Bypassing MFA with Gophish and Evilginx2

Multi-factor authentication (MFA) is a widely used security measure that provides an additional layer of protection to user accounts. However, even with MFA in place, accounts can still be compromised through phishing attacks. Phishing attacks use social engineering techniques to trick users into revealing their login credentials, including the MFA code. In this blog post, we will discuss how to bypass MFA using Gophish and Evilginx2.

Gophish and Evilginx2 are two open-source tools that can be used to perform phishing attacks and bypass MFA. Gophish is a phishing framework that can be used to create and manage phishing campaigns, while Evilginx2 is a tool that can be used to intercept MFA codes and bypass MFA. Let's take a closer look at each of these tools.

Gophish

Gophish is an open-source phishing framework that can be used to create and manage phishing campaigns. It is a user-friendly tool that does not require advanced technical knowledge to use. With Gophish, you can create custom phishing emails and landing pages, track email opens and clicks, and even create automated follow-up emails.

Gophish works by sending phishing emails to a targeted group of users. The emails are designed to mimic legitimate emails, such as those from a bank or a social media website. When a user clicks on a link in the email, they are directed to a phishing landing page that looks like the legitimate website. The user is then prompted to enter their login credentials, which are captured by Gophish.

Once the login credentials are captured, Gophish can be used to perform further attacks, such as sending follow-up phishing emails or attempting to log in to the compromised account. With Gophish, it is possible to create a very convincing phishing campaign that can trick even the most security-conscious users.

Evilginx2

Evilginx2 is a tool that can be used to intercept MFA codes and bypass MFA. It works by creating a man-in-the-middle (MITM) attack between the user and the legitimate website. When the user enters their login credentials, including the MFA code, Evilginx2 intercepts the code and uses it to log in to the compromised account.

Evilginx2 is a powerful tool that can bypass MFA for a variety of services, including Gmail, Office 365, and many others. It is a modular tool that can be extended to support additional services.

Bypassing MFA with Gophish and Evilginx2

To bypass MFA with Gophish and Evilginx2, you will need to perform the following steps:

  1. Set up a phishing campaign in Gophish: First, you will need to set up a phishing campaign in Gophish. This involves creating a phishing email that mimics a legitimate email and a landing page that looks like the legitimate website. You will also need to set up a server to host the phishing landing page.
  2. Send the phishing email: Once the phishing campaign is set up, you can send the phishing email to a targeted group of users. The email should be designed to trick the user into clicking on a link and entering their login credentials.
  3. Intercept the login credentials: When the user enters their login credentials, Evilginx2 will intercept the credentials and log them. Evilginx2 will also intercept the MFA code and store it.
  4. Use the MFA code to log in to the compromised account: Finally, you can use the intercepted MFA code to log in to the compromised account. This will bypass MFA and give you access to the account.
  5. Capture the session cookies: In addition, Evilginx2 can be configured to capture the session cookies issued after a successful login. Those cookies can then be used to log in to the user's account directly, for as long as the cookies remain valid.

Mitigating MFA Bypass Attacks

As the steps above show, MFA can still be bypassed through phishing attacks. The rest of this post discusses how to mitigate MFA bypass attacks.

  1. Educate users on phishing attacks

The first step in mitigating MFA bypass attacks is to educate users on phishing attacks. Users need to be aware of the risks associated with phishing attacks and how to identify them. They should be trained to look for signs of phishing emails, such as spelling and grammar mistakes, suspicious links, and requests for sensitive information.

  2. Implement email filtering

Email filtering can help to reduce the number of phishing emails that users receive. Email filters can be set up to block known phishing domains and to flag suspicious emails. This can help to prevent users from clicking on links in phishing emails and entering their login credentials.

  3. Implement web filtering

Web filtering can also help to reduce the risk of phishing attacks. Web filters can be set up to block known phishing websites and to flag suspicious websites. This can help to prevent users from entering their login credentials on phishing websites.

  4. Use MFA with a physical token

MFA with a physical token, such as a USB key or a smart card, can be more secure than MFA with a code. Physical tokens cannot be intercepted by phishing attacks, making them more resistant to MFA bypass attacks.
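The reason a hardware token holds up where a typed code does not is that a FIDO2/WebAuthn token binds its response to the site the browser is really talking to. The following is an added example, not code from the original post or from either tool: it models the relying-party side of a WebAuthn assertion check and shows why an assertion obtained on a look-alike proxy domain is rejected. The RP ID, origins, challenge and the HMAC used as a stand-in for the authenticator's signature are all constructed for the demo; a real authenticator signs with an asymmetric key pair and the site verifies with the public key registered at enrolment.

```python
"""Why a FIDO2/WebAuthn token survives a reverse-proxy phish (modelled).

The browser writes the page origin into clientDataJSON, the authenticator
scopes the credential to the RP ID, and both are covered by the signature.
A proxy on another domain cannot change them without breaking the signature.
Everything below (RP ID, origins, challenge, HMAC "signature") is constructed.
"""
import hashlib
import hmac
import json
from typing import Optional

RP_ID = "login.example.com"                      # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"    # the only origin the RP accepts
DEVICE_KEY = b"constructed-authenticator-secret"  # stand-in for the device private key
CHALLENGE = "constructed-random-challenge"
PHISH_ORIGIN = "https://login.example-com.test"   # constructed look-alike domain


def authenticator_sign(rp_id: str, origin: str, challenge: str) -> dict:
    """Browser + authenticator producing an assertion (modelled, not real)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP=1) || 32-bit signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # stand-in signature
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def browser_get(page_origin: str, rp_id: str, challenge: str) -> Optional[dict]:
    """A page may only use an RP ID that is a registrable suffix of its own host."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # browser raises SecurityError for a foreign RP ID
    # A real authenticator would hold no credential for a foreign RP ID at all;
    # the worst case (one exists) is modelled so the RP-side checks can be shown.
    return authenticator_sign(rp_id, page_origin, challenge)


def rp_verify(assertion: dict, challenge: str) -> tuple:
    """Subset of the relying-party checks from the WebAuthn spec, in spec order."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return (False, "wrong ceremony type")
    if client_data.get("challenge") != challenge:
        return (False, "challenge mismatch")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return (False, "origin mismatch: " + str(client_data.get("origin")))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return (False, "rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        return (False, "user-presence flag not set")
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return (False, "bad signature")
    return (True, "ok")


def legitimate_login() -> tuple:
    """User on the real site: accepted."""
    return rp_verify(browser_get(EXPECTED_ORIGIN, RP_ID, CHALLENGE), CHALLENGE)


def proxied_login() -> tuple:
    """User on the proxy domain: the browser refuses the real RP ID, so the only
    assertion obtainable is scoped to the proxy's domain; the RP rejects it."""
    if browser_get(PHISH_ORIGIN, RP_ID, CHALLENGE) is not None:
        raise AssertionError("browser should refuse a foreign RP ID")
    assertion = browser_get(PHISH_ORIGIN, "login.example-com.test", CHALLENGE)
    return rp_verify(assertion, CHALLENGE)


def tampered_login() -> tuple:
    """Proxy patches origin and rpIdHash before relaying: both are signed, so
    the signature no longer verifies."""
    assertion = browser_get(PHISH_ORIGIN, "login.example-com.test", CHALLENGE)
    patched = json.loads(assertion["clientDataJSON"])
    patched["origin"] = EXPECTED_ORIGIN
    assertion["clientDataJSON"] = json.dumps(patched, separators=(",", ":")).encode()
    assertion["authenticatorData"] = (
        hashlib.sha256(RP_ID.encode()).digest() + assertion["authenticatorData"][32:]
    )
    return rp_verify(assertion, CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxied:   ", proxied_login())
    print("tampered:  ", tampered_login())
```

The contrast with a one-time code is the point: a six-digit code carries no information about where it was typed, so a proxy can forward it unchanged, whereas the WebAuthn response carries the origin and RP ID inside the signed data. For this to hold in practice the site must register and require the hardware factor, not merely offer it alongside a code-based fallback.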

  5. Implement risk-based authentication

Risk-based authentication is a security measure that assesses the risk associated with a login attempt and adjusts the authentication requirements accordingly. For example, if a login attempt is deemed high-risk, the user may be required to provide additional authentication factors, such as a physical token or a fingerprint scan.

  6. Implement behavioral analytics

Behavioral analytics is a security measure that uses machine learning algorithms to analyze user behavior and identify anomalies. This can help to detect unauthorized access attempts and alert security personnel.
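Risk-based authentication and behavioral analytics work together: the baseline of what a user normally does feeds the risk score, and the score decides what the login must present. The following is an added example, not code from the original post, that shows one such decision engine. The per-user baseline, the login events, the weights and the thresholds are all constructed for the demo, and the "ip_type" field stands for whatever IP-reputation feed the organisation uses.

```python
"""Risk-based step-up authentication over a per-user behavioural baseline.

Each login attempt is scored against the user's history (countries, devices,
working hours) and the request's source. Low scores pass with the factor
already presented; medium scores must present a phishing-resistant factor;
high scores are blocked and reported. All data and weights are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    countries: frozenset      # countries the user has logged in from before
    devices: frozenset        # device identifiers seen before (cookie or fingerprint)
    usual_hours: range        # local hours the user is normally active


@dataclass(frozen=True)
class Attempt:
    user: str
    country: str
    device_id: str
    ip_type: str              # "residential", "hosting" or "vpn" from an IP-reputation feed (assumed)
    when: datetime
    factor: str               # factor already presented: "otp", "push" or "webauthn"


WEIGHTS = {"new_country": 40, "unknown_device": 30, "hosting_ip": 30, "odd_hour": 10}
STEP_UP_AT, BLOCK_AT = 30, 70          # constructed thresholds
PHISHING_RESISTANT = {"webauthn"}       # factors a relay proxy cannot forward


def score(attempt: Attempt, baseline: Baseline) -> tuple:
    """Return (score, reasons) for one login attempt."""
    reasons = []
    if attempt.country not in baseline.countries:
        reasons.append("new_country")
    if attempt.device_id not in baseline.devices:
        reasons.append("unknown_device")
    if attempt.ip_type == "hosting":
        reasons.append("hosting_ip")
    if attempt.when.hour not in baseline.usual_hours:
        reasons.append("odd_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: Attempt, baseline: Baseline) -> str:
    """Map a score to an outcome: "allow", "step_up" or "block"."""
    s, _ = score(attempt, baseline)
    if s >= BLOCK_AT:
        return "block"       # too anomalous: deny and raise an alert for review
    if s >= STEP_UP_AT and attempt.factor not in PHISHING_RESISTANT:
        return "step_up"     # demand a hardware-backed factor before granting a session
    return "allow"


# Constructed baseline: alice works from the UK on two known devices, 08:00-19:59
ALICE = Baseline(frozenset({"GB"}), frozenset({"dev-laptop", "dev-phone"}), range(8, 20))

# Constructed events
NORMAL = Attempt("alice", "GB", "dev-laptop", "residential", datetime(2024, 3, 1, 9, 15), "otp")
TRAVEL = Attempt("alice", "FR", "dev-phone", "residential", datetime(2024, 3, 2, 11, 0), "otp")
TRAVEL_HW = Attempt("alice", "FR", "dev-phone", "residential", datetime(2024, 3, 2, 11, 0), "webauthn")
# What a login relayed through a proxy on a rented server looks like from the site's side:
# the request arrives from a hosting-provider address on a browser the site has never seen.
RELAYED = Attempt("alice", "GB", "unknown-1", "hosting", datetime(2024, 3, 2, 23, 40), "otp")

if __name__ == "__main__":
    for a in (NORMAL, TRAVEL, TRAVEL_HW, RELAYED):
        print(a.when.isoformat(), a.factor, decide(a, ALICE), score(a, ALICE)[1])
```

The step-up outcome is the one that defeats the relay: a one-time code typed into the proxied page can be forwarded, a WebAuthn assertion cannot. Weights and thresholds should be tuned on the organisation's own login history, and the baseline needs to be refreshed from confirmed-legitimate logins only, otherwise an attacker's device becomes "known" after one success.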

  7. Monitor for MFA bypass attacks

Finally, it is important to monitor for MFA bypass attacks. This can be done by reviewing access logs for unusual login activity and by analyzing network traffic for signs of a man-in-the-middle attack. If an MFA bypass attack is detected, the affected user should be notified and their account should be locked down until the issue is resolved.
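One concrete thing to look for in the access logs follows from step 5 of the attack: a session cookie issued after a successful MFA login is later presented from a different client. The following is an added example, not code from the original post, that replays a constructed JSON-lines access log and reports every session used from an IP address or User-Agent other than the one it was issued to. The log format and field names are assumptions; adapt the parser to the real log source.

```python
"""Detecting replay of a post-MFA session cookie from a second client.

Server-side, cookie re-use shows up as one session identifier being used
from a client (IP and User-Agent) other than the one that completed the
login. The log below is constructed; field names are assumed.
"""
import json
from datetime import datetime

# Constructed sample log. "s-1" is issued to 203.0.113.10/Firefox and then used
# from 198.51.100.7/Chrome two minutes later; "s-2" stays on its original client.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","event":"login","user":"alice","sid":"s-1","ip":"203.0.113.10","ua":"Firefox/123"}
{"ts":"2024-03-01T09:00:05Z","event":"mfa_ok","user":"alice","sid":"s-1","ip":"203.0.113.10","ua":"Firefox/123"}
{"ts":"2024-03-01T09:00:30Z","event":"request","user":"alice","sid":"s-1","ip":"203.0.113.10","ua":"Firefox/123","path":"/inbox"}
{"ts":"2024-03-01T09:02:00Z","event":"request","user":"alice","sid":"s-1","ip":"198.51.100.7","ua":"Chrome/122","path":"/settings/forwarding"}
{"ts":"2024-03-01T10:00:00Z","event":"login","user":"bob","sid":"s-2","ip":"192.0.2.44","ua":"Safari/17"}
{"ts":"2024-03-01T10:00:04Z","event":"mfa_ok","user":"bob","sid":"s-2","ip":"192.0.2.44","ua":"Safari/17"}
{"ts":"2024-03-01T10:05:00Z","event":"request","user":"bob","sid":"s-2","ip":"192.0.2.44","ua":"Safari/17","path":"/inbox"}
"""


def parse(log_text: str):
    """Yield one dict per non-empty JSON line, with "ts" parsed to a datetime."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def find_session_drift(log_text: str) -> list:
    """Return one alert per session used from a client other than the one it was issued to."""
    issued = {}        # sid -> (user, ip, ua, login time)
    flagged = set()    # sessions already reported (one alert each)
    alerts = []
    for rec in parse(log_text):
        sid = rec["sid"]
        if rec["event"] == "login":
            issued[sid] = (rec["user"], rec["ip"], rec["ua"], rec["ts"])
            continue
        if sid not in issued or sid in flagged:
            continue
        user, ip, ua, login_ts = issued[sid]
        changed = []
        if rec["ip"] != ip:
            changed.append("ip")
        if rec["ua"] != ua:
            changed.append("user_agent")
        if changed:
            flagged.add(sid)
            alerts.append({
                "sid": sid,
                "user": user,
                "changed": changed,
                "issued_to": ip + " " + ua,
                "seen_from": rec["ip"] + " " + rec["ua"],
                "seconds_after_login": int((rec["ts"] - login_ts).total_seconds()),
                "first_path": rec.get("path"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_drift(SAMPLE_LOG):
        print(json.dumps(alert))
```

A User-Agent change is a stronger signal than an IP change alone, since mobile users change addresses routinely but a cookie imported into another browser changes both. When an alert fires, the response the post describes applies: notify the user, revoke the session and any others issued in the same window, and keep the account locked until the login has been verified out of band.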