Skip to content

Releases: kgretzky/evilginx2

3.3.0 - Go & Phish

02 Apr 13:34
Compare
Choose a tag to compare

Go & Phish - Official Gophish integration released!

You can learn more about this update in the official blog post: https://breakdev.org/evilginx-3-3-go-phish/

CHANGELOG

  • Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
  • Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in ~/.evilginx/crt/sites/<hostname>/. Will load fullchain.pem and privkey.pem pair or a combination of a .pem/.crt (public certificate) and a .key (private key) file. Make sure to run without -developer flag and disable autocert retrieval with config autocert off.
  • Feature: Added ability to inject force_post POST parameters into JSON content body (by @yudasm_).
  • Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with config autocert <on/off>.
  • Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
  • Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
  • Fixed: Added support for exported cookies with names prefixed with __Host- and __Secure-.
  • Fixed: Global unauth_url can now be set to an empty string to have the server return 403 on unauthorized requests.
  • Fixed: Unauthorized redirects and blacklisting would be ignored for proxy_hosts with session: false (default) making it easy to detect evilginx by external scanners.
  • Fixed: IP address 127.0.0.1 is now ignored from being added to the IP blacklist.
  • Fixed: Added support for more TLDs to use with phishing domains (e.g. xyz, art, tech, wiki, lol & more)
  • Fixed: Credentials will now be captured also from intercepted requests.

3.2.0 - Sleeping With The Phishes

24 Aug 10:01
Compare
Choose a tag to compare
  • Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.
  • Feature: Lures can now be paused for a fixed time duration with lures pause <id>. Useful when you want to briefly redirect your lure URL when you know sandboxes will try to scan them.
  • Feature: Added phishlet ability to intercept HTTP requests and return custom responses via a new intercept section.
  • Feature: Added a new optional redirect_url value for phishlet config, which can hold a default redirect URL, to redirect to, once tokens are successfully captured. redirect_url set for the specific lure will override this value.
  • Feature: You can now override globally set unauthorized redirect URL per phishlet with phishlet unauth_url <phishlet> <url>.
  • Fixed: Disabled caching for HTML and Javascript content to make on-the-fly proxied content replacements and injections more reliable.
  • Fixed: Improved JS injection by adding <script src"..."> references into HTML pages, instead of dumping the whole script there.
  • Fixed: Blocked requests will now redirect using javascript, instead of HTTP location header.
  • Fixed: Changed redirect_url to unauth_url in global config to avoid confusion.
  • Fixed: Fixed HTTP status code response for Javascript redirects.
  • Fixed: Javascript redirects now happen on text/html pages with valid HTML content.
  • Fixed: Removed ua_filter column from the lures list view. It is still viewable in lure detailed view.

3.1.0

11 Jul 08:05
Compare
Choose a tag to compare
  • Feature: Listening IP and external IP can now be separated with config ipv4 bind <bind_ipv4_addr> and config ipv4 external <external_ipv4_addr> to help with properly setting up networking.
  • Fixed: Session cookies (cookies with no expiry date set) are now correctly captured every time. There is no need to specify :always key modifier for auth_tokens to capture them.
  • Fixed: Captured custom tokens are now displayed properly and values are not truncated.

3.0.0 - Rephishment

10 May 09:13
Compare
Choose a tag to compare
  • Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
  • Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by certmagic library.
  • Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
  • Feature: Phishing pages can now be embedded inside of iframes.
  • Feature: Changed redirection after successful session capture from Location header redirection to injected Javascript redirection.
  • Feature: Changed config file from config.yaml to config.json, permanently changing the configuration format to JSON.
  • Feature: Changed open-source license from GPL to BSD-3.
  • Feature: Added always modifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time.
  • Feature: Added phishlet <phishlet> command to show details of a specific phishlet.
  • Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as {param_name} and every occurence will be replaced with pre-configured parameter values of the created child phishlet.
  • Feature: Added phishlet create command to create child phishlets from template phishlets.
  • Feature: Renamed lure templates to lure redirectors due to name conflict with phishlet templates.
  • Feature: Added {orig_hostname} and {orig_domain} support for sub_filters phishlet setting.
  • Feature: Added {basedomain} and {basedomain_regexp} support for sub_filters phishlet setting.
  • Fixed: One target can now have multiple phishing sessions active for several different phishlets.
  • Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing opt cookies, when all authentication cookies are already captured.
  • Fixed: trigger_paths regexp will now match a full string instead of triggering true when just part of it is detected in URL path.
  • Fixed: Phishlet table rows are now sorted alphabetically.
  • Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
  • Fixed: WebSocket connections are now properly proxied.

2.4.0 - Gone Phishing

14 Sep 11:16
Compare
Choose a tag to compare
  • Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place {lure_url_html} or {lure_url_js} in code to manage redirection to the phishing page with any form of user interaction. Command: lures edit <id> template <template>
  • Feature: Create customized hostnames for every phishing lure. Command: lures edit <id> hostname <hostname>.
  • Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: proxy.
  • Feature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests. Command: blacklist
  • Feature: Custom parameters can now be embedded encrypted in the phishing url. Command: lures get-url <id> param1=value1 param2="value2 with spaces".
  • Feature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn't match the whitelist regular expression filter for given lure. Command: lures edit <id> ua_filter <regexp>
  • List of custom parameters can now be imported directly from file (text, csv, json). Command: lures get-url <id> import <params_file>.
  • Generated phishing urls can now be exported to file (text, csv, json). Command: lures get-url <id> import <params_file> export <export_file> <text|csv|json>.
  • Fixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would result in "No embedded JWK in JWS header" error.
  • Removed setting custom parameters in lures options. Parameters will now only be sent encoded with the phishing url.
  • Added with_params option to sub_filter allowing to enable the sub_filter only when specific parameter was set with the phishing url.
  • Made command help screen easier to read.
  • Improved autofill for lures edit commands and switched positions of <id> and the variable name.
  • Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.

2.3.0 - Phisherman's Dream

22 Jan 10:37
Compare
Choose a tag to compare
  • Proxy can now create most of required sub_filters on its own, making it much easier to create new phishlets.
  • Added lures, with which you can prepare custom phishing URLs with each having its own set of unique options (help lures for more info).
  • Added OpenGraph settings for lures, allowing to create enticing content for link previews.
  • Added ability to inject custom Javascript into proxied pages.
  • Injected Javascript can be customized with values of custom parameters, specified in lure options.
  • Deprecated landing_path and replaced it with login section, which contains the domain and path for website's login page.

Blog: https://breakdev.org/evilginx-2-3-phishermans-dream/

2.2.0 - Jolly Winter Update

22 Nov 11:30
Compare
Choose a tag to compare
  • Added option to capture custom POST arguments additionally to credentials. Check custom field under credentials.
  • Added feature to inject custom POST arguments to requests. Useful for silently enabling "Remember Me" options, during authentication.
  • Restructured phishlet YAML config file to be easier to understand (phishlets from previous versions need to be updated to new format).
  • Removed name field from phishlets. Phishlet name is now determined solely based on the filename.
  • Now when any of auth_urls is triggered, the redirection will take place AFTER response cookies for that request are captured.
  • Regular expression groups working with sub_filters.
  • Phishlets are now listed in a table.
  • Phishlet fields are now selectively lowercased and validated upon loading to prevent surprises.
  • All search fields in the phishlet are now regular expressions by default. Remember about proper escaping!

2.0.0

26 Jul 09:53
Compare
Choose a tag to compare

This is a first release! Enjoy!