
Phishlets

Phishlets are small configuration files used to configure Evilginx for targeting specific websites, with the goal of performing phishing attacks.

By default, phishlets reside in the phishlets directory, in the root directory of the Evilginx binary.

Phishlets are created in YAML format and the current documentation of the phishlet format can be found here.

Managing Phishlets

Set up hostname

The first thing you have to do to enable a phishlet is to set up its hostname, which will be used in your generated phishing URLs. The hostname must always end with the top-level domain you set up for Evilginx.

For example, if your top-level domain is not-a-phish.com and you want to set up a linkedin phishlet, you can pick the following hostname:

: phishlets hostname linkedin linkedin.not-a-phish.com

Enable or disable phishlets

Whenever you change the phishlet's hostname, it will automatically disable itself. Enable it with:

: phishlets enable linkedin

Once the phishlet is enabled, Evilginx will attempt to retrieve TLS certificates for the required hostnames automatically from Let's Encrypt. Certificates will be renewed automatically whenever they approach their expiration date.

caution

Using your own TLS certificates is not yet supported. Please contact me and let me know if such a feature is important to you.

You can also disable a phishlet. Disabled phishlets will not allow any clients to connect to the hostnames you set up for that phishlet. It is useful to disable any phishlets you are not currently using, to protect your links from online scanners.

: phishlets disable linkedin

Hiding phishlets

Hiding a phishlet makes all requests to its phishing links be treated as unauthorized connections. If redirect_url is set up in the config, unauthorized requests are redirected there; otherwise Evilginx returns a 403 error. Requests made to hidden phishlets will add the requesting IP to the blacklist, if the blacklist is configured to do so.

Hide a phishlet:

: phishlets hide linkedin

Unhide a phishlet:

: phishlets unhide linkedin

Redirect unauthorized requests

You can override the global unauthorized request redirect URL (config unauth_url) per phishlet if you want. If the value set for a phishlet is empty, the global unauth_url will be used.

Set custom unauthorized redirect URL:

: phishlets unauth_url linkedin https://www.nothingtoseehere.com

Remove the custom unauthorized redirect URL:

: phishlets unauth_url linkedin ""

Hosts file for local development

If you are using Evilginx in a local development environment, you will need to update your local hosts file so that the phishlet's hostnames resolve to your local IP address.

You can obtain the output you need to copy-paste into your /etc/hosts or C:\Windows\System32\drivers\etc\hosts like this:

: phishlets get-hosts linkedin

Template Phishlets

Overview

Sometimes the targeted website for your phishing engagement may be using a personalized hostname, unique to the company you are targeting. Targeting a website with a unique hostname would usually require creating a custom phishlet, even though the phishlet's functionality would stay the same.

Evilginx now allows you to create phishlet templates, which can include placeholders in the form of custom variables. These placeholders are replaced with user-defined values when creating child phishlets, which derive from the template phishlet.

As an example we'll look into an Okta phishlet. Okta hostnames usually consist of okta.com as the top-level domain and the company identifier as a subdomain. In order to support customization of subdomains for <subdomain>.okta.com targets, we can define the following in our phishlet:

params:
  - {name: 'subdomain', default: '', required: true}
proxy_hosts:
  - {phish_sub: '{subdomain}', orig_sub: '{subdomain}', domain: 'okta.com', session: true, is_landing: true}
login:
  domain: '{subdomain}.okta.com'
  path: '/'

Having a params group in the phishlet defines it as a template phishlet. This means you will have to create child phishlets from the template, specifying the values for the custom variables.

Template phishlets support the use of custom variables throughout the whole phishlet. Any string pattern of the form {variable_name} will be automatically replaced with the user-defined value when a child phishlet is created.

To confirm whether a phishlet is a template phishlet, type:

: phishlets okta

And you will get output like:

 phishlet   : okta
 parent     :
 status     : template
 visibility : visible
 hostname   :
 unauth_url :
 params     : subdomain: (required)

That way you can learn that the phishlet is a template and that it requires a value for the subdomain custom variable, without having to look into the phishlet file.

Create a child phishlet

We'll pick the name company for our child phishlet and create it like this:

: phishlets create okta company subdomain=company-team

You will now see that a new phishlet named okta:company was created.

: phishlets okta:company

 phishlet   : okta:company
 parent     : okta
 status     : disabled
 visibility : visible
 hostname   :
 unauth_url :
 params     : subdomain: company-team

This is now a fully functional phishlet, which can be used to create lures. Remember to set up its hostname and enable it afterwards.
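To show how the placeholder mechanism and the child-creation step above fit together, here is an added Python example (not Evilginx's own code) that an analyst reviewing a phishlet file can use to tell a template from an ordinary phishlet, list its required parameters, render a child the way phishlets create does, and list the original hosts the result would proxy. It assumes the flow-style YAML entry layout shown on this page for params and proxy_hosts, and uses only the standard library.

```python
import re

# Constructed sample input: the Okta template phishlet fragment shown on this page.
OKTA_TEMPLATE = """params:
  - {name: 'subdomain', default: '', required: true}
proxy_hosts:
  - {phish_sub: '{subdomain}', orig_sub: '{subdomain}', domain: 'okta.com', session: true, is_landing: true}
login:
  domain: '{subdomain}.okta.com'
  path: '/'
"""

# A {variable_name} placeholder. YAML flow maps such as {name: ...} contain ':' and never match.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Assumption: params and proxy_hosts entries use the flow-style layout shown on this page.
PARAM_ENTRY = re.compile(r"\{name:\s*'([^']+)',\s*default:\s*'([^']*)',\s*required:\s*(true|false)\}")
PROXY_HOST = re.compile(r"orig_sub:\s*'([^']*)',\s*domain:\s*'([^']+)'")


def parse_params(text):
    """Return {name: (default, required)} from the params group; empty means not a template."""
    return {m.group(1): (m.group(2), m.group(3) == "true") for m in PARAM_ENTRY.finditer(text)}


def is_template(text):
    return bool(parse_params(text))


def render_child(template, values):
    """Fill placeholders with user-supplied values, as 'phishlets create' does for a child.

    Raises ValueError if a required parameter is missing or a placeholder has no param."""
    params = parse_params(template)
    missing = [n for n, (_, req) in params.items() if req and not values.get(n)]
    if missing:
        raise ValueError("missing required params: " + ", ".join(missing))
    unknown = set(PLACEHOLDER.findall(template)) - set(params)
    if unknown:
        raise ValueError("undefined placeholders: " + ", ".join(sorted(unknown)))
    filled = {n: values.get(n) or default for n, (default, _) in params.items()}
    return PLACEHOLDER.sub(lambda m: filled[m.group(1)], template)


def target_hosts(phishlet_text):
    """List the original hosts a rendered phishlet proxies (orig_sub.domain), for triage."""
    return [f"{sub}.{domain}" if sub else domain for sub, domain in PROXY_HOST.findall(phishlet_text)]


if __name__ == "__main__":
    child = render_child(OKTA_TEMPLATE, {"subdomain": "company-team"})
    print("template:", is_template(OKTA_TEMPLATE), "targets:", target_hosts(child))
```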

When you're done with a child phishlet, you can delete it with:

: phishlets delete okta:company

Commands

: help phishlets

phishlets

Shows status of all available phishlets and allows to change their
parameters and enabled status.

phishlets
  show status of all available phishlets
phishlets <phishlet>
  show details of a specific phishlets
phishlets create <phishlet> <child_name> <key1=value1> <key2=value2>
  create child phishlet from a template phishlet with custom parameters
phishlets delete <phishlet>
  delete child phishlet
phishlets hostname <phishlet> <hostname>
  set hostname for given phishlet (e.g. this.is.not.a.phishing.site.evilsite.com)
phishlets unauth_url <phishlet> <url>
  override global unauth_url just for this phishlet
phishlets enable <phishlet>
  enables phishlet and requests ssl/tls certificate if needed
phishlets disable <phishlet>
  disables phishlet
phishlets hide <phishlet>
  hides the phishing page, logging and redirecting all requests to it (good for avoiding scanners when sending out phishing links)
phishlets unhide <phishlet>
  makes the phishing page available and reachable from the outside
phishlets get-hosts <phishlet>
  generates entries for hosts file in order to use localhost for testing