Skip to content

Running Evilginx 3.0 on Windows

In case you missed it: Evilginx 3 was recently launched to the public. This release is a quality-of-life update and has many fixes and a few new features onboard. You can find the changelog here. Big thanks to the creator Kuba Gretzky for this!

With the new release, the tool no longer has built-in phishlets onboard but is re-launched as a framework where red-teamers can build phishlets for basically any web application. Due to some changes under the hood, the current phishlets may no longer work with the new version. This is why the new release comes with excellent documentation and even an online Evilginx Mastery course, where you will learn all about building phishlets, advanced phishing methods, and remote server deployment. Evilginx 3 comes with one sample phishlet that you can use as your starting point. Of course, I expect more and more phishlets are being created by the community over time.

In this post, I will show you how you can run a local installation of Evilginx on Windows. Running Evilginx locally is excellent for two main reasons:

  1. This will allow anyone to demonstrate the tool without needing a hosted VM and public domain name. You can use whatever domain you like.
  2. Running Evilginx locally is super handy for building your phishlets, as you can quickly make adjustments and test locally. After that, you can set up your remote server for your phishing engagements.

This is all done by editing the local DNS hosts file so that traffic to your web app will be routed to your local instance of Evilginx. If you want to run Evilginx remotely instead, make sure you buy your domain a few weeks ahead to avoid being blocked. Buy your new domain(s) and VPS at Namecheap or DigitalOcean!

Preparation

To set up your local installation, we need a couple of things.

Download the files to your computer, and run the installer. When installing Go, please pick Visual Studio Code as your default editor.
To check whether Go and Git are installed correctly, open the command prompt and run:

go version
git version

Clone Evilginx

On your local hard drive, create a local folder. For example: C:\dev

Open a command prompt, and browse to the folder you just created. Next, run:

git clone https://github.com/kgretzky/evilginx2

After the repo is cloned, go into the folder using the command prompt:

cd evilginx2

Next, run the following command to build and run Evilginx:

build_run.bat

A few seconds later, Evilginx will start. The first time, Windows Defender Firewall will prompt you to allow access.

Configure Evilginx for local use

Now that Evilginx is up and running, we’ll need to so dome additional configurations to start using/developing our first phishlet.

We set the IP address of the Evilginx instance to the local address 127.0.0.1 and the domain parameter to any domain you wish. This does not need to be a domain you actually own, as we only use this locally. In this demo, we use yourfakedomain.com

config ipv4 127.0.0.1
config domain yourfakedomain.com

Next, we need to install the root certificate from Evilginx. This can be found in the user profile folder:

%USERPROFILE%\.evilginx\crt

Add this certificate to the Trusted Root Certificate Authorities store of the Current User.

Load the phishlet

Now it’s time to install the first phishlet. This can be either one you developed yourself or one from a public source. For this demo, I use a Microsoft 365 phishlet I developed for Evilginx 3.0. Download the file, and place it in the .\evilginx2\phishlets folder.

Download here!

Ensure you run the latest version of Evilginx and have the most recent Microsoft365.yaml file. There was a recent change in the way Evilginx captures cookies. In v3.0, we needed to use the ‘always‘ parameter for session cookies(cookies with no expiry date set). That has been fixed in v3.1

Before Evilginx loads the new phishlet, you’ll need to “restart” Evilginx by running:

q
build_run.bat

Evilginx will load all the phishlets from the folder. As you can see, the new phishlet is now showing up.

Configure the phishlet and lure

To use the new phishlet, we need to attach the domain name to the phishlet by running:

phishlets hostname microsoft365 yourfakedomain.com
phishlets enable microsoft365 

Next, we need to edit the local DNS file to route all traffic to your local web server address (127.0.0.1)
The easiest way to do this is by running this command from Evilginx:

phishlets get-hosts microsoft365

Copy the payload to your clipboard. Now, open Notepad.exe (as administrator). Browse to C:/Windows/System32/drivers/etc and open the hosts file. If you don’t see the hosts file, change the .txt (*.txt) filter to any file (*.*), as the hosts file does not have an extension. Add the payload to the hosts file, and save it. Traffic to yourfakedomain.com is now routed to 127.0.0.1, your local Evilginx server instance. You can ignore the double entry for login.yourfakedomain.com.

The last step is creating the lure, our phishing URL.

lures create microsoft365
lures get-url 0

Now, let’s put this to the test. In a browser, past the lure URL, and if all goes well, the phishlet will load, and you are ready to develop your own phishlet!

If you like to proxy your traffic through BurpSuite or Fiddler, please reach out to the docs: Proxy | Evilginx

Take your phishing skills to the next level 🎣

With Evilginx running locally, it is now time to take the next step: build your own phishlet, and push your configuration to a remote server for public access. Maybe your phishlets require some nifty javascript injection, or you want to learn how to use Evilginx with mass and personalized lures, forcing POST parameters, or use custom landing pages?

All these topics, amongst others, are covered in the Evilginx Mastery Course. This course is developed with red-teamers in mind, and it gives an excellent overview of all the capabilities Evilginx has onboard.

By buying the course, you will also support the further development of Evilginx. Also, you will get lifetime access to the course content! You can find the course here.

Use code: HELLOSPRING for 30% discount!

I joined the online course myself, and I learned so much. I was amazed by how much stuff was being covered in the training. And look at the pretty certificate! That will stand out on my resume for sure 😊

If you have a smaller budget, please check out the Simpler Hacking Evilginx Pro Masterclass.

35 thoughts on “Running Evilginx 3.0 on Windows”

  1. Pingback: How to set up Evilginx to phish Office 365 credentials - JanBakker.tech

  2. Hello Jan,

    I hope you are well? I tried your method above for running evilginx on windows.

    I currently run windows in a vitual machine on my macbook. Does this method apply to windows computers only or can it work on vm too?

    I tried on vm but link did not work as described. please advice

      1. Hello Dan, I followed all the steps shown and was successful in every step but the link is not working.

        do I have to use my own domain? please advice

        firefox response to the link: we can’t connect to the server at login.yourfakedomain.com

        1. Do know you can only get to that url (login.yourfakedomain.com) if you edit the hosts file.
          You can use any domain as you manipulate the DNS locally.
          You can only reach that within the VM.

    1. I am having issue with this Copy the payload to your clipboard. Now, open Notepad.exe (as administrator). Browse to C:/Windows/System32/drivers/etc and open the hosts file. If you don’t see the hosts file, change the .txt (*.txt) filter to any file (*.*), as the hosts file does not have an extension. Add the payload to the hosts file, and save it. Traffic to yourfakedomain.com is now routed to 127.0.0.1, your local Evilginx server instance. You can ignore the double entry for login.yourfakedomain.com.

      1. hello Jan, I have been able to set up Evilginx on my VPS as well with your help. Thanks once again

        can you assist me with a way to install the new phishlet you provided on my ubuntu 11 vps?

    1. Hello Davien.

      Could you please share some keypoint on how you manage to pull this through, was it via windows or ubutun?
      Suppose am to use windows, what advise do you have for me. by the way i was able to follow the steps in the windows example and it did work fine for me, am simply wandering how to go about it now that i have my domain and intending to deploy gobally. thanks

  3. Hello Jan.
    I have been following your tutorials and i must say is been illuminating and educative as well. I was able to follow you steps on setting up and working with evilgnix on both windows and vps respectively, all thanks to you man, you rock. I do have questions though some has been answered through your interactions with Davien but then if you don’t mind i will need few clarifications. thanks

  4. Hello Jan.

    Allow me to share few of my experience regarding the behavior of evilgnix when certain actions are taken and it corresponding feedback. As stated in my earlier reply, you tut worked fine and self explanatory to say the least… Back to what i was saying, fo instance without enabling the proxy feature, evilgnix work fine, however when proxy is been enable i usually get this error message “WARN: Cannot read TLS response from mitm’d server http_tunnel: failed dialing to proxy: EOF” even after installing the cert. I couldn’t figure out why that is, and am hoping you could advise me on that.

    1. Hello Jaja, I was able to set up my instance with a domain with glue records and a debian 11 os. Are what system are you getting this error?

  5. hello Jan,
    im getting this error msg…

    build_run.bat : The term ‘build_run.bat’ is not recognized as the name of a cmdlet, function, script file, or operable
    program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + build_run.bat
    + ~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (build_run.bat:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Suggestion [3,General]: The command build_run.bat was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type: “.\build_run.bat”. See “get-help about_Command_Precedence” for more details.
    PS C:\dev\evilginx2>

  6. Hello Jan, I’ve been getting issues with the links even after installing the certificate on my system. When I click the link, I’m greeted with the warning: potential security risk ahead. Please how can I get around this?

  7. hello, please i need everyone’s assistance. i followed all steps and i was able to get it exactly but when i try to load the given link, it says the site cant be reached. kindly assist me on what to do please. thanks.

  8. Hello Jan Nice work you did here. So self explanatory. i was able to install and have all working properly. The probelm i have now is how to set up telegram notification for all my sessions. So i dont always have to go into the panel to see the captured sessions. I want it set to my telegram. Please can you share some light on this and teach us how to do this.

    Thanks a lot

  9. Hello Jan

    Nice work self explanatory and easy to understand. Thanks for the complete work you did on this one. Please can you explain how or attach the code to setup a telegram BOT to receive all sessions notifications sent to telegram or our email. That way making it easier to use and effective.

  10. Pingback: Evilginx resources for Microsoft 365 - JanBakker.tech

  11. I followed the instructions for installing on Windows and am able to access the fake url without issue. When I access the fake url I can see in the evilginx command prompt that a new visitor has arrived with additional details. The problem is when I type in the credentials of the actual user in the fake Microsoft 365 url screen I get the message ‘There was an issue looking up your account. Tap Next to try again. I know the creds are good because I can successfully login when I go the login.microsoftonline.com url.

    Any idea as to what the problem could be?

  12. Hi jan,
    Great work posting and helping us all install this, but i have a problem. I’m trying to add cloudflare turnstile key but don’t know how to implement it. Can you help me on how to go about it?

  13. Hi
    Thank you a lot for the post Jan. I think it was a big time saver for me.
    I was able to follow the instructions without a problem. However, when I tried to open the site, I got the following:
    WARN: Cannot handshake client login.microsoftonline.com remote error: tls: unknown certificate
    And the site did not open, it only got an error: NET::ERR_CERT_AUTHORITY_INVALID
    Any thoughts on this?

  14. Hello guyz…

    Jan Bakker! Why is it that the link doesn’t last 10mins before its been detect phishing….

    Do you have a way to make this link undetectable?

    Nice coding anyway…
    I have a deal for you, private chat me on telegram @Rhr3ell

Leave a Reply

Your email address will not be published. Required fields are marked *