Evil QR is a toolkit demonstrating another approach to a QRLJacking attack, allowing an attacker to perform remote account takeover through sign-in QR code phishing.
It consists of a browser extension, used by the attacker to extract the sign-in QR code, and a server application, which retrieves the extracted sign-in QR codes and displays them on the hosted phishing pages.
Watch the demo video:
Read more about it on my blog: https://breakdev.org/evilqr-phishing
The parameters used by Evil QR are hardcoded into the extension and server source code, so it is important to change them to custom values before you build and deploy the toolkit.
| parameter | description | default value |
|---|---|---|
| API_TOKEN | API token used to authenticate with REST API endpoints hosted on the server | 00000000-0000-0000-0000-000000000000 |
| QRCODE_ID | QR code ID used to bind the extracted QR code with the one displayed on the phishing page | 11111111-1111-1111-1111-111111111111 |
| BIND_ADDRESS | IP address and port the HTTP server will be listening on | 127.0.0.1:35000 |
| API_URL | External URL pointing to the server, where the phishing page will be hosted | http://127.0.0.1:35000 |
Here are all the places in the source code, where the values should be modified:
You can load the extension in Chrome through the Load unpacked feature: https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked
Once the extension is installed, make sure to pin its icon in Chrome's extension toolbar, so that the icon is always visible.
Make sure you have Go version 1.20 or later installed.
To build, go to the /server directory and run the command:

Windows:
```
build_run.bat
```

Linux:
```
chmod 700 build.sh
./build.sh
```

Built server binaries will be placed in the ./build/ directory.
```
./server/build/evilqr-server
```

- https://discord.com/login
- https://web.telegram.org/k/
- https://whatsapp.com
- https://store.steampowered.com/login/
- https://accounts.binance.com/en/login
- https://www.tiktok.com/login

http://127.0.0.1:35000 (default)

Evil QR is made by Kuba Gretzky (@mrgretzky) and it's released under the MIT license.
SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
See PhishInSuits for more details on using OAuth Device Code flow for phishing attacks.
```text
usage: squish.py [-h] {email,server} ...

SquarePhish -- v0.1.0

optional arguments:
  -h, --help      show this help message and exit

modules:
  {email,server}
    email         send a malicious QR Code email to a provided victim
    server        host a malicious server QR Codes generated via the 'email' module will
                  point to that will activate the malicious OAuth Device Code flow
```
An attacker can use the email module of SquarePhish to send a malicious QR code email to a victim. The default pretext is that the victim is required to update their Microsoft MFA authentication to continue using mobile email. The current client ID in use is the Microsoft Authenticator App.
By sending a QR code first, the attacker can avoid prematurely starting the OAuth Device Code flow, which lasts only 15 minutes.
The victim will then scan the QR code found in the email body with their mobile device. The QR code will direct the victim to the attacker-controlled server (running the server module of SquarePhish), with a URL parameter set to their email address.
When the victim visits the malicious SquarePhish server, a background process is triggered that will start the OAuth Device Code authentication flow and email the victim a generated Device Code they are then required to enter into the legitimate Microsoft Device Code website (this will start the OAuth Device Code flow 15 minute timer).
The SquarePhish server will then continue to poll for authentication in the background.
```text
[2022-04-08 14:31:51,962] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:31:57,185] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:02,372] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:07,516] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:12,847] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:17,993] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:23,169] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:28,492] [info] [minnow@square.phish] Polling for user authentication...
```
The victim will then visit the Microsoft Device Code authentication site from either the link provided in the email or via a redirect from visiting the SquarePhish URL on their mobile device.
The victim will then enter the provided Device Code and will be prompted for consent.
After the victim authenticates and consents, an authentication token is saved locally and will provide the attacker access via the defined scope of the requesting application.
```text
[2022-04-08 14:32:28,796] [info] [minnow@square.phish] Token info saved to minnow@square.phish.tokeninfo.json
```
The current scope definition:
```
"scope": ".default offline_access profile openid"
```
!IMPORTANT: Before using either module, update the required information in the settings.config file noted with `Required`.
Send the target victim a generated QR code that will trigger the OAuth Device Code flow.
```text
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]
  --debug               enable server debugging
  -e EMAIL, --email EMAIL
                        victim email address to send initial QR code email to
```
Host a server that a generated QR code will be pointed to and when requested will trigger the OAuth Device Code flow.
```text
usage: squish.py server [-h] [-c CONFIG] [--debug]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]
  --debug               enable server debugging
```
All of the applicable settings for execution can be found and modified via the settings.config file. There are several pieces of required information that do not have a default value that must be filled out by the user: SMTP_EMAIL, SMTP_PASSWORD, and SQUAREPHISH_SERVER (only when executing the email module). All configuration options have been documented within the settings file via in-line comments.
Note: The `SQUAREPHISH_` values present in the 'EMAIL' section of the configuration should match the values set when running the SquarePhish server.
Currently, the pre-defined pretexts can be found in the pretexts folder.
To write custom pretexts, use the existing template via the pretexts/iphone/ folder. An email template is required for both the initial QR code email as well as the follow up device code email.
Important: When writing a custom pretext, note the existence of `%s` in both pretext templates. This exists to allow SquarePhish to populate the correct data when generating emails (QR code data and/or device code value).
There are several HTTP response headers defined in the utils.py file. These headers override any existing Flask response header values and are intended to make the server's responses look more 'legitimate'. These header values can be modified or removed, and additional headers can be included for better OPSEC.
```python
{
    "vary": "Accept-Encoding",
    "server": "Microsoft-IIS/10.0",
    "tls_version": "tls1.3",
    "content-type": "text/html; charset=utf-8",
    "x-appversion": "1.0.8125.42964",
    "x-frame-options": "SAMEORIGIN",
    "x-ua-compatible": "IE=Edge;chrome=1",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000",
}
```
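From a defender's side, the default header set above is itself a fingerprint: `tls_version` is not a standard HTTP response header, and `x-appversion` carries a fixed build string. The following is an added example, not SquarePhish's own code, that matches raw HTTP responses against those defaults; the header names and values come from the page, while the sample responses and the match threshold are constructed for the illustration.

```python
# Added example, not SquarePhish's own code: flag HTTP responses carrying the
# default header set that utils.py uses to look like IIS. Header names and
# values are from the page; sample responses and thresholds are constructed.

SQUAREPHISH_DEFAULT_HEADERS = {
    "vary": "Accept-Encoding",
    "server": "Microsoft-IIS/10.0",
    "tls_version": "tls1.3",
    "content-type": "text/html; charset=utf-8",
    "x-appversion": "1.0.8125.42964",
    "x-frame-options": "SAMEORIGIN",
    "x-ua-compatible": "IE=Edge;chrome=1",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000",
}
# "tls_version" is not a standard HTTP response header and "x-appversion"
# carries a fixed build string, so either one is a strong single signal.
STRONG_INDICATORS = {"tls_version", "x-appversion"}

def parse_raw_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-name dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def match_defaults(headers: dict) -> tuple:
    """Return (all matched default headers, the strong ones among them)."""
    matched = [n for n, v in SQUAREPHISH_DEFAULT_HEADERS.items()
               if headers.get(n, "").lower() == v.lower()]
    return matched, [n for n in matched if n in STRONG_INDICATORS]

def is_suspected_squarephish(raw: str) -> bool:
    matched, strong = match_defaults(parse_raw_headers(raw))
    # Require a strong indicator plus corroborating defaults so a real IIS
    # site that sends common hardening headers does not trip the rule.
    return bool(strong) and len(matched) >= 4

# Constructed sample responses (not captured traffic).
SAMPLE_SQUAREPHISH = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
    "tls_version: tls1.3\r\nX-AppVersion: 1.0.8125.42964\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html; charset=utf-8\r\n"
    "\r\n<html>...</html>")
SAMPLE_BENIGN_IIS = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n")
```

Since the page notes that operators can change or remove these headers, treat this as a brittle fingerprint for hunting, not a primary control.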