Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication (by kgretzky)

Evilginx2 Alternatives

Similar projects and alternatives to evilginx2

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better evilginx2 alternative or higher similarity.

evilginx2 reviews and mentions

Posts with mentions or reviews of evilginx2. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-10-10.
  • Google announces passwordless by default: Make the switch to passkeys
    6 projects | news.ycombinator.com | 10 Oct 2023
    No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

    Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

    WebAuthn almost entirely eliminates phishing risk, and Passkeys are a really nice, clean UX for using WebAuthn.

  • I’ve been stuck on this situation for 3 days, does anyone know how to fix this?
    2 projects | /r/github | 17 Sep 2023
    So I downloaded this onto my computer https://github.com/kgretzky/evilginx2 and that took a while since I’m new to GitHub and I barely know my way around computers. That went fine. I noticed there was another repository that was pretty much an add-on to that same software I downloaded earlier, “evilginx2”, by another creator; this is the link https://github.com/simplerhacking/Evilginx3-Phishlets
  • MFA Just Casually being bypassed?? Anyone else seeing this?
    2 projects | /r/sysadmin | 15 Jun 2023
    We had a user compromised similarly the other day, with what I believe to be https://github.com/kgretzky/evilginx2 now. It stole his session cookie and was able to auth. Fortunately, we have Office 365 Defender and he was flagged immediately on the risky user sign-ins and we were able to block and investigate.
  • Accounting got phished. Paid out big bucks
    3 projects | /r/sysadmin | 31 May 2023
    Evilginx can bypass MFA and hijack your session: https://github.com/kgretzky/evilginx2. The only thing that mitigates this is FIDO keys.
  • Phish a User with MFA Enabled
    3 projects | /r/redteamsec | 4 Oct 2022
  • best phishing site or code for hacking insta
    2 projects | /r/hacking | 25 May 2022
  • Soft skills
    4 projects | /r/ProgrammerHumor | 25 Jan 2022
    A good example of this I've run into is evilginx2, which is a scary piece of software that allows you to somewhat easily do a MITM phishing attack that can even grab MFA tokens. When I ran into a client having an issue with somebody using the same sort of method to phish their site, I was able to find ways to mitigate it. This was thanks to evilginx2 being a proof-of-concept project, which allowed me to easily test ways of blocking it.
  • Launch HN: Keyri (YC S21) – Secure smartphone-based passwordless authentication
    4 projects | news.ycombinator.com | 4 Aug 2021
    Login on desktop happens through scanning a QR code on the service's login page using the service's app. On a mobile device, logging in happens by tapping a button and being verified by biometrics (FaceID etc.) or a passcode (if enabled by the developer).

    TOTP is an objectively worse UX - first you type in your username, then password, then open your phone, open the relevant app, read the code, and type in the code before it expires. With Keyri, you open the relevant app, tap a "scan" UI element, and point it at your screen. No typing, memorization, or race against the clock. Also, with TOTP, you're pulling out your phone and navigating to a specific app anyway, so I don't understand your UX objection. I'm also struggling to picture a situation in which a laptop or other device has connectivity but a phone does not. Presumably the laptop is on a WiFi network that the phone can also connect to. If the laptop is using some sort of satellite connection module, that module and/or laptop can fire up a hotspot. This connectivity problem would also arise in the push notification solution you propose in the next sentence.

    Push notification solutions ("prompts") are defeatable using trivial man-in-the-middle phishing techniques. For example: https://github.com/kgretzky/evilginx2. Authenticator-initiated authentication solutions with two-way authentication like Keyri eliminate phishing.

    4 projects | news.ycombinator.com | 4 Aug 2021
    > The way I use passwords is way safer than Keyri

    I don't see how that is possible.

    (1) Keyri private keys cannot be stolen other than through smartphone malware, which is exceedingly rare, while password managers and older USB keys are vulnerable to desktop malware, which is much more common - both credential stealers and, in the case of older generations of Yubikeys, keyloggers. Hardware OTP devices are additionally vulnerable to man-in-the-middle phishing attacks (though the HN audience is generally savvy enough to not fall for phishing) - https://github.com/kgretzky/evilginx2.

    (2) As long as you rely on passwords and TOTP, you're relying on the shared secret paradigm and trusting the relying party to handle your credentials properly. If the relying party's credential store is breached and the credentials were improperly stored (common even today), your credentials (both your password and OTP secrets) can be used by a bad actor to access your account. Public key systems like Keyri and FIDO2 substantially reduce this risk.

    > As I said in a comment below, the fact that companies "can afford" is not the same as "it's worth it" to them

    Please see my response below regarding account sharing. In short, eliminating account sharing in order to enforce TOS is an opportunity to (a) improve security (b) improve UX in cases where provisioning multiple users access to one account is warranted.

    > Finally, with OpenID, I can set up my own identity provider, or use a privacy conscious one.

    As you note, the vast majority of web services don't support arbitrary identity providers or use privacy conscious ones. History has proven that people don't set up their own identity provider. Additionally, the universe of "privacy conscious" OIDC providers is limited (non-existent?).

  • Engineering a real-time phishing simulation proxy in Rust
    3 projects | /r/programming | 2 Feb 2021
    * https://github.com/kgretzky/evilginx2