search

kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.26k stars 1.87k forks source link

Feature: Support X-Forwarded-For header if present #920

Closed rotarydrone closed 11 months ago

rotarydrone commented 1 year ago

This PR checks if an X-Forwarded-For header is present and treats this as the remote IP. This supports scenarios where Evilginx is behind a reverse proxy, a scenario which may have some operational security benefits.

rotarydrone commented 1 year ago

Some additional detail about why you may want to configure Evilginx behind a reverse proxy this way:

The default behavior of Evilginx is to register certificates for subdomains on the fly. While convenient, this can hurt us if the target proactively monitors certificate transparency logs for brand impersonation attempts. To mitigate this, we can run Evilginx2 in developer mode (which will only generate the certs locally) and then front it with Nginx redirector, using a wildcard certificate and subdomain.

We would configure *.example.com DNS record and request a wildcard certificate (and a wildcard cert for any subdomains we may want to use as well, e.g *.phish.example.com).

An example nginx configuration may look like: 

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/html;

    ssl_certificate /etc/nginx/pki/fullchain.cer;
    ssl_certificate_key /etc/nginx/pki/example.com.key;

    location / {
            set $backend_name evilginx;
            proxy_pass https://<evilginx_server_ip>:443;
            proxy_ssl_server_name on;
            proxy_ssl_name $host;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}