# GoPhish & Evilginx

In this setup, `GoPhish` is used to send emails and provide a dashboard for <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark> campaign statistics, but it is not used for any landing pages. Your phishing links sent from `GoPhish` will point to an `evilginx3` lure path and <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark> will be used for landing pages. This provides the ability to still bypass `2FA/MFA` with <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark>, without losing those precious stats. Realtime campaign event notifications have been provided with a local websocket/http server I have developed and full usable `JSON` strings containing tokens/cookies from <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark> are displayed directly in the `GoPhish` GUI

<figure><img src="/files/hnjJR2O5TQ1ZsCIujWw1" alt="" width="375"><figcaption></figcaption></figure>

### Infrastructure Layout

* <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark> will listen on an externally accessible address on port `443` (or whatever port you choose in <mark style="color:red;">EvilGinx</mark><mark style="color:red;">`3`</mark> configuration)
* `GoPhish` will listen locally on port `8080` and `3333` (phishing server on port `8080` is not used)
* `Cloudflare Turnstile` server will listen locally on port `80`

### setup.sh

`setup.sh` has been provided to automate the needed configurations for you. Once this script is run and you've fed it the right values, you should be ready to get started. Below is the setup help:

```
Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <feed bool> <rid replacement>
 - root domain                     - the root domain to be used for the campaign
 - subdomains                      - a space separated list of evilginx3 subdomains, can be one if only one
 - root domain bool                - true or false to proxy root domain to evilginx3
 - feed bool                       - true or false if you plan to use the live feed
 - rid replacement                 - replace the gophish default "rid" in phishing URLs with this value
Example:
  ./setup.sh example.com "accounts myaccount" false true user_id
```

### Cloudflare Turnstile Setup

`Cloudflare Turnstile` integration has superseded redirect rules and an IP blacklist with `Apache2`. The `Apache2` approach relied on a predefined list of redirect rules and an IP blacklist. We may miss certain user agents, hosts, or IP addresses that end up detecting our infrastructure. This is usually done through bots and automated software that scans phishing infrastructure. `Cloudflare Turnstile` technology is one of the best defenses against bots at the time of writing and verifying an actual user is accessing your site.

* Create a Cloudflare account
* Select the `Turnstile` tab in the dashboard
* Add a new site and use the domain for your phishing site/campaign
* Edit the `evilginx3/templates/forbidden.html` & `evilginx3/templates/turnstile.html` files with your own changes
* When starting `evilginx3`, include the public/private keys with the `turnstile` flag separated by a `:`. For example:

```
./evilginx3 -feed -g ../gophish/gophish.db -turnstile <PUBLIC_KEY>:<PRIVATE_KEY>
```

### Cloudflare Turnstile HTML Template Guide

If I were to include a static HTML page for the `Cloudflare Turnstile` functionality, everyone's phishing infrastructure would have the same page and it would lead to static HTML code detections. *In comes Go HTML templates*. I have included a starter template in `evilginx3/templates/turnstile.html` as a guideline **YOU WANT TO CHANGE THIS**. Here are the rules around how the template code is setup, failure to follow these rules will likely result in breaking the `Cloudflare Turnstile` functionality:

1. You must include the `{{.FormActionURL}}`, `{{.ErrorMessage}}`, and `{{.TurnstilePublicKey}}` template variables
2. The form action URL for submitting the `Turnstile` challenge must be the `{{.FormActionURL}}` template variable
3. The `data-sitekey` value for the `cf-turnstile` `div` class must be the `{{.TurnstilePublicKey}}` template variable
4. You must save the template at `evilginx3/templates/turnstile.html`
5. The button to submit the challenge form must have its name attribute equal `button`

### replace\_rid.sh

In case you ran `setup.sh` once and already replaced the default `RId` value throughout the project, `replace_rid.sh` was created to replace the `RId` value again.

```
Usage:
./replace_rid <previous rid> <new rid>
 - previous rid      - the previous rid value that was replaced
 - new rid           - the new rid value to replace the previous
Example:
  ./replace_rid.sh user_id client_id
```

**Email Campaign Setup**

Once `setup.sh` is run, the next steps are:

1. Start `GoPhish` and configure email template, email sending profile, and groups
2. Start `evilginx3` and configure phishlet and lure (must specify full path to `GoPhish` `sqlite3` database with `-g` flag)
3. Launch campaign from `GoPhish` and make the landing URL your lure path for `evilginx3` phishlet
4. **PROFIT**

### QR Code Generator

The `QR Code Generator` feature allows you to generate QR codes to deploy QR code social engineering campaigns. Here are the steps to use it:

1. When editing an email HTML template, you can now include the `{{.QR}}` template variable:

<figure><img src="/files/2uCLJ75tEPfn4GDahGFg" alt=""><figcaption></figcaption></figure>

2. When starting a new campaign, enter a size for the QR code images:

<br>

<figure><img src="/files/QmsIt3zybY4NnFdG07Kd" alt=""><figcaption></figcaption></figure>

3. The outcome will be similar to the following, but you can adjust the size to meet your needs:

<figure><img src="/files/LlQZRoapHagTCAZax31D" alt=""><figcaption></figcaption></figure>

4. **PROFIT**

*Note that this feature is only supported for email campaigns and HTML email templates at the moment.*

### SMS Campaign Setup

<figure><img src="/files/e0tQfmsHWJDkunpHPJaC" alt=""><figcaption></figcaption></figure>

An entire reworking of `GoPhish` was performed in order to provide `SMS` campaign support with `Twilio`. Your new `evilgophish` dashboard will look like below:

Once you have run `setup.sh`, the next steps are:

1. Configure `SMS` message template. You will use `Text` only when creating a `SMS` message template, and you should not include a tracking link as it will appear in the `SMS` message. Leave `Envelope Sender` and `Subject` blank like below:

<figure><img src="/files/rGZd5lkeJGc7FXHofGed" alt=""><figcaption></figcaption></figure>

2. Configure `SMS Sending Profile`. Enter your phone number from `Twilio`, `Account SID`, and `Auth Token`:<br>

   <figure><img src="/files/ZVHwQHx0Td7SN8Tl5Deo" alt=""><figcaption></figcaption></figure>
3. Import groups. The `CSV` template values have been kept the same for compatibility, so keep the `CSV` column names the same and place your target phone numbers into the `Email` column. Note that `Twilio` accepts the following phone number formats, so they must be in one of these three:

<figure><img src="/files/Aos3pJiwJl6LRQhSj7V8" alt=""><figcaption></figcaption></figure>

4. Start `evilginx3` and configure phishlet and lure (must specify full path to `GoPhish` `sqlite3` database with `-g` flag)
5. Launch campaign from `GoPhish` and make the landing URL your lure path for `evilginx3` phishlet
6. **PROFIT**

### Live Feed Setup

Realtime campaign event notifications are handled by a local websocket/http server and live feed app. To get setup:

1. Select `true` for `feed bool` when running `setup.sh`
2. `cd` into the `evilfeed` directory and start the app with `./evilfeed`
3. When starting `evilginx3`, supply the `-feed` flag to enable the feed. For example:

`./evilginx3 -feed -g /opt/evilgophish/gophish/gophish.db`

4. You can begin viewing the live feed at: `http://localhost:1337/`. The feed dashboard will look like below:

<figure><img src="/files/AUtL9MHBJqZ6sgz0Svk0" alt=""><figcaption></figcaption></figure>

**IMPORTANT NOTES**

* The live feed page hooks a websocket for events with `JavaScript` and you **DO NOT** need to refresh the page. If you refresh the page, you will **LOSE** all events up to that point.

### A Word About Phishlets

I will add `phishlets` to this repository at my own discretion. There should be no expectation of me creating `phishlets` as part of this repository, you are expected to create your own. ***DO NOT OPEN ISSUES IN THIS REPOSITORY FOR PHISHLETS***

### Installation Notes

The installation script was tested on Ubuntu Focal/Jammy and installs the latest version of `Go` from source. Binaries may fail to build depending on your `Go` environment and what you have installed i.e. installing the original versions this project combines then trying to install this version of them. It also makes changes to DNS so `evilginx3` can take it over. You should understand the implications of this and review it. A fresh environment is recommended and other operating systems haven't been tested.

### Changes to GoPhish

`GoPhish` is never used in any of your actual phishing pages and email headers have been stripped, so there's no need to worry about IOCs within it.

1. Default `rid` string in phishing URLs is chosen by the operator in `setup.sh`
2. Added `SMS` Campaign Support
3. Added additional `Captured Session` campaign event for captured `evilginx3` sessions/tokens


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rproxylab.gitbook.io/evilginx-lab-by-cfs0x/basics/images-and-media.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.