Browser-in-the-Middle (noVNC)
A Browser-in-the-Middle (BitM) attack with noVNC abuses the fact that noVNC (and similar remote-browser solutions) exposes a remote desktop, and with it a browser running on the remote host, through the victim's own web browser. The victim interacts with the real login portal, but inside a browser the adversary owns.
To keep it simple, here are the steps in this type of attack:
Adversary preconfigures their noVNC server so that a browser is already open and navigated to the target login portal (e.g. login.microsoftonline.com).
Adversary provides the victim with a link to the adversary-controlled noVNC server (through phishing, for example).
Victim opens the link in their own browser, which connects to the adversary-controlled remote desktop, and authenticates (including any MFA prompt) to the legitimate login portal displayed inside the noVNC session. The page looks genuine because it is genuine; only the browser rendering it belongs to the adversary.
Adversary captures the session cookies stored in the browser inside the noVNC session once the victim completes authentication. Because that browser runs on the adversary's host, the post-MFA cookies already sit in a profile the adversary controls; nothing has to be exfiltrated from the victim's device.
Adversary cuts the victim off from the noVNC session (terminating the victim's connection to it) and continues using the already-authenticated browser session themselves, which is how the MFA bypass is completed.
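One consequence of the steps above is visible on the defender's side: the credentials and MFA are entered in a browser on the adversary's noVNC host, so the identity provider records the sign-in as coming from that host's IP address and user agent, not from the victim's device. The following Python is an added example of a sign-in-log heuristic built on that observation; it is not code from the original page, EvilnoVNC or CuddlePhish. The log format, field names, baseline structure and sample events are constructed for the example (TEST-NET addresses, with 203.0.113.45 playing the noVNC host).

```python
"""Heuristic detection of Browser-in-the-Middle (BitM) sign-ins.

Added example (not from the page or from EvilnoVNC/CuddlePhish). Two checks:
  1. shared_source_ips: one source IP successfully authenticates several
     distinct users inside a short window (a shared noVNC host, most visible
     with a multi-victim setup).
  2. new_device_mfa_logins: an MFA-satisfied success from an (IP, user agent)
     pair the user has never been seen with before.
The pipe-separated log format and the events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    user_agent: str
    mfa_satisfied: bool
    success: bool


# Constructed format: timestamp|user|src_ip|user_agent|mfa|result
LOG = """\
2024-05-06T08:02:11|alice@example.com|198.51.100.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|mfa|success
2024-05-06T08:15:40|bob@example.com|198.51.100.11|Mozilla/5.0 (Macintosh) Safari/17|mfa|success
2024-05-06T09:01:05|alice@example.com|203.0.113.45|Mozilla/5.0 (X11; Linux x86_64) Chrome/124|mfa|success
2024-05-06T09:12:30|carol@example.com|203.0.113.45|Mozilla/5.0 (X11; Linux x86_64) Chrome/124|mfa|success
2024-05-06T09:40:02|dave@example.com|203.0.113.45|Mozilla/5.0 (X11; Linux x86_64) Chrome/124|mfa|success
2024-05-06T09:55:19|eve@example.com|203.0.113.45|Mozilla/5.0 (X11; Linux x86_64) Chrome/124|nomfa|failure
"""

# Constructed baseline of (src_ip, user_agent) pairs previously seen per user.
BASELINE = {
    "alice@example.com": {("198.51.100.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124")},
    "bob@example.com": {("198.51.100.11", "Mozilla/5.0 (Macintosh) Safari/17")},
    "carol@example.com": {("198.51.100.12", "Mozilla/5.0 (Windows NT 10.0) Chrome/124")},
    "dave@example.com": {("198.51.100.13", "Mozilla/5.0 (Windows NT 10.0) Edge/124")},
}


def parse_line(line: str) -> SignIn:
    ts, user, ip, ua, mfa, result = line.split("|")
    return SignIn(datetime.fromisoformat(ts), user, ip, ua, mfa == "mfa", result == "success")


def load_events(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def shared_source_ips(events, min_users=3, window=timedelta(hours=1)) -> dict:
    """Map src_ip -> sorted users for IPs that signed in >= min_users distinct users within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e.success:
            by_ip[e.src_ip].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        i = 0  # left edge of the sliding time window
        for j in range(len(evs)):
            while evs[j].ts - evs[i].ts > window:
                i += 1
            users = {e.user for e in evs[i:j + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def new_device_mfa_logins(events, baseline) -> list:
    """Successful, MFA-satisfied sign-ins from an (IP, UA) pair unseen for that user."""
    return [
        e for e in events
        if e.success and e.mfa_satisfied
        and (e.src_ip, e.user_agent) not in baseline.get(e.user, set())
    ]


if __name__ == "__main__":
    events = load_events(LOG)
    for ip, users in shared_source_ips(events).items():
        print(f"shared source {ip}: {', '.join(users)}")
    for e in new_device_mfa_logins(events, BASELINE):
        print(f"new device MFA login: {e.user} from {e.src_ip} ({e.user_agent})")
```

Both checks also fire on legitimate shared egress (corporate NAT, VPN concentrators) and on genuinely new devices, so they are triage signals rather than verdicts; the thresholds and baseline source are assumptions to tune per environment. Note that the remote browser in a BitM setup cannot reach a hardware authenticator plugged into the victim's machine, which is why origin-bound, device-bound factors (FIDO2/WebAuthn) hold up here where push or OTP MFA does not.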
EvilnoVNC
EvilnoVNC is a tool that sets up the required infrastructure in Docker containers to simplify deploying noVNC MFA-bypass attacks.
The setup is documented on the EvilnoVNC GitHub page and is easy to follow. Note, however, that the default setup provides a single noVNC session, which means one victim at a time: two victims interacting with the same remote browser would see and disturb each other's session.
CuddlePhish
CuddlePhish is a tool that serves noVNC MFA-bypass attacks to multiple victims at once, each in their own session. It also has built-in functionality to request TLS certificates and serve the noVNC session(s) on a custom domain.
The README on the CuddlePhish GitHub page covers installation and usage well. It is more involved to set up than EvilnoVNC, but the multi-victim support and certificate handling are worthwhile extras.