
Quick Start

Learn how to configure Evilginx and set up your first phishing campaign.

Start Evilginx and Evilpuppet following the deployment guide for your type of installation.

Set up a domain

When you start Evilginx for the first time, you will see warning messages about the server domain and server ipv4 not being set. This is the first thing you need to set up. As an example we'll use the domain and IP address from above.

: config domain not-a-phish.com
: config ipv4 1.2.3.4

If you're setting up a local development environment, you can pick whatever domain you want; make sure to set the ipv4 to a local IPv4 network address, e.g. 127.0.0.1.

Set up a phishlet

Now you can start enabling phishlets. You can list all of your available phishlets by typing phishlets. Whenever you need help or want to see the list of available commands, type help. When you need more information about a specific command, type help <command>, e.g. help phishlets.

Don't forget to use the Tab key: the Evilginx command prompt fully supports auto-completion, which makes it more convenient to use.

For this example we'll set up a LinkedIn phishlet to demonstrate how to set up your first engagement.

Set up a hostname for your LinkedIn phishing URL. You can pick whatever hostname you want, with as many subdomains as you want, on the condition that it ends with the top-level domain you set up with config domain.

Here's an example:

: phishlets hostname linkedin totally.legit.linkedin.not-a-phish.com

The last step is to enable the phishlet.

: phishlets enable linkedin

Now, if you're not running a local development instance (started with the -developer command line argument), Evilginx will start to automatically obtain the required TLS certificates from Let's Encrypt.

If your firewall rules for inbound TCP 443 and UDP 53 ports are set up correctly, Evilginx should be able to successfully obtain the security certificates and your phishlet should now be ready to use.

info

If you're running Evilginx in developer mode in a local deployment, you will have to manually modify your /etc/hosts or C:\Windows\System32\drivers\etc\hosts file to map the phishing hostnames to your local IP address.

To make it easier, Evilginx provides a way to generate a list of hosts automatically, which you can copy-paste into your hosts file:

: phishlets get-hosts linkedin
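From the defender's side, the hostname rule above means a phishing hostname can carry a brand name in any label while still ending in an unrelated domain. The following added example (not part of the Evilginx documentation or code) flags such hostnames in a constructed list of DNS or proxy log entries; the BRANDS allow-list and all function names are assumptions.

```python
# Added example: defender-side check, not Evilginx code.
# The brand allow-list is an assumption; extend it for your organisation.
BRANDS = {
    "linkedin": {"linkedin.com"},
}

# Constructed sample of hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTNAMES = [
    "www.linkedin.com",
    "totally.legit.linkedin.not-a-phish.com",  # hostname used on this page
    "LinkedIn.com.",                           # mixed case, trailing root dot
    "example.org",
    "linkedin.com.not-a-phish.com",
]


def normalize(hostname):
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return hostname.strip().lower().rstrip(".")


def is_under(hostname, domain):
    """True if hostname is the domain itself or one of its subdomains.
    The leading dot prevents 'notlinkedin.com' from matching 'linkedin.com'."""
    return hostname == domain or hostname.endswith("." + domain)


def brand_mismatch(hostname, brands=BRANDS):
    """Return the brand whose name appears inside a label of hostname although
    the hostname does not sit under any of that brand's legitimate domains."""
    host = normalize(hostname)
    labels = host.split(".")
    for brand, legit_domains in brands.items():
        named = any(brand in label for label in labels)
        if named and not any(is_under(host, d) for d in legit_domains):
            return brand
    return None


def scan(hostnames):
    """Map each suspicious hostname (normalized) to the brand it imitates."""
    hits = {}
    for h in hostnames:
        brand = brand_mismatch(h)
        if brand:
            hits[normalize(h)] = brand
    return hits
```

A hit is a lead for review rather than a verdict: partner or marketing domains that legitimately include the brand name belong in the allow-list.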

Set up a lure

With the phishlet up and running, you can now create a lure, which will become a phishing link you send out to users in order to lure them to your phishing page.

Create a lure for the linkedin phishlet:

: lures create linkedin

Your first lure will now be created with a random URL path.

You can list all created lures with:

: lures

Grab the URL link of your first lure (we assume the ID of the lure is 0):

: lures get-url 0

You can now copy the URL and paste it into your web browser. If you're testing locally, make sure to delete all cookies in your web browser every time before opening your phishing links.

Capture a session

As a test run, enter the credentials for your own account and go through the multi-factor authentication process.

When Evilginx successfully captures the credentials, together with the authentication cookies for the session, you will see the following message in the terminal window:

all authorization tokens intercepted!

List all captured sessions with:

: sessions

And pick the session of interest by specifying its ID (we assume the ID of the session is 0):

: sessions 0

You will see all the details of the captured session with username, password, IP address and user-agent.

At the bottom you will see the session cookie, which can be imported into your own browser to impersonate the captured session. You can find out more about it in a guide dedicated to sessions.

This concludes the tutorial. If you want to learn more, follow the guides on more specific features.