Use vncserver -list to check which ports each session is using. I’ll be keeping it simple and launching 2 instances. The solution is quite simple and can be easily automated.įirst, launch X number of instances of TigerVNC. But what if you’d like to run a large phishing campaign and require several VNC instances? Remember, you cannot send the same link to different users since they’d be sharing the same VNC session. So far what I’ve shown you will get you a single phishing page running which is good enough if you’re planning on spear phishing. But if you’re too lazy to read it here’s a TLDR of the commands you need to run: After various tests I’ve opted to use TigerVNC and you should too as it’ll save you a headache later on. I tested two VNC software: TightVNC & TigerVNC. Step 2 - Install TigerVNCįirst we need to install a VNC software. I’ll be using Ubuntu 20.04 for this demo but of course it can be any other Linux flavour you’re comfortable with. Use any cloud service provider to deploy a Linux machine. NoVNC Setup & Demo Step 1 - Deploy an Ubuntu Instance Or be creative and come up with another way (remember it’s your server).Have a keylogger running in the background.Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects.Close the VNC session when the user authenticates.Have a HTTP proxy connected to the browser that’s logging everything.The ways that this can be abused are endless: And because you’ve already setup Firefox in kiosk mode all the user will see is a web page, as expected. Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. Essentially, noVNC allows the web browser to act as a VNC client to remotely access a machine. noVNC runs well in any modern browser including mobile browsers (iOS and Android). NoVNC is both a VNC client JavaScript library as well as an application built on top of that library. For example, if you tried using a Gmail phishlet, you probably ran into an error similar to the one shown below.Īnd so I made it my mission to find a new way of bypassing 2FA which eventually lead to this interesting & unorthodox technique. I couldn’t help but look at some of the outstanding issues on the Github project and realizing that some websites were implementing methods to prevent Evilginx2 and other MITM phishing tools from working. I quickly setup the great Evilginx2 as I usually would. Recently I was on an engagement where all the users had 2FA enabled on their email. ![]() Although this post was purely original and did not use any of their work, I believe it is fair to reference it out of respect for the authors’ work and because it clearly goes far more in-depth than this blog post. ![]() It was recently brought to my attention that this technique was previously mentioned in a research article. Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |