Evil Nginx Setup: An Introductory Tutorial

By /

Okay, here is the detailed introductory tutorial on setting up Evilginx.

Article: Evilginx Setup: An Introductory Tutorial for Security Professionals

Word Count: Approximately 5200 words

(IMPORTANT NOTE: READ THIS FIRST)

Disclaimer: This article provides a detailed tutorial on setting up and using Evilginx, a powerful phishing framework. This information is intended strictly for educational purposes, security research, and authorized penetration testing activities conducted within legal and ethical boundaries. Understanding tools like Evilginx is crucial for security professionals to develop better defenses against modern phishing attacks. Unauthorized use of Evilginx to target individuals or organizations is illegal and unethical. The author and publisher of this article assume no liability for any misuse of the information provided herein. Always ensure you have explicit, written permission before conducting any security testing activities against any system or network you do not own or operate. Respect privacy and adhere to all applicable laws and regulations in your jurisdiction. If you intend to use this information for malicious purposes, stop reading now.

Table of Contents

  1. Introduction: The Evolving Threat of Phishing
    • What is Phishing?
    • The Limitations of Traditional Phishing
    • Enter Evilginx: Phishing 2.0
    • Purpose of this Tutorial
  2. Crucial Ethical Considerations and Legal Warnings
    • Legality
    • Ethics
    • Responsibility
  3. Understanding the Core Concepts Behind Evilginx
    • Reverse Proxies Explained
    • Man-in-the-Middle (MitM) Attacks
    • Session Hijacking via Cookie Theft
    • How Evilginx Orchestrates the Attack
    • The Role of HTTPS and Certificates
  4. Prerequisites: Gearing Up for Setup
    • Hardware & Infrastructure
      • VPS (Virtual Private Server)
      • Domain Name
    • Software
      • Linux Operating System (Debian/Ubuntu Recommended)
      • Go Language Environment
      • Evilginx Software
    • Knowledge
      • Basic Linux Command Line
      • Networking Fundamentals (DNS, IP, Ports)
      • Understanding of Web Concepts (HTTP/S, Cookies, Sessions)
  5. Phase 1: Setting Up the Infrastructure
    • Choosing and Configuring a VPS
      • Provider Selection Considerations
      • Initial Server Setup (OS, Updates, User)
    • Acquiring and Configuring a Domain Name
      • Domain Registrar Selection
      • Choosing a Suitable Domain
      • Configuring DNS Records (A Records, NS Records)
    • Configuring Server Firewall
      • Allowing Necessary Ports (HTTP, HTTPS, SSH)
      • Using ufw (Uncomplicated Firewall) Example
  6. Phase 2: Installing Evilginx
    • Installing Go Language
      • Using Package Manager
      • Manual Installation (Optional)
      • Setting Environment Variables (GOPATH, PATH)
    • Downloading and Compiling Evilginx
      • Cloning the Repository (git clone)
      • Building the Executable (make)
      • Verifying the Installation
  7. Phase 3: Configuring Evilginx
    • Understanding the Evilginx Shell Interface
    • Core Configuration Commands
      • config domain <your_domain.com>
      • config ip <your_vps_ip>
      • setup (Interactive Setup)
    • Understanding Phishlets
      • What are Phishlets?
      • Structure of a Phishlet (YAML)
      • Key Sections: proxy_hosts, sub_filters, auth_tokens, login, creds
      • Finding and Enabling Phishlets
      • phishlets hostname <phishlet_name> <your_phishing_subdomain>
      • phishlets enable <phishlet_name>
    • Obtaining SSL/TLS Certificates (Let’s Encrypt Integration)
      • Automatic Certificate Generation
      • Troubleshooting Certificate Issues
  8. Phase 4: Launching a Simulated Attack Scenario
    • Setting Up the Lure
      • lures create <phishlet_name>
      • lures edit <lure_id> redirect_url <legitimate_redirect_url>
      • lures get-url <lure_id>
    • The Victim Interaction (Conceptual Walkthrough)
      • Delivering the Phishing Link (Out of Scope – Requires Social Engineering)
      • Victim Clicks Link and Sees Familiar Login Page
      • Victim Enters Credentials
      • Victim Completes MFA (if applicable)
      • Victim is Redirected
    • Capturing Credentials and Session Tokens
      • Monitoring the Evilginx Console
      • The sessions Command
      • Identifying Captured Data
    • Accessing Hijacked Sessions (The Payoff)
      • Understanding Session Cookies
      • Using Browser Developer Tools (Cookie Editor)
      • Importing Cookies
      • Accessing the Victim’s Account (Within the Authorized Test Scope!)
  9. Detection and Mitigation Strategies
    • For Users
      • URL Scrutiny (Domain Name, HTTPS)
      • Browser Warnings (Certificate Issues, Suspicious Site Flags)
      • Password Manager Behavior
      • Multi-Factor Authentication (MFA) – Not a Silver Bullet!
      • Phishing Awareness Training
    • For Organizations
      • Email Security Gateways (Link Scanning, Sandboxing)
      • Web Application Firewalls (WAFs)
      • Endpoint Detection and Response (EDR)
      • Network Monitoring (DNS Lookups, Traffic Analysis)
      • Security Information and Event Management (SIEM) Systems
      • Implementing Strong Authentication Policies (FIDO2/WebAuthn)
      • Regular Security Audits and Penetration Testing
  10. Advanced Techniques and Further Learning (Brief Overview)
    • Custom Phishlet Development
    • Obfuscation Techniques
    • Integration with Other Tools (e.g., GoPhish)
    • Evading Detection Mechanisms
  11. Conclusion: The Double-Edged Sword
    • Recap of Evilginx Capabilities
    • The Importance of Ethical Use
    • Continuous Learning and Defense

1. Introduction: The Evolving Threat of Phishing

Phishing remains one of the most pervasive and effective cyber threats faced by individuals and organizations worldwide. At its core, it’s a form of social engineering designed to deceive users into revealing sensitive information, such as login credentials, credit card numbers, or personal identification details.

What is Phishing?

Traditional phishing attacks often involve sending emails or messages that appear to originate from legitimate sources (banks, social media platforms, online retailers, IT departments). These messages typically create a sense of urgency or curiosity, prompting the recipient to click a malicious link or open an infected attachment. The link often leads to a fake login page, visually identical to the real one, where the victim unknowingly enters their credentials, handing them directly to the attacker.

The Limitations of Traditional Phishing

While effective against unsuspecting users, traditional phishing methods face a significant hurdle: Multi-Factor Authentication (MFA). MFA adds a layer of security by requiring users to provide two or more verification factors to gain access to a resource. Common factors include:

  • Something you know: Password, PIN
  • Something you have: Mobile device (for OTPs, push notifications), hardware token
  • Something you are: Fingerprint, facial recognition

Even if an attacker steals a user’s password via a traditional phishing page, they cannot log in without the second factor. This has significantly reduced the success rate of simple credential harvesting attacks against accounts protected by MFA.

Enter Evilginx: Phishing 2.0

Evilginx (specifically Evilginx2, the version commonly used today) represents a significant evolution in phishing techniques. Developed by Kuba Gretzky (@mrgretzky), it’s not just a static fake login page; it’s a powerful man-in-the-middle reverse proxy framework. Instead of merely mimicking a website, Evilginx sits between the victim and the actual legitimate website.

Here’s the crucial difference:

  1. The victim visits a phishing URL controlled by the attacker (e.g., login.microsaft-online.com instead of login.microsoftonline.com).
  2. Evilginx, running on the attacker’s server, receives the victim’s request.
  3. Evilginx forwards this request to the real website (e.g., login.microsoftonline.com).
  4. The real website responds with the legitimate login page content.
  5. Evilginx intercepts this response, potentially modifying it slightly (e.g., rewriting URLs), and forwards it to the victim.
  6. To the victim, the site looks and functions exactly like the real thing because, for the most part, it is the real content being proxied.
  7. When the victim enters their username and password, they are sending it to Evilginx. Evilginx logs these credentials.
  8. Evilginx forwards the credentials to the real website for authentication.
  9. If MFA is required, the real website prompts for the second factor (e.g., sends an OTP to the user’s phone).
  10. The victim receives the MFA prompt and enters it into the page served by Evilginx.
  11. Evilginx captures the MFA code/response and forwards it to the real website.
  12. The real website validates the credentials and MFA, establishing an authenticated session. It sends back a session cookie (or token) to confirm the successful login.
  13. Crucially, Evilginx intercepts this session cookie. It logs the cookie and then forwards it to the victim’s browser.
  14. The victim is now logged into the legitimate site (often redirected seamlessly), potentially unaware that their credentials and their authenticated session cookie have been stolen.

The attacker can now use the captured session cookie to impersonate the victim and access their account without needing the password or MFA again, at least until the session expires or is invalidated. This ability to bypass MFA makes Evilginx a significantly more dangerous tool than traditional phishing kits.

Purpose of this Tutorial

This tutorial aims to provide a comprehensive, step-by-step guide to setting up Evilginx in a controlled environment for educational and authorized security testing purposes only. Understanding how attackers use such tools is paramount for cybersecurity professionals tasked with defending against them. By walking through the setup and operation, defenders can better appreciate the attack vector, identify indicators of compromise, and implement more robust mitigation strategies.

2. Crucial Ethical Considerations and Legal Warnings

Before proceeding, it is absolutely essential to internalize the ethical and legal implications of using a tool like Evilginx.

  • Legality: Using Evilginx to intercept credentials or session tokens from individuals or systems without explicit, prior, written authorization is illegal in most jurisdictions worldwide. This constitutes unauthorized access, wiretapping, or fraud, carrying severe penalties, including hefty fines and imprisonment. Ignorance is not a defense.
  • Ethics: Beyond legality, using this tool against unsuspecting individuals is a profound violation of privacy and trust. It can lead to significant personal and financial damage for victims. Ethical hacking requires adherence to strict codes of conduct, focusing on improving security, not causing harm.
  • Responsibility: As a security professional or researcher, you hold a position of trust. Understanding powerful attack tools comes with the responsibility to use that knowledge ethically. This tutorial is provided with the assumption that you will act responsibly, legally, and ethically, using the information solely for learning, research, and authorized testing within confined, controlled environments or against systems you have explicit permission to target.

Do NOT use Evilginx:

  • Against any person, company, or system without their express written consent.
  • For any form of harassment, fraud, or malicious activity.
  • On public or shared networks where you might inadvertently affect others.

Failure to adhere to these principles can have severe legal consequences and damage your professional reputation irreparably. If you are unsure about the legality or ethics of a potential use case, do not proceed. Consult legal counsel or your organization’s ethics committee.

3. Understanding the Core Concepts Behind Evilginx

To effectively use and defend against Evilginx, you need to grasp the underlying technologies it leverages.

Reverse Proxies Explained

A standard proxy (or forward proxy) acts on behalf of a client requesting resources from a server. A reverse proxy, conversely, sits in front of one or more web servers and acts on behalf of the server(s). Clients connect to the reverse proxy, which then forwards requests to the appropriate backend server.

Common uses for reverse proxies include:

  • Load Balancing: Distributing client requests across multiple backend servers.
  • SSL/TLS Encryption/Decryption: Handling the HTTPS workload, freeing up backend servers.
  • Caching: Storing frequently requested content to serve clients faster.
  • Compression: Compressing server responses to reduce bandwidth usage.
  • Security: Acting as a single point of access control, filtering malicious requests (like a Web Application Firewall – WAF).

Evilginx uses the reverse proxy concept maliciously. It positions itself as the “server” the victim connects to, while secretly proxying all traffic to and from the real target website.

Man-in-the-Middle (MitM) Attacks

A MitM attack occurs when an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly. In the context of Evilginx:

  • The Victim (Client) intends to connect to the Legitimate Website (Server).
  • Evilginx (Attacker) positions itself between them.
  • The Victim connects to Evilginx, thinking it’s the Legitimate Website.
  • Evilginx connects to the Legitimate Website, pretending to be the Victim.

This central position allows Evilginx to see, log, and potentially modify all traffic flowing in both directions.

Session Hijacking via Cookie Theft

When you log into most websites, the server doesn’t ask for your password with every single click. Instead, after successful authentication, it sends your browser a small piece of data called a session cookie (or sometimes a session token, like a JWT). Your browser then includes this cookie with subsequent requests to that website. The server recognizes the valid cookie and grants access without re-prompting for credentials.

Session hijacking involves an attacker stealing a victim’s valid session cookie. By importing this cookie into their own browser (or using it in other tools like curl), the attacker can trick the website into thinking their requests are coming from the already authenticated victim. Evilginx is specifically designed to intercept and steal these session cookies after the victim successfully authenticates (including passing MFA).

How Evilginx Orchestrates the Attack

Evilginx combines these concepts:

  1. Acts as a Reverse Proxy: It impersonates the target website to the victim.
  2. Performs a MitM Attack: It intercepts traffic between the victim and the real site.
  3. Proxies Legitimacy: It fetches real content from the target site, making the phishing page look authentic and functional.
  4. Injects Hooks (via Phishlets): It uses configuration files (phishlets) to know where in the proxied HTML/JavaScript to look for username and password fields and which cookies constitute the session.
  5. Captures Credentials: It logs the username and password as they pass through.
  6. Captures Session Cookies: It intercepts and logs the crucial session cookies sent by the server after successful login (including MFA).

The Role of HTTPS and Certificates

Modern websites use HTTPS to encrypt communication between the client and server, preventing eavesdropping. For Evilginx to work effectively, the phishing site it presents to the victim must also use HTTPS. If it used HTTP, browsers would display prominent warnings, alerting the victim.

Evilginx integrates with Let’s Encrypt (a free certificate authority) to automatically obtain valid SSL/TLS certificates for the phishing domains/subdomains you configure. When the victim visits the Evilginx URL (e.g., https://your.phishing.domain.com), their browser sees a valid HTTPS connection (the padlock icon), increasing the deception’s effectiveness. The browser establishes a secure connection to Evilginx, and Evilginx establishes a separate secure connection to the real website. The MitM interception happens within Evilginx itself, after decryption and before re-encryption.

4. Prerequisites: Gearing Up for Setup

Before diving into the installation, ensure you have the necessary resources and knowledge.

Hardware & Infrastructure

  • VPS (Virtual Private Server):
    • Why? Running Evilginx requires a publicly accessible server with a static IP address. Using your local machine is generally not feasible or advisable for realistic testing scenarios. A VPS provides the necessary public exposure and stability.
    • Specifications: A basic VPS is usually sufficient. 1 CPU core, 1-2 GB RAM, and 20-30 GB SSD storage are typically adequate. Key requirements are root access and a dedicated public IPv4 address.
    • Location: Consider the geographic location of your target audience if running an authorized test; latency can matter. For purely educational setup, any location is fine.
  • Domain Name:
    • Why? Evilginx needs a domain name to host the phishing site and for which it can obtain SSL certificates. You cannot simply use an IP address, as browsers will flag it, and SSL certificates are tied to domain names.
    • Type: A cheap domain from any reputable registrar will work. Consider names that might look plausible or typosquatted versions of legitimate domains for realistic (authorized) tests (e.g., service-portal.com, login-microsft.com). Avoid using trademarked names directly as registrars might suspend them.

Software

  • Linux Operating System:
    • Recommendation: Debian or Ubuntu LTS (Long Term Support) versions are highly recommended as they are well-supported and commonly used. This tutorial will primarily use commands suitable for these distributions. Other distributions might require slightly different commands (e.g., yum/dnf instead of apt).
    • Access: You’ll need sudo or root access to install software and configure the system.
  • Go Language Environment:
    • Why? Evilginx is written in Go. You need the Go compiler and tools installed to build it from the source or run pre-compiled binaries.
    • Version: Check the Evilginx repository for recommended or required Go versions (usually a recent stable version).
  • Evilginx Software:
    • The source code or pre-compiled binary from the official GitHub repository.

Knowledge

  • Basic Linux Command Line: Navigating directories (cd), listing files (ls), editing text files (e.g., nano, vim), managing services (systemctl), installing packages (apt), and understanding permissions.
  • Networking Fundamentals: Understanding IP addresses, DNS (A records, NS records), TCP/IP ports (specifically 80 for HTTP, 443 for HTTPS, 22 for SSH), and firewalls.
  • Web Concepts: Basic understanding of how websites work: HTTP vs. HTTPS, what cookies are, the concept of user sessions.

5. Phase 1: Setting Up the Infrastructure

This phase involves preparing the server and domain name that will host Evilginx.

Choosing and Configuring a VPS

  • Provider Selection Considerations: Popular VPS providers include DigitalOcean, Vultr, Linode, AWS EC2, Google Cloud Compute Engine, Hetzner, etc. Choose based on factors like cost, ease of use, server locations, and support. For this educational purpose, a low-cost provider is perfectly fine.
  • Initial Server Setup:
    1. Provision: Create a new VPS instance, selecting your preferred Linux distribution (e.g., Ubuntu 22.04 LTS). Ensure you get a public IPv4 address. Note this IP address down.
    2. Connect: Connect to your new server via SSH using the provided credentials (usually root password or SSH key).
      bash
      ssh root@<your_vps_ip>
    3. Update System: Immediately update the package list and upgrade installed packages.
      bash
      sudo apt update
      sudo apt upgrade -y
    4. Create User (Recommended): It’s good practice not to run everything as root. Create a non-root user with sudo privileges.
      bash
      adduser <your_username>
      usermod -aG sudo <your_username>
      # Log out and log back in as the new user
      ssh <your_username>@<your_vps_ip>
      (From now on, commands assume you are logged in as this sudo-enabled user, using sudo where necessary).

Acquiring and Configuring a Domain Name

  • Domain Registrar Selection: Choose a registrar like Namecheap, GoDaddy, Google Domains, Porkbun, etc.
  • Choosing a Suitable Domain: Select and purchase a domain name. For educational purposes, anything cheap and available works (e.g., my-evilginx-lab.xyz). For authorized tests, consider plausibility.
  • Configuring DNS Records: This is critical. You need to point your domain (and relevant subdomains) to your VPS’s IP address. You’ll typically configure this through your domain registrar’s DNS management portal.
    1. Nameservers: Ensure your domain is using the registrar’s default nameservers OR custom nameservers if you prefer (like Cloudflare – though this can sometimes add complexity or detection layers). For simplicity, using the registrar’s nameservers is often easiest initially.
    2. A Records: Create A records to point hostnames to your VPS IP address. You will need at least two:
      • One for the main domain (used potentially for redirects or base configuration).
      • One (or more) for the subdomain(s) you intend to use for the actual phishing pages. Evilginx often uses subdomains defined in phishlets.
      • Example Records:
        • Type: A, Host/Name: @, Value/Points to: <your_vps_ip>, TTL: Auto or 3600
        • Type: A, Host/Name: ns1, Value/Points to: <your_vps_ip>, TTL: Auto or 3600
        • Type: A, Host/Name: ns2, Value/Points to: <your_vps_ip>, TTL: Auto or 3600
        • Type: A, Host/Name: auth, Value/Points to: <your_vps_ip>, TTL: Auto or 3600 (Example subdomain)
        • Type: A, Host/Name: login, Value/Points to: <your_vps_ip>, TTL: Auto or 3600 (Another example)
          (Note: The @ symbol usually represents the root domain itself, e.g., my-evilginx-lab.xyz)
    3. NS Records (IMPORTANT for Let’s Encrypt DNS Challenge): Evilginx uses the DNS-01 challenge with Let’s Encrypt for automatic certificate generation. This requires Evilginx to temporarily create TXT records. To allow this, you must delegate the DNS authority for your domain (or at least specific subdomains) to Evilginx itself, which means pointing NS records for your domain to your VPS. This step is often missed and causes SSL certificate issues.
      • Go to your domain registrar’s DNS settings.
      • Find the section for Nameservers (NS records).
      • Change the authoritative nameservers for your domain to point to hostnames that resolve to your VPS IP. Typically, you’ll use ns1.your_domain.com and ns2.your_domain.com.
      • Example Records (at the Registrar):
        • Nameserver 1: ns1.your_domain.com
        • Nameserver 2: ns2.your_domain.com
      • Crucially, you already created the A records for ns1 and ns2 in the previous step, pointing them to your VPS IP. This allows the internet to find your VPS when looking for the authoritative nameserver for your domain.
    4. Propagation Time: DNS changes can take anywhere from a few minutes to 48 hours to propagate fully across the internet. Use tools like dig or online DNS checkers (e.g., dnschecker.org) to verify that your A and NS records are resolving correctly to your VPS IP from different locations.
      bash
      # Check A record for the root domain
      dig A your_domain.com +short
      # Check A record for a subdomain
      dig A auth.your_domain.com +short
      # Check NS records (should show ns1/ns2.your_domain.com)
      dig NS your_domain.com +short
      # Check if ns1 resolves to your IP
      dig A ns1.your_domain.com +short
      Wait until these commands show the correct IP address before proceeding.

Configuring Server Firewall

By default, a VPS firewall might block incoming traffic. You need to allow traffic on the ports Evilginx requires.

  • Necessary Ports:
    • 22/TCP: SSH (for managing your server) – You’re already using this.
    • 80/TCP: HTTP (Let’s Encrypt uses this for initial challenges, and for redirecting HTTP to HTTPS)
    • 443/TCP: HTTPS (The main port for your phishing site)
    • 53/TCP & 53/UDP: DNS (Required because you pointed NS records to your VPS; Evilginx runs its own small DNS server to handle Let’s Encrypt challenges)

  • Using ufw (Uncomplicated Firewall) Example (Ubuntu/Debian):
    “`bash
    # Check status (might be inactive initially)
    sudo ufw status verbose

    Allow SSH (important!)

    sudo ufw allow ssh # or sudo ufw allow 22/tcp

    Allow HTTP

    sudo ufw allow http # or sudo ufw allow 80/tcp

    Allow HTTPS

    sudo ufw allow https # or sudo ufw allow 443/tcp

    Allow DNS

    sudo ufw allow 53

    Enable the firewall

    sudo ufw enable

    Verify the rules

    sudo ufw status numbered
    “`

Your basic infrastructure is now ready. The domain points to the VPS, and the firewall allows the necessary traffic.

6. Phase 2: Installing Evilginx

Now, let’s install the Go language environment and the Evilginx application itself.

Installing Go Language

  • Using Package Manager (Easiest):
    “`bash
    sudo apt update
    # Install Go – check for current suitable version if needed
    sudo apt install golang-go -y

    Verify installation

    go version
    * **Manual Installation (Optional - If you need a specific version):**
    1. Visit the official Go downloads page (`https://golang.org/dl/` or `https://go.dev/dl/`).
    2. Download the appropriate Linux archive (e.g., `go1.XX.X.linux-amd64.tar.gz`).
    3. Remove any existing Go installation (`sudo apt remove golang-go`, `sudo rm -rf /usr/local/go`).
    4. Extract the downloaded archive to `/usr/local`.    bash
    wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz # Example version
    sudo tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
    rm go1.21.5.linux-amd64.tar.gz # Clean up archive
    * **Setting Environment Variables:** Regardless of the installation method, you need to ensure the Go binary path is in your system's `PATH`. You also might need to set `GOPATH`. Edit your shell profile file (e.g., `~/.bashrc`, `~/.zshrc`, or `/etc/profile` for system-wide).bash
    nano ~/.profile

    Or: nano ~/.bashrc

    Add the following lines (adjust `/usr/local/go/bin` if you installed manually elsewhere):bash
    export PATH=$PATH:/usr/local/go/bin
    export GOPATH=$HOME/go # Or another directory like /usr/local/share/go
    export PATH=$PATH:$GOPATH/bin
    Save the file and apply the changes:bash
    source ~/.profile

    Or: source ~/.bashrc

    Verify again:bash
    go version
    which go
    echo $GOPATH
    “`

Downloading and Compiling Evilginx

  1. Clone the Repository: Get the latest Evilginx source code from GitHub. It’s good practice to clone it into a specific directory, perhaps the GOPATH src directory or just your home directory.
    “`bash
    # Example: Clone into home directory
    cd ~
    git clone https://github.com/kgretzky/evilginx2.git

    Or, if using GOPATH structure (older Go versions might prefer this)

    mkdir -p $GOPATH/src/github.com/kgretzky

    cd $GOPATH/src/github.com/kgretzky

    git clone https://github.com/kgretzky/evilginx2.git

    2. **Build the Executable:** Navigate into the cloned directory and use `make` to compile the application. This process downloads necessary Go dependencies and builds the binary.bash
    cd ~/evilginx2 # Or the correct path where you cloned it
    make
    This command should run without errors. If you encounter issues, double-check your Go installation and environment variables.
    3. **Verify the Installation:** After the `make` command finishes, you should find the `evilginx` executable inside a `build` subdirectory.    bash
    ls -l build/
    You should see `evilginx` listed. You can run it directly from here (`./build/evilginx`) or install it to a system path for easier access.
    4. **(Optional) Install System-Wide:**    bash
    sudo make install

    This usually copies the binary to /usr/local/bin/evilginx

    and phishlets to /usr/local/share/evilginx/phishlets

    ``
    If you install system-wide, you can just type    evilginxto run it from any directory. If you don't, you'll need to run it using its full path (e.g.,~/evilginx2/build/evilginx) or add thebuilddirectory to yourPATH. For simplicity in this tutorial, we'll assume you either installed it system-wide or you are running it from within the~/evilginx2directory usingsudo ./build/evilginx` (sudo might be needed for binding to ports 80/443 and running the DNS server).

7. Phase 3: Configuring Evilginx

With the infrastructure and software in place, it’s time to configure Evilginx for your specific setup.

Understanding the Evilginx Shell Interface

When you run Evilginx, it drops you into its own command-line shell.

bash
sudo /path/to/your/evilginx # e.g., sudo ./build/evilginx or sudo evilginx

You’ll see the Evilginx banner and a prompt like (evilginx). All configuration and control happen through commands entered at this prompt. Type help to see available commands.

Core Configuration Commands

These commands set the global parameters for your Evilginx instance.

  • config domain <your_domain.com>: Tells Evilginx your main domain name. This is crucial for generating certificates and handling DNS. Replace your_domain.com with the domain you purchased and configured.
    (evilginx) config domain my-evilginx-lab.xyz
  • config ip <your_vps_ip>: Sets the public IP address of your VPS. Evilginx needs this to configure DNS records correctly for the Let’s Encrypt challenge.
    (evilginx) config ip 192.0.2.100 # Replace with your actual VPS IP
  • setup (Interactive Setup): Alternatively, you can use the setup command when you first run Evilginx. It will prompt you for the domain name and IP address.

These settings are saved automatically (usually in config.yaml in the directory where you run Evilginx, or in ~/.evilginx/ if installed system-wide).

Understanding Phishlets

Phishlets are the heart of Evilginx’s functionality. They are YAML configuration files that tell Evilginx how to proxy a specific website. Each phishlet is tailored to a particular target site (e.g., Google, Microsoft, Twitter).

  • What are Phishlets? They define which domains/subdomains to use, how to identify username/password fields, which cookies/headers represent the session, and how to modify requests/responses to ensure the proxying works seamlessly.
  • Structure of a Phishlet (YAML): Key sections include:
    • name: The unique name of the phishlet (e.g., o365, google).
    • author: Who created the phishlet.
    • description: What the phishlet targets.
    • proxy_hosts: Defines the mapping between the legitimate hostnames and the phishing hostnames Evilginx will use. Crucially includes phish_subdomain, which dictates the subdomain the victim visits.
    • sub_filters: Rules for substituting URLs and hostnames within the proxied content (HTML, JavaScript, HTTP headers) to replace legitimate domains with your phishing domain. This prevents the victim’s browser from being redirected away from Evilginx.
    • auth_urls: Patterns to identify URLs related to the authentication process.
    • auth_tokens: Defines how to capture credentials. Specifies patterns for username (username) and password (password) fields in POST requests.
    • creds: Defines which elements (cookies, headers, body fields) contain credentials after identification by auth_tokens.
    • login: Specifies the username and password parameters expected by the legitimate site’s login endpoint.
    • session: Defines which cookies or headers indicate a successful, authenticated session that should be captured.
    • site_urls: A list of legitimate URLs associated with the target site.
  • Finding and Enabling Phishlets: Evilginx comes with several pre-made phishlets.
    • phishlets list: Shows available phishlets (found in the phishlets directory).
    • phishlets show <phishlet_name>: Displays the content of a specific phishlet file.
    • phishlets hostname <phishlet_name> <your_phishing_subdomain>: This assigns a specific subdomain under your main domain to a phishlet. This subdomain MUST have an A record pointing to your VPS IP (as configured in Phase 1). For example, if your domain is my-evilginx-lab.xyz and you want to use the o365 phishlet, you might assign it the hostname login.my-evilginx-lab.xyz.
      # Example for a hypothetical 'o365' phishlet
      (evilginx) phishlets hostname o365 login.my-evilginx-lab.xyz
      # Ensure 'login.my-evilginx-lab.xyz' has an A record pointing to your VPS!
    • phishlets enable <phishlet_name>: Activates the specified phishlet. This triggers Evilginx to attempt obtaining an SSL certificate for the hostname you assigned using Let’s Encrypt.
      (evilginx) phishlets enable o365

Obtaining SSL/TLS Certificates (Let’s Encrypt Integration)

  • Automatic Certificate Generation: When you enable a phishlet, Evilginx will:
    1. Check if a valid certificate already exists for the configured hostname (e.g., login.my-evilginx-lab.xyz).
    2. If not, it initiates the Let’s Encrypt DNS-01 challenge.
    3. It temporarily starts its own DNS server (on port 53).
    4. It tells Let’s Encrypt to verify domain ownership by checking for specific TXT records.
    5. Because you pointed your domain’s NS records to your VPS, Let’s Encrypt’s query for the TXT record is directed to the Evilginx DNS server.
    6. Evilginx provides the correct TXT record response.
    7. Let’s Encrypt validates ownership and issues the certificate.
    8. Evilginx saves the certificate and key (usually in ~/.evilginx/crt/).
  • Troubleshooting Certificate Issues: This is where most setup problems occur.
    • DNS Propagation: Ensure your NS and A records have fully propagated. Use dig extensively.
    • Firewall: Double-check that UDP and TCP port 53 are open on your VPS firewall (sudo ufw status). Also ensure ports 80 and 443 are open.
    • Registrar Settings: Verify that your domain registrar is correctly configured to use ns1.your_domain.com and ns2.your_domain.com as nameservers.
    • Evilginx Logs: Pay close attention to the output in the Evilginx console when you run phishlets enable. It often provides clues about DNS query failures or Let’s Encrypt errors.
    • Let’s Encrypt Rate Limits: Be aware that Let’s Encrypt has rate limits. If you fail too many times, you might be temporarily blocked.

Once a phishlet is enabled and the certificate is obtained successfully, Evilginx will start listening on ports 80 and 443, ready to proxy traffic for that phishlet’s configured hostname.

8. Phase 4: Launching a Simulated Attack Scenario

With Evilginx configured and a phishlet enabled, you can create specific phishing URLs (lures) and observe the capture process. Remember to perform these steps only within your controlled lab environment or during an authorized penetration test.

Setting Up the Lure

A lure is a specific instance of a phishlet, identified by an ID and associated with a unique path. This allows you to track different phishing campaigns using the same phishlet.

  • lures create <phishlet_name>: Creates a new lure for the specified (and enabled) phishlet. Evilginx assigns it an ID and generates a default phishing URL.
    (evilginx) lures create o365
    # Output will show the created lure ID (e.g., 0) and default URL
  • lures edit <lure_id> redirect_url <legitimate_redirect_url>: (Optional but recommended) Configures where the victim is redirected after successful authentication and session capture. By default, it might redirect back to the phishlet’s base path, which can look suspicious. Redirecting to the actual legitimate application page (e.g., https://outlook.office.com/mail/) provides a more seamless experience.
    (evilginx) lures edit 0 redirect_url https://outlook.office.com/mail/
  • lures get-url <lure_id>: Displays the phishing URL associated with the lure ID. This is the link you would (in a real, authorized scenario) send to the target.
    (evilginx) lures get-url 0
    # Output: https://login.my-evilginx-lab.xyz/<some_random_path>
  • lures list: Shows all created lures and their details.

The Victim Interaction (Conceptual Walkthrough)

This describes what happens when a victim (within your test environment) interacts with the lure.

  1. Delivering the Phishing Link: This step involves social engineering (email, message, etc.) and is outside the scope of Evilginx setup itself. The attacker sends the generated lures get-url link to the victim.
  2. Victim Clicks Link: The victim clicks the link (e.g., https://login.my-evilginx-lab.xyz/<path>).
  3. Browser Connects to Evilginx: The victim’s browser resolves login.my-evilginx-lab.xyz to your VPS IP and establishes an HTTPS connection (seeing a valid padlock because of the Let’s Encrypt certificate).
  4. Evilginx Proxies Login Page: Evilginx receives the request, identifies it belongs to the o365 phishlet, and forwards the request to the real Microsoft login servers. It receives the real login page content, substitutes any necessary URLs using the sub_filters defined in the phishlet, and sends the modified page back to the victim’s browser.
  5. Victim Sees Familiar Login Page: The victim sees what appears to be the genuine Microsoft Office 365 login page.
  6. Victim Enters Credentials: The victim types their username and password into the form. When they submit, the credentials are sent to Evilginx.
  7. Evilginx Captures Credentials & Forwards: Evilginx uses the auth_tokens patterns from the phishlet to identify the username and password in the POST request. It logs them and then forwards the credentials to the real Microsoft server for validation.
  8. Victim Completes MFA (if applicable): The real Microsoft server, seeing valid credentials, prompts for MFA. This MFA prompt (e.g., “Enter code from authenticator app”) is proxied back through Evilginx to the victim. The victim enters the MFA code.
  9. Evilginx Captures MFA & Forwards: The MFA code is submitted to Evilginx, which logs it (if configured in the phishlet, though often unnecessary as the goal is the session cookie) and forwards it to the real Microsoft server.
  10. Authentication Succeeds, Session Cookie Issued: Microsoft validates the MFA code and considers the login successful. It sets a session cookie (e.g., ESTSAUTH, ESTSAUTHPERSISTENT) in the response headers and sends them back.
  11. Evilginx Captures Session Cookie: Evilginx intercepts this response before it reaches the victim’s browser. It uses the session cookie definitions in the phishlet to identify and log the crucial session cookie(s).
  12. Victim is Redirected: Evilginx forwards the session cookie(s) to the victim’s browser and performs the redirect specified by the lure’s redirect_url (e.g., to https://outlook.office.com/mail/). The victim’s browser now has the valid session cookie and loads their inbox, often completely unaware the interception occurred.

Capturing Credentials and Session Tokens

  • Monitoring the Evilginx Console: As the victim interacts with the phishing page, you will see real-time logs in the Evilginx console showing requests being proxied, credentials being detected, and session tokens being captured.
  • The sessions Command: This command is used to view the captured data.
    • sessions: Lists all captured sessions, showing the phishlet used, captured username, remote IP, user agent, and timestamp. Each session has an ID.
    • sessions <session_id>: Shows detailed information for a specific captured session, including:
      • Captured username and password.
      • All captured cookies (including the crucial session cookies).
      • User agent string.
      • Victim’s IP address.
  • Identifying Captured Data: Look for the credentials under the username and password fields and, most importantly, the session cookies listed in the detailed session view.

Accessing Hijacked Sessions (The Payoff)

WARNING: Only perform this step against accounts you own and control explicitly for testing purposes. Accessing someone else’s account is illegal and unethical.

The goal is to use the captured session cookie(s) to gain access as the victim.

  1. Understanding Session Cookies: Copy the key session cookie(s) identified by the phishlet (e.g., ESTSAUTH for Microsoft) from the sessions <session_id> output in Evilginx. Pay attention to the cookie’s domain, path, expiry, and flags (HttpOnly, Secure).
  2. Using Browser Developer Tools (Cookie Editor):
    • Open a clean browser profile or use incognito/private mode to avoid conflicts with your own sessions.
    • Install a browser extension designed for managing cookies (e.g., “Cookie Editor” for Chrome/Firefox). Be cautious about which extensions you install.
    • Navigate to the legitimate website the victim was logging into (e.g., https://login.microsoftonline.com or https://portal.office.com). Do not log in yet.
    • Open the Cookie Editor extension.
    • Manually add a new cookie or import the captured cookie(s). You need to accurately set the:
      • Name (e.g., ESTSAUTH)
      • Value (the long string copied from Evilginx)
      • Domain (e.g., .login.microsoftonline.com or the relevant domain specified in the phishlet/captured data)
      • Path (usually /)
      • Ensure Secure and HttpOnly flags match the captured cookie if possible (though HttpOnly cannot usually be set by extensions – this is a security feature).
  3. Importing Cookies: Some extensions allow importing cookies in JSON format. Evilginx can sometimes export in compatible formats, or you may need to format it manually.
  4. Accessing the Victim’s Account: After adding the essential session cookie(s), simply refresh the page or navigate to the main application page (e.g., https://outlook.office.com/mail/). If the cookie is valid and correctly imported, the website should recognize the session, and you will be logged in as the victim, bypassing the need for username, password, or MFA.

This demonstrates the power of session hijacking enabled by Evilginx. The attacker gains access without needing the credentials again, as long as the session remains valid.

9. Detection and Mitigation Strategies

Understanding how Evilginx works is the first step towards defending against it. Mitigation requires a multi-layered approach involving user awareness, technical controls, and organizational policies.

For Users

  • URL Scrutiny: This is the most crucial defense.
    • Check the Domain Name: Always carefully examine the domain name in the browser’s address bar before entering credentials. Look for subtle misspellings (microsaft vs. microsoft), extra characters, or unusual top-level domains (.xyz, .tk instead of .com). Is it exactly the domain you expect?
    • Check HTTPS: Ensure the connection uses HTTPS (the padlock icon). However, remember Evilginx uses valid HTTPS certificates, so the padlock alone is not a guarantee of safety. It only means the connection to that specific server (which could be Evilginx) is encrypted.
  • Browser Warnings: Pay attention to browser warnings about invalid certificates or suspicious sites. While Evilginx aims to avoid these, misconfigurations can trigger them.
  • Password Manager Behavior: Password managers often associate credentials with specific, exact URLs. If your password manager doesn’t auto-fill credentials on a login page that looks familiar, it’s a major red flag. The URL might be different (i.e., it’s a phishing site).
  • Multi-Factor Authentication (MFA): While Evilginx can proxy MFA challenges, some forms are more resistant than others.
    • OTP (Codes): Easily proxied.
    • SMS Codes: Easily proxied.
    • Push Notifications (Approve/Deny): Can be proxied, but might sometimes show location/source IP information that could alert a savvy user (though this isn’t guaranteed).
    • FIDO2/WebAuthn (Hardware Keys, Biometrics): This is the strongest defense. FIDO2 keys bind the authentication cryptographically to the correct domain name (origin binding). An Evilginx proxy on phishing.com cannot successfully complete a FIDO2 challenge intended for legitimate.com. This effectively stops the session hijacking aspect for FIDO2-protected logins.
  • Phishing Awareness Training: Regular training helps users recognize suspicious signs in emails, messages, and websites.

For Organizations

  • Email Security Gateways: Implement advanced email filtering solutions that scan links and attachments, use sandboxing to analyze suspicious URLs, and detect impersonation attempts.
  • Web Application Firewalls (WAFs): While primarily designed to protect web servers, some WAFs might potentially identify suspicious proxying behavior, though sophisticated attackers try to blend in.
  • Endpoint Detection and Response (EDR): EDR solutions monitor endpoint activity and can sometimes detect malicious processes or network connections initiated after a successful phish (e.g., beaconing to C2 servers).
  • Network Monitoring:
    • DNS Monitoring: Look for unusual DNS queries to newly registered or suspicious-looking domains within your network. Monitor for internal clients resolving known Evilginx phishing domains.
    • Traffic Analysis: Analyze network flows. Connections to known malicious IPs or domains associated with phishing infrastructure can be blocked or alerted upon. Certificate Transparency logs can sometimes help identify newly issued certificates for typosquatted domains.
  • Security Information and Event Management (SIEM) Systems: Correlate logs from various sources (email gateways, firewalls, endpoints, authentication systems) to identify patterns indicative of a phishing attack and successful compromise (e.g., login from an unusual location shortly after clicking a link).
  • Implementing Strong Authentication Policies:
    • Mandate MFA: Require MFA for all users, especially privileged ones.
    • Promote Phishing-Resistant MFA: Strongly encourage or mandate the use of FIDO2/WebAuthn (like YubiKeys, Windows Hello, Touch ID/Face ID) as it is highly effective against proxy-based phishing like Evilginx.
  • Regular Security Audits and Penetration Testing: Conduct authorized penetration tests, specifically including advanced phishing simulations using tools like Evilginx, to identify weaknesses in technical controls and user awareness. Use the findings to improve defenses.

No single solution is foolproof. A defense-in-depth strategy combining technical controls, robust authentication, and continuous user education is essential.

10. Advanced Techniques and Further Learning (Brief Overview)

Evilginx is a powerful base, but attackers often employ more advanced techniques:

  • Custom Phishlet Development: Creating phishlets for websites not covered by the default set requires analyzing the target site’s login flow, identifying authentication parameters, session cookies, and necessary URL substitutions. This involves deep understanding of HTTP/S, JavaScript, and web authentication mechanisms.
  • Obfuscation Techniques: Attackers may try to hide the Evilginx server IP using services like Cloudflare or other CDNs as proxies, making tracing the source harder (though this can sometimes interfere with Evilginx’s operation if not done carefully). They might also use URL shorteners or redirect chains.
  • Integration with Other Tools: Evilginx can be used alongside campaign management tools like GoPhish to track email sending, link clicks, and credential submissions in a more organized way.
  • Evading Detection Mechanisms: Modifying User-Agent strings, rotating source IPs, using “aged” domains, and tailoring traffic patterns to mimic legitimate user behavior are all tactics used to evade detection by security tools.

Further learning involves studying web application security, advanced networking, reverse engineering web protocols, and staying updated on the latest phishing tactics and defensive strategies discussed in security communities and research papers.

11. Conclusion: The Double-Edged Sword

Evilginx represents the cutting edge of credential and session phishing attacks. Its ability to act as a man-in-the-middle reverse proxy, seamlessly mirroring legitimate websites and capturing credentials and session tokens after MFA validation, makes it exceptionally dangerous.

This tutorial has provided a detailed walkthrough of setting up Evilginx in a controlled environment. The goal was not to enable malicious activity but to educate security professionals on the mechanics of such sophisticated attacks. Understanding the setup process, the reliance on DNS manipulation, the role of phishlets, and the method of session hijacking is crucial for developing effective countermeasures.

We’ve seen that while traditional defenses like basic MFA can be bypassed, stronger methods like FIDO2/WebAuthn offer significant resistance. Vigilant URL inspection by users remains a critical, albeit imperfect, line of defense. For organizations, a layered security posture encompassing advanced email filtering, network monitoring, robust authentication, endpoint security, and continuous user training is paramount.

Evilginx is a powerful tool – a double-edged sword. In the hands of malicious actors, it can cause significant harm. In the hands of ethical security professionals conducting authorized tests, it is an invaluable tool for assessing vulnerabilities and strengthening defenses. Always remember the strict legal and ethical responsibilities that come with possessing and understanding such capabilities. Use this knowledge wisely and ethically to build a more secure digital environment.

(End of Article)

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top