I have always manually setup phishing campaigns. I’d create servers, configure domains, copy web applications, setup TLS certificates and everything else that goes with a phish, all by myself. I never used phishing frameworks because I wanted to make sure everything I was doing would meet my expectations.
I recently looked at phishing frameworks and came across Evilginx2. Wow, this tool is awesome and so user friendly! A lot of the manual work is really not necessary when using this tool, and thus, here’s a blog.
To start with, you really want a new server and public IP for this, rather than using your own IP address within a LAN, which may cause NAT issues. The easiest way to get up and running is by using a cloud provider like AWS or Digital Ocean.
I use Digital Ocean because it has a very simple ‘one click’ style install for Linux servers. If you want to try Digital Ocean for the first time, use this code for $100 credit! https://m.do.co/c/5da97520eb3e
You won’t need a huge amount of resources for this, so feel free to chose a $10 package. It really depends on how many users you expect to be processing though your host. Once you have the infrastructure bought, you will need a domain to pair with it, more on this later.
Before we get into using Evilginx2, you will want to install it onto your server. You can download the tool from the following URL: https://github.com/kgretzky/evilginx2. The installation instructions on GitHub are pretty straight forward, but I found they don’t cover everything you need to install on Ubuntu, so here you go:
Step 0: Ensure DNS will not conflict with Evilginx2
Firstly, edit the nameserver in “/etc/resolv.conf” to a DNS provider of your choosing. I used Google which is 18.104.22.168, shown below.
Now run the following command:
systemctl stop systemd-resolved
Step 1: Install GoLang with the following commands:
apt install golang-go
Step 2: Download Evilginx2 with the following GO command:
go get -u github.com/kgretzky/evilginx2
Step 3: Add GO to your PATH with the following commands:
Step 4: Build Evilginx2 with the following commands:
You should now be able to type “evilginx” and have it execute:
Evilginx2 Commands and Phrases
There are a few simple commands that you will want to understand before using Evilginx2:
The config command is used to configure several options within the framework, such as your domain URL and server IP address.
Phishlets are .YAML templates which are used to make the framework aware of different entities within a website you would like to use to phish. For example, which forms are used to send username and password data, which cookies are used for authentication and so forth.
Lures are essentially session handlers which can be used to create phishing URLs using your domain, and provide different options based on a user or group of users you are sending the URL too. For example, you may want to redirect different users to different URLs upon authentication.
Sessions are common throughout frameworks, although in simple terms, they handle the data being sent from a user and allow you to interact with it. In terms of this framework, once you have a user authenticate to your Phish link, their session will hold their username, password and authenticated cookies.
Buying a Domain
When it comes to using a website for phishing, you really need to get yourself a good domain name. Ideally you will want something representative of the original domain you are trying to phish. For example, if you are phishing with “linkedin.com”, you might want to try and buy “linkedin.org.uk” or “linkediin.com”
You can buy this in various places, such as GoDaddy.
Once you buy your domain, point the Nameservers to your server IP Address. You might be able to do this within the Domain settings, but with GoDaddy, you need to do a bit more. You will need to make hostnames within the domain management settings, such as ns1.domain.com and ns2.domain.com, then point them to your servers IP address.
Add these hostnames as the Nameservers:
Now the domain is pointing to your server, and Evilginx2 will be able to configure the rest of the DNS.
Now to the good stuff, lets setup the phishing campaign. We are going to be phishing Linkedin users. But firstly, a quick note to say that Evilginx2 comes with several phishing templates already:
You can also go ahead and find other templates that other users have written or you can build your own templates. To recap, these templates tell the framework which cookies are used for authentication and which forms send a users username and password. The below are two useful links regarding this:
- YAML files – https://github.com/hash3liZer/phishlets
- YAML Docs – https://github.com/kgretzky/evilginx2/wiki/Phishlet-File-Format-(2.3.0)
Lets configure Evilginx2 with a domain and IP Address. Execute Evilginx2 and use the following commands:
config IP [your servers external IP address]
config domain [domain you bought]
Now we need to setup and enable the phishlet that we are going to use. As I previously mentioned, I will be using the Linkedin phishlet. I firstly need to configure a good hostname to use with my domain, one that will trick our targeted users. The command for this is:
phishlets hostname [phishlet name] [subdomain.subdomain.domainyouown.com]
So my command would look something like this (yes, this would be obvious to anyone)
phishlets hostname linkedin linkedin.tryhack.me
You can then enable the phishlet with the following command:
phishlets enable linkedin
When this command has been entered, a TLS certificate will be setup using LetsEncrypt. This saves you going and buying a certificate, which is great!
Now we need to create a lure, which again, is essentially a session handler. Use the following command:
lures create linkedin
After this command is executed, you will see the lure has been given an ID number. You can make multiple lures for different use cases, but we only need one for this example. Next up is the final step, we have to edit the just created lure and input a redirection URL so a phished user is sent somewhere after successful authentication. We also need to change the path, so the URL looks more legitimate. You can do this like so:
lures edit path [ID] [path name]
lures edit redirect_url [ID] [URL]
In my scenario, the commands might look like this:
lures edit path 0 /login
lures edit redirect_url 0 https://linkedin.com
Now when you enter ‘lures’ into the command line, you will see your lure:
To see the full URL which will be used to phish, enter the command:
lures get-url 0
You can now send off this URL to your victims, once they click on it, the page will look like the below image.
Notice the URL in the image below is your domain, but the actual page is Linkedin. This is because the user is proxying through your Evilginx server and that is how the username, password and cookies are retrieved.
When users have entered in their credentials and even 2FA code, they will be presented with an authenticated cookie. This cookie will be stored within Evilginx and once you have this cookie, you can use it and bypass their 2FA. To view the successful phishes, you can use the following commands:
Go into a session ID and you will see the login credentials, as well as the authenticated cookie!
How easy was that? Very! If you want to see Evilginx2 in action, I have a video for you, link below: