explainx.ainewsletter3.4k
performing-initial-access-with-evilginx3

performing-initial-access-with-evilginx3

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/performing-initial-access-with-evilginx3
0 commentsdiscussion
summary

Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session tokens and bypass multi-factor authentication during red team engagements.

skill.md
name
performing-initial-access-with-evilginx3
description
Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session tokens and bypass multi-factor authentication during red team engagements.
domain
cybersecurity
subdomain
red-teaming
tags
- red-team - initial-access - phishing - evilginx - mfa-bypass - adversary-in-the-middle - credential-theft
version
'1.0'
author
mahipal
license
Apache-2.0
d3fend_techniques
- File Metadata Consistency Validation - Application Protocol Command Analysis - Identifier Analysis - Content Format Conversion - Message Analysis
nist_csf
- ID.RA-01 - GV.OV-02 - DE.AE-07

Performing Initial Access with EvilGinx3

Overview

EvilGinx3 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, enabling bypass of multi-factor authentication (MFA). Unlike traditional credential phishing that only captures usernames and passwords, EvilGinx3 operates as a transparent reverse proxy between the victim and the legitimate authentication service, intercepting the full authentication flow including MFA tokens and session cookies. This makes it the primary tool for red teams demonstrating the risk of adversary-in-the-middle (AiTM) attacks against organizations relying solely on MFA for protection.

When to Use

  • When conducting security assessments that involve performing initial access with evilginx3
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Deploy EvilGinx3 with custom phishlets targeting authorized scope
  • Configure DNS and SSL certificates for the phishing domain
  • Capture session tokens that bypass MFA protections
  • Import stolen session cookies into a browser to hijack authenticated sessions
  • Integrate with GoPhish or custom delivery mechanisms for phishing email campaigns
  • Document the complete attack chain from phishing email to authenticated access

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1557 - Adversary-in-the-Middle
  • T1539 - Steal Web Session Cookie
  • T1078 - Valid Accounts
  • T1556 - Modify Authentication Process
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie

Workflow

Phase 1: Infrastructure Setup

  1. Register a convincing lookalike domain (e.g., using homoglyphs or typosquatting)
  2. Provision a VPS and point the domain's DNS A record to the server IP
  3. Install EvilGinx3: 
    git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
sudo ./bin/evilginx -p ./phishlets
  4. Configure the domain and IP in EvilGinx3: 
    config domain example-phish.com
config ipv4 <server-ip>
  5. EvilGinx3 automatically provisions Let's Encrypt certificates for configured hostnames

Phase 2: Phishlet Configuration

  1. Select or create a phishlet for the target service (e.g., Microsoft 365, Google Workspace): 
    phishlets hostname o365 login.example-phish.com
phishlets enable o365
  2. Verify phishlet is active and SSL certificate is issued: 
    phishlets
  3. Create a lure URL for the phishing campaign: 
    lures create o365
lures get-url 0
  4. Optionally configure a redirect URL for post-capture: 
    lures edit 0 redirect_url https://legitimate-site.com

Phase 3: Phishing Delivery

  1. Craft a pretext email with the lure URL embedded
  2. Use GoPhish or manual SMTP for email delivery: 
    # Integration with EvilGoPhish for combined campaigns
# Provides GoPhish email tracking + EvilGinx3 credential capture
  3. Implement URL masking or shortening if needed for link obfuscation
  4. Deploy landing page with appropriate social engineering pretext

Phase 4: Session Hijacking

  1. Monitor EvilGinx3 for captured sessions: 
    sessions
sessions <session-id>
  2. Extract captured session cookies from the session: 
    # Session output includes:
# - Username and password
# - Session cookies (authentication tokens)
# - Custom captured parameters
  3. Import session cookies into a browser using a cookie editor extension:
    • Export cookies in JSON format
    • Use Cookie-Editor or EditThisCookie browser extension
    • Navigate to the target service to validate session hijack
  4. Establish persistent access by creating application passwords or OAuth tokens

Phase 5: Post-Access Activities

  1. Enumerate mailbox contents, contacts, and shared drives
  2. Identify additional targets for lateral phishing
  3. Check for access to connected cloud applications (SharePoint, Teams, OneDrive)
  4. Document all captured credentials and access achieved

Tools and Resources

ToolPurposePlatform
EvilGinx3AiTM phishing frameworkLinux
GoPhishPhishing campaign managementCross-platform
EvilGoPhishCombined EvilGinx3 + GoPhish integrationLinux
Cookie-EditorBrowser cookie import/exportBrowser Extension
ModlishkaAlternative AiTM proxy frameworkLinux
MuraenaAlternative AiTM phishing proxyLinux

Phishlet Targets

Target ServicePhishletCaptured Data
Microsoft 365o365Session cookies, credentials
Google WorkspacegoogleSession cookies, credentials
OktaoktaSession tokens, credentials
GitHubgithubSession cookies, credentials
AWS ConsoleawsSession tokens, credentials

Detection Indicators

IndicatorDetection Method
Newly registered lookalike domainsDomain monitoring and certificate transparency logs
SSL certificates for suspicious domainsCT log monitoring (crt.sh, Censys)
Unusual login locations after phishingSIEM correlation of authentication events
Session cookie replay from different IPConditional access policy alerts
AiTM proxy headers in trafficNetwork inspection for proxy artifacts

Validation Criteria

  • EvilGinx3 deployed with valid SSL certificates
  • Phishlet configured and enabled for target service
  • Lure URL generated and accessible
  • Test credentials captured successfully through phishing flow
  • Session cookies captured and validated for MFA bypass
  • Session hijack demonstrated in browser with stolen cookies
  • Post-authentication access to target service confirmed
  • Evidence documented with screenshots and session logs
how to use performing-initial-access-with-evilginx3

How to use performing-initial-access-with-evilginx3 on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add performing-initial-access-with-evilginx3
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/performing-initial-access-with-evilginx3

The skills CLI fetches performing-initial-access-with-evilginx3 from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/performing-initial-access-with-evilginx3

Reload or restart Cursor to activate performing-initial-access-with-evilginx3. Access the skill through slash commands (e.g., /performing-initial-access-with-evilginx3) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.554 reviews
  • Anaya Robinson· Dec 28, 2024

    performing-initial-access-with-evilginx3 has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Anika Smith· Dec 24, 2024

    performing-initial-access-with-evilginx3 reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Chaitanya Patil· Dec 20, 2024

    I recommend performing-initial-access-with-evilginx3 for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Soo Kapoor· Dec 16, 2024

    We added performing-initial-access-with-evilginx3 from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Arya Gupta· Nov 23, 2024

    Registry listing for performing-initial-access-with-evilginx3 matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Aarav Ghosh· Nov 19, 2024

    Solid pick for teams standardizing on skills: performing-initial-access-with-evilginx3 is focused, and the summary matches what you get after install.

  • Ama Thompson· Nov 15, 2024

    We added performing-initial-access-with-evilginx3 from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Piyush G· Nov 11, 2024

    performing-initial-access-with-evilginx3 fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Arya Patel· Nov 7, 2024

    performing-initial-access-with-evilginx3 reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Rahul Santra· Nov 3, 2024

    Useful defaults in performing-initial-access-with-evilginx3 — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

showing 1-10 of 54

1 / 6