Evilgophish

evilginx3 + gophish

GitHub repository: fin3ss3g0d/Evilgophish

Combination of evilginx3 and GoPhish.

A Word About Sponsorship

This is the public, free version of the repository, IT IS NOT THE LATEST VERSION. I am purposefully keeping this public version of the repository behind my version for people that sponsor me via GitHub Sponsors. This means this version may be lacking bug fixes or features and there should be no expectations for bug fixes, adding features, or support here. Become a sponsor to gain access to the latest version.

Credits

Before I begin, I would like to say that I am in no way bashing Kuba Gretzky and his work. I thank him personally for releasing evilginx3 to the public. In fact, without his work this work would not exist. I must also thank Jordan Wright for developing/maintaining the incredible GoPhish toolkit. Kuba's Gophish fork was also used as inspiration for some parts of this project after he created his own integration.

Prerequisites

You should have a fundamental understanding of how to use GoPhish and evilginx3.

Disclaimer

I shall not be responsible or liable for any misuse or illegitimate use of this software. This software is only to be used in authorized penetration testing or red team engagements where the operator(s) has(ve) been given explicit written permission to carry out social engineering.

Why?

As a penetration tester or red teamer, you may have heard of evilginx3 as a proxy man-in-the-middle framework capable of bypassing two-factor/multi-factor authentication. This is enticing to us to say the least, but when trying to use it for social engineering engagements, there are some pain points.

  1. Lack of tracking - evilginx3 does not provide unique tracking statistics per victim (e.g. opened email, clicked link, etc.). This is problematic for clients who want/need/pay for these statistics when signing up for a social engineering engagement.

  2. Not a full social engineering toolkit - evilginx3 only provides proxy man-in-the-middle capabilities; it does not provide all of the functionality required for a social engineering campaign via email/SMS. For example, it does not send emails to targets or provide this functionality.

  3. No GUI - do we really need to explain this one further? We all love our GUIs and the visual representation of data for a social engineering campaign is invaluable. Operators can really get a thorough understanding as to the success of their social engineering campaigns by being able to view a visual representation of the data.

Background

In this setup, GoPhish is used to send emails and provide a dashboard for evilginx3 campaign statistics, but it is not used for any landing pages. Your phishing links sent from GoPhish will point to an evilginx3 lure path and evilginx3 will be used for landing pages. This provides the ability to still bypass 2FA/MFA with evilginx3, without losing those precious stats. Realtime campaign event notifications have been provided with a local websocket/http server I have developed and full usable JSON strings containing tokens/cookies from evilginx3 are displayed directly in the GoPhish GUI (and feed):

[Image: new-dashboard]

Infrastructure Layout

[Image: infrastructure diagram]

  • evilginx3 will listen on an externally accessible address on port 443 (or whatever port you choose in evilginx3 configuration)
  • GoPhish will listen locally on port 8080 and 3333 (phishing server on port 8080 is not used)
  • Cloudflare Turnstile server will listen locally on port 80

setup.sh

setup.sh has been provided to automate the needed configurations for you. Once this script is run and you've fed it the right values, you should be ready to get started. Below is the setup help:

Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <feed bool> <rid replacement>
 - root domain                     - the root domain to be used for the campaign
 - subdomains                      - a space separated list of evilginx3 subdomains, can be one if only one
 - root domain bool                - true or false to proxy root domain to evilginx3
 - feed bool                       - true or false if you plan to use the live feed
 - rid replacement                 - replace the gophish default "rid" in phishing URLs with this value
Example:
  ./setup.sh example.com "accounts myaccount" false true user_id
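
A defender-side view of the rid replacement option, as an added example that is not part of the Evilgophish project: because the parameter name can be changed, hunting proxy logs for `rid=` alone misses renamed links, so this Python example also counts distinct token-shaped values per link. The log lines are constructed, and the 7-character alphanumeric token shape and the `min_distinct` threshold are assumptions to tune against your own samples.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

DEFAULT_PARAM = "rid"  # GoPhish default parameter name, as stated above
# Assumption: tracking tokens are short alphanumeric strings (7 characters here).
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{7}$")

# Constructed proxy-log sample, one "<user> <url>" entry per line.
SAMPLE_LOG = [
    "alice https://accounts.example.com/login?rid=aB3dE9x",
    "bob https://accounts.example.com/login?user_id=Qw8rT2z",
    "carol https://accounts.example.com/login?user_id=Zx1cV7b",
    "dave https://shop.example.net/item?sku=1234567",
    "erin https://docs.example.org/view?page=2",
]


def classify(url):
    """Return (verdict, param, token) for a suspicious URL, else None."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for name, value in params:
        if name.lower() == DEFAULT_PARAM and TOKEN_RE.match(value):
            return ("default-rid", name, value)
    # Renamed parameter: a lone query parameter with a token-shaped value.
    if len(params) == 1 and TOKEN_RE.match(params[0][1]):
        return ("renamed-candidate", params[0][0], params[0][1])
    return None


def hunt(log_lines, min_distinct=2):
    """Count distinct tokens per (host, path, param, verdict)."""
    # Per-recipient tracking puts many distinct tokens on one link, so a
    # renamed candidate is reported only once min_distinct tokens are seen.
    tokens = defaultdict(set)
    for line in log_lines:
        _user, url = line.split(maxsplit=1)
        hit = classify(url.strip())
        if hit:
            verdict, name, value = hit
            parts = urlsplit(url.strip())
            tokens[(parts.hostname, parts.path, name, verdict)].add(value)
    return {key: len(vals) for key, vals in tokens.items()
            if key[3] == "default-rid" or len(vals) >= min_distinct}


if __name__ == "__main__":
    for key, count in hunt(SAMPLE_LOG).items():
        print(key, count)
```

The single `sku=1234567` hit is suppressed because only one distinct value was seen on that link, which is how the grouping keeps static seven-character identifiers from raising alerts.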

Cloudflare Turnstile Setup

Cloudflare Turnstile integration has superseded redirect rules and an IP blacklist with Apache2. The Apache2 approach relied on a predefined list of redirect rules and an IP blacklist, so it could miss certain user agents, hosts, or IP addresses that end up detecting our infrastructure. This detection is usually done by bots and automated software that scan for phishing infrastructure. At the time of writing, Cloudflare Turnstile is one of the best defenses against bots and one of the best ways of verifying that an actual user is accessing your site.

  1. Create a Cloudflare account
  2. Select the Turnstile tab in the dashboard
  3. Add a new site and use the domain for your phishing site/campaign
  4. Edit the evilginx3/templates/forbidden.html & evilginx3/templates/turnstile.html files with your own changes
  5. When starting evilginx3, include the public/private keys with the turnstile flag separated by a :. For example:
     ./evilginx3 -feed -g ../gophish/gophish.db -turnstile <PUBLIC_KEY>:<PRIVATE_KEY>

Blog post here.

Cloudflare Turnstile HTML Template Guide

If I were to include a static HTML page for the Cloudflare Turnstile functionality, everyone's phishing infrastructure would have the same page and it would lead to static HTML code detections. In comes Go HTML templates. I have included a starter template in evilginx3/templates/turnstile.html as a guideline. YOU WANT TO CHANGE THIS. Here are the rules around how the template code is set up; failure to follow these rules will likely result in breaking the Cloudflare Turnstile functionality:

  1. You must include the {{.FormActionURL}}, {{.ErrorMessage}}, and {{.TurnstilePublicKey}} template variables
  2. The form action URL for submitting the Turnstile challenge must be the {{.FormActionURL}} template variable
  3. The data-sitekey value for the cf-turnstile div class must be the {{.TurnstilePublicKey}} template variable
  4. You must save the template at evilginx3/templates/turnstile.html
  5. The button to submit the challenge form must have its name attribute equal to button

replace_rid.sh

In case you ran setup.sh once and already replaced the default RId value throughout the project, replace_rid.sh was created to replace the RId value again.

Usage:
./replace_rid <previous rid> <new rid>
 - previous rid      - the previous rid value that was replaced
 - new rid           - the new rid value to replace the previous
Example:
  ./replace_rid.sh user_id client_id

Email Campaign Setup

Once setup.sh is run, the next steps are:

  1. Start GoPhish and configure email template, email sending profile, and groups
  2. Start evilginx3 and configure phishlet and lure (must specify full path to GoPhish sqlite3 database with -g flag)
  3. Launch campaign from GoPhish and make the landing URL your lure path for evilginx3 phishlet
  4. PROFIT

QR Code Generator

The QR Code Generator feature allows you to generate QR codes to deploy QR code social engineering campaigns. Here are the steps to use it:

  1. When editing an email HTML template, you can now include the {{.QR}} template variable:

[Image: qr-code-generator]

  2. When starting a new campaign, enter a size for the QR code images:

[Image: qr-campaign-example]

  3. The outcome will be similar to the following, but you can adjust the size to meet your needs:

[Image: qr-inbox-example.png]

  4. PROFIT

Note that this feature is only supported for email campaigns and HTML email templates at the moment.

Blog post here.

SMS Campaign Setup

An entire reworking of GoPhish was performed in order to provide SMS campaign support
