Go & Phish - Official Gophish integration released!
You can learn more about this update in the official blog post: https://breakdev.org/evilginx-3-3-go-phish/
CHANGELOG
- Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
- Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in
~/.evilginx/crt/sites/<hostname>/. Will loadfullchain.pemandprivkey.pempair or a combination of a.pem/.crt(public certificate) and a.key(private key) file. Make sure to run without-developerflag and disable autocert retrieval withconfig autocert off. - Feature: Added ability to inject
force_postPOST parameters into JSON content body (by @yudasm_). - Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with
config autocert <on/off>. - Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
- Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
- Fixed: Added support for exported cookies with names prefixed with
__Host-and__Secure-. - Fixed: Global
unauth_urlcan now be set to an empty string to have the server return403on unauthorized requests. - Fixed: Unauthorized redirects and blacklisting would be ignored for
proxy_hostswithsession: false(default) making it easy to detect evilginx by external scanners. - Fixed: IP address
127.0.0.1is now ignored from being added to the IP blacklist. - Fixed: Added support for more TLDs to use with phishing domains (e.g.
xyz,art,tech,wiki,lol& more) - Fixed: Credentials will now be captured also from intercepted requests.