What's new?

Here are the most important features added to Evilginx Pro, which are not available in the community version of the phishing framework.

Client-Server Architecture

Evilginx has always worked as both the client and the server. You would deploy the application to an external server and control it from a terminal session over SSH to that remote server.

Evilginx Pro allows you to deploy dedicated Evilginx servers, which work as background daemons and start automatically on every server reboot. You can control and deploy multiple Evilginx servers straight from a single Evilginx client instance, running in the terminal on your local PC, whether you're on Windows, Linux or Mac.

Evilginx API

One of the most requested features of Evilginx was the ability to extract captured data from the server remotely. With the client-server architecture of Evilginx Pro, anyone can now write their own tooling against the API exposed by every Evilginx server instance.

The API is exposed via HTTPS, listening on the same TCP port 443 as the main Evilginx HTTPS server. Evilginx Pro implements a stealth channel, which cannot be interacted with without knowing the internal secret hostname of the API request handler. The connection is additionally protected with a client certificate, so that only legitimate, whitelisted Evilginx Pro users can connect to the Evilginx API server.

Wildcard TLS Certificates

The biggest issue most red teams struggled with was the fact that once Evilginx obtained a TLS certificate, the phishing hostname would immediately get listed in the public Certificate Transparency logs. This resulted in dozens of security products immediately scanning the Evilginx server for malicious activity, and often in the phishing server getting blacklisted before it could be used for the engagement.

Evilginx Pro will now obtain wildcard TLS certificates by default, which prevents the hostname of the phishing server from being fully exposed. Security products will be unable to scan the phishing server based on the logged TLS certificate, since the subdomain in a wildcard certificate is an asterisk. The full hostname of the phishing pages is never disclosed in clear text.

Botguard

Additionally, Evilginx Pro implements Botguard, which prevents security products from accessing the phishing website even if the hostname and full phishing URL are known to them.

Botguard uses multiple techniques, combining JA4 signature fingerprinting with analysis of telemetry retrieved from the client browser using Javascript. These methods are used to determine whether the phishing server was accessed by bots or other automated means.

If bot-like behaviour is detected, Evilginx Pro will display a spoofed website, reverse proxied from an external URL predefined by the red team operator. You can learn more about how it works in the x33fcon keynote by the Evilginx creator.

Community Phishlets Database

Evilginx has always been considered a phishing framework that can be extended with "phishlets" to target specific websites. The open-source version of the framework was made available without ready-to-use phishlets. This decision was made for ethical reasons, so that it would not be too easy for malicious actors to wreak havoc with it out of the box. Since Evilginx Pro is now made available only to vetted red team professionals, the risk of misuse of the phishing framework is much lower.

Evilginx Pro now lets you access the community-curated database of ready-to-use phishlets to use for your next phishing engagement. Keep in mind though that there is no guarantee that the phishlets will be constantly updated to work with the most recent version of the target websites.

Evilpuppet (background browser)

With the increasing number of defenses against phishing implemented by the industry leaders, Evilginx had to innovate to keep up with the changing ecosystem. Websites will often gather telemetry metadata from the user's web browser to determine whether the user is in the middle of being phished by a malicious actor.

Evilpuppet implements a web browser, running on the Evilginx server in the background, to generate legitimate web browser telemetry, which can be extracted and injected into Evilginx Pro phishing sessions in real time during the phishing attack.

External DNS Management

By default, apart from acting as an HTTP server, Evilginx also acted as a nameserver, listening on UDP port 53 for DNS requests. This allowed Evilginx to be flexible in managing an unlimited number of phishing hostnames required by various phishlets. It also made Evilginx fairly easy to detect, however: anyone investigating the nameservers configured at the phishing domain's registrar would notice that the phishing server is hosted on the same IP as the nameservers tied to the domain.

Red teams were able to mitigate that issue by using external DNS providers, but in doing so they lost that flexibility, since all DNS records had to be managed manually rather than through Evilginx automation.

Evilginx Pro now retains that flexibility even when using external DNS providers. Evilginx can be configured to manage DNS records externally through the API of supported third-party DNS providers, making it both stealthier and easier to use.
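As an added defender-side example (not Evilginx code), the investigation described in this section: given the records an analyst has already resolved for a suspicious domain, flag nameservers that sit inside the domain itself and share an IP address with the web host. The `DnsView` class, the function names and the sample records are constructed for illustration; the external-DNS sample shows why the same check stays silent once records are hosted with a third-party provider.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class DnsView:
    """Records an analyst has already resolved for one suspicious domain (constructed)."""
    domain: str
    web_addresses: set            # A/AAAA of the phishing host (web server)
    ns_hosts: set                 # NS hostnames delegated at the registrar
    ns_addresses: dict = field(default_factory=dict)  # NS hostname -> {A/AAAA}


def in_bailiwick(ns_host: str, domain: str) -> bool:
    """True when the nameserver name lives inside the domain it serves (glue record)."""
    ns_host, domain = ns_host.rstrip(".").lower(), domain.rstrip(".").lower()
    return ns_host == domain or ns_host.endswith("." + domain)


def self_hosted_ns_findings(view: DnsView) -> list:
    """Return one finding per indicator that the web host also runs the zone's DNS."""
    # Normalise textual addresses so '2001:db8::1' and '2001:DB8:0:0::1' compare equal.
    web_ips = {str(ip_address(a)) for a in view.web_addresses}
    findings = []
    for ns in sorted(view.ns_hosts):
        ns_ips = {str(ip_address(a)) for a in view.ns_addresses.get(ns, ())}
        if in_bailiwick(ns, view.domain):
            findings.append(f"{ns}: nameserver is inside {view.domain} itself (not a third-party DNS provider)")
        shared = sorted(web_ips & ns_ips)
        if shared:
            findings.append(f"{ns}: nameserver shares address {', '.join(shared)} with the web host")
    return findings


# Constructed samples: a self-hosted setup (web server and both nameservers on one IP)
# and an external-DNS setup for the same domain, which the check does not flag.
SELF_HOSTED = DnsView(
    domain="login-portal-example.test",
    web_addresses={"203.0.113.10"},
    ns_hosts={"ns1.login-portal-example.test", "ns2.login-portal-example.test"},
    ns_addresses={"ns1.login-portal-example.test": {"203.0.113.10"},
                  "ns2.login-portal-example.test": {"203.0.113.10"}},
)
EXTERNAL_DNS = DnsView(
    domain="login-portal-example.test",
    web_addresses={"203.0.113.10"},
    ns_hosts={"ns1.dns-provider.example", "ns2.dns-provider.example"},
    ns_addresses={"ns1.dns-provider.example": {"198.51.100.5"},
                  "ns2.dns-provider.example": {"198.51.100.6"}},
)
```

Feeding `self_hosted_ns_findings` real lookups from your resolver of choice gives a quick triage signal; an empty result does not clear a domain, it only means this particular indicator is absent.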

Multi-domain Support

Evilginx Pro, unlike its community version counterpart, can now be configured to use more than one domain to run phishing campaigns. You can now set different base domains for each phishlet you want to use, without the need to change your DNS settings.

Each domain can be set up with a different DNS provider, be it Evilginx's internal nameserver or an external provider like Cloudflare or DigitalOcean.

Javascript Obfuscation

Evilginx will often inject its own Javascript code into the reverse proxied websites to manage redirects, gather Botguard telemetry or provide additional interaction with the viewed website through Javascript injected from phishlets. The injected code could easily be fingerprinted through static signatures, potentially resulting in reverse proxied websites being flagged as phishing.

Evilginx Pro will now automatically obfuscate all injected Javascript code, using the obfuscator.io engine running locally. As a result, the Javascript code takes a different shape with every page load, making the code impossible to fingerprint with pattern detection logic.

Automated Server Deployment

The days of deploying Evilginx servers by hand are over. Evilginx Pro provides a straightforward way of deploying a new phishing server by issuing a single command. You only need to provide the server's IP address and root credentials (password or authorized private key) to access the server. Evilginx client will do the rest.

Website Spoofing

When the Evilginx Pro server detects that a client is requesting a URL which is not a valid phishing lure URL, or determines that the connection is made by automation software, it no longer redirects the visitor to an external website but renders another website's content in the context of the current one.

This provides better phishing anti-detection capabilities and gives the impression a legitimate website is hosted under the phishing URL.

SQLite Database

Data storage for Evilginx data has been completely revamped. Evilginx Pro no longer uses BuntDB text-file storage; it now uses an SQLite database for speed and ease of access.