evilginx2 v2.4 released: MITM attack framework that allows bypassing 2-factor authentication
evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality, acting as a proxy between a browser and the phished website. The present version is written entirely in Go as a standalone application that implements its own HTTP and DNS server, making it extremely easy to set up and use.
Disclaimer
I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attack. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.
Changelog v2.4
- Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place {lure_url_html} or {lure_url_js} in code to manage redirection to the phishing page with any form of user interaction. Command: lures edit <id> template <template>
- Feature: Create customized hostnames for every phishing lure. Command: lures edit <id> hostname <hostname>
- Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: proxy
- Feature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests. Command: blacklist
- Feature: Custom parameters can now be embedded encrypted in the phishing url. Command: lures get-url <id> param1=value1 param2="value2 with spaces"
- Feature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn’t match the whitelist regular expression filter for given lure. Command: lures edit <id> ua_filter <regexp>
- List of custom parameters can now be imported directly from file (text, csv, json). Command: lures get-url <id> import <params_file>
- Generated phishing urls can now be exported to file (text, csv, json). Command: lures get-url <id> import <params_file> export <export_file> <text|csv|json>
- Fixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would result in “No embedded JWK in JWS header” error.
- Removed setting custom parameters in lures options. Parameters will now only be sent encoded with the phishing url.
- Added with_params option to sub_filter allowing to enable the sub_filter only when specific parameter was set with the phishing url.
- Made command help screen easier to read.
- Improved autofill for lures edit commands and switched positions of <id> and the variable name.
- Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.
Installation
Usage
IMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shut down apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.
By default, evilginx2 will look for phishlets in the ./phishlets/ directory and then in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.
Usage of ./evilginx:
  -debug
        Enable debug output
  -p string
        Phishlets directory path
You should see the evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.
Demo
Evilginx 2 – Next Generation of Phishing 2FA Tokens from breakdev.org on Vimeo.
Copyright (C) 2018 Kuba Gretzky (@mrgretzky)
Source: https://github.com/kgretzky/