Added 3.0 compatible Instagram phishlet. #15

Open
wants to merge 1 commit into
base: main

@tijme tijme commented Apr 5, 2024

No description provided.

@HackerUniverse HackerUniverse left a comment

Not working, getting issues: www.fbsbx.com refused to connect while prompted to do the challenge.

@simplerhacking
Owner

@HackerUniverse Thanks for mentioning this. I haven't had a chance to test it. But the script does look like they asked an AI assistant like Claude 3 to update Charles Bel's old #instagram script from 2.0 to Evilginx 3.0 using a prompt, then pasted it into a pull request. I don't think someone would add that complicated of a js_inject into it unless there was a specific reason to capture or avoid something. I've been working on mine for Instagram and mine looks different, but I could be wrong. Compatible and working are 2 different things ig.

@tijme
Author

tijme commented Apr 15, 2024

I captured credentials using it a few days ago. However, as it is not working for @HackerUniverse it likely needs more improvement. I'm not sure how to debug these phishlets properly and unfortunately don't have the time for it.

@simplerhacking The script is not AI generated 😅. It is from an older version of Charles Bel's Instagram phishlet where it was still deobfuscated. I needed the deobfuscated variant to do some debugging. Instagram's login flow is weird, because they encode the password using JavaScript before initiating the login HTTP request. This means that Evilginx would not be able to capture the plaintext password without the JS inject. The JS script simply adds the plaintext version to the request as well.

@simplerhacking
Owner

@tijme Understood. I will debug it. Thank you for the time and effort put into your contribution.

@whithey79

Instagram phishlet is not working

@whithey79

Can you please create a new Instagram phishlet or update this one?

@whithey79

Seems like you can't create an instagram phishlet either

@simplerhacking
Owner

> Seems like you can't create an instagram phishlet either

@whithey79 Please send me a screen recording that shows the phishlet does not work. Screen record either evilginx running or the phishlet in a live browser like Chrome or Edge. Even better would be both running side by side simultaneously. You don't need to configure MFA or anything. Just record yourself enabling phishlet

Saying verbally that it doesn't work doesn't really help. Showing it live from your POV would help tremendously on moving forward if you want a solution. By doing so I can take a look at potential points of failure, if it's not functional or needs updates. You can either email it to me (info@simplerhacking.com) or share a YouTube private link. It's up to you.

Start a screen recording, showing evilginx running in the terminal and the browser loading the phishing page. Try to capture both the terminal and browser side by side so I can see a clearer view of what’s happening.

First, make sure evilginx is running properly on your VPS. Load the code, set and enable the phishlet and run evilginx as normal.
phishlets enable

Then, create a lure with:
lures create , lures get-url, etc, etc.

Once you have the evilginx URL, copy it and open it in an incognito window in your browser.

Keep your terminal open so I can see the evilginx logs. You should see the requests being proxied. Show me where it fails, etc.

Then save the recording, send it to me or send me a url to view.

@whithey79

@simplerhacking Glad you responded, but unfortunately, I’m away from my main laptop at the moment. I can look through the screenshots I took earlier. The problem is, it doesn’t capture cookies or credentials—it just stops loading on a blank screen. Most of the Instagram phishlets I found on GitHub don’t seem to work. I’m not sure if it’s because Instagram is too complex to create a proper phishlet. If you can correct this, I’d really appreciate it, or if you could check the error, that would mean a lot.

@simplerhacking
Owner

@whithey79 Ok. Please send a screen-recording of the issue from your computer so I can see what's happening when you run the code in a live environment. Run evilginx, load up the phishlet as normal, generate lure, paste lure, show terminal and the landing page side by side, show everything as well as the point of failure. I can't diagnose or correct an error from words. I don't know what to "correct" or to "fix".

The instructions are attached above. I get 100s of these in my email and hardly reply as people rarely give context or elaborate enough to help them with a complex/variable phishlet issue.

You have my attention, so here is your opportunity to provide me the proper context to solve your specific issue with this instagram phishlet^ you say doesn't work and loads a blank screen. The faster you get back to your main computer, the faster I can diagnose your issue.

You can email the screen-recording to my company email (info@simplerhacking.com) or share a YouTube private link here. It's up to you.

@simplerhacking
Owner

@whithey79 How has there been any back and forth? There has been no discussion or correspondence. You simply made a claim that says Instagram doesn't work. I asked you to provide evidence in video format showing that your claim is valid so I can take a look. You sent nothing. No problem can be addressed without cooperation or understanding. Then you're publicly making definitive claims like what you said is correct.

@whithey79

@simplerhacking Hello, I apologize for not following up on that earlier. I've been quite busy lately. Unfortunately, after that day, my VPS expired, and I could have accessed it using a friend's PC. However, I did test it out locally, and while it did log a user in, it didn't capture any credentials, including cookies, in Evilginx. If you still need me to create a video about it, I can do so within the next few minutes if you respond to this message. To be honest, I haven't seen any developers who have successfully set up an Instagram phishlet that actually works. They all seem to have excuses, which is disappointing. Safe to say no one can make an Instagram phishlet that actually works.

4 participants