Advanced MiTM Attack Framework – Evilginx 2

Last Release: 09/14/2020     Last Commit: 02/08/2021


Introduction

Evilginx 2 is a MiTM attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection. It is a standalone application, fully written in Go, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

For usage examples check: Evilginx Phishing Examples (v2.x: linkedin, facebook, custom)

Evilginx 2 banner

Disclaimer: Evilginx project is released for educational purposes and should be used only in demonstrations or legitimate penetration testing assignments with written permission from to-be-phished parties.

Evilginx: Advanced MiTM Attack Framework with 2-factor Authentication Bypass

Evilginx is a MiTM attack framework that can steal user credentials through phishing, but instead of serving sign-in template pages, it becomes a relay between the real website and the phished user. So, during the interaction between the phished user and the real website, Evilginx is able to collect all transmitted data, such as usernames and passwords, authentication tokens (cookies), etc.

Since it is able to steal authentication tokens sent as cookies, it is also able to bypass any form of 2FA and to remotely take over the user's account.

Evilginx 2.1 released

Evilginx Install

  • Required: external server where you’ll host your evilginx2 installation

Installing from source

If you want to install from source, you need to make sure that you have installed Go 1.10.0+ (download) and that you have set up the $GOPATH environment variable properly. After proper installation, add the following to your ~/.profile:

$ export GOPATH=$HOME/go
$ export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

And then load it with source ~/.profile.

Note: If you are hitting something like:

make: dep: Command not found
Makefile:8: recipe for target 'deps' failed
make: *** [deps] Error 127

On Debian systems install:

$ apt install go-dep

or, on RedHat, with:

$ go get -u github.com/golang/dep/cmd/dep

To install evilginx2, run the following:

$ sudo apt-get install git make
$ go get -u github.com/kgretzky/evilginx2
$ cd $GOPATH/src/github.com/kgretzky/evilginx2
$ make

Run evilginx2 from local directory:

$ sudo ./bin/evilginx -p ./phishlets/

or install it globally:

$ sudo make install
$ sudo evilginx

Installing with Docker

First step is to build the container:

$ docker build . -t evilginx2

Then you can run it:

$ docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2

Installing from precompiled binary packages

Download the desired package here, and then unzip it:

$ unzip <package_name>.zip -d <package_name>
$ cd <package_name>

Use the install script with root privileges:

$ chmod 700 ./install.sh
$ sudo ./install.sh
$ sudo evilginx

Or just launch evilginx2 from the current directory, also with root privileges:

$ chmod 700 ./evilginx
$ sudo ./evilginx

Evilginx Launch Phishlets

Usage

By default, phishlets are located in the ./phishlets/ directory. If you want to specify a custom path, you can always use the -p <phishlets_dir_path> parameter when launching the tool.

Usage of ./evilginx:
  -debug
        Enable debug output
  -developer
        Enable developer mode (generates self-signed certificates for all hostnames)
  -p string
        Phishlets directory path

To see all available commands, just type help or help <command>.

IMPORTANT: Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shut down Apache or nginx and any service used for resolving DNS that may be running.
On Ubuntu:

$ sudo service systemd-resolved stop

If you are experimenting with a domain/LAN/DMZ and your /etc/resolv.conf has a nameserver set to:

nameserver 127.0.0.1
or 
nameserver 127.0.0.53

Change that to your router/DNS:

nameserver 192.168.1.1

Or you will end up with this error:

[02:53:57] [!!!] certdb: get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 127.0.0.53:53: read udp 127.0.0.1:51845->127.0.0.53:53: i/o time
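A preflight script for the two conditions in the note above (an added example, not part of the evilginx2 project): the port list and the default resolv.conf path come from the note, while the ss/netstat output layout it parses is an assumption.

```shell
#!/bin/sh
# Preflight for the IMPORTANT note above (added example, not evilginx2 code):
# 1) no loopback resolver in resolv.conf, which is what makes the ACME
#    lookup fail once systemd-resolved is stopped;
# 2) nothing already listening on TCP 80, TCP 443 or UDP 53.

# Print any loopback nameservers in the given resolv.conf (default
# /etc/resolv.conf); return 1 if at least one is present.
loopback_resolvers() {
    file="${1:-/etc/resolv.conf}"
    found=$(grep -E '^[[:space:]]*nameserver[[:space:]]+127\.' "$file" 2>/dev/null | awk '{print $2}')
    [ -z "$found" ] && return 0
    printf 'loopback nameserver: %s\n' $found
    return 1
}

# Print which of the required ports already have a listener, parsed from
# ss (or netstat as a fallback; column layout assumed); return 1 if any.
busy_ports() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -lntu 2>/dev/null | tail -n +2) || true
    else
        listeners=$(netstat -lntu 2>/dev/null | tail -n +3) || true
    fi
    busy=""
    for spec in tcp:80 tcp:443 udp:53; do
        proto=${spec%%:*}
        port=${spec##*:}
        # Match "tcp ... 0.0.0.0:80 " or "[::]:80 " in the local-address column.
        if printf '%s\n' "$listeners" | grep -Ei "^${proto}6?[[:space:]].*:${port}[[:space:]]" >/dev/null; then
            busy="$busy $spec"
        fi
    done
    [ -z "$busy" ] && return 0
    printf 'already in use:%s\n' "$busy"
    return 1
}

# Run both checks; exit status 0 only when the host satisfies the note.
preflight() {
    rc=0
    loopback_resolvers "$1" || rc=1
    busy_ports || rc=1
    return $rc
}
```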

Phishlets:

  • phishlet: facebook
    • author: @mrgretzky
    • active: disabled
    • status: available
  • phishlet: linkedin
    • author: @mrgretzky
    • active: enabled
    • status: available
  • phishlet: outlook
    • author: @mrgretzky
    • active: disabled
    • status: available
  • phishlet: reddit
    • author: @customsync
    • active: disabled
    • status: available
  • phishlet: twitter
    • author: @white_fi
    • active: disabled
    • status: available
  • phishlet: amazon
    • author: @customsync
    • active: disabled
    • status: available