evilginx2 v2.2 releases: MITM attack framework that allow to bypass 2-factor authentication

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.

This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. The present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

Disclaimer

I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.

Changelog v2.2

• Added option to capture custom POST arguments additionally to credentials. Check custom field under credentials.
• Added feature to inject custom POST arguments to requests. Useful for silently enabling “Remember Me” options, during authentication.
• Restructured phishlet YAML config file to be easier to understand (phishlets from previous versions need to be updated to new format).
• Removed name field from phishlets. Phishlet name is now determined solely based on the filename.
• Now when any of auth_urls is triggered, the redirection will take place AFTER response cookies for that request are captured.
• Regular expression groups working with sub_filters.
• Phishlets are now listed in a table.
• Phishlet fields are now selectively lowercased and validated upon loading to prevent surprises.
• All search fields in the phishlet are now regular expressions by default. Remember about proper escaping!
• More…

Installation

Usage

IMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.

By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.

Usage of ./evilginx:
-debug
Enable debug output
-p string
Phishlets directory path

You should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.

Tutorial

Demo

Evilginx 2 – Next Generation of Phishing 2FA Tokens from breakdev.org on Vimeo.

Copyright (C) 2018 Kuba Gretzky (@mrgretzky)

Source: https://github.com/kgretzky/