Phishing

  • December 1, 2020

    Hack Passwords and Bypass 2FA.

    I have always manually set up phishing campaigns. I’d create servers, configure domains, copy web applications, set up TLS certificates and everything else that goes with a phish, all by myself. I never used phishing frameworks because I wanted to make sure everything I was doing would meet my expectations. I recently looked at phishing frameworks and came across Evilginx2. Wow, this tool is awesome and so user friendly! A lot of the manual work is really not necessary when using this tool, and thus, here’s a tut.

    How to Set Up Evilginx2

    To start with, you really want a new server and public IP for this, rather than using your own IP address within a LAN, which may cause NAT issues. The easiest way to get up and running is by using a cloud provider like AWS or Digital Ocean. I use Digital Ocean because it has a very simple ‘one click’ style install for Linux servers. You won’t need a huge amount of resources for this, so feel free to choose a $10 package. It really depends on how many users you expect to be processing through your host. Once you have the infrastructure bought, you will need a domain to pair with it, more on this later.

    Evilginx2 Installation

    Before we get into using Evilginx2, you will want to install it onto your server. You can download the tool from the following URL: https://github.com/kgretzky/evilginx2. The installation instructions on GitHub are pretty straightforward, but I found they don’t cover everything you need to install on Ubuntu, so here you go:

    Step 0: Ensure DNS will not conflict with Evilginx2

    Firstly, edit the nameserver in “/etc/resolv.conf” to a DNS provider of your choosing. I used Google, which is 8.8.8.8, shown below. Now run the following command: systemctl stop systemd-resolved

    Step 1: Install GoLang...