I'd like to share my experiences using evilginx2 and gophish for red teaming phishing simulations. While there are numerous guides available, I aim to highlight the nuances and practical insights that aren't typically covered in documentation and tutorials.
When setting up a phishing campaign for red team purposes, you have three options:
The third method is done by evilginx2, which, despite its name, does not have nginx built in, but the functionality is the same, except that evilginx2 has built-in filters and functions like inject_js that make the attacker's life more comfortable.
Gophish is a tool that allows you to manage groups and users, dynamically create emails, and send them at will.
A few weeks ago, Evilginx got update 3.3, which introduced integration with Gophish, a framework for phishing campaigns. There have been several such projects in the past, such as evilgophish[1], but in this text, I will focus on the official evilginx by K. Gretzky.
More info about the update with the demo can be found here: https://breakdev.org/evilginx-3-3-go-phish/
Both tools are written in Golang, which is a relatively easy-to-understand language.
A malicious proxy such as evilginx has several drawbacks compared to just cloning the page.
Firstly, the setup is much more complicated.
When you clone a page, you download the necessary files via developer tools and add the password-storing feature via some backend.
Evilginx setup is more complicated. It needs a configuration file and a phishlet, which works as a template for the phishing proxy. Setting up and running evilginx2 in the production version took me over a week compared to just cloning.
The advantage is that evilginx scales much better. Once you know how to create phishlets, you can change phishing scenarios at will because adding a new phishlet is trivial.
I should mention the state the evilginx project is in. The documentation is concise and not very useful if you have no prior experience with evilginx2. Some features and behaviors are not documented, and you need to read and debug the source code to find out how they behave.
The project has a special financing model where you can pay $400 for a course of excellent quality, but the course replaces the documentation to some extent, which doesn't seem like a good way to do it. Either it's an open-source project with all the parts, or it's not open source; this way, it's open code, but you are pushed into buying the expensive course.
It doesn't help that the project has many open issues and bugs that nobody addresses. If you're serious about phishing, you'll probably have to edit the source code and use your own version because the author doesn't put much effort into reviewing new PRs. For example, the PR I made three weeks ago[2] to fix the POST of a GET request has still not been merged. The project is plagued by old libraries that have long been unused. Of course, I don't want the author to handle everything himself, but sometimes you have to give up control of a project to benefit the project. And more moderators and maintainers who want to help would certainly be found.
But not to be only negative: this project is still the best of its kind. If you learn all its quirks and modify it for your purpose, it becomes a tool that allows you to run campaigns of all kinds, with a level of automation that is impossible to reach if you write the tooling yourself.
Gophish isn't updated very often either, but I haven't encountered any bugs, so it doesn't really bother me. Although gophish has an API, it lacks some functionality that would be useful, so K. Gretzky had to add this API[3] to make the integration with evilginx work. Anyway, this approach is not sustainable, and I think gophish would benefit from an API that allows event reporting.
The Gophish email template community is active, and you don't need to invest much time in a replica of the o365 email because there is a good chance that someone has already created the template.
The UI is very good, and many features, like a timeline of events, will be appreciated by clients in the report.
If you send emails within a known service such as o365 or Gmail, it is good to first build an instance where you collect crawler IP addresses, which you then block on the production instance and domain, thus minimizing the risk of being blacklisted by, for example, Outlook.
Of course, this is the easier part. The harder part is having an SMTP server with a good reputation that allows you to send phishing emails in bulk, so I do not recommend building your own SMTP server but rather using an email-as-a-service offering with its own domain that has a good server reputation by default, for example, Gmail business.
Thank you for reading. Feedback is appreciated!
[1]: https://github.com/fin3ss3g0d/evilgophish
[2]: https://github.com/kgretzky/evilginx2/pull/1047
[3]: https://github.com/kgretzky/gophish