Reverse proxy phishing with Evilginx is a technique where a phishing site acts as a proxy server, intercepting legitimate requests and forwarding them to the genuine website while capturing sensitive information from users. This approach allows us to create convincing phishing campaigns by seamlessly proxying the target site, making it difficult for victims to detect the deception. This process also bypasses any MFA protections by relaying the already existing sessions.
As always, I need to remind you that phishing users outside of a legitimate engagement, with a written agreement, a well-outlined scope and specified targets (for example), is illegal. I assume no responsibility for your actions.
I won’t go into the finer details of how this phishing technique works since Kuba, the creator of Evilginx, has all the information you could want on how it works – for more info check out his site here. A quick diagram to give you enough information at a high level on how it works is below:
Getting Started
To begin this guide it’s important to understand what we need in order to host this phishing campaign. Luckily for us it is fairly simple and we only need two things:
Domain
Phishing Server
And we can set this all up for little more than a couple of dollars. For this guide I’ll be showing you how to do it with Amazon Lightsail since it makes the process really easy for us.
Let’s start by setting up our phishing server and domain first, then we will go through the process of getting Evilginx running and building phishlets (more on these later).
Creating Our Phishing Infrastructure
This process assumes you have an AWS account set up already and you are at the Lightsail home page. The first thing you need to do is select “Create Instance”.
Now you will come to the page to create your phishing infrastructure. For this guide we will use a Debian based machine (OS only) – remember to choose your instance location to where you are based or in the area where your client is located (we don’t want the proxied traffic to come from the US if your engagement is in a different country).
After this you have the option to get your SSH key pair – this is useful if you want to connect over SSH from your software of choice but for this guide I’ll keep it easy and use the browser option to connect to the server. Now we can select our instance plan:
It is very unlikely you’ll need more than the cheapest option for these phishing engagements but choose a plan that aligns with your requirements. Once everything above has been selected, create the instance and we will come back to this shortly.
Registering A Domain
For this guide we will go through the process of registering a new domain (as this is a straightforward guide, I am not going to go into the details of domain trust scores etc., but just know that a new domain will have a low trust score and can be very easily marked as malicious.)
To register a domain within Lightsail, we can click on the “Domains & DNS” menu option:
In the Domains and DNS page, click on the “Register domain” link:
Once at the registration page, register your domain – I know you can get cheaper domains from GoDaddy or Namecheap for example, but I am keeping this guide as simple as possible and in this case it’s all managed within the same interface. Feel free to register a domain outside of AWS if you prefer.
Once your new domain is registered we will need to set up a few things to make sure our domain points to our Evilginx server.
Head back to the Domains & DNS page and you should see your newly registered domain there with automatically created DNS zones as well. (If the DNS zone isn’t there – click the “Create DNS zone” link and follow the prompts – it is very straightforward.)
Following this, you need to point the Lightsail name servers to your domain (which they should already be – but we will follow the process anyway)
Click on your domain name under the DNS zones section and take note of the name servers:
After this go to the domain assignments and click add assignment and you will create two assignments with the options I have highlighted:
Now go back to the Domains & DNS page and click on your newly registered domain under the “Registered domains” section and then on the following page you will click the option “Edit name servers” and add the name servers we took note of previously:
Once this part is complete it’s time to move back to the Instances page.
Preparing Our Phishing Infrastructure
The first thing we need to do is attach a static IP to our newly created instance:
On the Lightsail home page, choose Networking.
Choose Create static IP.
Select the AWS Region where you want to create your static IP.
Choose the Lightsail resource to which you want to attach the static IP.
Enter a name for your static IP.
Click create
Now that we have attached the static IP, we want to go to the homepage and click on our newly created instance to manage it. Once you are in the management page for your instance, click the “Domains” sub heading and then the “Assign domain” option, add your newly created domain and then press assign:
Now the last part we need to do is open the required ports on the instance to allow connections to the Evilginx server once it is set up. To do this, click the “Networking” sub heading:
Once in the networking page, set up the following IPv4 Firewall rules:
I would suggest utilising the “Restrict to IP address” option for the HTTP/HTTPS ports to your own IP so that only you can access it. This is good for when you are simply testing and setting up your environment – if you don’t utilise this feature, once Evilginx is running you will see a large amount of scanners instantly scanning your server. They will hit the wrong link though and will automatically be pushed to the blacklist. The default blacklist setting is a dead giveaway that you are running an Evilginx server as it redirects to Rick Roll on YouTube. (I’ll show you how to modify this later.)
Installing Evilginx
Now that our domain and instance are set up correctly and ready to proceed, it is time to install Evilginx and set up our first phishlet.
Go back to the Lightsail homepage and we want to access the remote SSH panel:
This will pop up a new page with remote access to our instance:
The following are the step by step commands to execute to install and set up Evilginx:
Install GoLang – as Evilginx is built using Go we will need to set it up on our instance:
wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
Install Git and make
sudo apt install git make
Install Evilginx
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
Run Evilginx
sudo ./build/evilginx -p phishlets -t redirectors
We now have Evilginx running but there’s still some work left to do to get this up and running correctly. You can see two warnings in the output above:
[war] server domain not set! type: config domain
[war] server external ip not set! type: config ipv4 external
We need to set two things: Domain:
config domain example.com <-- Add your newly registered domain here
IPv4 – This is the external static IP of your instance, you can find this in Lightsail:
config ipv4 [static ip]
Now that we have the basics set up we can create our first phishlet. A phishlet is a configuration file used to configure Evilginx for targeting a specific website, with the goal of performing phishing attacks against it.
Note: Whenever we load a new phishlet or make changes to it, we will need to restart Evilginx
Executing Our First Phish
For our first campaign, we can use pre-existing phishlets (at the time of posting the o365Business phishlet works perfectly, the o365Personal will work for personal accounts but there is an issue I am still debugging with the final redirect – you will still be able to phish a successful login and replay it. All the others are still a WIP but have done 90% of the work for you.)
Copying the phishlet to Evilginx – this .yaml file is our phishlet for Office 365 for Business accounts – it will work with your o365 work email for example.
You can copy the above as a file ending in .yaml to your phishlets folder or you can pull it from my GitHub and simply copy the phishlets into the phishlet folder:
git clone https://github.com/Krptyk/Evilginx.git
Once you’ve added them to the phishlets folder, restart Evilginx and you should see the phishlets listed:
For this example, we will use the o365Business phishlet. The following is the step by step process to set up the phishlet and create the lure URLs:
phishlets hostname o365Business microsoftonline.example.com <-- Add your newly registered domain instead of example.com
If you didn’t opt to restrict / enable IP filtering to your own IP you should change the blacklist configuration to not redirect to Rick Roll on YouTube. The following changes will simply do nothing.
config unauth_url "http://"
Now we can enable the phishlet:
phishlets enable o365Business
We can see that we have enabled the phishlet and we successfully set up the TLS certificates for all the subdomains (these are in the phishlet). If you see collision errors, this is fine – if you were running more than one phishlet, these collisions would be a problem but we are only running a single phishlet for now.
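The certificates obtained in the step above are issued by a public CA, so the phishlet's hostnames (brand name as a subdomain of an unrelated registrable domain, like microsoftonline.example.com) become visible in Certificate Transparency logs and in DNS or proxy logs. As an added example, not code from this post or from Evilginx, here is a small Python check a defender can run over a batch of hostnames to flag exactly that pattern. The brand list, the allowlist of genuine domains, the public-suffix table and the sample hostnames are all constructed for the example:

```python
# Added example (not from the post or Evilginx): flag hostnames that carry a
# brand keyword in a subdomain of an unrelated registrable domain.
# Brand list, allowlist, suffix table and sample hostnames are constructed.

# Minimal stand-in for a real public suffix list (assumption: only these multi-part suffixes).
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

# Constructed brand keywords (hyphens are ignored when matching).
BRANDS = ["microsoftonline", "office365", "microsoft"]

# Constructed allowlist of registrable domains that may legitimately carry the brand.
ALLOWLIST = {"microsoftonline.com", "microsoft.com", "office.com"}

# Constructed hostnames as they might come from CT, DNS or proxy logs.
SAMPLE_HOSTNAMES = [
    "login.microsoftonline.com",          # genuine, allowlisted
    "microsoftonline.example.com",        # brand as subdomain of unrelated domain
    "mail.example.com",                   # no brand keyword
    "office365-login.example.co.uk",      # brand keyword with hyphen, multi-part suffix
    "example.com",                        # no subdomain at all
]


def registrable_domain(hostname: str) -> str:
    """Return the registrable (apex) domain using the small suffix table above."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def flag_brand_subdomains(hostnames, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (hostname, brand, registrable_domain) for every hostname whose
    subdomain part contains a brand keyword while its apex is not allowlisted."""
    flagged = []
    for host in hostnames:
        host = host.lower().rstrip(".")
        apex = registrable_domain(host)
        if apex in allowlist:
            continue
        # Everything left of the apex is the attacker-controlled subdomain part.
        subdomain = host[: -len(apex)].rstrip(".").replace("-", "")
        for brand in brands:
            if brand in subdomain:
                flagged.append((host, brand, apex))
                break
    return flagged


if __name__ == "__main__":
    for host, brand, apex in flag_brand_subdomains(SAMPLE_HOSTNAMES):
        print(f"{host}: brand '{brand}' under unrelated apex {apex}")
```

Run against a CT feed or a day of DNS logs, the hits are the hostnames worth a closer look; a real deployment would swap the toy suffix table for the public suffix list and the allowlist for the organisation's own inventory of brand domains.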
Next we have to create the lure URL which is what we will use to deliver to victims:
lures create o365Business
Now we have our lure, we can browse to it and see how the phishing process will work.
Note: Make sure to clear all your browsing data before this to see how the full process will look.
Pretty convincing right? Let’s continue with the process by logging in with a business email I created and look at it from the Evilginx side (feel free to play around with the login process and see how it works).
We’re off to a great start: our campaign has gotten a user to click on the lure and then fill in their credentials, and we have also detected a successful authentication to Office 365. We have the credentials but this account has MFA enabled, so how can we get access to their login panel?
sessions [sessions number]
This is what a successful phish will look like – and we can replay the cookies to get access to the users session. As the phishlet we are using captures every cookie that exists for the domains, it’ll be extremely long. I’ll leave that up to you to modify the phishlet to grab only the necessary cookies that are required for session authentication.
We can use the Chrome extension “EditThisCookie” to import the cookies within the [ ] (not including the [ cookies ] part). Evilginx is built to export the cookie information in a format that works with the extension and it can simply be added using the import option:
Paste the exfiltrated cookie information in the following section:
Now that we have successfully taken the cookie information, we can browse to office.com and we will be logged in as the phished user.
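The replay just described leaves a trace a defender can look for: the session was established by the proxy server's IP (the victim's own address never reaches the real site), and shortly afterwards the same session identifier is presented from a different IP and a different browser. As an added example, not code from this post or from Evilginx, here is a Python detector that runs over constructed sign-in log lines and raises a high-severity finding when both the source IP and the User-Agent change for an existing session, and a low-severity one when only the IP changes. The log format, field names, session identifiers and all addresses are made up for the example:

```python
# Added example (not from the post or Evilginx): detect session-token replay
# in constructed sign-in log lines. Format, field names and values are made up.
import shlex
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    event: str        # "interactive_auth" (credentials + MFA) or "session_use" (cookie only)
    src_ip: str
    user_agent: str
    session_id: str


# Constructed log: alice's login arrives from 203.0.113.10 (the proxy), then her
# session cookie is presented from 198.51.100.7 with a different browser.
# bob's session only changes IP (e.g. a network switch), which is weaker evidence.
SAMPLE_LOG = """
2024-01-15T10:00:00Z user=alice@example.com event=interactive_auth ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120" session=S1
2024-01-15T10:00:04Z user=alice@example.com event=session_use ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120" session=S1
2024-01-15T10:02:30Z user=alice@example.com event=session_use ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/121" session=S1
2024-01-15T10:05:00Z user=bob@example.com event=interactive_auth ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/605" session=S2
2024-01-15T10:06:00Z user=bob@example.com event=session_use ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/605" session=S2
2024-01-15T10:20:00Z user=bob@example.com event=session_use ip=192.0.2.99 ua="Mozilla/5.0 (Macintosh) Safari/605" session=S2
""".strip().splitlines()


def parse_line(line: str) -> SignInEvent:
    """Parse one constructed line: '<ISO timestamp> key=value ... ua="quoted value" ...'."""
    tokens = shlex.split(line)            # shlex keeps the quoted User-Agent as one token
    ts = datetime.fromisoformat(tokens[0].replace("Z", "+00:00"))
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return SignInEvent(ts, fields["user"], fields["event"], fields["ip"],
                       fields["ua"], fields["session"])


def detect_session_replay(lines):
    """Compare every cookie-only request against the interactive authentication
    that created its session; return findings ordered by time."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    origin = {}                           # session_id -> the interactive_auth event
    findings = []
    for ev in events:
        if ev.event == "interactive_auth":
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            continue                      # session predates the log window; nothing to compare
        ip_changed = ev.src_ip != first.src_ip
        ua_changed = ev.user_agent != first.user_agent
        if ip_changed and ua_changed:
            severity = "high"             # new address and new browser: classic replay
        elif ip_changed or ua_changed:
            severity = "low"              # one attribute drifted; review in context
        else:
            continue
        findings.append({"user": ev.user, "session": ev.session_id, "severity": severity,
                         "auth_ip": first.src_ip, "use_ip": ev.src_ip, "ts": ev.ts.isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} session {f['session']}: "
              f"established from {f['auth_ip']}, used from {f['use_ip']} at {f['ts']}")
```

The User-Agent comparison is easy to defeat by an operator who mirrors the victim's browser string, which is why the IP-only case is kept as a low-severity signal rather than dropped; the durable fix is to stop a copied cookie from being useful at all (token binding, device-bound sessions or conditional access that re-checks device and location on each request), with this kind of detection as the backstop.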
Congratulations you have just successfully executed your first reverse proxy phishing campaign!