Proj 17: MITM with Evilginx2 (15 pts.)

What You Need

Purpose

To perform advanced phishing, defeating two-factor authentication, with the Evilginx2 attack tool.

Preparing your System

Your computer will be used to serve Web pages over ports 80 and 443, so those ports must be available.

From your Windows desktop, click Start.

Type cmd

In the Search results, right-click "Command Prompt" and click "Run as administrator", as shown below.

If a User Account Control box pops up. approve the privilege escalation.

In the Administrator Command Prompt window, execute this command:

netstat -ban | more
A list of listening ports appears, in numerical order, as shown below.

Make sure ports 80 and 443 are unused. If they are, you need to stop or uninstall the programs using them before continuing with this project.

Adding Phishing Domains to the Hosts File

For real phishing on the Internet, you need a public domain name you can configure to resolve to the IP address of your attack server. For this project, we'll simulate that locally using the Hosts file, so the attack will only work on the local machine.

In the Administrator Command Prompt window, execute this command:

notepad c:\windows\system32\drivers\etc\hosts
Add these two lines to the end of the file, as shown below.
127.0.0.1      phishing-domain.com
127.0.0.1      www.phishing-domain.com

Save the file. Close Notepad.

Downloading the Unzipping Evilginx2

In a Web browser, go to

https://github.com/kgretzky/evilginx2/releases

Download the Windows version, as shown below. Save the file on your Desktop.

On your desktop, right-click the downloaded file and click "Extract All...", Extract.

A window opens showing the extracted files, as shown below.

From the menu bar, click File, "Open command prompt", "Open command prompt", as shown below.

Launching Evilginx

In the Command Prompt, execute these commands, as shown below.
evilginx.exe -developer
config domain phishing-domain.com 
config ip 127.0.0.1 
phishlets hostname linkedin phishing-domain.com
phishlets enable linkedin
lures create linkedin
lures get-url 0
A URL appears, as shown below.

In a real phishing attack, you'd send that URL to the target via email or an SMS message, or something similar.

For this project, open that URL in Internet Explorer. A warning message appears, as shown below.

Click "Continue to this website (not recommended)".

Log in with test credentials, including your name, as shown below.

Linkedin will reject the credentials, because they aren't for a real account, but that doesn't matter--we are only interested in how they were transmitted.

The stolen username and password appear, as shown below.

Saving the Screen Image

Make sure the stolen credentials are visible, as shown above (but with your own name, not the literal text "YOUR NAME", of course.

Save a whole-desktop image with the filename "Proj 17 from YOUR NAME".

Turning In Your Project

Email the image to cnit.129s@gmail.com with a subject of "Project 17 from YOUR NAME".

Sources

Evilginx Phishing Examples (v2.x: linkedin, facebook, custom)

Posted 1-23-19