evilginx2 v3.0 releases: MITM attack framework that allow to bypass 2-factor authentication
evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. The present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.
Disclaimer
I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attack. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.
Changelog v3.0
- Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
- Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by
certmagic
library. - Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
- Feature: Phishing pages can now be embedded inside of iframes.
- Feature: Changed redirection after successful session capture from
Location
header redirection to injected Javascript redirection. - Feature: Changed config file from
config.yaml
toconfig.json
, permanently changing the configuration format to JSON. - Feature: Changed open-source license from GPL to BSD-3.
- Feature: Added
always
modifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time. - Feature: Added
phishlet <phishlet>
command to show details of a specific phishlet. - Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as
{param_name}
and every occurence will be replaced with pre-configured parameter values of the created child phishlet. - Feature: Added
phishlet create
command to create child phishlets from template phishlets. - Feature: Renamed lure
templates
to lureredirectors
due to name conflict with phishlet templates. - Feature: Added
{orig_hostname}
and{orig_domain}
support forsub_filters
phishlet setting. - Feature: Added
{basedomain}
and{basedomain_regexp}
support forsub_filters
phishlet setting. - Fixed: One target can now have multiple phishing sessions active for several different phishlets.
- Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing
opt
cookies, when all authentication cookies are already captured. - Fixed:
trigger_paths
regexp will now match a full string instead of triggering true when just part of it is detected in URL path. - Fixed: Phishlet table rows are now sorted alphabetically.
- Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
- Fixed: WebSocket connections are now properly proxied.
Installation
Usage
IMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.
By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.
Usage of ./evilginx: -debug Enable debug output -p string Phishlets directory path
You should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.
Copyright (C) 2023 Kuba Gretzky (@mrgretzky)
Source: https://github.com/kgretzky/