Lures
Lures are essentially pre-generated phishing links, which you will be sending out on your engagements. Evilginx provides multiple options to customize your lures.
Create
A lure has to be assigned to a specific phishlet. For example to create a lure for linkedin
phishlet, you can do:
: lures create linkedin
The lure you create will automatically get an ID assigned. Let's assume the ID of your new lure is 0
. You can always check the list of your lures with:
: lures
Customize
By default, lure URL will come with a randomly generated path, hostname being the one you set up for the phishlet and subdomain which is defined in the phishlet with is_landing: true
.
Your default lure URL should look like this:
: lures get-url 0
https://www.linkedin.not-a-phish.com/PlXFBIrM
You can already take this URL and send it out, but you will miss out on a lot of customizations you can introduce to make the lures look better.
Pause
You can pause a lure for a fixed time duration if you want the lure URL to redirect the visitor to unauth_url
, you set up globally or for specific phishlet, until the timer expires.
The time duration must be enetered in 1d2h3m4s
format.
If you want to pause a lure for 1 day and 12 hours:
: lures pause 0 1d12h
If you want to pause a lure for 5 minutes:
: lures pause 0 5m
If you want to pause a lure for 1 minute and 30 seconds:
: lures pause 0 1m30s
Unpause
Every paused lure can be unpaused at any time:
: lures unpause 0
Hostname
If you're not satisfied with the hostname, which was automatically generated, you can pick any hostname for your lure, under condition that it ends with the top-level domain you set up for your Evilginx installation.
To change hostname for your lure:
: lures edit 0 hostname this.is.a.legit.linkedin.not-a-phish.com
Setting up a custom hostname for a lure will also trigger an automatic retrieval of TLS certificates.
Path
You can also entirely change the path of your phishing landing page for selected lure.
: lures edit 0 path /downloads/RESUME.pdf
Redirector
Redirectors are little websites, which act as a landing page for your phishing links. Selected redirector will be shown to the visitor when the lure URL is opened. Their sole purpose is to redirect the user to the phishing login page, either automatically or requiring user interaction. You can customize your redirectors with custom variables embedded in their HTML files. like {variable_name}
. Values for these variables can be automatically filled in through the generation of lure URLs, using lures get-url
.
To set a specific redirector for your lure do:
: lures edit 0 redirector download_example
Learn how to generate URLs with custom values for redirector variables here
User-Agent filter
This option specifies a regular expression, which has to match the User-Agent
HTTP header of the incoming requests to be accepted. Unauthorized requests will be redirected the same way as requests to invalid lure URLs.
You can use this to filter out desktop or mobile clients, if you only want to cover a specific target group.
: lures edit 0 ua_filter Mobile|Android|BlackBerry
Redirect URL
When the phished user successfully enters their credentials and Evilginx manages to capture them, together with the session cookies, they will be redirected to the URL defined under this option.
If this option is empty, Evilginx will try it's best to continue performing reverse-proxying for logged in users.
: lures edit 0 redirect_url https://drive.google.com/shared/document/0019234/preview
OpenGraph
OpenGraph is the current standard for meta tags to generate previews of website content when sharing links on messengers or social media. Evilginx fully supports customization of the previews for your phishing links. It will inject the set up meta tags into both your redirectors and reverse proxied sign-in pages.
: lures edit 0 og_title "Download RESUME.pdf"
: lures edit 0 og_desc "Download your file securely - click to preview"
: lures edit 0 og_image https://breakdev.org/content/images/2020/09/evilginx_gone_phishing_blog.jpg
: lures edit 0 og_url https://drive.google.com/shared/document/0019234/preview
Here is a quick overview of all the options:
Option | Description | Example |
---|---|---|
og_title | Title (up to 60 characters) | Evilginx 2.4 - Gone Phishing |
og_desc | Description (up to 160 characters) | "Gone Phishing" 2.4 update to your favorite phishing framework is here. May the phishing season begin! |
og_image | Preview image URL (recommended 1200 x 630) | https://breakdev.org/content/images/2020/09/evilginx_gone_phishing_blog.jpg |
og_url | URL visible on the preview | https://breakdev.org/evilginx-2-4-gone-phishing/ |
Information (Notes)
You can also set up some private notes for your lure:
lures edit 0 info "This is a test lure - do not use on engagements"
Generate URL
When you're done customizing your lure, you can start generating your phishing links, which you'll be sending out in your engagement.
Single
If your lure is not using custom variables through a redirector or js_inject
section in your phishlet, you can generate a link simply like this:
: lures get-url 0
If your phishing campaign supports personalized redirectors, together with ability to pre-fill some sign-in form data, allowed by the phishlet you're using, you can specify custom variables while generating phishing links.
Let's say your redirector and/or js_inject
script makes use of your target email
and name
:
lures get-url 0 email=john.doe@company.com name="John Doe"
info
You can escape "
characters with \"
.
The values for defined custom variables will be encrypted into a single GET
parameter for the link. The parameter name is always randomly generated and the encrypted value is always unique, even when using the same values multiple times. This ensures that GET
parameters cannot be fingerprinted later on as they never provide a static signature.
Multiple
Understandably, your engagements will require generation of dozens if not hundreds of personalized phishing links for your engagement. Evilginx thankfully provides a way to generate the links in bulk, all at once.
You can provide an input file with your custom variables in csv
or json
format.
This is an example csv
input file. The first row specifies the variable names as column names and the rows below contain just the values:
email,name
john.doe@company.com,John Doe
elle@company.com,Elle
steven@company.com,Steven
The same input file in json
format would like the following:
[{
"email":"john.doe@company.com",
"name":"John Doe"
},{
"email":"elle@company.com",
"name":"Elle"
},{
"email":"steven@company.com",
"name":"Steven"
}]
To import the custom variables form an input file and output the generated links in the terminal, do it like this:
: lures get-url 0 import input.csv
Or
: lures get-url 0 import input.json
It may be more convenient to export the generated links to a file, which is also possible:
: lures get-url 0 import input.csv export targets.txt
Exported output will also include original values as comments, so that you know which link contains what parameters:
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?h=WYofPy3LHfWukWZvz55jLf8LNJ_ys0-IMGLxtn246RXGIE2Ep8q1kijrEoO5QkN0Gg ; email="john.doe@company.com" name="John Doe"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?jck=CFSmJJcaWrS--tPAGJbbM5mGdc4wJ_dDtf0GoVYeH3u33q43LExgnG0 ; email="elle@company.com" name="Elle"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?t=YTvVbl6ZQHMUKBbF88TRrv_gkSA8tdVV0USJTt5EjWDDlArmGvnaA2amm9l7 ; email="steven@company.com" name="Steven"
Commands
: help lures
lures
Shows all create lures and allows to edit or delete them.
lures
show all create lures
lures <id>
show details of a lure with a given <id>
lures create <phishlet>
creates new lure for given <phishlet>
lures delete <id>
deletes lure with given <id>
lures delete all
deletes all created lures
lures get-url <id> <key1=value1> <key2=value2>
generates a phishing url for a lure with a given <id>, with optional parameters
lures get-url <id> import <params_file> export <urls_file> <text|csv|json>
generates phishing urls, importing parameters from <import_path> file and exporting them to <export_path>
lures edit <id> hostname <hostname>
sets custom phishing <hostname> for a lure with a given <id>
lures edit <id> path <path>
sets custom url <path> for a lure with a given <id>
lures edit <id> redirector <path>
sets an html redirector directory <path> for a lure with a given <id>
lures edit <id> ua_filter <regexp>
sets a regular expression user-agent whitelist filter <regexp> for a lure with a given <id>
lures edit <id> redirect_url <redirect_url>
sets redirect url that user will be navigated to on successful authorization, for a lure with a given <id>
lures edit <id> phishlet <phishlet>
change the phishlet, the lure with a given <id> applies to
lures edit <id> info <info>
set personal information to describe a lure with a given <id> (display only)
lures edit <id> og_title <title>
sets opengraph title that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_des <title>
sets opengraph description that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_image <title>
sets opengraph image url that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_url <title>
sets opengraph url that will be shown in link preview, for a lure with a given <id>