Monday, June 5, 2017, 10:02 AM

Advanced Man in the Middle Attack Framework: Evilginx

Advanced Man in the Middle Attack Framework

Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which uses proxy_pass and sub_filter to proxy and modify HTTP content while intercepting the traffic between client and server.

Evilginx is a man-in-the-middle attack framework for remotely capturing credentials and session cookies of any web service. It uses the Nginx HTTP server to proxy the legitimate login page to visitors and captures credentials and session cookies on the fly. It works remotely and uses a custom domain and a valid SSL certificate. This project is released for educational purposes and should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.

How it works

1. The attacker generates a phishing link pointing to their server running Evilginx: https://accounts.notreallygoogle.com/ServiceLogin?rc=https://www.youtube.com/watch?v=dQw4w9WgXcQ&rt=LSID
   The parameters in the URL stand for:
   rc = On successful sign-in, the victim is redirected to this link, e.g. a document hosted on Google Drive.
   rt = The name of the session cookie that is set in the browser only after a successful sign-in. If this cookie is detected, Evilginx takes it as an indication that the sign-in succeeded and the victim can be redirected to the URL supplied by the rc parameter.
2. The victim receives the attacker's phishing link via any available communication channel (email, messenger, etc.).
3. The victim clicks the link and is presented with Evilginx's proxied Google sign-in page.
4. The victim enters their valid account credentials, progresses through the two-factor authentication challenge (if enabled) and is redirected to the URL specified by the rc parameter. At this point an rd cookie is saved for the notreallygoogle.com domain in the victim's browser. From then on, whenever the phishing link is re-opened and this cookie is present, the victim is immediately redirected to the rc URL.
5. The attacker now has the victim's email and password, as well as the session cookies, which can be imported into the attacker's browser to take full control of the logged-in session, bypassing any two-factor authentication protections enabled on the victim's account.
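For defenders, the link convention described above (a /ServiceLogin path on a lookalike host, plus the rc redirect and rt session-cookie parameters) is something a mail gateway or proxy log can be checked for. The following is an added example, not code from Evilginx or from this post; it assumes an allow-list of legitimate sign-in hosts and runs over constructed sample links embedded in the block.

```python
"""Flag links that match the Evilginx sign-in URL convention described above.

Signals: a /ServiceLogin path on a host that is not a legitimate sign-in
host, plus the rc (post-login redirect) and rt (session cookie name)
parameters. All sample links below are constructed for this example.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: the defender maintains this allow-list of real sign-in hosts.
LEGIT_SIGNIN_SUFFIXES = ("google.com", "youtube.com")
# Google session cookie names; LSID is the one used in the link above.
SESSION_COOKIE_NAMES = {"LSID", "SID", "HSID", "SSID"}


def host_is_legit(host: str) -> bool:
    """True when host is, or is a subdomain of, an allow-listed host."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SIGNIN_SUFFIXES)


def analyse_link(url: str) -> dict:
    """Return the individual indicators plus an overall 'suspicious' verdict."""
    p = urlparse(url)
    q = parse_qs(p.query)  # splits on '&', so the nested URL inside rc survives
    ind = {
        "lookalike_host": not host_is_legit(p.hostname or ""),
        "signin_path": p.path.startswith("/ServiceLogin"),
        "has_rc": "rc" in q,
        "rt_names_session_cookie": any(v in SESSION_COOKIE_NAMES for v in q.get("rt", [])),
    }
    # The real sign-in page never lives on a lookalike host and never carries
    # the rc/rt pair, so all four together is a strong match for the framework.
    ind["suspicious"] = all(ind.values())
    return ind


# Constructed sample links (the first mirrors the format quoted in this post).
SAMPLE_LINKS = [
    "https://accounts.notreallygoogle.com/ServiceLogin?rc=https://www.youtube.com/watch?v=dQw4w9WgXcQ&rt=LSID",
    "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
    "https://accounts.notreallygoogle.com/ServiceLogin?rc=https://docs.google.com/&rt=SID",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = analyse_link(link)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok        ", link)
```

This only matches the link convention shown on this page, so treat it as one signal alongside lookalike-domain and certificate-transparency monitoring for your brand.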


Usage

usage: evilginx_parser.py [-h] -i INPUT -o OUTDIR -c CREDS [-x]

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        Input log file to parse.
  -o OUTDIR, --outdir OUTDIR
                        Directory where output files will be saved.
  -c CREDS, --creds CREDS
                        Credentials configuration file.
  -x, --truncate        Truncate log file after parsing.


Example:

python evilginx_parser.py -i /var/log/evilginx-google.log -o ./logs -c google.creds
