Releases: kgretzky/evilginx2
Releases · kgretzky/evilginx2
3.3.0 - Go & Phish
Go & Phish - Official Gophish integration released!
You can learn more about this update in the official blog post: https://breakdev.org/evilginx-3-3-go-phish/
CHANGELOG
- Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
- Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in
~/.evilginx/crt/sites/<hostname>/
. Will loadfullchain.pem
andprivkey.pem
pair or a combination of a.pem
/.crt
(public certificate) and a.key
(private key) file. Make sure to run without-developer
flag and disable autocert retrieval withconfig autocert off
. - Feature: Added ability to inject
force_post
POST parameters into JSON content body (by @yudasm_). - Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with
config autocert <on/off>
. - Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
- Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
- Fixed: Added support for exported cookies with names prefixed with
__Host-
and__Secure-
. - Fixed: Global
unauth_url
can now be set to an empty string to have the server return403
on unauthorized requests. - Fixed: Unauthorized redirects and blacklisting would be ignored for
proxy_hosts
withsession: false
(default) making it easy to detect evilginx by external scanners. - Fixed: IP address
127.0.0.1
is now ignored from being added to the IP blacklist. - Fixed: Added support for more TLDs to use with phishing domains (e.g.
xyz
,art
,tech
,wiki
,lol
& more) - Fixed: Credentials will now be captured also from intercepted requests.
3.2.0 - Sleeping With The Phishes
- Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.
- Feature: Lures can now be paused for a fixed time duration with
lures pause <id>
. Useful when you want to briefly redirect your lure URL when you know sandboxes will try to scan them. - Feature: Added phishlet ability to intercept HTTP requests and return custom responses via a new
intercept
section. - Feature: Added a new optional
redirect_url
value for phishlet config, which can hold a default redirect URL, to redirect to, once tokens are successfully captured.redirect_url
set for the specific lure will override this value. - Feature: You can now override globally set unauthorized redirect URL per phishlet with
phishlet unauth_url <phishlet> <url>
. - Fixed: Disabled caching for HTML and Javascript content to make on-the-fly proxied content replacements and injections more reliable.
- Fixed: Improved JS injection by adding
<script src"...">
references into HTML pages, instead of dumping the whole script there. - Fixed: Blocked requests will now redirect using javascript, instead of HTTP location header.
- Fixed: Changed
redirect_url
tounauth_url
in global config to avoid confusion. - Fixed: Fixed HTTP status code response for Javascript redirects.
- Fixed: Javascript redirects now happen on
text/html
pages with valid HTML content. - Fixed: Removed
ua_filter
column from the lures list view. It is still viewable in lure detailed view.
3.1.0
- Feature: Listening IP and external IP can now be separated with
config ipv4 bind <bind_ipv4_addr>
andconfig ipv4 external <external_ipv4_addr>
to help with properly setting up networking. - Fixed: Session cookies (cookies with no expiry date set) are now correctly captured every time. There is no need to specify
:always
key modifier forauth_tokens
to capture them. - Fixed: Captured custom tokens are now displayed properly and values are not truncated.
3.0.0 - Rephishment
- Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
- Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by
certmagic
library. - Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
- Feature: Phishing pages can now be embedded inside of iframes.
- Feature: Changed redirection after successful session capture from
Location
header redirection to injected Javascript redirection. - Feature: Changed config file from
config.yaml
toconfig.json
, permanently changing the configuration format to JSON. - Feature: Changed open-source license from GPL to BSD-3.
- Feature: Added
always
modifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time. - Feature: Added
phishlet <phishlet>
command to show details of a specific phishlet. - Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as
{param_name}
and every occurence will be replaced with pre-configured parameter values of the created child phishlet. - Feature: Added
phishlet create
command to create child phishlets from template phishlets. - Feature: Renamed lure
templates
to lureredirectors
due to name conflict with phishlet templates. - Feature: Added
{orig_hostname}
and{orig_domain}
support forsub_filters
phishlet setting. - Feature: Added
{basedomain}
and{basedomain_regexp}
support forsub_filters
phishlet setting. - Fixed: One target can now have multiple phishing sessions active for several different phishlets.
- Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing
opt
cookies, when all authentication cookies are already captured. - Fixed:
trigger_paths
regexp will now match a full string instead of triggering true when just part of it is detected in URL path. - Fixed: Phishlet table rows are now sorted alphabetically.
- Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
- Fixed: WebSocket connections are now properly proxied.
2.4.0 - Gone Phishing
- Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place
{lure_url_html}
or{lure_url_js}
in code to manage redirection to the phishing page with any form of user interaction. Command:lures edit <id> template <template>
- Feature: Create customized hostnames for every phishing lure. Command:
lures edit <id> hostname <hostname>
. - Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command:
proxy
. - Feature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests. Command:
blacklist
- Feature: Custom parameters can now be embedded encrypted in the phishing url. Command:
lures get-url <id> param1=value1 param2="value2 with spaces"
. - Feature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn't match the whitelist regular expression filter for given lure. Command:
lures edit <id> ua_filter <regexp>
- List of custom parameters can now be imported directly from file (text, csv, json). Command:
lures get-url <id> import <params_file>
. - Generated phishing urls can now be exported to file (text, csv, json). Command:
lures get-url <id> import <params_file> export <export_file> <text|csv|json>
. - Fixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would result in "No embedded JWK in JWS header" error.
- Removed setting custom parameters in lures options. Parameters will now only be sent encoded with the phishing url.
- Added
with_params
option tosub_filter
allowing to enable the sub_filter only when specific parameter was set with the phishing url. - Made command help screen easier to read.
- Improved autofill for
lures edit
commands and switched positions of<id>
and the variable name. - Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.
2.3.0 - Phisherman's Dream
- Proxy can now create most of required
sub_filters
on its own, making it much easier to create new phishlets. - Added lures, with which you can prepare custom phishing URLs with each having its own set of unique options (
help lures
for more info). - Added OpenGraph settings for lures, allowing to create enticing content for link previews.
- Added ability to inject custom Javascript into proxied pages.
- Injected Javascript can be customized with values of custom parameters, specified in lure options.
- Deprecated
landing_path
and replaced it withlogin
section, which contains the domain and path for website's login page.
2.2.0 - Jolly Winter Update
- Added option to capture custom POST arguments additionally to credentials. Check
custom
field undercredentials
. - Added feature to inject custom POST arguments to requests. Useful for silently enabling "Remember Me" options, during authentication.
- Restructured phishlet YAML config file to be easier to understand (phishlets from previous versions need to be updated to new format).
- Removed
name
field from phishlets. Phishlet name is now determined solely based on the filename. - Now when any of
auth_urls
is triggered, the redirection will take place AFTER response cookies for that request are captured. - Regular expression groups working with
sub_filters
. - Phishlets are now listed in a table.
- Phishlet fields are now selectively lowercased and validated upon loading to prevent surprises.
- All search fields in the phishlet are now regular expressions by default. Remember about proper escaping!