DISCLAIMER: All infrastructure, accounts and domains were used temporarily on accounts and domain I own and were not used to conduct real phishing attacks. DO NOT attempt to attempt phishing attacks on users without their prior permission.

Introduction

Evilnginx2 is a reverse proxy type phishing kit/framework, designed to be the man in the middle between a user and a service such as Microsoft 365. It is simple to use requiring simply a linux server with docker installed, it’s small enough also that it can be run on a AWS ec2.t2.micro instance!

The webserver used is a custom version of the http server Nginx. The application itself is written fully in the programming language GO as a standalone application. The simplicity of setting up and configuring evilnginx2 is very easy and quick, all you need is a registered domain and a server.

Evilnginx2 is very similar to a new “evilproxy” service that has surfaced allowing people to pay for a phishing service that is a reverse proxy type phishing server. The application/docker container is extremely lightweight, in the demonstration later in the document, I used a T2.Micro AWS EC2 instance for which little resources were used. I am hoping this document will demonstrate how simple and easy it is to quickly spin up phishing URLS/sites to capture user credentials and session tokens.

Throughout this post I will be using my test domain “microsoft.zero0ne.net”

How it works

Evilnginx2 runs based off templates or “phishlets” which are preconfigured configuration files for the specific site you want to man in the middle, although it does come with premade templates for commonly used sites such as Micrsoft outlook, you can create your own custom ones for specifc sites.

Evilnginx2 runs its own http and DNS server to carry out the attacks. The HTTP server is used to host the phishing websites and reverse proxy and the DNS server is used to create subdomains for each predefined proxy host domains. This requires the NS records for your domain to be set to the evilnginx2 server, this allows the server to spin up subdomains as needed.

Whilst configuring evilnginx2 when you enable a phishlet, for each predefined proxy hosts domain within the phishlet configuration evilnginx2 will use letsencrypt to request a valid TLS certificate. For example, we are using the domain “microsoft.zero0ne.net”, when using the outlook phishlet, evilnginx2 will request certificates for outlook.microsoft.zero0ne.net, login.microsoft.zero0ne.net and account.microsoft.zero0ne.net which will be used in the reverse proxy for HTTPS.

By design evilnginx2 hides itself from internet scanners by using a redirect URL. For example when setting up a lure, you set a redirect URL, this has two purposes, the first is when successful authentication is completed the user is redirected to the set URL, and second is when something or someone attempts to connect to the domain or server IP, for example if the lure URL is https://outlook.microsoft.zero0ne.net/oafghe3 if the exact URL is not entered for say https://outlook.microsoft.zero0ne.net is entered they will be redirected to the redirect URL set seamlessly avoiding detection by internal crawlers or possibly security analysts.

All commands and setup instructions can be found on the evilnginx2 github page.
Github Page -> github.com/kgretzky/evilginx2

Example of a phishlet for outlook.com.

Additional phishlets are available, these are included in the evilnginx2 docker container.

Installation

To install evilnginx2, you will need is docker and git installed as well as no other services running on port 53/udp, 80/tcp and 443/tcp

Confiruration

First, we set the root domain we want to use as well as the evilnginx2 server IP.

Next, we set the hostname for the phishlet we want to use, in this case it is the outlook phishlet. And we want the URL domain to be outlook.microsoft.zero0ne.net Once we set the hostname for the phishlet, you enable the outlook phishlet. In this step evilnginx2 will go and request the appropriate certificates from letsencrypt as predefined in the phishlet config file.

If the server has any DNS errors regarding letsencrypt they will be displayed.

Next, we create the lure, set the lure redirect URL. The lure redirect URL is what the server will redirect the user to once successful authentication has been completed OR if a request to the server is not the redirect URL. Then display the lure URL.

As seen in this screenshot, all of the unauthorized requests are clients attempting to connect to the server but not using the lure URL, this will redirect them to whichever URL you set in the lure redirect URL.

The Attack

Now we have evilnginx2 setup with the phishing URL, if we navigate to the URL, we can see it looks identical to the outlook login page, this is because evilnginx2 is a reverse proxy which just proxy’s requests through. As you can see in the URL, the domain is login.microsoft.zero0ne.net.

Using a generic outlook account with multi factor authentication enabled. Once the user logins in we can see the credentials are logged in the output. Once the authentication is complete the user is redirected to google.com which was set as the redirect URL, this can be set to outlook.com which will make it seem like nothing happened.

Whenever a successful authentication is completed, it is logged as a session, below we can see two logged sessions, and if we select a session, we can see the credentials as well as the session token. This can be used to login to the account without MFA.

Logging In

Using the Firefox extension “edithiscookie” we can import the session cookie.

Refreshed the page and we are in.

As you’ve just seen, it’s that easy to quickly spin up evilnginx2 with minimal setup and resources to start a phishing attack using evilnginx2.

REMINDER: This is for educational purposes only, do not attempt to use what I have shown you here to use on someone without prior written authorization.