Attacker-in-the-Middle (Evilginx)
Evilginx is a phishing toolkit designed for attacker-in-the-middle (AitM) attacks that allow an adversary to capture login credentials and session cookies. These session cookies can be injected into a browser, bypassing traditional MFA and allowing full access to the user's account.
A session cookie/token is a unique piece of data generated by a web server when a user authenticates to the server. It is stored on a user's browser as a form of identification for that specific session.
Evilginx Setup
Infrastructure
The easiest and (probably) most common place that Evilginx is hosted/set up is on a Linux-based virtual machine hosted by a cloud infrastructure provider (e.g. Azure/AWS).
Once your VM is created, ensure that there is no HTTP server on port 80 running on your VM. You can use netstat to check what ports are currently in use on your VM and use ps to kill the process using port 80.
You will then have to implement the following inbound networking rules on your Evilginx VM:
TCP
443
Reverse proxy HTTPS traffic
TCP
22
SSH port for remote access
UDP
53
DNS traffic for hostname resolution
Domain/DNS
You will need to buy/register a domain, from GoDaddy or Cloudflare for example, to be used as a top-level domain for your phishing URLs.
Once you have a domain, set your domain to use custom nameservers that point to your Evilginx VM's public IP (e.g. weelee.zip domain with Evilginx VM with a public IP of 1.2.3.4).
ns1.weelee.zip
ns2.weelee.zip
ns1
1.2.3.4
ns2
1.2.3.4
Evilginx Deployment
On your VM, install Golang for your distribution, pull down the source code for Evilginx from the Evilginx2 GitHub, and build Evilginx.
Evilginx comes with indicators of compromise headers in evliginx2/core/http_proxy.go. It is pretty standard procedure for most people to remove these headers.
There are plenty of other customization and configuration changes to help secure your phishing links, domain, and Evilginx infrastructure.
This includes things as:
User-Agent Filtering
SPF/DKIM
Domain Aging/Site Classification
Google AMP Redirects
Evilginx Usage
As with lots of tools, the help command will show you a help menu. Using the help command followed by an action command such as config or phishlets will give you the help menu for that action.
Config
If you want to quickly configure your domain to work inside Evilginx, all you have to do is set the server domain and Evilginx public IP (e.g. weelee.zip domain with Evilginx VM with a public IP of 1.2.3.4).
Changing Unauthorized URL
You can change the URL where all unauthorized requests that are sent to Evilginx are redirected to. This can be a helpful way to deter scanners or bad (or would it be good?) actors.
Pre-Configuration/Automation
If you want to automate the deployment of your domain, phishlets, and lures, you can create a custom config.json file and place it at ~/.evilginx/config.json.
Below is an example config.json file with a pre-configured LinkedIn phishlet (taken from https://help.evilginx.com/docs/guides/config):
Certificates
TLS certificates are automatically generated for the domains and subdomains you use for your phishing URLs. All generated certificates are stored in ~/.local/share/certmagic.
Phishlets
Phishlets are a core part of Evilginx, as they are used to configure Evilginx for targeting specific websites. Phishlets are written in YAML and should be placed in the phishlets directory in the root directory of Evilginx.
Creating/Enabling Phishlets
In order to enable a phishlet, you must set a hostname that will be used in the phishing URL. This hostname must always end with the top-level domain used to set up Evilginx (e.g. phishlet named m365 with root domain weelee.zip).
Hiding Phishlets
Hiding a phishlet will make Evilginx treat all requests to the valid phishing URL as unauthorized requests. If a redirect URL is not set up, Evilginx will just return a 403.
Custom Authorized Request Redirect
Although a global redirect URL can be set using the config command, it is possible to set a custom redirect URL for your specific phishlet.
Check out Phishlet Development for info on building custom phishlets!
Lures
Lures are where you can get phishing links for a configured phishlet(s).
Simply create a lure for your phishlet and get the URL that you will serve your targets (e.g. phishlet named m365 with lure ID of 0):
While the above is sufficient to serve a phishing page, there are multiple configurations and enhancements that can change the behavior of when a target visits your phishing URL.
Customizing Phishing URL
The default URL would look something like the following (e.g. phishlet named m365 with weelee.zip domain):
However, you may want to change the subdomain used in your phishing URL. This can be done for your specific lure, as long as the top-level domain is the one you used to set up Evilginx.
You can also change the path of your phishing landing page for your specific lure.
User-Agent Filter
Evilginx allows you to filter out specific User Agents received within the HTTP header of the incoming request. Doing this will redirect the visitor the same way as an invalid lure URL.
Redirect URL
After the phished user goes through the authentication process and Evilginx is able to obtain the target user's session cookies, you can redirect them to a defined URL.
Sessions
Once a user visits your phishing URL, a new session will be created for the instance to track the progress of the phishing attempt. Any credentials or session cookies generated by the target while visiting the phishing URL will be stored within a session.
Using Cookies From a Session
To import custom session cookies into your browser, you will need a browser extension that allows you to do so.
Chrome: EditThisCookie or Cookie-Editor
Firefox: Cookie-Editor
Once you have cleared any existing cookies in your browser, copy your captured session cookies and import it into your browser using one of the extensions listed above.
You should now be able to visit the website and your browser should automatically apply the imported session cookies and log you in as the phished user!
Proxy
Evilginx allows you to proxy outbound traffic, which I have found to be very useful to proxy your traffic through Burp Suite for phishlet development. Currently, only HTTP and SOCKS proxies are supported.
By default, Burp Suite has an HTTP proxy server running on 127.0.0.1 port 8080. Let's set up a proxy for Burp Suite as an example:
Restart Evilginx whenever you enable or disable the outbound proxy.
Blacklist
The blacklist feature stores all IPs that make unauthorized requests to your Evilginx server in a file located at /root/.evilginx/blacklist.txt.
Unauthorized requests include the following:
Requests made to a URL not belonging to any of the enabled lures
Requests match a lure URL, but the lure phishlet is disabled or hidden
Blacklist has multiple modes that it can operate in: all, unauth, noadd, and off.
all
Block and blacklist IP of every request, including valid ones (Useful for deterring scanners)
unauth
Block and blacklist IP of every request that doesn't point to a valid lure URL (default behavior)
noadd
Block IP of every request that doesn't point to a valid lure URL (avoids blacklisting an IP that may access a valid lure URL later)
off
Block unauthorized requests, but ignore blocking IPs already blacklisted (use case is if you've somehow added a valid target's IP to your blacklist)
Last updated