Evilginx: The Phishing Tool That Outsmarts MFA

 Evilginx

Evilginx is a well-known adversary-in-the-middle (AiTM) phishing framework primarily used in cybersecurity testing and, unfortunately, by attackers to bypass modern authentication protections such as multi-factor authentication (MFA). Below is a detailed but safe, high-level explanation of how it works, why it’s dangerous, and how to defend against it.

What Evilginx Is

Evilginx is an open-source tool that serves as a reverse-proxy phishing framework. Instead of just tricking users into entering credentials on a fake page, it:

• Sits between the victim and the real login site
• Transparently relays data back and forth
• Captures credentials and session cookies in real time

Because of this, it’s far more advanced than traditional phishing pages.

How Evilginx Works (Conceptual Overview)

1. Reverse Proxy Setup

Evilginx creates a phishing domain that appears to be a legitimate site (e.g., a fake Microsoft, Google, or bank login page).

• The victim visits the attacker-controlled domain
• The tool proxies traffic to the real website
• The user sees what appears to be the real login page

2. Real-Time Credential Interception

When the user enters login details:

• Credentials are forwarded to the real service
• The attacker intercepts them simultaneously

No obvious error appears to the victim because the login actually works.

3. MFA Bypass via Session Hijacking

This is the key capability:

• After login, the legitimate site issues a session cookie
• That cookie proves the user has already authenticated (including MFA)

Evilginx captures that session cookie.

Result:

• The attacker can reuse the cookie
• They gain access without needing the password or MFA code again

4. Full Account Access

Using the stolen cookie, the attacker can:

• Log in to the victim’s account
• Operate as the legitimate user
• Bypass MFA protections entirely

Why Evilginx Is Dangerous

Traditional phishing vs Evilginx:

Evilginx is dangerous because it exploits trust in session-based authentication, not just passwords.

Key Concepts behind Evilginx

1. Adversary-in-the-Middle (AiTM)

Unlike man-in-the-middle attacks that intercept traffic passively, AiTM tools:

• Actively terminate and re-establish connections
• Control the entire session

2. Session Cookies

After login, websites issue session tokens:

• Stored in the browser
• Used instead of repeatedly entering credentials

Evilginx steals these tokens.

3. Phishing Domains & TLS

Modern phishing frameworks even use:

• Valid HTTPS certificates (e.g., Let’s Encrypt)
• Lookalike domains

This makes detection harder for users.

How to Defend Against Evilginx

Since Evilginx beats basic MFA, stronger protections are needed.

1. Use Phishing-Resistant MFA

Not all MFAs are equal.

Strong protection:

• FIDO2 / hardware security keys (e.g., YubiKey)
• Passkeys (WebAuthn)

Weaker:

• SMS codes
• Authenticator apps (can still be proxied)

Why:

• These bind authentication to the real domain and cannot be replayed.

2. Check URLs Carefully

Evilginx relies on tricking users into visiting a fake domain.

Watch for:

• Slight misspellings (e.g., micr0soft.com)
• Extra subdomains (login.microsoft.verify-user.com)

3. Browser-Based Protections

Modern browsers help:

• Safe Browsing warnings
• Built-in phishing detection
• Passkey/domain binding protections

4. Conditional Access & Zero Trust

Organizations can implement:

• Device-based authentication
• Behavioral analysis (location, device fingerprint)
• Session risk evaluation

5. Session Security Controls

Web apps can reduce risk:

• Short session lifetimes
• Token binding to device/IP
• Continuous re-authentication

6. User Awareness

Train users to:

• Avoid clicking on unknown links
• Verify login URLs directly
• Recognize suspicious login prompts

Ethical and Legal Context

Evilginx itself is not inherently illegal:

• Used in penetration testing and red teaming
• Helps organizations identify weaknesses

However:

• Using it without authorization is illegal in most jurisdictions
• Often associated with real-world phishing campaigns

Summary

Evilginx is a sophisticated phishing framework that:

• Proxies real websites instead of mimicking them
• Captures credentials and session cookies in real time
• Can bypass traditional MFA protections
• Enables attackers to hijack authenticated sessions

Process Hollowing Explained: How Malware Hides in Trusted Processes

 Process Hollowing

Process hollowing (also called RunPE) is a technique used in malware and offensive security in which a legitimate process is created in a suspended state, its memory is replaced (or “hollowed out”) with malicious code, and execution is then resumed so the malicious code runs under the guise of a trusted process.

Below is a detailed but safe, high-level explanation of how it works, why attackers use it, and how it’s detected.

What Process Hollowing is

Process hollowing is a code injection/evasion technique that allows attackers to:

• Run malicious code inside a legitimate process
• Avoid detection by antivirus and behavioral monitoring
• Blend into normal system activity

Instead of launching a suspicious executable directly, malware makes it appear as though a trusted application (e.g., explorer.exe, svchost.exe) is running normally, while its actual code has been replaced.

Conceptual Workflow (High-Level)

Here’s a simplified conceptual flow of how process hollowing works:

1. Create a Legitimate Process in Suspended Mode

• A trusted executable is launched (e.g., Notepad, svchost)
• It is intentionally paused immediately after creation
• At this moment, it has:
• Valid structure
• No meaningful execution yet

2. Remove or Unmap Original Memory

• The attacker (malware) removes the legitimate executable's code from memory
• This creates an empty “shell” process

This is where the “hollowing” name comes from; the process is emptied internally, but still exists externally

3. Allocate Memory for Malicious Code

• The malware allocates memory inside the hollowed process
• This memory is used to store the attacker’s payload

4. Inject Malicious Payload

• The attacker’s code is written into the target process memory
• The process now contains malicious instructions instead of legitimate ones

5. Adjust Execution Context

• The instruction pointer (CPU execution location) is modified
• So when resumed, it executes attacker-controlled code instead of the original program

6. Resume Execution

• The suspended process is resumed
• From the OS perspective:
• It looks like a normal, trusted application running
• In reality:
• It is executing malicious logic inside

Why Attackers Use Process Hollowing

1. Stealth

• Appears as a trusted system process
• Reduces suspicion from users and security tools

2. Evasion

• Many security solutions trust system binaries
• Helps bypass signature-based detection

3. Persistence and Privilege Abuse

• If targeting privileged processes, attackers can inherit higher permissions
• Helps escalate impact without obvious triggers

Technical Characteristics (Detection Clues)

Even though it is stealthy, process hollowing leaves behavioral artifacts:

Memory Behavior

• Memory regions with:
• Executable permissions
• Unexpected content not matching the original file

API Usage Patterns

Malicious programs often use sequences like:

• Process creation in suspended state
• Memory unmapping/allocation
• Writing to another process's memory
• Thread/context manipulation

Mismatch Indicators

• Executable image on disk ≠ memory image in RAM
• Process name doesn’t match its behavior

Defensive Mitigation Strategies

1. Behavioral Detection

• Monitor suspicious sequences of API calls
• Look for:
• Suspended process creation + memory modification

2. Memory Integrity Checking

• Compare process memory vs. the original executable file
• Detect anomalies in loaded code segments

3. Endpoint Detection & Response (EDR)

• Modern EDR tools flag:
• Process injection patterns
• Context manipulation

4. Least Privilege Principle

• Prevent malware from manipulating high-privilege processes

5. Application Control

• Restrict execution of unknown binaries
• Enforce signed code policies

Comparison to Related Techniques

Important Context

Process hollowing is widely used by:

• Malware families (banking trojans, RATs)
• Advanced persistent threats (APTs)
• Red team/penetration testing tools (for simulation)

However, it's also studied in defensive cybersecurity to understand attacker techniques.

Summary

Process hollowing is a stealthy code injection technique that:

• Creates a legitimate process
• Empties it internally
• Inserts malicious code
• Executes it under a trusted identity

It’s powerful because it exploits trust relationships in operating systems, making malicious activity appear legitimate.

ntlmrelayx Explained: Mechanics, Attacks, and Defenses

 ntlmrelayx

ntlmrelayx is a well-known tool from the Impacket suite used in cybersecurity, primarily for penetration testing and red-team exercises. It exploits weaknesses in Microsoft’s NTLM (NT LAN Manager) authentication protocol to perform what’s called an NTLM relay attack.

1. Background: NTLM Authentication

Before understanding ntlmrelayx, you need to know how NTLM works.

NTLM basics

NTLM is a challenge-response authentication protocol used in Windows environments when Kerberos isn’t available.

Simplified flow:

1. Client requests authentication to a server

2. Server sends a challenge (random value)

3. Client encrypts the challenge using its password hash → sends response

4. Server verifies response

Important property:

• The password is never sent directly, but the response can still be reused in certain contexts.

2. What Is an NTLM Relay Attack?

An NTLM relay attack takes advantage of:

• NTLM’s lack of binding between authentication and the target service
• The ability to reuse authentication messages across services

Concept:

An attacker:

1. Tricks a victim into authenticating to them

2. Intercepts the NTLM authentication

3. Relays it to another service/server

4. Gains access as the victim

Key point:

The attacker does NOT crack the password; they just reuse the authentication.

3. What ntlmrelayx does

ntlmrelayx is a tool that:

• Receives incoming NTLM authentication
• Relays it to another target system or service
• Optionally performs post-authentication actions

It essentially automates NTLM relay attacks.

4. High-Level Architecture

ntlmrelayx acts as a multi-protocol relay server.

Components:

• Listener(s):
• SMB
• HTTP/HTTPS
• LDAP
• MSSQL
• Relay engine
• Targets list
• Attack modules (post-auth actions)

Logical flow:

• Victim → ntlmrelayx (attacker) → Target server

5. Step-by-Step Conceptual Flow

Step 1: Trigger authentication

The attacker causes a victim machine to authenticate via:

• SMB (file share)
• HTTP (web request)
• Other protocols

Step 2: Capture NTLM handshake

The victim sends:

• Username
• NTLM challenge/response

Step 3: Relay to the target

ntlmrelayx forwards the authentication to a target system:

• File server (SMB)
• Active Directory (LDAP)
• Web app (HTTP)
• SQL server

Step 4: Target accepts authentication

If protections are not enabled:

• The target believes it’s talking directly to the victim
• Grants access

Step 5: Perform actions

Depending on the configuration, ntlmrelayx can:

• Dump data
• Execute commands (if privileges allow)
• Modify LDAP objects
• Add users or privileges

6. Supported Protocols

ntlmrelayx is powerful because it supports many protocols:

Input (incoming authentication):

• SMB
• HTTP/HTTPS

Relay targets:

• SMB
• LDAP / LDAPS
• HTTP / HTTPS
• MSSQL
• IMAP / SMTP (limited cases)

7. Common Use Cases (High-Level)

In authorized testing environments, it is used to:

1. Lateral movement

• Reuse one machine’s authentication to access another system

2. Privilege escalation

• Relay a domain admin’s authentication to LDAP to modify AD

3. Active Directory attacks

• Abuse LDAP to:
• Add computer accounts
• Modify delegation settings
• Change permissions

4. Data access

• Access SMB shares without credentials

8. Why NTLM Relay Works

The vulnerability exists because:

NTLM lacks:

• Mutual authentication (client verifies server, but not vice versa)
• Channel binding (authentication isn’t tied to a specific connection)
• Integrity protection across services

9. Defenses against NTLM Relay

Modern environments can mitigate these attacks with:

Protocol-level protections

• SMB signing
• LDAP signing and channel binding
• Kerberos instead of NTLM

Network protections

• Disable NTLM where possible
• Restrict outbound authentication
• Use firewalls to block unnecessary protocols

Identity protections

• Privileged Access Management
• Least privilege

10. Important Security Note

ntlmrelayx is a legitimate security tool, but:

• It is also used in real-world attacks
• It should only be used in authorized environments (labs, pentests, training)

11. Relationship to Other Techniques

ntlmrelayx is often used alongside:

• Responder → captures and triggers NTLM authentication
• MitM6 → forces IPv6 NTLM authentication
• PetitPotam / PrinterBug → coerces authentication
• Impacket tools in the general ecosystem

12. Key Takeaways

• ntlmrelayx does not crack passwords; it reuses authentication
• It exploits weaknesses in the NTLM protocol design
• It enables powerful lateral movement and AD attacks
• Modern defenses can largely mitigate it if properly configured

DCShadow: A Deep Dive into Stealthy Active Directory Replication Attacks

DCShadow

DCShadow is an advanced Active Directory (AD) attack technique used by adversaries to stealthily modify directory data by impersonating a domain controller (DC). It is considered highly dangerous because it bypasses many traditional security controls and blends in with legitimate replication traffic.

What is DCShadow?

DCShadow is a post-exploitation technique (introduced publicly by researchers at Black Hat 2018) that allows attackers to:

• Register a rogue machine as a fake domain controller
• Push malicious changes into Active Directory via replication
• Avoid detection by traditional logging mechanisms

Instead of modifying AD objects via standard administrative APIs (which generate logs), DCShadow injects changes as if they originated from a legitimate DC replication process.

Key Concept: Active Directory Replication

Active Directory uses a multi-master replication model, meaning:

• All domain controllers can make changes
• Changes are synchronized using replication protocols (DRSUAPI)
• Normally:
• DC1 updates an object → replicates to DC2, DC3, etc.
• With DCShadow:
• Attacker introduces a fake DC → pushes malicious changes → other DCs accept them as legitimate

How DCShadow Works (High-Level)

This is a conceptual overview for understanding and defense (not operational instructions).

1. Initial Compromise

An attacker first gains high privileges, typically:

• Domain Admin
• Enterprise Admin
• Or equivalent rights

2. Register Rogue Domain Controller

The attacker:

• Adds a fake domain controller object in AD (configuration partition)
• Uses directory services APIs to make it appear legitimate

3. Prepare Malicious Changes

Examples include:

• Adding a user to Domain Admins
• Modifying ACLs (permissions)
• Injecting persistence mechanisms

4. Trigger Replication

The attacker:

• Uses replication protocols to push changes
• Mimics legitimate DC-to-DC synchronization

Other DCs accept these changes without suspicion.

5. Remove Evidence

After execution:

• The rogue DC object can be removed
• Minimal logs remain compared to normal admin activity

Why DCShadow is Dangerous

Stealth

• Changes happen via replication, not standard AD modification APIs
• Avoids many event logs like:
• Event ID 4728 (group membership changes)
• Event ID 5136 (directory object changes)

Persistence

• Attackers can grant themselves:
• Replication rights
• Hidden backdoor accounts
• Hard to detect and remove

Trust Exploitation

• AD inherently trusts replication from domain controllers
• DCShadow exploits this design assumption

Common Attack Goals

DCShadow is often used for:

• Privilege Escalation
• Add the attacker account to privileged groups
• Persistence
• Modify ACLs to maintain long-term access
• Backdoor Creation
• Grant DS-Replication rights (similar to DCSync capability)
• Identity Manipulation
• Change attributes like:
• adminCount
• SIDHistory

DCShadow vs DCSync

They are often used together in sophisticated attacks.

Detection Challenges

Detecting DCShadow is difficult because:

• Replication traffic is expected behavior
• Logs are minimal or indirect
• Attack duration is often short

Detection Indicators

Defenders should monitor for:

Suspicious DC Registrations

• Unexpected domain controller objects
• Changes in:
• nTDSDSA
• serverReference

Unusual Replication Activity

• Replication from non-standard hosts
• Unexpected invocation of replication APIs

Directory Changes Without Logs

• Privilege changes with no corresponding event logs

Network Monitoring

• Look for replication traffic (DRSR) from non-DC systems

Mitigation Strategies

Limit Privileges

• Reduce the number of Domain Admin accounts
• Use Just-In-Time (JIT) access

Enable Advanced Logging

• Directory Services auditing
• Replication event monitoring

Monitor AD Changes

• Use tools like:
• Microsoft Defender for Identity
• SIEM solutions

Harden Domain Controllers

• Restrict who can:
• Add DC objects
• Modify replication permissions

Detect Replication Abuse

• Alert on:
• Non-DC systems initiating replication
• Changes to replication permissions

Summary

DCShadow is a sophisticated attack that:

• Exploits Active Directory replication trust
• Enables stealthy domain-wide modifications
• Is difficult to detect using traditional logging

It highlights a critical reality:

• In Active Directory, replication is trust, and trust can be abused.

BlueCrack Explained: How Bluetooth PIN Brute-Force Attacks Work

 BlueCrack Bluetooth Attack

A BlueCrack attack is a Bluetooth brute-force attack that attempts to guess the PIN (passkey) of a Bluetooth device, enabling unauthorized access.

It is typically considered an older Bluetooth attack, but it is important for understanding wireless security weaknesses in legacy systems.

How BlueCrack Works

Bluetooth devices pair using a PIN code (passkey). In older Bluetooth versions:

• The PIN is used to generate a link key for encryption
• If the PIN is weak (e.g., 0000, 1234), it can be guessed

Attack Process (Simplified)

1. Capture pairing process

• Attacker monitors Bluetooth communication during pairing
• Tools like sniffers capture authentication exchanges

2. Brute-force the PIN

• Try every possible PIN combination
• Compare generated keys against captured data

3. Recover the correct PIN

• Once matched, the attacker knows the valid PIN

4. Gain access

• Connect to the device
• Access services like:
• File transfers
• Contacts
• Audio channels

Tools Historically Used

• BlueCrack (tool) → designed specifically for brute-force PIN cracking
• Bluetooth sniffers → capture pairing traffic
• Often run on Linux with Bluetooth adapters

Example Scenario

• Target device uses PIN: 1234
• Attacker captures pairing handshake
• Runs brute-force tool:
• Tests 0000 → 9999
• Finds match at 1234
• Attacker now:
• Reconnects as a trusted device
• Accesses data or services

Limitations of BlueCrack

Requires:

• Captured pairing traffic
• Proximity (Bluetooth range ~10 meters typical)
• Weak or short PIN

Less effective today because:

• Modern Bluetooth uses:
• Secure Simple Pairing (SSP)
• Strong encryption (AES)
• Randomized keys

Difference from Other Bluetooth Attacks

How to Mitigate BlueCrack Attacks

• Use modern Bluetooth versions (v2.1+)
• Avoid weak/default PINs (0000, 1234)
• Use long, random passkeys
• Enable Secure Simple Pairing (SSP)
• Turn off Bluetooth when not in use
• Pair devices in trusted environments only

Key Takeaway

• BlueCrack is a brute-force attack on Bluetooth PINs
• It exploits weak pairing mechanisms in older Bluetooth
• Modern devices are largely protected, but legacy systems remain vulnerable

URL Spidering in Penetration Testing: A Complete Guide to Web Enumeration

URL Spidering?

URL spidering (also called web crawling) is an automated technique used in penetration testing, reconnaissance, and security assessment to discover all accessible pages, directories, endpoints, and resources on a web application.

Think of it like a bot that starts at a website and systematically follows every link it finds, just like how search engines index the web.

How URL Spidering Works

A spider typically follows this process:

1. Start with a target URL

• Example: https://target.comptia.org

2. Fetch the page content

• HTML is downloaded and parsed

3. Extract links and resources

• `` links
• Forms (``)
• JavaScript-generated URLs (advanced spiders)
• Images, scripts, APIs, etc.

4. Visit discovered URLs

• Each new link is added to a queue
• The spider continues recursively

5. Record findings

• URLs
• Parameters
• Status codes
• Inputs (GET/POST parameters)

Why URL Spidering is Important in Pen Testing

URL spidering helps testers:

1. Map the attack surface

• Identify:
• Hidden pages
• Admin panels (/admin, /dashboard)
• Backup files (.bak, .old)

2. Discover endpoints and parameters

• Example:

/search?q=term

/login?redirect=home

• These inputs are potential targets for:
• SQL injection
• XSS
• Command injection

3. Find unlinked or “hidden” resources

Files not visible in navigation but still accessible

• Example:

/test/

/backup.zip

/dev/

4. Understand application structure

• Learn how the site is organized:
• User flows
• API endpoints
• Authentication areas

Types of URL Spidering

1. Passive Spidering

• Observes traffic without actively exploring
• Uses proxies (e.g., Burp Suite passive crawl)
• Safe (low risk of detection)
• Limited discovery

2. Active Spidering

• Actively requests pages and follows links
• Finds more content
• Generates traffic → easier to detect

3. Authenticated Spidering

• Crawls after logging into the application
• Discovers:
• User dashboards
• Restricted APIs
• Admin panels

4. Recursive Spidering

• Follows links multiple levels deep
• Builds a full site map

Common Tools for URL Spidering

• Burp Suite Spider / Crawler
• Automatic crawling
• Handles sessions, forms, and authentication
• OWASP ZAP Spider
• Free and widely used
• Good for beginners
• DirBuster / Gobuster / ffuf
• Brute-force spidering (directory guessing)

Example:

gobuster dir -u https://target.com -w wordlist.txt

• wget (basic spidering)

wget --spider -r https://target.com

• Scrapy (Python framework)
• Advanced crawling and automation

Spidering vs. Directory Brute Forcing

Best practice: Use both together

Limitations of URL Spidering

1. Misses unlinked pages

• If no links point to them → not discovered

2. JavaScript-heavy apps

• Some spiders struggle with dynamic content

3. Authentication barriers

• Cannot access protected areas without credentials

4. Rate limiting / detection

• IDS/WAF may block crawling activity

Example Use Case in Pen Testing

1. Run spider:

https://target.com

2. Discover:

/login

/admin

/api/v1/users

/backup.zip

3. Analyze inputs:

/search?q=

/user?id=

4. Launch attacks on discovered endpoints:

• SQL injection
• XSS
• File download vulnerabilities

Key Takeaway

URL spidering is a core enumeration technique that:

• Maps the target website
• Identifies attack entry points
• Reveals hidden or sensitive resources

It is usually the first step before vulnerability scanning or exploitation.

Trivy for Pentesters: Identifying Weaknesses in Containers and Cloud Systems

 What is Trivy?

Trivy is an open-source security scanner developed by Aqua Security that identifies vulnerabilities, misconfigurations, secrets, and compliance issues in modern environments, especially containers and cloud-native systems.

It is widely used in penetration testing, DevSecOps, and cloud security because it is:

• Fast
• Easy to use
• Lightweight
• Highly versatile

What Trivy Scans

Trivy is not limited to one type of target; it supports multiple layers of modern infrastructure:

1. Container Images

• Scans Docker/OCI images for:
• Known vulnerabilities (CVEs)
• Outdated packages
• OS-level issues (Alpine, Ubuntu, Debian, etc.)

Example:

trivy image nginx: latest

2. File Systems

• Scans directories or local systems for:
• Vulnerable libraries
• Dependency issues

Example:

trivy fs /path/to/project

3. Infrastructure as Code (IaC)

• Scans configuration files like:
• Terraform
• Kubernetes YAML
• Dockerfiles

Detects:

• Misconfigurations (e.g., open security groups, no encryption)

Example:

trivy config

4. Kubernetes Clusters

• Analyzes:
• Cluster configurations
• Workloads
• RBAC settings

Example:

trivy k8s cluster

5. Repositories (GitHub, etc.)

• Scans repositories for:
• Secrets (API keys, passwords)
• Vulnerable dependencies

Key Features

1. Vulnerability Detection

• Uses vulnerability databases to detect known CVEs
• Covers:
• OS packages (apt, yum, apk)
• Language-specific deps (npm, pip, Maven, etc.)

2. Misconfiguration Detection

• Identifies insecure settings such as:
• Public S3 buckets
• Open ports
• Weak IAM policies
• Missing encryption

3. Secret Scanning

• Finds sensitive data like:
• API keys
• Tokens
• Hardcoded credentials

4. SBOM (Software Bill of Materials)

• Generates a list of all components in an application
• Useful for compliance and auditing

5. Fast & Lightweight

• Designed for speed (often faster than traditional scanners)
• No heavy setup required

Why Trivy is Important in Pen Testing

For a penetration tester, Trivy helps identify real attack opportunities quickly:

Common Findings

• Vulnerable libraries that can be exploited (RCE, privilege escalation)
• Misconfigured containers (running as root, exposed ports)
• Secrets that allow lateral movement
• Weak cloud configurations

How Trivy Fits Into Security Workflow

In DevSecOps:

• Integrated into CI/CD pipelines
• Automatically scans builds before deployment

In Pen Testing:

• Used during reconnaissance and vulnerability discovery
• Helps prioritize:
• High-risk vulnerabilities
• Misconfigurations that attackers can exploit first

Trivy vs Other Tools

Key Takeaways

• Trivy = container & cloud-native security scanner
• Detects:
• Vulnerabilities
• Misconfigurations
• Secrets
• Works across:
• Images, file systems, Kubernetes, IaC
• Widely used for modern penetration testing and DevSecOps