🚨 Evilginx Pro release is coming soon 🔥
I've just finished rewriting Evilpuppet to prepare it for release.
Here is a demo of how it allows red teams to bypass Google's modern anti-phishing protections. 🪝🐟
⏰ Get 20% OFF Evilginx Mastery course:
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
pwndrop - The new fast & fun way to set up an HTTP/WebDAV server for your payloads is coming!
python -m SimpleHTTPServer may soon be retiring.
Stay tuned!
Here is a quick sneak peek:
PWNDROP IS FINALLY RELEASED!
Self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV.
Enjoy and send me your precious feedback!
Read about and get pwndrop here:
BREAKING: Evilginx is coming back! 🔥🪝🐟
Coming soon:
- Evilginx 3.0 Release
- Evilginx Mastery online course with hands-on training lab access
Sign up here to know when it drops! 📩
🫣 SNEAK PEEK 👀
Evil QR in action, demonstrating how attackers could use sign-in QR codes to execute phishing attacks. 🪝🐟
Blog post with open-sourced toolkit coming soon! 🔥
(sometime this week)
Evilginx 💗 Gophish
The long-awaited official integration of Evilginx with Gophish has finally arrived with the Evilginx 3.3 update. 🪝🐟
The update includes lots of quality-of-life improvements as well.
Enjoy and happy phishing! 🤗
🎬Phishing LinkedIn and bypassing MFA demo created for the upcoming Evilginx Pro post 🔥
💡Evilginx uses a background browser to capture the secret token from the legitimate website and inject it back into the reverse proxy phishing session.
P.S. Enjoy that Cyberpunk tune I made 🎵
Microsoft has just released a patch for the ZIP MOTW vulnerability, assigned CVE-2022-41091.
I am happy to be able to finally drop my bug analysis write-up! 🔥🪲
Enjoy and happy patching!
BREAKING: Evilginx 2.4 "Gone Phishing" update is coming SOON! 🪝🐟
This will be a big one with lots of new features. I'll be posting more info about upcoming goodies in this thread!
Old dog is about to learn some new tricks.
All aboard the hype train! 🚂
Tired of failed phishing attempts?
Using the 1337est AI FAFO technology, Evilginx, trained on data from thousands of successful login attempts, can now predict valid session cookies, even before the phished user starts to enter their credentials. 🔥
The new era of AIshing awaits!
This screenshot shows how external bots try to scan a phishing page, hosted by Evilginx Pro.
Every request is made from a different IP address, which ultimately proves that IP blacklisting is dead as a method to block scanners.
JA4 & browser telemetry analysis is the way to go.
💥It's 2023 and stealing session tokens via reverse proxy phishing is still going strong. 🪝🐟
🎬Here is how Evilginx catches a phish and completely bypasses MFA on Google.
💡Check out my Evilginx Mastery course to learn the tricks used by attackers:
The ZIP MOTW bypass 0-day bug was a fun challenge!
Bug already reported (not by me) and no patch from MS, so will post a write-up once it's fixed.
Thanks @wdormann @bohops @buffaloverflow 🔥🍻
Works nicely for bypassing the recent block of macros in Office docs w/MOTW, as well.
Evilginx2 will, soon, let you phish and bypass 2FA like a pro. Now as a fully standalone man-in-the-middle HTTP proxy, made entirely in Go. Here comes a little sneak peek:
Our fellow BREAKDEV RED member @jackbutton_ has published the long-awaited guide on how to protect your Evilginx instances ‼️
Find out how to deploy an additional Cloudflare layer in front, for extra protection! 🔥🎣
A must read for all phishermen! 🪝🐟
BREAKING: Evilginx Mastery course has moved into the recording phase!
Tons of reverse proxy phishing brain-food on the menu.
If you haven't already - sign up for the mailing list to know exactly when the course drops:
Almost a week ago, I had great pleasure to present my research on protecting websites from Evilginx reverse proxy phishing at @x33fcon.
To whoever is interested, I've just uploaded the slides from the talk:
Next year, same place! 😀🪝🐟
Really interesting how easy it is to fingerprint TLS connections established from Go applications, by checking JA4 signature patterns.
You'd be amazed how many automated malicious URL scanners also use the same JA4 signature.
Working on developing a dedicated phishing training lab with MFA support for the upcoming Evilginx Mastery course.
The lab will simulate real-world phishing scenarios with different protections. Each lesson will teach how to develop a working phishlet hands-on for a given scenario.
Protecting phishing pages from being flagged as malicious has become a priority for threat actors.
One such method involves using Cloudflare Turnstile, which can block access to phishing pages for automated scanners.
How hard would it be to simulate this with Evilginx?
👇🧵
Here is how easy it is to share a file with pwndrop and spoof its download link's extension from .docx to .docx.exe, using an HTTP redirect feature.
Almost ready for the big release!
BREAKING: Announcing Evilginx Mastery course price & release date!
🗓️Date: May 10th 2023
💳Price: 399 EUR (359 EUR with -10% release discount)
📝Sign up here:
⭐️Evilginx 3.0 & online documentation will also be released on the same day!
I'm proud to announce that due to popular demand, Evilginx 3.0 will introduce micro-transactions!
Real fishing requires bait and phishing should be no different. Now you will need WORMS to perform even the simplest tasks like enabling a phishlet!
Red checkmark incl. as a bonus!
After continuing to see new tools emerging, which rely on extracting the NTDLL syscall IDs from "mov eax, X" instruction, I wanted to remind everyone that syscall IDs can easily be calculated by sorting the addresses of Nt*/Zw* functions in NTDLL from lowest to highest. 🍻
🚀Evil QR - Phishing With QR Codes 🪝🐟
Just released some fun research on how to perform phishing with QR codes.
Enjoy the blog post and a demo video!
I've also published the Evil QR toolkit on GH, which you can use to see how the attack works in practice.
Is this even real??? 🤯
I feel like I've discovered a whole new world...
This is 100% going to become the new Evilginx GUI 🔥
To hell with Electron and web UI. The 90s haxor terminalz are back😆
Thank you @badsectorlabs for letting me know about this! 💗
Have you ever needed to quickly spin up a self-hosted HTTP server for your payloads?
Did you also need WebDAV support, slick web GUI, drag & drop support and ability to quickly customize payload URLs with limiting access to them in one click?
More info coming soon 🎣
</teaser>
BIG ANNOUNCEMENT!
It took a while, but the time has finally come!
Pwndrop will drop on Thursday, 2020-04-16 at 12:00 CEST.
Self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV.
Timer:
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my GitHub; feel free to test them out.
🚨 The video from my @x33fcon keynote is finally out!
I've talked about what's coming in Evilginx Pro and the new implementation of anti-phishing countermeasures to protect your phishing links.
I managed to fit a live demo with some "funny" content 😜
Finally my talk from @x33fcon is online! 🔥
I try my best to explain what websites could do to protect the users against reverse proxy phishing attacks like Evilginx.🪝🐟
There is also a bonus live demo at the end with some Evilginx Pro secret sauce! 💡
As much as I hate web development, I'm trying hard to make the training portal look good.
CSS and fighting with different frameworks are killing me, but there is some visible progress!
1/2
Pepe Berba has just released an incredible contribution to Evilginx, showing how to bypass Yubico OTP and hijack the full LastPass password vault, through phishing. Great job @__pberba__ 🔥🪝🐟
If you want to try it out, you have to use his fork for now.
🚨 The big reveal of Evilginx Pro is finally OUT! 🚨
📔From this blog post you will learn what makes the Pro version different from the community one.
🎟️I explain how Evilpuppet secret token extraction works and showcase the core features.
Enjoy! 🪝🐟
So Windows 11 anti-phishing Smart Screen protection will be able to tell when you are entering your password into any app, on the kernel level.
Same with detecting passwords in input forms on websites, which I believe will be Edge exclusive.
Not sure what to think about this.
Short demo of how Evilginx Pro uses dynamic JavaScript obfuscation to protect your scripts, injected into phishing pages, from automated pattern recognition. 🙈🐟
Evilginx Pro is still in development and will be available exclusively to BREAKDEV RED members later this year. 🥳
💌 NEWS: Closed vetted community for Red Teams
Applicants need to be employed in red team companies.
🎁 Members get:
- FREE access to the private Evilginx phishlets repository on GitHub
- FREE access to the private community on Discord
Find out more:
Session hijacking a Microsoft 365 account! Stealing their credentials and bypassing MFA prompt with Evilginx: a reverse-proxy phishing framework! We stage a phishing domain and email pretense, and gain full access to the victim account!
My friend @waelmas01 just published his talk from BSides Cyprus 2023 where he gave one of the best live demos of a phishing attack using Evilginx, together with a great explanation of all the steps of how he perfected the attack. 🔥🪝🐟
Highly recommended!
🚨BREAKING🚨 I decided to pull a one-eighty and due to popular demand I am changing the access duration of Evilginx Mastery course from 365 days to LIFETIME!
This applies to existing customers as well!
(read note below)
Wael Masri (@waelmas01) has just given the BITB (browser-in-the-browser) phishing trick, from @mrd0x, a second life!
Wael implemented a very clever framebusting bypass as he injects BITB directly into the proxied website, without relying on detectable iframes.
Hire this guy! 🔥
🚨 New Phishing Attack: Frameless BITB + Evilginx (2024 edition)
🔐Full tutorial on how to set up one of the most believable phishing attacks using a new Browser In The Browser + Evilginx attack that bypasses even the most advanced framebusters.
Would you be more susceptible to phishing if the attacker prefilled the phished Google login page with your email and account profile picture? JavaScript injection coming soon to Evilginx! 🎣🤖
Evilginx Pro development is in progress!
Rewriting Evilginx to support client/server architecture is as painful as adding multiplayer to a game which was always meant to remain singleplayer 😀
As a side effect, though, you get a full-blown API to automate everything! 🔥
To anyone obsessed with low-level anti-debugging, obfuscation and evasion tricks, I highly recommend this post.
A remarkable analysis of a number of interesting tricks used in Roshtyak malware, by Jan Vojtěšek (from September 2022).
Dirk-Jan's @_dirkjan talk on phishing Entra ID tokens is finally out and if you can watch one talk this month, make it this one. Superb research really 🔥
Dirk-Jan figured out how to obtain the more privileged PRT token from a lesser refresh token.
🚨BREAKING: Evilginx 3.2 is OUT! 🪝🐟
To celebrate the release of the new update, here is the special 10% discount code for the Evilginx Mastery course!
🎁Code: EVILGINX32 (valid until 31st Aug)
🔗Link:
Phew! This took a while to implement.
🛠️ Evilginx Pro features added:
✅ Multiple domain support on a single instance
✅ DNS zones auto-managed via external DNS providers (Cloudflare, DigitalOcean etc.)
✅ Wildcard certificate auto-retrieval from LetsEncrypt
Coming soon! 🪝🐟
I've just released Evilginx 2.1. This version adds developer mode, better session cookie detection and regular expressions for both cookie names and POST arguments. Check out the write-up!
‼️ Exactly 6 years ago, on 24th April, the Evilginx 2.0 journey began.
Thank you to everyone who has used the tool since then.
It would not be the same without your involvement 💗
🎁 Who is excited for Evilginx 3.2 release NEXT WEEK? 🔥
One of the new features is the ability to pause your lures for a fixed time duration.
Useful if you want to prevent your lure URLs from being scanned right after you send them out or if you want to lay low for a day or two.
🚨 Evilginx 3.3 update is coming out NEXT WEEK! 🥳
Among the improvements, it will include one significant and long-awaited feature, requested by so many of you.
I've made a puzzle to give you a small hint. 🪝
Can you guess what it is?
I will be publishing some fun research next week! 🔥
Tools, PoC and cover art are ready. Need to follow up with a blog post and short demo video.
Stay tuned!
In a few hours, things may break (Sep 30 14:01:15 2021 GMT) 🙂.
The CA root certificate has been valid since 2000. I'm sure back then someone thought "21 years should be plenty of time for us to not have to worry about it!"
Great research by Yehuda on how to evade FIDO authentication when phishing MS accounts.
Spoiler: Let the server know the client doesn't support FIDO. Simple! 🤷♂️
The referenced PR has been merged into the master branch! 🥳
Follow @yudasm_ as a sign of appreciation! 🔥
Excited to share my latest research on phishing Windows Hello for Business by way of a downgrade attack, using EvilGinx.
Looking forward to your thoughts.
Read it here:
⏰ Evilginx Mastery Content Update is OUT! 🔥
💡 Available NOW to everyone with access to the course!
🎬 Check the "Deep Sea Phishing" module for new videos.
For newcomers, enjoy the 10% OFF discount code (until Friday): ♥️
GIMMEMOAR
Grab it HERE:
Did you want to use your own TLS certificates with Evilginx 3.x ❓
Now you can! 🪝🐟
1. Put your certificate and private key in: ~/.evilginx/crt/sites/<anyname>/
2. Disable LetsEncrypt with: `config autocert off`
3. Profit! (wildcard certs supported)
Udayveer is one of the most skilled Evilginx power users and he just published his Evilginx guide with configuration tips & tricks and IOC removal for Gophish and more! 🔥🪝🐟
You may want to bookmark this one. 🙂
Check out my phishing infrastructure setup guide notes, which I recently published on GitHub.
It contains tips and tricks along with some IOC removal for evilginx3.3 and GoPhish.
Thanks to @mrgretzky for integrating Gophish with evilginx.
#evilginx
💥 The wait is finally over ‼️ 💥
A total of 562 cybersecurity professionals have been approved!
Thank you everyone for the amazing response!
The number of applications exceeded my expectations. ♥️
Launching on November 9th 2023. 🚀
Let's make it feel like home! ☕️
-- Quick Announcement --
Microsoft 365 Personal & Enterprise advanced phishlet creation guide for Evilginx Mastery course is dropping tomorrow! (50 minutes of extra material) 🪝🐟🔥
Stay tuned!
I'm very happy to announce that I will once again be speaking at @x33fcon
I will be covering new phishing evasion techniques and talking about how IP blacklisting is pretty much useless these days.
Also - super humbled to be giving the first talk of the conference. 🔥
Dirk-jan developed a great technique proving you do not always need to phish for cookies to gain access. 🔥
Very humbled to see Evilginx used for capturing the tokens 💗
A few weeks ago I gave a talk at @a41con on how to phish for PRTs and phishing-resistant authentication methods 👀. The slides, plus a demo video on how to do this with credential phishing, are now on my blog:
New ASCII art looking great so far! 🔥
(made the logo a bit smaller)
Plus a small sneak peek into the new auto-update feature.
(and no, beta is not yet available if you wanted to ask 😜)
Created an AITM tool in a Serverless Function (Cloudflare Worker). Surprisingly, it only takes 174 lines of code to attack Microsoft tenants.
We spotted this method being used in the wild and decided to reproduce the attack.
Blog:
🚨 BLACK FRIDAY Evilginx Mastery -40% SALE 🚨
👑 40% discount (biggest yet!)
⏰ Only 24 hours
Code: BLACKFRIDAY40SALE
Link:
Hurry! It's active only until tomorrow!
I will be proudly showing the first demo of Evilginx Pro in action tomorrow live on stream with Stephen. 🔥
Super excited about this! 🥳
Come and join us if you're interested! 🪝🐟
Join us this Friday at 11AM PT with @mrgretzky as he shares with us his latest work on Evilginx and MFA bypasses!
We will be giving away THREE free seats to Kuba's "Evilginx Mastery" course! For those who don't win, we'll provide a 20% discount code!
I am filled with pride & joy having heard Evilginx compared to Cobalt Strike, on the latest episode of Risky Business.
Huge thank you to @jukelennings from @pushsecurity for making this bold statement (and for pronouncing Evilginx properly! 😜)
Sorry, I could not help myself 😆
We're still waiting for the full video of my most recent talk to be uploaded, but in the meantime do enjoy the slides: 🎣
A Smooth Sea Never Made a Skilled Phisherman, @x33fcon 2024
On Friday, I made the first official live presentation of Evilginx Pro on the Off By One Security show hosted by @Steph3nSims 👑
The live demo gods accepted the sacrifice and everything worked as planned throughout the whole one-and-a-half-hour stream 🥳
Our friend @mrgretzky hooked us up with 12 Evilginx Mastery courses - making it the 12 days of Evilginx Xmas :)
Course details:
Comment below for a chance to win.
Google: We want to encrypt the cookies stored in the browser locally and save the encryption keys securely in the TPM, so that even installed malware will not be able to extract them to hijack your accounts.
Microsoft: Hold my beer 🍺
Seems like it is more profitable to exploit the existence of Evilginx to push advertising for your own security product, instead of implementing universal anti-reverse-proxy measures to protect your customers and prevent such attacks from happening.
This is one of the very best Windows R&D posts I've read in a very long time, by @ElliotKillick 🔥
I've always struggled with running payloads properly from DllMain due to LoaderLock limitations and it seems Elliot managed to solve it. 🤯
Link:
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain. 🔍 Link in bio 🔗
Not sure how I missed this!
Luke Kavanagh (@LJKavster) has exhausted the topic on all the mitigations you can implement to protect your users from reverse proxy phishing 🔥🎣
Recommended reading not only if you are on the defense.