Evilginx 1.1 Release

Hello! Today I am bringing you another release of Evilginx with more bug fixes and added features. The development is going very well and the feedback from you is terrific. I've managed to address most of the requests you sent me on GitHub and I hope to address even more in the future.

If you don't know what Evilginx is, feel free to check out the first post, where I explain the subject in detail.

You can go straight to Evilginx project page on GitHub here:
>> Evilginx 1.1 on GitHub <<

Disclaimer

I am aware that Evilginx can be used for very nefarious purposes. This work is merely a demonstration of what adept attackers can and will do. It is the defender's responsibility to take such attacks into consideration, when setting up defenses, and find ways to protect against this phishing method.

Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.


Version 1.1

Here is the list of biggest improvements in version 1.1:

iCloud.com support

New site config was added that allows to proxy the login process of the iCloud page. This one also performs some on-the-fly modification of Javascript content to disable several domain verifications. By far, this site config was the hardest to develop.

Live.com support

Site config for Outlook/Hotmail page was added. It is fairly simple and should prove as good reference for creating your own templates.

Added support for custom SSL/TLS certificates

If you don't want to use LetsEncrypt SSL/TLS certificates, you can now specify your own public certificates and private keys when enabling the site config:

./evilginx.py setup --enable <site_name> -d <domain> --crt <path_to_public_cert_file> --key <path_to_private_key_file>
Evilginx will remember your site options

You don't have to specify the domain name or certificate paths every time you want to update your site config using --enable parameter. If the site config was enabled and set up, previously, options will be stored in the .config file. All you need to do is enable the site config:

./evilginx.py setup --enable <site_name>
Added script that updates Nginx configuration files

From now on, after every update of Evilginx, you should execute ./update.sh script that will make sure, that your Nginx configuration files are up to date. Fixes were made, in this version, to allow the web server to receive big upstream responses and allow to use long hostnames (now you can specify very long chain of subdomains for your phishing hostnames).

Fixed rare issue with parsing requests from log files

There was a known issue, specifically with using the Google site config. If the user put in their email address into the form in 1st step of the login process and shortly after, the parsing script would launch (by default it launches every minute) and truncated the log file, the intercepted email address would be lost forever, just before the user was about to enter their password.
Issue was fixed by leaving behind custom information with last known parsed email for specific IP address, in the log file, for the next parser execution.

How to update?

You can always find the latest version of Evilginx on GitHub:
>> Evilginx 1.1 on GitHub <<

# pull latest changes from GitHub
git pull  
# run update script to make sure your Nginx configuration files are up-to-date
./update.sh
# re-enable every site config you may have been using to update them to their latest versions
./evilginx.py setup --enable <site_name>

Changelog

[+] Added iCloud.com support.
[+] Added Live.com support.
[+] Specifying domain name with 'setup --enable' is now optional if site was enabled before.
[+] Added ability to specify custom SSL/TLS certificates with --crt and --key arguments.
    Custom certificates will be remembered and can be removed with --use_letsencrypt parameter.
[+] Added 'server_names_hash_bucket_size: 128' to support long hostnames.
[+] Fixed rare issue, which could be triggered when only visitor's email was identified at the time
    of truncating logs, after parsing, breaking the chain of logged requests, which would miss an
    email address on next parse.
[+] Fixed several typos in site config files. (@poweroftrue)
[+] Fixed issue with Nginx proxy bailing out on receiving too big upstream responses.
[+] Fixed issue with Facebook overwriting redirection cookie with 'deleted' (@poweroftrue)
[+] Fixed "speedbump" redirection for Google site config that asks user to provide his phone number.
[+] Fixed bug that would raise exception when disabling site configs without them being enabled first.
[+] Nginx access_log directory can now be changed with VAR_LOGS constant in evilginx.py.
[+] Added 'update.sh' file which should be executed after every 'git pull' to update nginx config files.
[+] Added Dockerfile

Epilogue

I have added a development branch on GitHub where you can monitor all the latest changes. I make sure that this branch is as stable as it can get, but still minor bugs may appear, before they are put to rest. If you have any pull requests of your own, please make sure to apply them to this branch.

Development branch can be found here:
Evilginx development branch

If you have any suggestions, ideas or feedback, make sure to post them in the comments section, but it is even better to post them under issues on GitHub.

I am constantly looking for interesting projects to work on!

Do not hesitate to contact me if you happen to be working on projects that require:

  • Reverse Engineering
  • Development of Security Software
  • Web / Mobile Application Penetration Testing
  • Offensive Tools for Red Team Assessments

Hit me up on Twitter @mrgretzky or directly via e-mail at kuba@breakdev.org.

Enjoy and see you soon!

Kuba Gretzky

I am a reverse engineer, penetration tester and software developer. I seek jobs related to my passion and interests. I would say I'm most proficient in finding vulnerabilities and low-level tinkering.

Poland