
New feature: notifiers

Open justin-p opened this issue 4 years ago • 10 comments

Adds 'notifiers' to evilginx2. This enables you to set up notifications on specific events:

  • Lure visitor (people who used a correct lure URL)
  • Unauthorized visitor (people/bots that used a non-lure URL)
  • Authenticated user (people who authenticated against your lure)
  • unauthorized_user_agent (if ua_filter is set in the lure)
  • blacklist_add (whenever an IP is added to the blacklist)
  • blacklist_visit (whenever a blacklisted IP connects to evilginx)

Notifiers allow you to send webhooks (GET or POST requests). POST requests forward all the important information about the event in JSON to the specified URL.

GET requests are intended to be used with forward_param. This allows you to forward an HTTP parameter the original user used. This, for example, allows for integration with gophish and the ability to hide the RID IoC very easily as a random parameter (without the need for nginx or editing source code). This is purely based off the functionality added by @Cgboal in https://github.com/kgretzky/evilginx2/pull/578 but reworked to function as a configurable notifier.

In the example below n8n is used to act as glue between evilginx2 and APIs. Here I configured n8n to parse the incoming data and forward it to Mattermost, Gotify and gophish. https://www.youtube.com/watch?v=FWlm-dzEM7I

The docker project used in that video can be found here: https://github.com/justin-p/docker-n8n-playground

EDIT 11-08-2023: the n8n playground is currently out of date due to changes made by n8n, in addition to the fact that this PR has now been updated for evilginx3.

justin-p avatar Apr 22 '21 14:04 justin-p

I got the visitor Webhook to work but I can't figure out the authorized webhook

ghost avatar Feb 01 '22 21:02 ghost

I have enabled all events (visitor, unauthorized, authenticated). But I only get the 'visitor' notifier (forwarding visitor info to the notifier URL http://xx.xx.xx.xx/pathname/g.php?e=v) and don't get any other notifiers. Why are all sessions grabbed (login, pass, cookies), but not sent to the gate?

kileyturney avatar May 04 '22 20:05 kileyturney

How do I set up authenticated? No action from the event after setup. The unauthorized and visitor events work well and report to my Telegram, but authenticated doesn't work.

darkxlord0147 avatar Oct 28 '22 06:10 darkxlord0147

How do I set up authenticated? No action from the event after setup. The unauthorized and visitor events work well and report to my Telegram, but authenticated doesn't work.

My configuration on n8n was good, but in notifier.go, after setting authenticated, nothing happens during the test: no function was called on the authenticated event. The other events' functions work, and even when wrongly configured you see the error logs, but authenticated shows nothing.

darkxlord0147 avatar Oct 28 '22 06:10 darkxlord0147

I got the visitor Webhook to work but I can't figure out the authorized webhook

@ghost did you finally fix this?

darkxlord0147 avatar Oct 28 '22 15:10 darkxlord0147

How do I set up authenticated? No action from the event after setup. The unauthorized and visitor events work well and report to my Telegram, but authenticated doesn't work.

My configuration on n8n was good, but in notifier.go, after setting authenticated, nothing happens during the test: no function was called on the authenticated event. The other events' functions work, and even when wrongly configured you see the error logs, but authenticated shows nothing.

I guess what I haven't done is include gophish in my setup. I will do that and see if the on_event authenticated function needs it to be activated.

darkxlord0147 avatar Oct 29 '22 00:10 darkxlord0147

From the "notifiers" perspective there is no difference between any of the events; it's practically the same code just wrapped in different functions to accommodate the different data structures you would want to forward on a given event. I personally used this very recently against o365 and did not have any issues with the authenticated event forwarding session data. From my experience, if the event itself is not triggered, especially the authenticated event, it could be an issue with the phishlet, for example it not instructing evilginx2 that the session has been properly/fully captured and thus not triggering the configured notifier. Since the notifier code is not triggered, it also does not provide any logs/feedback to the end user.

Other than that, I can't really think of anything apart from incorrectly configuring the notifiers themselves.

P.S. Adding gophish to your stack is not going to solve your issue.

justin-p avatar Nov 03 '22 18:11 justin-p

Thanks for replying. I am testing with Google phishlets and I also transferred your code to the evilgophish project. I will test it with another phishlet. Maybe it needs a few tweaks to work with my phishlets, or tweaks to the cookie struct of the authenticated event.

darkxlord0147 avatar Nov 04 '22 13:11 darkxlord0147

I have been looking for the cheat sheets of the project around GitHub. I seem to find the command concept a bit hard to understand, or this is not working with the Telegram webhook, or it's only that https://github.com/justin-p/docker-n8n-playground

The notifiers are not built/intended to be used directly against external services such as Telegram or whatever, as this would require a lot of overhead in the evilginx source code to make that work. This feature is intended to provide an easy and fast way to export information out of evilginx directly when the event happens. This means some glue/middleware is required that will parse the outgoing webhook from evilginx and "do something" with it.

In the provided examples the middleware I used was n8n, as this required no coding to make it "do stuff", since it's mostly drag and drop. It should be trivial to adapt to your desired outcome.

An alternative would be to write some custom middleware that could capture the incoming webhook and "do something" with it, which is something on my to-do list.

justin-p avatar Aug 17 '23 13:08 justin-p