
evilginx2's Introduction


Evilginx 3.0

Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality and act as a proxy between a browser and a phished website. The present version is fully written in Go as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.


Disclaimer

I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attack. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.

Evilginx Mastery Training Course

If you want to learn everything about reverse proxy phishing with Evilginx, check out my Evilginx Mastery course!

Learn everything about the latest methods of phishing, using reverse proxying to bypass Multi-Factor Authentication. Learn to think like an attacker during your red team engagements, and become the master of phishing with Evilginx.

Grab it here: https://academy.breakdev.org/evilginx-mastery

Official Gophish integration

If you'd like to use Gophish to send out phishing links compatible with Evilginx, please use the official Gophish integration with Evilginx 3.3. You can find the custom version here in the forked repository: Gophish with Evilginx integration

If you want to learn more about how to set it up, please follow the instructions in this blog post.

Write-ups

If you want to learn more about reverse proxy phishing, I've published extensive blog posts about Evilginx here:

Evilginx 2.0 - Release

Evilginx 2.1 - First Update

Evilginx 2.2 - Jolly Winter Update

Evilginx 2.3 - Phisherman's Dream

Evilginx 2.4 - Gone Phishing

Evilginx 3.0

Evilginx 3.2

Evilginx 3.3

Help

In case you want to learn how to install and use Evilginx, please refer to the online documentation available at:

https://help.evilginx.com

Support

I DO NOT offer support for providing or creating phishlets. I will also NOT help you with the creation of your own phishlets. Please look for ready-to-use phishlets provided by other people.

License

evilginx2 is made by Kuba Gretzky (@mrgretzky) and is released under the BSD-3 license.

evilginx2's Issues

Twitter pull request

Hey, I'm fairly new to giving back to the GitHub community.

I have created a Twitter phishlet that works with mobile.twitter.com.
Could you please describe how I create a pull request?

Thanks

Phishlets

I have played around with the phishlets. I have created a few phishlets for a few websites. Some are working with no error, some have an error.

  1. The phishing URL doesn't display anything.
  2. The phishing URL just redirects to google.com without the login page.
  3. The tokens are not saved, only username and password.
  4. I cannot create a working phishlet for websites that don't have a subdomain name.

[bug] incorrect domain substitution with certain yaml configs

Somewhat related to #57, the wrong hostname gets substituted with the following configurations.

proxy_hosts:
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'abc.com', session: false, is_landing: true}
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'xyz.com', session: false, is_landing: false}
sub_filters:
  - {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{hostname}', mimes: ['...']}

The requests should be going to https://ssl.xyz.com.phishdomain.com, but instead show in DevTools as https://ssl.abc.com.phishdomain.com.

My current workaround is to hardcode my phish domain into the phishlet config, which prevents me from sharing the phishlet.

sub_filters:
  - {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{subdomain}.xyz.com.phishdomain.com', mimes: ['...']}

Gmail

Can anyone give me the gmail.yaml file?
Thank you

Facebook login does not submit on mobile devices

First of all..... Epic. This tool is incredible and I'm very excited for the "phishlets how-to"!

The Facebook phishlet does not work when visiting the phishing link from a mobile device.
Pressing submit appears to have no action on the device at all.

Testing on Chrome (Android) and Safari (iPhone).

Thanks

Failed to obtain SSL/TLS certificates from LetsEncrypt

: phishlets enable linkedin
[08:21:39] [inf] enabled phishlet 'linkedin'
[08:21:39] [inf] setting up certificates for phishlet 'linkedin'...
[08:21:39] [war] failed to load certificate files for phishlet 'linkedin', domain 'www.letgo.network': open /root/.evilginx/crt/www.letgo.network/linkedin.crt: no such file or directory
[08:21:39] [inf] requesting SSL/TLS certificates from LetsEncrypt...
[08:22:06] [err] [www.letgo.network] acme: Error 400 - urn:acme:error:dns - DNS problem: SERVFAIL looking up A for www.letgo.network
Error Detail:
Validation for www.letgo.network:80
Resolved to:

Used: 

[08:22:06] [!!!] failed to obtain certificates
[08:22:06] [inf] disabled phishlet 'linkedin'

Google phishlets

Here is my code for Google; can you let me know where the problem is?

proxy_hosts:
  - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true}
sub_filters:
  - {hostname: 'accounts.google.com', sub: 'accounts', domain: 'google.com', search: 'action="https://{hostname}/signin/', replace: 'action="https://{hostname}/signin/', mimes: ['text/html', 'application/json']}
  - {hostname: 'accounts.google.com', sub: 'accounts', domain: 'google.com', search: 'href="https://{hostname}/speedbump/', replace: 'href="https://{hostname}/speedbump/', mimes: ['text/html', 'application/json']}
  - {hostname: 'accounts.google.com', sub: 'accounts', domain: 'google.com', search: '//{hostname}', replace: '//{hostname}', mimes: ['text/html', 'application/json']}
auth_tokens:
  - domain: 'accounts.google.com'
    keys: ['LSID']
user_regex:
  key: 'identifier'
  re: '(.*)'
pass_regex:
  key: 'password'
  re: '(.*)'
landing_path:
  - '/signin'

Please help me.

O365 - Request

Hi kgretzky,

First... excellent project! Second, my request: do you have any wiki with instructions on how to add other phishlets (e.g. Office 365)? Outlook is a great phishlet, but it's not useful for going after O365 accounts.

Thanks for your help!

Feature request - SOCKS/HTTP proxy support & request/response content injection

First off, I would like to thank you for starting such a great project, there is nothing quite like it out there. I have some feature suggestions that could be a bit out of the scope of this project, but I feel they would be worthy additions.

My first request would be the inclusion of support for SOCKS/HTTP proxies. Some services like Gmail, Outlook, etc. are particularly suspicious of users whenever they log on from a far different IP/geographical location than usual, and they greet the user with a token/identity request and/or geolocation information, which may raise some red flags. It could be extended to the point where you only supply a list of proxies, and evilginx2 automatically uses the most appropriate one based on similarity to the target's IP.

The second request would be some sort of scripting/injection feature that enables users to modify the proxied response body on the fly, depending on a URL or regex pattern. I think this would be useful to customize your phishing project even further, in case you need to show a message or inject JavaScript/HTML in the depths of a phished website's section (e.g. when a user is viewing an email message in outlook.com or changing his preferences), rather than focusing mostly on performing MITM for the login process.

Thanks, I apologize if these features are out of the scope of the project, but I think they would be great!

Problem with Google phishlet

Hi

After building the Google phishlet from evilginx ver 1.1, it didn't work.
The generated link worked, but the "Next", "Forgot Password" and "Create Mail" buttons on the Google sign-in page did not work.

I need it for my article.
Please help me.
Thanks

google.txt

google phishlets mistake

Hi, I have some problems with the Google phishlets. I tried solving this, but it doesn't work correctly and doesn't submit the step 1 form. Please help me on this.

google.txt
thanks
LORE GOZO

Phishlets creation step by step

Awesome tool! I have tried to play around with the script and create a new phishlet. However, I get an error. There is no cookie and no username and password captured. I am positive that I don't know how to create a new phishlet.

Detect authenticated session with request to specific URL

Some websites save session cookies in the beginning in order to reuse them later after successful authentication.

Add additional authentication detection by not only monitoring saved cookies, but also detecting a request to a URL that will only be triggered after a successful login.

Collection of auth tokens of multiple subdomains not possible

Today I tried to collect auth tokens. The service that I'm using has cookies for the parent and a subdomain that keep authentication information, but unfortunately I was unable to fetch them using evilginx2.

auth_tokens:
  - domain: '.service.net'
    keys: ['token1', 'token2']
  - domain: 'sub.service.net'
    keys: ['subtoken1', 'subtoken2']

When commenting out the second entry, everything works as expected, but I'm missing relevant cookies that are required for impersonating a session. I also tried:

auth_tokens:
  - {domain: '.service.net', keys: ['token1', 'token2']}
  - {domain: 'sub.service.net', keys: ['subtoken1', 'subtoken2']}

but I guess that's just another way to write this and doesn't make a difference since your parser should anyway give you an equivalent abstraction.

Unfortunately, it's not a service where you may simply register a free account for testing, but I guess this is a simple bug that has just been overlooked, and I can help you with testing if required.

TLS read error with facebook phishlet

: 2018/07/29 01:54:06 [091] WARN: Cannot read TLS request from mitm'd client www.facebook.com EOF
[01:54:06] [imp] [5] redirecting to URL: https://www.facebook.com/

In testing this out I am able to grab my credentials, however the server fails to forward me on to my Facebook feed.

The service is running in an AWS EC2 instance and the domain NS is via Route53.

I updated the nameservers in Namecheap to point to the supplied Amazon addresses, then created my host records in Route53 as follows:

A record for DOMAIN.COM pointing to my SERVER IP

NS records pointing to DOMAIN.COM
ns1.DOMAIN.COM
ns2.DOMAIN.COM

CNAMEs
facebook.DOMAIN.COM
www.facebook.DOMAIN.COM
m.facebook.DOMAIN.COM
static.facebook.DOMAIN.COM

EVILGINX
config domain DOMAIN.COM
config ip SERVER IP
redirect_key : xi
verification_key : ew
verification_token : 24f4
redirect_url : https://www.google.com

phishlet hostname: facebook.DOMAIN.COM
phishlet get-url: https://www.facebook.com/ (i also tried https://www.facebook.com/settings)
landing url : https://www.facebook.DOMAIN.com/login.php

Could you please explain to me where I've gone wrong with my config?

Is it possible to use something like NGrok or Serveo?

Hello,

First of all, congrats for such an amazing project!
I haven't tried it yet, but I would like to know if it's possible to use ngrok or serveo to forward all the traffic to a more "untraceable" site, and also to avoid buying and setting up a server (mostly because of privacy issues).

Hope it makes sense for you.
Thanks in advance!

Fetch all cookies / wildcard names

As far as I understood your awesome blog post and the provided examples, it is required to know the name of the cookie to fetch beforehand. I'm currently working with a service which is giving out cookies that look like servicename_userid, but I don't know the user ID of the users that are going to be phished. Enumerating all values is also impossible since it is at least 6 digits.

Is it somehow possible to tell evilginx2 to capture simply all cookies or provide a regex for the cookie names, e.g.

auth_tokens:
  - domain: 'service.net'
    keys: ['ASP.NET_SessionID', 'service_SessionId', 'service_[0-9]{6}']

for regex or

auth_tokens:
  - domain: 'service.net'
    keys: [*]

to capture all cookies?

Hostname for Phishlets.

[16:24:07] [err] phishlets: invalid syntax: [iliad facebook my.phishing.iliad.iliad.com]

How to set a hostname, iliad18.com being my domain?

Empty 'phish_sub' on phishlet.

Hi,

Thank you very much for the excellent tool :D

Trying to proxy a site with an adequate 'phish_sub' on the phishlet works fine. But what happens if I want to serve it without a sub-domain? I have tried using an empty 'phish_sub' but it doesn't work. So, for example:
{phish_sub: 'subdomain', orig_sub: 'subdomain', domain: 'domain.com', session: false, is_landing: true} --> works fine
{phish_sub: '', orig_sub: 'subdomain', domain: 'domain.com', session: false, is_landing: true} --> doesn't work for mydomain.

Just to clarify, what I am trying to do is to proxy linkedin login (for example) on my root domain, i.e. myuselessproxy.com, without a subdomain.

Cheers,

Redirect issue

Hi Kuba,

First of all, pretty awesome tool. You and evilsocket made me look into Go, providing such awesome tools! Thanks for all your effort.

I just installed the binary for Kali linux (4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64 GNU/Linux)

I was playing around in a local, virtualized environment based on VirtualBox.

For the victim, a Windows 7 box, I added a manual entry for "fakebook.com", pointing towards the local IP of the evilginx server.

The evilginx server was started and I used the linkedin phishlet (I know, the domain is confusing, but just some testing for myself ;)
Because everything is local I have created a self-signed cert, which seems to work.

By accessing the tokenized URL I see the LinkedIn login screen. Entering my credentials works and is intercepted as designed.
However, after that I end up in a "redirect" loop. Firefox ends with an error. IE simply hangs.
On Evilginx I see constant redirects to "www.linkedin.com".

Any ideas what is going wrong here?

Cheers
Tom

URL

Hey @kgretzky, thank you man, you've done a really great job!
It is not actually an "issue", I just have one question.
Is there any way to generate "clean" links, without the base64 extension?
If there is no short answer, please just point me to the related files, so I'll inspect and modify them. Thanks again!

web page not safe !

hei... @kgretzky

I have read the evilginx 2.1 installation instructions from breakdev.org. I am sure that everything has been done properly. I'm running evilginx 2.1 in developer mode, but when I enter my site it says it's not safe.
I think there is a certificate error. I'm sending you screenshots of the actions I have made.

I have made no adjustments other than these images. Do I have a settings file where I can type the location of the folder where the certificates are stored? It probably does not recognize the location of the certificate folder? What do you think @kgretzky?

failed to obtain certificates

I installed the tool as you said on a Debian VPS from DigitalOcean.
I pointed the name servers

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

from the cPanel to GoDaddy.
I added an A record to the main IP.
I don't know why I get this error. Please let me know if I'm missing anything.
Everything looks to be cool through MX Toolbox.

[07:00:20] [err] phishlet hostname must end with 'jingjing.work'
: phishlets hostname linkedin linkedin.jingjing.work
[07:00:34] [inf] phishlet 'linkedin' hostname set to: linkedin.jingjing.work
[07:00:34] [inf] disabled phishlet 'linkedin'
: phishlets enable linkedin
[07:00:45] [inf] enabled phishlet 'linkedin'
[07:00:45] [inf] setting up certificates for phishlet 'linkedin'...
[07:00:45] [war] failed to load certificate files for phishlet 'linkedin', domain 'linkedin.jingjing.work': open /root/.evilginx/crt/linkedin.jingjing.work/linkedin.crt: no such file or directory
[07:00:45] [inf] requesting SSL/TLS certificates from LetsEncrypt...
[07:00:49] [err] [www.linkedin.jingjing.work] acme: Error 400 - urn:acme:error:dns - DNS problem: NXDOMAIN looking up A for www.linkedin.jingjing.work
Error Detail:
Validation for www.linkedin.jingjing.work:80
Resolved to:

Used: 

[07:00:49] [!!!] failed to obtain certificates
[07:00:49] [inf] disabled phishlet 'linkedin'

DNS security feature

Hi

I had this working fine on the LinkedIn phishlet but the others give out the error below. From what I've found, is this an issue for some DNS providers, but is it a security feature designed to make valid-looking spoofed responses harder to create?

phishlets hostname facebook rapidone.ml
[01:34:14] [inf] phishlet 'facebook' hostname set to: rapidone.ml
[01:34:14] [inf] disabled phishlet 'facebook'
: phishlets enable facebook
[01:34:37] [inf] enabled phishlet 'facebook'
[01:34:37] [inf] setting up certificates for phishlet 'facebook'...
[01:34:37] [war] failed to load certificate files for phishlet 'facebook', domain 'rapidone.ml': open /root/.evilginx/crt/rapidone.ml/facebook.crt: no such file or directory
[01:34:37] [inf] requesting SSL/TLS certificates from LetsEncrypt...
[01:34:42] [err] [m.rapidone.ml] acme: Error 400 - urn:acme:error:dns - DNS problem: NXDOMAIN looking up A for m.rapidone.ml
Error Detail:
Validation for m.rapidone.ml:80
Resolved to:

    Used:

[01:34:42] [err] [static.rapidone.ml] acme: Error 400 - urn:acme:error:dns - DNS problem: NXDOMAIN looking up A for static.rapidone.ml
Error Detail:
Validation for static.rapidone.ml:80
Resolved to:

    Used:

thanks

DNS security feature?

Hi

I had this working fine, then this happened. From what I've found, is this an issue for some DNS providers, but is it a security feature designed to make valid-looking spoofed responses harder to create?

[m.rapidone.ml] acme: Error 400 - urn:acme:error:dns - DNS problem: NXDOMAIN looking up A for m.rapidone.ml
Error Detail:
Validation for m.rapidone.ml:80
Resolved to:

    Used:

failed to obtain certificates when enable phishlets

Hi sir, I just want to use evilginx2 for testing purposes on a local network. So I downloaded the precompiled version for Linux and configured it following your README (no offense, but you missed the 's' for phishlet on https://github.com/kgretzky/evilginx2#getting-started).

./evilginx
:config domain kali.local
:config ip 192.168.125.138
:phishlets hostname outlook my.phishing.kali.local

But when I enable the outlook phishlet I get the error below.

: phishlets enable outlook
[14:55:26] [inf] enabled phishlet 'outlook'
[14:55:26] [inf] setting up certificates for phishlet 'outlook'...
[14:55:26] [war] failed to load certificate files for phishlet 'outlook', domain 'my.phishing.kali.local': open /root/.evilginx/crt/my.phishing.kali.local/outlook.crt: no such file or directory
[14:55:26] [inf] requesting SSL/TLS certificates from LetsEncrypt...
[14:55:29] [err] [outlook.my.phishing.kali.local] acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: Name does not end in a public suffix
[14:55:29] [err] [login.my.phishing.kali.local] acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: Name does not end in a public suffix
[14:55:29] [err] [account.my.phishing.kali.local] acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: Name does not end in a public suffix
[14:55:29] [!!!] failed to obtain certificates
[14:55:29] [inf] disabled phishlet 'outlook'

Problem: Google phishlet

Hi

After building the Google phishlet from evilginx ver 1.1, it didn't work.
The generated link worked, but the Next, Forgot Password and Create Mail buttons on the Google sign-in page did not work.

I need it for my article.
Please help me.
Thanks

Problem getting started

Set up your server's domain and IP using following commands:
config domain yourdomain.com
config ip 10.0.0.1

I have a problem: [err] config: invalid syntax: [domain ***********d.com config ip *.161..195]
Help me please.

evilginx2 description uses poor English

The evilginx2 GitHub repository description is currently "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, alowing to bypass 2-factor authentication." The English in this is poor and it should be rewritten. An example new description could be as follows.

"Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies allowing for the bypass of 2-factor authentication mechanisms."

Vbulletin Password capture

Firstly, let me thank you for this work. It's a fantastic project and very interesting. My question is this:

vBulletin uses JavaScript to hash the password a few times before it's submitted in a POST request. Any insight on how to intercept that JavaScript event and capture the plain text password as entered?

<form class="block vbform" method="post" action="login.php?do=login" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">

function onsubmit(event) { md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0) }

Feature Request: Option to disable / configure the URL tokenization

It would be nice if it was possible to (partly) turn off the URL tokenization or at least give some configuration options. I'm totally aware why this is done and in most cases this makes absolute sense, but there are scenarios where we are interacting with victims directly, e.g. via phone call or face to face. It is not feasible to dictate such a long token and explain to the victim why it is sent to YouTube when it had a typo.

To prevent sites from getting flagged by bots crawling CT logs, like you described in your blog post, some other configuration options might be useful, e.g.:

  • Restrict source IP address (in case of attacks targeted against customers, this information is easy to gather and also makes sure that no other Internet citizens are harmed by accident) - feasible implementation
  • Check if the site is crawled by a legit browser (e.g. via User Agent, or, advanced, via some JavaScript foo) - but I think this is hard to do, to keep up with browser development, and some bots will still use Chrome/Firefox headless. Not the best idea.
  • Configurable short URLs like "/owa" or "/login" - users have seen enough of them to type them correctly and they look legit - probably the simplest to implement?
  • Make the evilness happen after the bots were there, e.g. by waiting $timeframe after setting up the server and certificates before actually doing the nasty MITM stuff. The effectiveness may be determined by simply doing some testing.

Session Cookie

The login cookie is captured on login before we enter credentials. After you log in, the same cookie changes its value. We can't log in because the script captures the session cookie before the login, and the new cookie value is not captured, only the old one.

How can I add a http header?

While I'm opening my phishlet I'm getting such errors.

Failed to load https:/external.domain: The 'Access-Control-Allow-Origin' header has a value 'https:/external.domain' that is not equal to the supplied origin. Origin 'https://my.domain' is therefore not allowed access.

So how can I add the header "Access-Control-Allow-Origin" to a response in order to let the browser fetch data from different origins?

Phishlets

Hello @kgretzky, thank you for that great job, the project is amazing. Is there any documentation or guide on phishlets? I didn't find any explanation of parameters, such as what the meaning of "is_landing" is and why in e.g. facebook.yml "phish_sub" and "orig_sub" are the same and in reddit.yml they are not?

error make install

└─[$] git:(master) sudo make install
cp: no se puede efectuar `stat' sobre './bin/evilginx': No existe el fichero o el directorio
make: *** [Makefile:20: install] Error 1
┌─[root@Gear] - [~/go/src/github.com/kgretzky/evilginx2] - [jue jul 26, 10:36]
└─[$] git:(master) make

github.com/golang/dep/gps

../../golang/dep/gps/constraint.go:378: undefined: sort.SliceStable
../../golang/dep/gps/lock.go:31: undefined: sort.SliceIsSorted
../../golang/dep/gps/lock.go:38: undefined: sort.Slice
make: *** [Makefile:23: godep] Error 2
┌─[root@Gear] - [~/go/src/github.com/kgretzky/evilginx2] - [jue jul 26, 10:36]
└─[$] git:(master)

Gmail request

I made a google.yaml, but there is always a CORS error. Can you help me?

[bug] duplicate hosts entries with certain yaml config options

The following phishlet configuration will generate duplicate DNS records when using the get-hosts option in developer mode.

proxy_hosts:
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'abc.com', session: false, is_landing: true}
  - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'xyz.com', session: false, is_landing: false}

phishlet get-hosts abc:

127.0.0.1 ssl.abc.com.phishdomain.com
127.0.0.1 ssl.abc.com.phishdomain.com

expected:

127.0.0.1 ssl.abc.com.phishdomain.com
127.0.0.1 ssl.xyz.com.phishdomain.com

I've not yet verified whether this also affects whether or not 2 proxies (abc and xyz) get created correctly, or whether this is just a cosmetic bug where the incorrect host entries are printed.

AWS - Request

Hey kgretzky,

Great work!

Any chance to create a phishlet for AWS?

Developer mode: duplicate issuer/serial

I've been playing with the new developer mode, and kept getting certificate errors: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

I looked at the code a bit, and if I understood correctly you re-use the serial number from the upstream cert?

I did a minor patch, re-using your CA cert serial generation code to have random serials to work around this issue, which works a lot smoother for me:

diff --git a/core/certdb.go b/core/certdb.go
index 01d7e53..997f195 100644
--- a/core/certdb.go
+++ b/core/certdb.go
@@ -314,8 +316,14 @@ func (d *CertDb) SignCertificateForHost(host string, phish_host string, port int
        if srvCert == nil {
                return nil, fmt.Errorf("failed to get TLS certificate for: %s", host)
        } else {
+               serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+               serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+               if err != nil {
+                       return nil, err
+               }
+
                template = x509.Certificate{
-                       SerialNumber:          srvCert.SerialNumber,
+                       SerialNumber:          serialNumber,
                        Issuer:                x509ca.Subject,
                        Subject:               srvCert.Subject,
                        NotBefore:             srvCert.NotBefore,
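Review bot: the added lines call rand.Int(rand.Reader, serialNumberLimit) and new(big.Int), but the import changes those names depend on are not part of this hunk (the header offset, -314 vs +316, suggests two lines were added earlier in the file); please include that hunk and confirm the package is crypto/rand, not math/rand, since only crypto/rand exposes rand.Reader and an Int(io.Reader, *big.Int) function suitable for certificate serials. The 128-bit random serial is the same approach the CA certificate generation already uses, so signing several upstream hosts under one local CA no longer produces distinct certificates sharing an issuer and serial, which is exactly what Firefox rejects with SEC_ERROR_REUSED_ISSUER_AND_SERIAL.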

Not sure what the consequences of this approach are, or what the reasoning was of re-using the original serial - first time playing with this tool so I may just be doing things the wrong way.

Let me know if you'd like me to fork and create a PR.

P.S.: any IRC/Slack channel for evilginx?

ReCaptcha

First of all, you really deserve huge respect, great work, congrats!

I am trying to create my own phishlets but I am always stuck at reCAPTCHA if the site uses it. reCAPTCHA is checking the domain being used via API keys. If the domain is not in the allowed list then reCAPTCHA doesn't work at all. Any suggestions on this issue?

More information on Recaptcha API:
https://developers.google.com/recaptcha/docs/domain_validation

Edit: Will using {domain_regexp} against window.location.href solve the issue?

I would really appreciate an example.

I also have issues with Cloudflare-protected servers. If the phished site is Cloudflare protected, the page never passes through the browser check process, therefore the real page never loads.
