explaingit

kgretzky/evilginx2

Analysis updated 2026-06-24

Stars · 15,073 | Language · Go | Audience · ops devops | Complexity · 5/5 | Setup · hard

TLDR

A red-team man-in-the-middle framework written in Go that proxies login pages to capture credentials and session cookies, bypassing 2FA. Authorised pentests only.

Mindmap

mindmap
  root((Evilginx))
    Inputs
      Phishlet configs
      Target domain
      TLS certs
    Outputs
      Captured creds
      Session cookies
      Replayable session
    Use Cases
      Authorised pentests
      Red team drills
      Phishing awareness
      Security research
    Tech Stack
      Go
      HTTP server
      DNS server
      TLS

What do people build with it?

USE CASE 1

Run a sanctioned red-team phishing simulation that proves 2FA cookies can be captured by a reverse proxy.

USE CASE 2

Train a blue team on what session-hijacking phishing traffic looks like in logs and on the wire.

USE CASE 3

Test whether your SSO provider's anti-phishing protections (FIDO2, device-bound cookies) actually hold up.

USE CASE 4

Pair Evilginx with Gophish to run an end-to-end authorised phishing campaign in a controlled lab.

What is it built with?

Go, DNS, TLS, HTTP

How does it compare?

| | kgretzky/evilginx2 | direnv/direnv | cayleygraph/cayley |
|---|---|---|---|
| Stars | 15,073 | 15,073 | 15,043 |
| Language | Go | Go | Go |
| Setup difficulty | hard | easy | moderate |
| Complexity | 5/5 | 2/5 | 4/5 |
| Audience | ops devops | developer | developer |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard | Time to first run · 1 day+

Needs a controlled domain, DNS pointing at your server, valid TLS and a working phishlet. Only legal with written authorisation from the target.

BSD-3 license: free to use and modify with the copyright notice kept. You may not use the author's name to endorse derived works.

In plain English

Evilginx is a security research tool used during red team penetration tests. The README describes it as a man-in-the-middle framework: it sits between a victim's browser and a real login page, captures the username, password, and the session cookies that get issued after a successful login, and in doing so can bypass two-factor authentication. The README is direct about this: it is a demonstration of what skilled attackers can do, and the author states the tool should only be used in legitimate penetration testing engagements with written permission from the party being tested.

The project is a successor to an earlier version released in 2017 which relied on a customised build of the nginx web server. The current version, called Evilginx 3.0 in the README, is rewritten in Go as a single standalone application that runs its own HTTP and DNS servers. That makes it easier to install and operate compared with the older nginx-based approach.

A paid commercial version called Evilginx Pro is also available, sold through a separate site after a manual company verification process that the author says took two years to set up because of export regulations. The README lists features of the paid version: detection avoidance against browser protections like Chrome's Enhanced Browser Protection, a maintained library of "phishlets" (configuration files for specific target sites), a Botguard system to filter automated traffic, an Evilpuppet module described as advanced capability against Google, external DNS providers with multi-domain support, website spoofing, JavaScript and HTML obfuscation, wildcard TLS certificates, automated server deployment, and SQLite storage.

The author also sells a training course called Evilginx Mastery that teaches reverse proxy phishing techniques and how to use the tool during red team exercises. There is an official integration with Gophish, a separate open source phishing campaign tool, maintained as a fork by the same author.

The README links to a series of blog posts that document each version's release and feature additions. Installation and usage instructions are not in the README itself. They are kept on a separate documentation site. The author explicitly says they do not offer support for creating phishlets and points readers at community-shared ones instead. The open source code is released under the BSD-3 license and is maintained by Kuba Gretzky.

Copy-paste prompts

Prompt 1
Set up Evilginx 3 in a lab VM with a throwaway domain and walk me through loading a community phishlet for a test site.
Prompt 2
Write a Caddy or nginx config that fronts Evilginx and only allows traffic from my pentest source IPs.
Prompt 3
Explain the difference between session cookie theft via Evilginx and a classic credential-only phishing page in one paragraph.
Prompt 4
Show me how to detect Evilginx-style reverse-proxy phishing in Microsoft 365 sign-in logs.
Prompt 5
Help me write a written-authorisation template for a client engagement that explicitly covers using Evilginx in scope.

Frequently asked questions

What is evilginx2?

A red-team man-in-the-middle framework written in Go that proxies login pages to capture credentials and session cookies, bypassing 2FA. Authorised pentests only.

What language is evilginx2 written in?

Mainly Go. The stack also includes DNS and TLS.

What license does evilginx2 use?

BSD-3 license: free to use and modify with the copyright notice kept. You may not use the author's name to endorse derived works.

How hard is evilginx2 to set up?

Setup difficulty is rated hard, with roughly 1 day+ to a first successful run.

Who is evilginx2 for?

Mainly ops devops.


Verify against the repo before relying on details.