2.4.0 "Gone Phishing" update

Author: kgretzky

.gitignore

@@ -1,5 +1,6 @@
-/bin/
-/docs/
-/img/
-/release/
-/build_run.bat
+bin/
+docs/
+img/
+release/
+build/
+phishlets/test-*

CHANGELOG

@@ -1,3 +1,19 @@
+2.4.0
+- Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place `{lure_url_html}` or `{lure_url_js}` in code to manage redirection to the phishing page with any form of user interaction. Command: `lures edit <id> template <template>`
+- Feature: Create customized hostnames for every phishing lure. Command: `lures edit <id> hostname <hostname>`.
+- Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: `proxy`.
+- Feature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests. Command: `blacklist`
+- Feature: Custom parameters can now be embedded encrypted in the phishing url. Command: `lures get-url <id> param1=value1 param2="value2 with spaces"`.
+- Feature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn't match the whitelist regular expression filter for given lure. Command: `lures edit <id> ua_filter <regexp>`
+- List of custom parameters can now be imported directly from file (text, csv, json). Command: `lures get-url <id> import <params_file>`.
+- Generated phishing urls can now be exported to file (text, csv, json). Command: `lures get-url <id> import <params_file> export <export_file> <text|csv|json>`.
+- Fixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would result in "No embedded JWK in JWS header" error.
+- Removed setting custom parameters in lures options. Parameters will now only be sent encoded with the phishing url.
+- Added `with_params` option to `sub_filter` allowing to enable the sub_filter only when specific parameter was set with the phishing url.
+- Made command help screen easier to read.
+- Improved autofill for `lures edit` commands and switched positions of `<id>` and the variable name.
+- Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.
+
 2.3.3
 - Fixed: Multiple concurrent map writes when whitelisting IPs during heavy loads.
 

ISSUE_TEMPLATE.md

@@ -1,16 +1,8 @@
-#### PLEASE READ THE POSTING GUIDELINES AND ANSWER THE QUESTION BEFORE POSTING, OTHERWISE ISSUE WILL BE CLOSED AND MARKED AS INVALID
+#### DO NOT ASK FOR PHISHLETS.
+#### DO NOT ASK FOR HELP CREATING PHISHLETS.
+#### DO NOT ASK TO FIX PHISHLETS.
+#### DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.
 
-* I hereby declare the following issue is a **[tool specific question/bug report]** and it is **NOT** a help request about creating a phishlet.
-* I am fully aware that this is not a customer support portal, I can't demand answers and I'm aware I am using a free tool.
-* I am not going to use Evilginx to hax my girlfriend's account or use it for any other illegal purpose.
-* I am not trying to set up a domain on FreeNOM (also read the sentence above again).
-* I am not a robot.
-*(Sorry, if you are an adult and a professional and you had to read this.)*
-
-Please type in "**I CONFIRM**" below if you confirm the sentences above or otherwise make some funny remark:
-
-*<type_in_here>*
-
-Thanks!
---
+#### EXPECT A BAN OTHERWISE. THANK YOU!
 
+#### REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Makefile

@@ -5,13 +5,15 @@ PACKAGES=core database log parser
 all: build
 
 build:
-		@go build -o ./bin/$(TARGET) -mod=vendor
+	@go build -o ./bin/$(TARGET) -mod=vendor
 
 clean:
-		@go clean
-		@rm -f ./bin/$(TARGET)
+	@go clean
+	@rm -f ./bin/$(TARGET)
 
 install:
-		@mkdir -p /usr/share/evilginx/phishlets
-		@cp ./phishlets/* /usr/share/evilginx/phishlets/
-		@cp ./bin/$(TARGET) /usr/local/bin
+	@mkdir -p /usr/share/evilginx/phishlets
+	@mkdir -p /usr/share/evilginx/templates
+	@cp ./phishlets/* /usr/share/evilginx/phishlets/
+	@cp ./templates/* /usr/share/evilginx/templates/
+	@cp ./bin/$(TARGET) /usr/local/bin

README.md

@@ -18,17 +18,22 @@ Present version is fully written in GO as a standalone application, which implem
 
 I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.
 
-## Video
+## Write-up
 
-See **evilginx2** in action here:
+If you want to learn more about this phishing technique, I've published extensive blog posts about **evilginx2** here:
 
-[![Evilginx Demo](https://i.imgur.com/80jcbDl.png)](https://vimeo.com/281220095)
+[Evilginx 2.0 - Release](https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens)
+[Evilginx 2.1 - First Update](https://breakdev.org/evilginx-2-1-the-first-post-release-update/)
+[Evilginx 2.2 - Jolly Winter Update](https://breakdev.org/evilginx-2-2-jolly-winter-update/)
+[Evilginx 2.3 - Phisherman's Dream](https://breakdev.org/evilginx-2-3-phishermans-dream/)
+[Evilginx 2.4 - Gone Phishing](breakdev.org/evilginx-2-4-gone-phishing/)
 
-## Write-up
+## Video guide
 
-If you want to learn more about this phishing technique, I've published an extensive blog post about **evilginx2** here:
+Take a look at the fantastic videos made by Luke Turvey ([@TurvSec](https://twitter.com/TurvSec)), which fully explain how to get started using **evilginx2**.
 
-https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens
+[![How to phish for passwords and bypass 2FA - Luke Turvey](https://img.youtube.com/vi/B3CycQgkVY0/0.jpg)](https://www.youtube.com/watch?v=B3CycQgkVY0)
+[![Creating custom phishlets for evilginx2 (2FA Bypass) - Luke Turvey](https://img.youtube.com/vi/8mfsF5Qdqw0/0.jpg)](https://www.youtube.com/watch?v=8mfsF5Qdqw0)
 
 ## Phishlet Masters - Hall of Fame
 
@@ -56,22 +61,14 @@ Evilginx runs very well on the most basic Debian 8 VPS.
 
 #### Installing from source
 
-In order to compile from source, make sure you have installed **GO** of version at least **1.14.0** (get it from [here](https://golang.org/doc/install)) and that `$GOPATH` environment variable is set up properly (def. `$HOME/go`).
+In order to compile from source, make sure you have installed **GO** of version at least **1.14.0** (get it from [here](https://golang.org/doc/install)).
 
-After installation, add this to your `~/.profile`, assuming that you installed **GO** in `/usr/local/go`:
+When you have GO installed, type in the following:
 
 ```
-export GOPATH=$HOME/go
-export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
-```
-Then load it with `source ~/.profiles`.
-
-Now you should be ready to install **evilginx2**. Follow these instructions:
-
-```
-sudo apt-get install git make
-go get -u github.com/kgretzky/evilginx2
-cd $GOPATH/src/github.com/kgretzky/evilginx2
+sudo apt-get -y install git make
+git clone github.com/kgretzky/evilginx2
+cd evilginx2
 make
 ```
 
@@ -105,8 +102,8 @@ Phishlets are loaded within the container at `/app/phishlets`, which can be moun
 
 Grab the package you want from [here](https://github.com/kgretzky/evilginx2/releases) and drop it on your box. Then do:
 ```
-unzip <package_name>.zip -d <package_name>
-cd <package_name>
+tar zxvf evilginx-linux-amd64.tar.gz
+cd evilginx
 ```
 
 If you want to do a system-wide install, use the install script with root privileges:
@@ -127,14 +124,20 @@ sudo ./evilginx
 
 By default, **evilginx2** will look for phishlets in `./phishlets/` directory and later in `/usr/share/evilginx/phishlets/`. If you want to specify a custom path to load phishlets from, use the `-p <phishlets_dir_path>` parameter when launching the tool.
 
+By default, **evilginx2** will look for HTML temapltes in `./templates/` directory and later in `/usr/share/evilginx/templates/`. If you want to specify a custom path to load HTML templates from, use the `-t <templates_dir_path>` parameter when launching the tool.
+
 ```
 Usage of ./evilginx:
+  -c string
+        Configuration directory path
   -debug
         Enable debug output
   -developer
         Enable developer mode (generates self-signed certificates for all hostnames)
   -p string
         Phishlets directory path
+  -t string
+        HTML templates directory path
 ```
 
 You should see **evilginx2** logo with a prompt to enter commands. Type `help` or `help <command>` if you want to see available commands or more detailed information on them.
@@ -168,11 +171,11 @@ phishlets enable linkedin
 Your phishing site is now live. Think of the URL, you want the victim to be redirected to on successful login and get the phishing URL like this (victim will be redirected to `https://www.google.com`):
 ```
 lures create linkedin
-lures edit redirect_url 0 https://www.google.com
+lures edit 0 redirect_url https://www.google.com
 lures get-url 0
 ```
 
-Running phishlets will only respond to tokenized links, so any scanners who scan your main domain will be redirected to URL specified as `redirect_url` under `config`. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use `phishlet hide/unhide <phishlet>` command.
+Running phishlets will only respond to phishing links generating for specific lures, so any scanners who scan your main domain will be redirected to URL specified as `redirect_url` under `config`. If you want to hide your phishlet and make it not respond even to valid lure phishing URLs, use `phishlet hide/unhide <phishlet>` command.
 
 You can monitor captured credentials and session cookies with:
 ```
@@ -186,15 +189,11 @@ sessions <id>
 
 The captured session cookie can be copied and imported into Chrome browser, using [EditThisCookie](https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en) extension.
 
-**Important!** If you want **evilginx2** to continue running after you log out from your server, you should run it inside a `screen` session.
+**Important!** If you want **evilginx2** to continue running after you log out from your server, you should run it inside a `screen` or `tmux` session.
 
 ## Support
 
-If you want to report issues with the tool, please do it by submitting a pull request. Thank you!
-
-## Credits
-
-Huge thanks to Simone Margaritelli ([@evilsocket](https://twitter.com/evilsocket)) for [bettercap](https://github.com/bettercap/bettercap) and inspiring me to learn GO and rewrite the tool in that language!
+I DO NOT offer support for providing or creating phishlets. I will also NOT help you with creation of your own phishlets. There are many phishlets provided as examples, which you can use to create your own.
 
 ## License
 

core/banner.go

@@ -8,7 +8,7 @@ import (
 )
 
 const (
-	VERSION = "2.3.3"
+	VERSION = "2.4.0"
 )
 
 func putAsciiArt(s string) {
@@ -54,6 +54,12 @@ func printLogo(s string) {
 	color.Unset()
 }
 
+func printUpdateName() {
+	nameClr := color.New(color.FgHiRed)
+	txt := nameClr.Sprintf("                 - --  Gone Phishing  -- -")
+	fmt.Fprintf(color.Output, "%s", txt)
+}
+
 func printOneliner1() {
 	handleClr := color.New(color.FgHiBlue)
 	versionClr := color.New(color.FgGreen)
@@ -95,9 +101,11 @@ func Banner() {
 	fmt.Println()
 	putAsciiArt("      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@      \n")
 	putAsciiArt("     @@@@@WW@@@WW@@WWW@@WW@@@WW@@@@@     ")
-	printOneliner2()
+	printUpdateName()
 	fmt.Println()
 	putAsciiArt("    @@@@@@WW@@@WW@@WWW@@WW@@@WW@@@@@@    \n")
+	//printOneliner2()
+	//fmt.Println()
 	putAsciiArt("_   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   _")
 	printOneliner1()
 	fmt.Println()

core/blacklist.go

@@ -0,0 +1,120 @@
+package core
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+
+	"github.com/kgretzky/evilginx2/log"
+)
+
+const (
+	BLACKLIST_MODE_FULL   = 0
+	BLACKLIST_MODE_UNAUTH = 1
+	BLACKLIST_MODE_OFF    = 2
+)
+
+type BlockIP struct {
+	ipv4 net.IP
+	mask *net.IPNet
+}
+
+type Blacklist struct {
+	ips        map[string]*BlockIP
+	masks      []*BlockIP
+	configPath string
+	mode       int
+}
+
+func NewBlacklist(path string) (*Blacklist, error) {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	bl := &Blacklist{
+		ips:        make(map[string]*BlockIP),
+		configPath: path,
+		mode:       BLACKLIST_MODE_OFF,
+	}
+
+	fs := bufio.NewScanner(f)
+	fs.Split(bufio.ScanLines)
+
+	for fs.Scan() {
+		l := fs.Text()
+		// remove comments
+		if n := strings.Index(l, ";"); n > -1 {
+			l = l[:n]
+		}
+		l = strings.Trim(l, " ")
+
+		if len(l) > 0 {
+			if strings.Contains(l, "/") {
+				ipv4, mask, err := net.ParseCIDR(l)
+				if err == nil {
+					bl.masks = append(bl.masks, &BlockIP{ipv4: ipv4, mask: mask})
+				} else {
+					log.Error("blacklist: invalid ip/mask address: %s", l)
+				}
+			} else {
+				ipv4 := net.ParseIP(l)
+				if ipv4 != nil {
+					bl.ips[ipv4.String()] = &BlockIP{ipv4: ipv4, mask: nil}
+				} else {
+					log.Error("blacklist: invalid ip address: %s", l)
+				}
+			}
+		}
+	}
+
+	log.Info("blacklist: loaded %d ip addresses or ip masks", len(bl.ips)+len(bl.masks))
+	return bl, nil
+}
+
+func (bl *Blacklist) AddIP(ip string) error {
+	if bl.IsBlacklisted(ip) {
+		return nil
+	}
+
+	ipv4 := net.ParseIP(ip)
+	if ipv4 != nil {
+		bl.ips[ipv4.String()] = &BlockIP{ipv4: ipv4, mask: nil}
+	} else {
+		return fmt.Errorf("blacklist: invalid ip address: %s", ip)
+	}
+
+	// write to file
+	f, err := os.OpenFile(bl.configPath, os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = f.WriteString(ipv4.String() + "\n")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (bl *Blacklist) IsBlacklisted(ip string) bool {
+	ipv4 := net.ParseIP(ip)
+	if ipv4 == nil {
+		return false
+	}
+
+	if _, ok := bl.ips[ip]; ok {
+		return true
+	}
+	for _, m := range bl.masks {
+		if m.mask != nil && m.mask.Contains(ipv4) {
+			return true
+		}
+	}
+	return false
+}