Analysis updated 2026-06-24
Run a sanctioned red-team phishing simulation that proves 2FA cookies can be captured by a reverse proxy.
Train a blue team on what session-hijacking phishing traffic looks like in logs and on the wire.
Test whether your SSO provider's anti-phishing protections (FIDO2, device-bound cookies) actually hold up.
Pair Evilginx with Gophish to run an end-to-end authorised phishing campaign in a controlled lab.
| kgretzky/evilginx2 | direnv/direnv | cayleygraph/cayley | |
|---|---|---|---|
| Stars | 15,073 | 15,073 | 15,043 |
| Language | Go | Go | Go |
| Setup difficulty | hard | easy | moderate |
| Complexity | 5/5 | 2/5 | 4/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Needs a controlled domain, DNS pointing at your server, valid TLS and a working phishlet, only legal with written authorisation from the target.
Evilginx is a security research tool used during red team penetration tests. The README describes it as a man-in-the-middle framework: it sits between a victim's browser and a real login page, captures the username, password, and the session cookies that get issued after a successful login, and in doing so can bypass two-factor authentication. The README is direct about this: it is a demonstration of what skilled attackers can do, and the author states the tool should only be used in legitimate penetration testing engagements with written permission from the party being tested. The project is a successor to an earlier version released in 2017 which relied on a customised build of the nginx web server. The current version, called Evilginx 3.0 in the README, is rewritten in Go as a single standalone application that runs its own HTTP and DNS servers. That makes it easier to install and operate compared with the older nginx-based approach. A paid commercial version called Evilginx Pro is also available, sold through a separate site after a manual company verification process that the author says took two years to set up because of export regulations. The README lists features of the paid version: detection avoidance against browser protections like Chrome's Enhanced Browser Protection, a maintained library of "phishlets" (configuration files for specific target sites), a Botguard system to filter automated traffic, an Evilpuppet module described as advanced capability against Google, external DNS providers with multi-domain support, website spoofing, JavaScript and HTML obfuscation, wildcard TLS certificates, automated server deployment, and SQLite storage. The author also sells a training course called Evilginx Mastery that teaches reverse proxy phishing techniques and how to use the tool during red team exercises. There is an official integration with Gophish, a separate open source phishing campaign tool, maintained as a fork by the same author. The README links to a series of blog posts that document each version's release and feature additions. Installation and usage instructions are not in the README itself. They are kept on a separate documentation site. The author explicitly says they do not offer support for creating phishlets and points readers at community-shared ones instead. The open source code is released under the BSD-3 license and is maintained by Kuba Gretzky.
A red-team man-in-the-middle framework written in Go that proxies login pages to capture credentials and session cookies, bypassing 2FA. Authorised pentests only.
Mainly Go. The stack also includes Go, DNS, TLS.
BSD-3 license, free to use and modify with the copyright notice kept, you may not use the author's name to endorse derived works.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.