[WIP] How to Set Up Evilginx for Phishing Simulation
Warning: This article is still a work in progress, and much of the content has been generated with ChatGPT. Readers are responsible for verifying the accuracy and credibility of the information provided.
Introduction:
Reverse proxy phishing is a powerful and evolving technique that allows attackers to intercept legitimate traffic between users and websites, capturing sensitive information such as credentials and session tokens. One of the most effective tools for simulating these types of phishing attacks is Evilginx, a reverse proxy that can seamlessly intercept and replicate the login flow of legitimate websites, making it a valuable tool for security researchers and penetration testers.
https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
While there are many guides available for setting up Evilginx, including the one from Krptyk, this tutorial will differ in a key aspect: instead of using AWS to purchase and manage the domain, as Krptyk does, I opted to use a different domain registrar and set up Evilginx to operate on a subdomain of my chosen domain. This offers greater flexibility and control over the infrastructure and provides an alternative for those who prefer not to use AWS.
Additionally, I’ll share several tips and insights that aren’t covered in other guides, helping you avoid common pitfalls and streamline your setup process. As always, it’s crucial to remember that Evilginx should only be used for legal and ethical purposes, such as testing your own systems or conducting authorized security assessments. Unauthorized use of these techniques can have serious legal consequences.
1. Setting Up Your Domain and Server
Before diving into the Evilginx setup, you’ll need to create a virtual private server (VPS) and set up a domain. This section will guide you through setting up an AWS Lightsail instance and configuring a subdomain on an existing domain or registering a new one, depending on your setup preferences.
1.1 Creating and Configuring a Lightsail (or Alternative VPS) Instance
The first step in setting up Evilginx is to create a virtual private server (VPS) that will host the phishing proxy. In this guide, we’ll use AWS Lightsail, which is a simple and cost-effective platform for deploying and managing cloud servers. You can alternatively use other VPS providers like DigitalOcean, Linode, or Vultr, but for this example, we’ll focus on Lightsail.
Steps to Create a Lightsail Instance:
- Access AWS Lightsail:
  - Navigate to the AWS Lightsail Console.
  - Log into your AWS account. If you don’t have one, you’ll need to create an account before proceeding.
- Create a New Instance:
  - In the Lightsail console, click on “Create instance”.
  - Choose a region that’s closest to your target audience or your testing needs. This helps reduce latency and improve performance.
  - Under “Choose your instance image”, select Ubuntu or Debian as the operating system. Either option works fine, but I personally chose Debian.
- Select Instance Plan:
  - Choose an instance plan based on your requirements. For basic phishing campaigns and Evilginx, the smallest plan (usually with 1GB RAM) should be sufficient.
  - Make sure your instance has enough resources to handle potential traffic, especially if you expect multiple users to interact with the phishing site simultaneously.
  Tip: The standard Evilginx deployment requires an IPv4 address, so make sure to select Dual-stack here.
- Assign a Static IP:
  - After creating the instance, go to the Networking tab in Lightsail and assign a static IP address to your instance. A static IP ensures that your domain always points to the correct server, even after restarts or network changes.
- Configure Networking and Security:
  - Under the “Networking” section of your Lightsail instance, you’ll need to configure the firewall to allow traffic. Add rules to open HTTP (port 80) and HTTPS (port 443).
  - During the setup phase, I recommend allowing HTTPS access only from your IP address. However, HTTP should be allowed for everyone. This is because when enabling phishlets, Let’s Encrypt requires HTTP communication with your VPS to create certificates.
  - For added security, you should limit SSH access (port 22) to your own IP address or a trusted range of IP addresses. This will prevent unauthorized users from accessing your instance.
- Secure the Instance:
  - Disable root login via SSH for security reasons. Use an unprivileged user account with sudo access instead.
  - Set up SSH keys for authentication instead of using passwords, which are more vulnerable to brute-force attacks. You can upload your public SSH key during the instance creation or configure it manually later.
  - Once your server is set up and secured, you are ready to move on to installing Evilginx.
By completing these steps, you will have a basic VPS ready to host Evilginx. This method allows you to fully control the environment while maintaining flexibility over networking and security configurations.
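To confirm that the two SSH hardening settings above are actually in effect, here is a small POSIX shell script, added as an example for this guide rather than taken from Evilginx or the original article. It reads an sshd_config the way sshd does (the first occurrence of a keyword wins, comment lines are ignored) and reports whether PermitRootLogin and PasswordAuthentication are both set to no. The two sample config files are constructed inline; on a real server point check_sshd_config at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Evilginx): audit an
# sshd_config for the two hardening settings from section 1.1.

# Print the effective value of a keyword. sshd honours the FIRST occurrence of a
# keyword and ignores comment lines, so this check mirrors that behaviour.
# $1 = config file, $2 = keyword (matched case-insensitively).
effective_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report on PermitRootLogin and PasswordAuthentication.
# Exit status = number of settings that are not hardened (0 means all good).
check_sshd_config() {
  file="$1"
  failures=0

  root_login=$(effective_value "$file" PermitRootLogin)
  case "$root_login" in
    no) echo "ok:   PermitRootLogin no" ;;
    *)  echo "FAIL: PermitRootLogin is '${root_login:-unset, default prohibit-password}', expected 'no'"
        failures=$((failures + 1)) ;;
  esac

  password_auth=$(effective_value "$file" PasswordAuthentication)
  case "$password_auth" in
    no) echo "ok:   PasswordAuthentication no" ;;
    *)  echo "FAIL: PasswordAuthentication is '${password_auth:-unset, default yes}', expected 'no'"
        failures=$((failures + 1)) ;;
  esac

  return "$failures"
}

# Constructed sample configs so the script runs stand-alone.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: distro defaults, nothing hardened
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: hardened as the guide recommends
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# a later duplicate must NOT override the first value above
PasswordAuthentication yes
EOF

for conf in "$HARDENED_CONF" "$WEAK_CONF"; do
  echo "== $conf"
  check_sshd_config "$conf" || echo "-> $? setting(s) still need fixing"
done
```

The hardened sample deliberately carries a second PasswordAuthentication line at the bottom: appending a new value to the end of sshd_config does nothing if an earlier line already sets that keyword, which is a common reason a "hardened" server still accepts passwords. On a live host, `sshd -T` prints the fully resolved effective configuration (including Include files and Match blocks, which this simple parser does not handle) and is the authoritative check.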
1.2 Configuring Your Domain with Cloudflare (or Your Preferred DNS Provider)
Now that your VPS instance is set up (as covered in 1.1), the next step is to configure your domain to point to your server. In this guide, we’ll use Cloudflare as an example DNS provider, but you can follow similar steps with other DNS providers like Namecheap, GoDaddy, or Google Domains. The key steps remain the same regardless of which service you use.
Steps:
- Create a DNS Zone in AWS Lightsail:
  - In the AWS Lightsail console, go to Domains & DNS and select Create DNS zone. Enter your domain name and complete the setup process.
- Update Nameservers in Your DNS Provider (Cloudflare or Other):
  - Log into your DNS provider’s dashboard (e.g., Cloudflare, Namecheap, etc.).
  - Navigate to the DNS settings for your domain.
  - Update the nameservers to point to the AWS Lightsail nameservers, which you will find in the Lightsail DNS zone you created.
- Create DNS Records in AWS Lightsail:
  - In the Assignments section of the Lightsail DNS zone, create an A record for your subdomain (e.g., login.yourdomain.com) that points to the static IP address of your VPS.
  - Make sure that this A record correctly routes traffic to your Evilginx server.
- Verify DNS Settings:
  - After making these changes, allow some time for DNS propagation. You can verify that the subdomain is pointing to your server using tools like dig or an online DNS lookup service.
By following these steps, you’ll be able to configure your domain using Cloudflare or any other DNS provider you are currently using, ensuring proper routing from your subdomain to your Evilginx server.
2. Installing Evilginx
Now that the domain and server are set up, you’re ready to install Evilginx. SSH into your VPS and follow the installation steps:
- Install Go – as Evilginx is built using Go, you will need to set it up on your instance (the export line only affects the current shell session; add it to your ~/.profile to make it persistent):
    wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
    sudo tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
    export PATH=$PATH:/usr/local/go/bin
- Install Evilginx and the other required packages:
    sudo apt update
    sudo apt install git make
    git clone https://github.com/kgretzky/evilginx2.git
    cd evilginx2
    make
- Run Evilginx:
    sudo ./build/evilginx -p phishlets -t redirectors
Once the installation is complete, configure Evilginx to use your domain from its interactive console:
    config domain yourdomain.com
    config ipv4 your-server-ip
This ensures that Evilginx uses your newly registered subdomain as the phishing portal.
Tip: While Krptyk’s guide walks through setting up on AWS, using a different VPS provider gives you greater control over the infrastructure, and registering domains separately lets you avoid being tied to one provider for all services.
3. Configuring Phishlets
Since the community version of Evilginx doesn’t come with pre-built phishlets, you’ll need to create custom phishlets to simulate phishing campaigns. Phishlets are configuration files written in YAML that specify how Evilginx will proxy the login page of the target website, capture login credentials, and steal session tokens.
3.1 Creating Custom Phishlets
To create a custom phishlet, you’ll need to analyze the login flow of the service you are targeting and configure Evilginx to proxy the traffic accordingly.
Steps:
- Navigate to the Phishlets Directory:
  - SSH into your VPS, then navigate to the phishlets/ directory:
        cd /etc/evilginx/phishlets/
- Create a New Phishlet File:
  - Create a new YAML file (e.g., targetsite.yaml) to define the login flow, URLs, and resource locations of the website you are targeting. Use a text editor like nano or vim to create and edit the file:
        sudo nano targetsite.yaml
- Define Target Domains and URLs:
  - Inside your YAML file, define the target domain, login URL, and resources needed to serve the legitimate-looking phishing page. Here’s an example of the YAML structure:
        meta:
          name: "Target Site"
          login_url: "https://targetsite.com/login"
          favicon: "https://targetsite.com/favicon.ico"
        proxy_hosts:
          - {phish_sub: "www", orig_sub: "login", domain: "targetsite.com", session: true, is_landing: true}
        static_files:
          - {path: "/", is_file: true, phish_sub: "www", orig_sub: "login", domain: "targetsite.com"}
- Identify the Login Endpoints:
  - Use the developer tools in your browser (Inspect > Network) to identify the URLs for the login form and any API endpoints that the target service uses for authentication. Add these endpoints to the proxy_hosts section in the YAML file.
- Configure Session Handling:
  - To capture session cookies and bypass MFA, ensure that the session: true flag is set for the appropriate proxy_hosts entries.
- Save and Apply Changes:
  - After editing the YAML, save the file and restart Evilginx to apply the new phishlet:
        sudo systemctl restart evilginx2
3.2 Testing the Custom Phishlet
Once your custom phishlet is set up, you’ll need to test it to ensure Evilginx is correctly capturing credentials and session tokens.
- Set the Hostname:
  - Assign the hostname to the subdomain you configured in your DNS (e.g., login.yourdomain.com):
        sudo evilginx2 -p phishlets hostname targetsite login.yourdomain.com
- Enable SSL:
  - Use Let’s Encrypt to install SSL certificates for your phishing domain:
        sudo evilginx2 -p certbot-auto --domain login.yourdomain.com
- Test the Login Flow:
  - Visit the subdomain (e.g., login.yourdomain.com) in a browser and try to log in. Check the Evilginx logs to ensure that credentials and session cookies are being captured:
        sudo tail -f /var/log/evilginx.log
By following these steps, you’ll be able to create custom phishlets tailored to the login flow of any website you want to simulate. Make sure to test thoroughly and adjust the YAML configuration based on the behavior of the target service.
4. Verifying Evilginx Setup (Simplified)
Once your Evilginx instance is set up and configured, it’s important to verify that it is correctly capturing credentials and session tokens. This section provides a simple process to check the functionality of your phishing simulation.
Steps:
- Visit Your Phishing Subdomain:
  - Open a browser and navigate to the subdomain that you set up for your phishing campaign (e.g., login.yourdomain.com).
  - Ensure the page loads correctly and mimics the target website’s login page.
- Attempt to Log In:
  - Enter credentials as if you were a victim logging in. Evilginx should capture these credentials and session cookies.
- Monitor Logs for Captured Data:
  - While performing the login test, monitor the Evilginx logs to check that the credentials and session tokens are being captured successfully. Run the following command to view the logs:
        sudo tail -f /var/log/evilginx.log
- Check Captured Credentials and Tokens:
  - Ensure that the credentials and session tokens are logged as expected. If everything is set up correctly, you should see the login details in the logs.
By following these simple steps, you can verify that Evilginx is functioning properly and that the phishing simulation is working as intended. Regularly testing your setup helps ensure reliability and smooth operation for phishing simulations.
Conclusion
In this guide, we walked through the complete process of setting up Evilginx for phishing simulations, from creating and configuring a VPS instance to installing Evilginx, setting up DNS, and creating custom phishlets. Using Evilginx, you can simulate advanced phishing attacks that capture credentials and session tokens, even bypassing multi-factor authentication (MFA).
The community version of Evilginx requires a bit more effort in terms of creating your own phishlets, but with the right configurations, you can achieve highly effective phishing simulations. By following this guide, you should now have a clear understanding of how to create custom phishlets, configure your environment, and verify that everything is functioning as expected.
It’s important to remember that Evilginx should only be used for ethical purposes, such as penetration testing and improving cybersecurity defenses. Unauthorized use of this tool can lead to serious legal consequences.
With this setup in place, you’re ready to perform controlled phishing simulations and continue refining your techniques as needed. Always stay updated on new developments in the phishing landscape to ensure your tests remain effective and aligned with current threats.