evilginx. The crucial part of that, though, is the phishlet; it's the configuration on how to actually steal and swipe those tokens from that website. And hey, if you want to learn a little bit more about Evilginx, or even if you're already using it for, like, red team engagements, for penetration testing, look, Kuba and the whole creators behind Evilginx are putting together Evilginx Pro. It's that community of red teamers, penetration testers, the future of phishing here, and it can do so much more cool stuff, like maybe phishing with QR codes, hey, using that course and maybe blending together some other techniques like Mark of the Web bypasses, other CVEs and vulnerabilities that you could do a whole lot with, some social engineering and some phishing and Evilginx. I hope you go take a look; there is so much stuff you can do. I, for one thing, totally agree that for cloud environments like Microsoft 365 this social engineering attack vector is like one of the best ways in, and maybe it's not M365, maybe it's Google, maybe it's Google Workspace, maybe it's Okta, maybe it's whatever website you want, you can go beat it up with Evilginx and put together some phishlets. And you can use my link below for a 20% off discount of the Evilginx Mastery course. Thanks so much for watching, I hope you enjoyed this video, hope you learned a thing or two, and I hope you go take a look at BREAKDEV, Evilginx Pro, Evilginx Mastery, this whole world of great stuff that you could do for some phishing with Evilginx. Thanks again.
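The transcript notes that websites can harden themselves against reverse-proxy man-in-the-middle phishing, and the demo leaves two artefacts a defender can look for: a lure URL that puts a brand name on an attacker-controlled domain (the "Microsoft OneDrive 3.4.1 .zip" download), and a captured session cookie that is later imported into a different browser on the attacker's machine. The following Python is an added example, written for this page; it is not code from the video, from John Hammond, or from the Evilginx project. The list of genuine Microsoft domains, the event schema, the sample email and the sample session log are all assumptions constructed for the example.

```python
"""Defensive checks against reverse-proxy (adversary-in-the-middle) phishing.

Added example, not code from the video or from the Evilginx project. Two
checks a defender can run offline:
  1. classify_url / scan_email: flag lure URLs that put a brand name on a
     domain the brand does not own (the transcript's lure imitates a
     "Microsoft OneDrive 3.4.1 .zip" download).
  2. find_replayed_sessions: flag a session whose cookie is used from a
     different client than the one that completed MFA, which is what happens
     when a captured cookie is imported into the attacker's browser.
All sample data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Domains Microsoft actually owns for sign-in and Office (assumed allowlist);
# anything else that carries these brand words in its hostname is suspect.
GENUINE_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")
BRAND_WORDS = ("microsoft", "onedrive", "office365", "o365", "m365", "outlook")
# TLDs that double as file extensions, so "update.zip" reads like a download.
FILE_LIKE_TLDS = {"zip", "mov"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_genuine(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def classify_url(url: str):
    """Return ("allow"|"flag"|"unknown", [reasons]) for one URL."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if _is_genuine(host):
        return "allow", []
    reasons = []
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand word in a hostname Microsoft does not own")
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_LIKE_TLDS:
        reasons.append(f".{tld} TLD looks like a file extension")
    return ("flag" if reasons else "unknown"), reasons


def scan_email(body: str):
    """Return [(url, reasons)] for every flagged URL in an email body."""
    flagged = []
    for url in URL_RE.findall(body):
        verdict, reasons = classify_url(url)
        if verdict == "flag":
            flagged.append((url, reasons))
    return flagged


@dataclass
class SessionEvent:
    session_id: str
    kind: str        # "mfa_completed" or "cookie_used" (assumed schema)
    ip: str
    user_agent: str


def find_replayed_sessions(events):
    """Return [(session_id, mfa_ip, replay_ip)] for sessions used from a client
    that differs from the one that passed MFA.

    With a reverse proxy in the middle, the service already saw the proxy's IP
    at MFA time; the replay from the attacker's own browser then shows up as
    a second client presenting the same session cookie.
    """
    origin = {}
    alerts = []
    for ev in events:
        if ev.kind == "mfa_completed":
            origin[ev.session_id] = (ev.ip, ev.user_agent)
        elif ev.kind == "cookie_used" and ev.session_id in origin:
            mfa_ip, mfa_ua = origin[ev.session_id]
            if ev.ip != mfa_ip or ev.user_agent != mfa_ua:
                alerts.append((ev.session_id, mfa_ip, ev.ip))
    return alerts


# Constructed sample email, loosely modelled on the lure in the transcript.
SAMPLE_EMAIL = """Hey admins, Microsoft let us know about a new OneDrive client.
Start the download: https://microsoft-onedrive.3.4.1.zip/kDn8xq?v=1
Sign-in portal: https://login.microsoftonline.com/
Internal wiki: https://wiki.example.internal/onboarding
"""

# Constructed session log: s1 is normal; s2's cookie is reused from a second
# client (IP and browser differ) after MFA completed through the proxy.
SAMPLE_EVENTS = [
    SessionEvent("s1", "mfa_completed", "203.0.113.10", "Edge/120"),
    SessionEvent("s1", "cookie_used",   "203.0.113.10", "Edge/120"),
    SessionEvent("s2", "mfa_completed", "198.51.100.7", "Edge/120"),
    SessionEvent("s2", "cookie_used",   "192.0.2.44",   "Firefox/119"),
]

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL):
        print("FLAG", url, "->", "; ".join(reasons))
    for sid, mfa_ip, replay_ip in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"ALERT session {sid}: MFA from {mfa_ip}, cookie used from {replay_ip}")
```

Both checks are heuristics: the URL classifier only knows the brand domains it is given, and a session that changes IP or browser mid-life will also fire on a user switching from Wi-Fi to mobile, so in practice it is combined with geolocation, ASN and device signals before anyone is paged. The hardening the transcript alludes to is stronger than either: an origin-bound authenticator such as FIDO2/WebAuthn signs the challenge for the real login origin, so a proxy served from another domain cannot relay a usable assertion, which removes the MFA bypass the video relies on.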
Info
Channel: John Hammond
Views: 283,673
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers
Id: sZ22YulJwao
Length: 19min 57sec (1197 seconds)
Published: Wed Nov 01 2023