3.3.0 - Go & Phish

Go & Phish - Official Gophish integration released!

You can learn more about this update in the official blog post: https://breakdev.org/evilginx-3-3-go-phish/

CHANGELOG

• Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
• Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in ~/.evilginx/crt/sites/<hostname>/. Will load fullchain.pem and privkey.pem pair or a combination of a .pem/.crt (public certificate) and a .key (private key) file. Make sure to run without -developer flag and disable autocert retrieval with config autocert off.
• Feature: Added ability to inject force_post POST parameters into JSON content body (by @yudasm_).
• Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with config autocert <on/off>.
• Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
• Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
• Fixed: Added support for exported cookies with names prefixed with __Host- and __Secure-.
• Fixed: Global unauth_url can now be set to an empty string to have the server return 403 on unauthorized requests.
• Fixed: Unauthorized redirects and blacklisting would be ignored for proxy_hosts with session: false (default) making it easy to detect evilginx by external scanners.
• Fixed: IP address 127.0.0.1 is now ignored from being added to the IP blacklist.
• Fixed: Added support for more TLDs to use with phishing domains (e.g. xyz, art, tech, wiki, lol & more)
• Fixed: Credentials will now be captured also from intercepted requests.

3.2.0 - Sleeping With The Phishes

• Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.
• Feature: Lures can now be paused for a fixed time duration with lures pause <id>. Useful when you want to briefly redirect your lure URL when you know sandboxes will try to scan them.
• Feature: Added phishlet ability to intercept HTTP requests and return custom responses via a new intercept section.
• Feature: Added a new optional redirect_url value for phishlet config, which can hold a default redirect URL, to redirect to, once tokens are successfully captured. redirect_url set for the specific lure will override this value.
• Feature: You can now override globally set unauthorized redirect URL per phishlet with phishlet unauth_url <phishlet> <url>.
• Fixed: Disabled caching for HTML and Javascript content to make on-the-fly proxied content replacements and injections more reliable.
• Fixed: Improved JS injection by adding <script src"..."> references into HTML pages, instead of dumping the whole script there.
• Fixed: Blocked requests will now redirect using javascript, instead of HTTP location header.
• Fixed: Changed redirect_url to unauth_url in global config to avoid confusion.
• Fixed: Fixed HTTP status code response for Javascript redirects.
• Fixed: Javascript redirects now happen on text/html pages with valid HTML content.
• Fixed: Removed ua_filter column from the lures list view. It is still viewable in lure detailed view.

3.1.0

• Feature: Listening IP and external IP can now be separated with config ipv4 bind <bind_ipv4_addr> and config ipv4 external <external_ipv4_addr> to help with properly setting up networking.
• Fixed: Session cookies (cookies with no expiry date set) are now correctly captured every time. There is no need to specify :always key modifier for auth_tokens to capture them.
• Fixed: Captured custom tokens are now displayed properly and values are not truncated.

3.0.0 - Rephishment

• Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
• Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by certmagic library.
• Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
• Feature: Phishing pages can now be embedded inside of iframes.
• Feature: Changed redirection after successful session capture from Location header redirection to injected Javascript redirection.
• Feature: Changed config file from config.yaml to config.json, permanently changing the configuration format to JSON.
• Feature: Changed open-source license from GPL to BSD-3.
• Feature: Added always modifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time.
• Feature: Added phishlet <phishlet> command to show details of a specific phishlet.
• Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as {param_name} and every occurence will be replaced with pre-configured parameter values of the created child phishlet.
• Feature: Added phishlet create command to create child phishlets from template phishlets.
• Feature: Renamed lure templates to lure redirectors due to name conflict with phishlet templates.
• Feature: Added {orig_hostname} and {orig_domain} support for sub_filters phishlet setting.
• Feature: Added {basedomain} and {basedomain_regexp} support for sub_filters phishlet setting.
• Fixed: One target can now have multiple phishing sessions active for several different phishlets.
• Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing opt cookies, when all authentication cookies are already captured.
• Fixed: trigger_paths regexp will now match a full string instead of triggering true when just part of it is detected in URL path.
• Fixed: Phishlet table rows are now sorted alphabetically.
• Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
• Fixed: WebSocket connections are now properly proxied.

2.4.0 - Gone Phishing

• Feature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and place {lure_url_html} or {lure_url_js} in code to manage redirection to the phishing page with any form of user interaction. Command: lures edit <id> template <template>
• Feature: Create customized hostnames for every phishing lure. Command: lures edit <id> hostname <hostname>.
• Feature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: proxy.
• Feature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests. Command: blacklist
• Feature: Custom parameters can now be embedded encrypted in the phishing url. Command: lures get-url <id> param1=value1 param2="value2 with spaces".
• Feature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn't match the whitelist regular expression filter for given lure. Command: lures edit <id> ua_filter <regexp>
• List of custom parameters can now be imported directly from file (text, csv, json). Command: lures get-url <id> import <params_file>.
• Generated phishing urls can now be exported to file (text, csv, json). Command: lures get-url <id> import <params_file> export <export_file> <text|csv|json>.
• Fixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would result in "No embedded JWK in JWS header" error.
• Removed setting custom parameters in lures options. Parameters will now only be sent encoded with the phishing url.
• Added with_params option to sub_filter allowing to enable the sub_filter only when specific parameter was set with the phishing url.
• Made command help screen easier to read.
• Improved autofill for lures edit commands and switched positions of <id> and the variable name.
• Increased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10 minutes.

2.3.0 - Phisherman's Dream

• Proxy can now create most of required sub_filters on its own, making it much easier to create new phishlets.
• Added lures, with which you can prepare custom phishing URLs with each having its own set of unique options (help lures for more info).
• Added OpenGraph settings for lures, allowing to create enticing content for link previews.
• Added ability to inject custom Javascript into proxied pages.
• Injected Javascript can be customized with values of custom parameters, specified in lure options.
• Deprecated landing_path and replaced it with login section, which contains the domain and path for website's login page.

Blog: https://breakdev.org/evilginx-2-3-phishermans-dream/

2.2.0 - Jolly Winter Update

• Added option to capture custom POST arguments additionally to credentials. Check custom field under credentials.
• Added feature to inject custom POST arguments to requests. Useful for silently enabling "Remember Me" options, during authentication.
• Restructured phishlet YAML config file to be easier to understand (phishlets from previous versions need to be updated to new format).
• Removed name field from phishlets. Phishlet name is now determined solely based on the filename.
• Now when any of auth_urls is triggered, the redirection will take place AFTER response cookies for that request are captured.
• Regular expression groups working with sub_filters.
• Phishlets are now listed in a table.
• Phishlet fields are now selectively lowercased and validated upon loading to prevent surprises.
• All search fields in the phishlet are now regular expressions by default. Remember about proper escaping!

2.0.0

This is a first release! Enjoy!