Introduction
Evilginx 2 is a MiTM attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection. It’s a standalone application, fully written in Go, which implements its own HTTP and DNS server, making it extremely easy to set up and use.
For usage examples check: Evilginx Phishing Examples (v2.x: linkedin, facebook, custom)
Evilginx: Advanced MiTM Attack Framework with 2-factor Authentication Bypass
Evilginx is a MiTM attack framework that can steal user credentials through phishing, but instead of serving sign-in page templates, it becomes a relay between the real website and the phished user. During the interaction between the phished user and the real website, Evilginx is able to collect all transmitted data, such as usernames and passwords, authentication tokens (cookies), etc.
Since it’s able to steal authentication tokens sent as cookies, it’s also capable of bypassing any form of 2FA and remotely taking over the user’s account or similar.
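Seen from the real website, a relayed-and-stolen session cookie appears as one session ID presented by a client other than the one that logged in. The following detection sketch is an added example, not part of Evilginx or of the original page; the `Event` record layout, the sample events and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Hypothetical web-app session log record; the field layout is an assumption.
Event = namedtuple("Event", "ts session_id action ip user_agent")

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    Event("2024-01-01T10:00:00", "s-alice", "login", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"),
    Event("2024-01-01T10:00:05", "s-alice", "request", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"),
    Event("2024-01-01T10:04:10", "s-alice", "request", "203.0.113.50", "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"),
    Event("2024-01-01T11:00:00", "s-bob", "login", "192.0.2.10", "Mozilla/5.0 (Macintosh) Safari/17.0"),
    Event("2024-01-01T11:20:00", "s-bob", "request", "192.0.2.44", "Mozilla/5.0 (Macintosh) Safari/17.0"),
]

def network_of(ip):
    """Coarse client network: /24 for IPv4, /48 for IPv6, to tolerate address churn."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events):
    """Return {session_id: [reasons]} for cookies seen away from their login client."""
    bound = {}      # session_id -> (network, user_agent) recorded at login
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        client = (network_of(ev.ip), ev.user_agent)
        if ev.action == "login":
            bound[ev.session_id] = client
            continue
        if ev.session_id not in bound:
            findings.setdefault(ev.session_id, []).append("cookie used with no recorded login")
            continue
        net, ua = bound[ev.session_id]
        reasons = []
        if client[0] != net:
            reasons.append(f"network changed {net} -> {client[0]}")
        if client[1] != ua:
            reasons.append("user agent changed")
        if reasons:
            findings.setdefault(ev.session_id, []).extend(reasons)
    return findings

if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(sid, reasons)
```

Legitimate users also change networks, so a finding is a reason to require re-authentication or revoke the session, not proof of compromise.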
Evilginx Install
- Required: external server where you’ll host your evilginx2 installation
Installing from source
If you want to install from source, you need to make sure that you’ve installed Go 1.10.0+ and that you’ve set up the $GOPATH environment variable properly. After proper installation, add the following to your ~/.profile:
$ export GOPATH=$HOME/go
$ export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
And then load it with source ~/.profile.
Note: If you’re hitting something like:
$ make: dep: Command not found
$ Makefile:8: recipe for target 'deps' failed
$ make: *** [deps] Error 127
On Debian systems install:
$ apt install go-dep
or go with (RedHat):
$ go get -u github.com/golang/dep/cmd/dep
To install evilginx2, run the following:
$ sudo apt-get install git make
$ go get -u github.com/kgretzky/evilginx2
$ cd $GOPATH/src/github.com/kgretzky/evilginx2
$ make
Run evilginx2 from the local directory:
$ sudo ./bin/evilginx -p ./phishlets/
or install it globally:
$ sudo make install
$ sudo evilginx
Installing with Docker
The first step is to build the container:
$ docker build . -t evilginx2
Then you can run it:
$ docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2
Installing from precompiled binary packages
Download the desired package here, and then unzip it:
$ unzip <package_name>.zip -d <package_name>
$ cd <package_name>
Use the install script with root privileges:
$ chmod 700 ./install.sh
$ sudo ./install.sh
$ sudo evilginx
Or just launch evilginx2 from the current directory, also with root privileges:
$ chmod 700 ./evilginx
$ sudo ./evilginx
Usage
By default, phishlets are located in the ./phishlets/ directory. If you want to specify a custom path, you can use the -p <phishlets_dir_path> parameter when launching the tool.
Usage of ./evilginx:
  -debug
        Enable debug output
  -developer
        Enable developer mode (generates self-signed certificates for all hostnames)
  -p string
        Phishlets directory path
To see all available commands, just type help or help <command>.
TCP 443, TCP 80 and UDP 53. You may need to shut down apache or nginx and any service used for resolving DNS that may be running. On Ubuntu:
$ sudo service systemd-resolved stop
If you are experimenting with a domain/LAN/DMZ and your /etc/resolv.conf has a nameserver set to:
nameserver 127.0.0.1
or
nameserver 127.0.0.53
Change that to your router/DNS:
nameserver 192.168.1.1
Otherwise you’ll end up with an error:
[02:53:57] [!!!] certdb: get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get json "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 127.0.0.53:53: read udp 127.0.0.1:51845->127.0.0.53:53: i/o time
Phishlets:
- phishlet: facebook
  - author: @mrgretzky
  - active: disabled
  - status: available
- phishlet: linkedin
  - author: @mrgretzky
  - active: enabled
  - status: available
- phishlet: outlook
  - author: @mrgretzky
  - active: disabled
  - status: available
- phishlet: reddit
  - author: @customsync
  - active: disabled
  - status: available
- phishlet: twitter
  - author: @white_fi
  - active: disabled
  - status: available
- phishlet: amazon
  - author: @customsync
  - active: disabled
  - status: available